aaa_base
- Drop patches (bsc#1199926 and bsc#1199927)
  git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
  git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
  git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
  ping broke in sle15 and sle15sp1 when adding
  the sysctl setting for ping_group_range
- Add patch git-46-78b2a0b29381c16bec6b2a8fc7eabaa9925782d7.patch
  * The wrapper rootsh is not a restricted shell (bsc#1199492)
bind
- Security Fixes:
  * Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused
  to severely impact the performance of named running as a recursive
  resolver. This has been fixed.
  [bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
  * A memory leak was fixed that could be externally triggered in the
  DNSSEC verification code for the ECDSA algorithm.
  [bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
  * Memory leaks were fixed that could be externally triggered in the
  DNSSEC verification code for the EdDSA algorithm.
  [bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
ca-certificates-mozilla
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
  Added:
  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  Removed:
  - Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
  Added:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA
  Removed:
  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
  + HARICA Client ECC Root CA 2021
  + HARICA Client RSA Root CA 2021
  + HARICA TLS ECC Root CA 2021
  + HARICA TLS RSA Root CA 2021
  + TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
  - NAVER Global Root Certification Authority
- Removed old root CA:
  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
cifs-utils
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
  (bsc#1198976, CVE-2022-29869)
  * add cifs-utils-CVE-2022-29869.patch
cloud-regionsrv-client
- Follow up fix to 10.0.4 (bsc#1202706)
  - While the source code was updated to support SLE Micro the spec file
    was not updated for the new locations of the cache and the certs.
    Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
  - Handle exception when trying to deregister a system form the server
- Update to version 10.0.4 (bsc#1199668)
  - Store the update server certs in the /etc path instead of /usr to
    accomodate read only setup of SLE-Micro
cups
- cups-branch-2.2-commit-3e4dd41459dabc5d18edbe06eb5b81291885204b.diff
  is 'git show 3e4dd41459dabc5d18edbe06eb5b81291885204b' for
  https://github.com/apple/cups/commit/3e4dd41459dabc5d18edbe06eb5b81291885204b
  (except the not needed hunk for patching CHANGES.md which fails)
  that fixes handling of MaxJobTime 0 (Issue #5438) in the CUPS 2.2 branch
  bsc#1201511:
  Stuck print jobs being cancelled immediately, despite MaxJobTime being set to 0
curl
- Security Fix: [bsc#1204383, CVE-2022-32221]
  * POST following PUT confusion
  * Add curl-CVE-2022-32221.patch
- Security fix: [bsc#1202593, CVE-2022-35252]
  * Control codes in cookie denial of service
  * Add curl-CVE-2022-35252.patch
cyrus-sasl
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
cyrus-sasl-saslauthd
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
dbus-1
- Fix a potential crash that could be triggered by an invalid signature.
  (CVE-2022-42010, bsc#1204111)
  * fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
  bsc#1204112)
  * fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption CVE-2022-42012,
  bsc#1204113)
  * fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
  * fix-upstream-CVE-2020-35512.patch
docker
- Backport <https://github.com/containerd/fifo/pull/32> to fix a crash-on-start
  issue with dockerd. bsc#1200022
  + 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
dracut
- Update to version 049.1+suse.238.gd8dbb075:
  * fix(nfs): /var is not mounted during the transactional-update run (bsc#1184970)
  * fix(nfs): give /run/rpcbind ownership to rpc user (bsc#1177461)
expat
- Security fix:
  * (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
    destruction of a shared DTD in XML_ExternalEntityParserCreate in
    out-of-memory situations
  - Added patch expat-CVE-2022-43680.patch
- Security fix:
  * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
    function in xmlparse.c
  - Added patch expat-CVE-2022-40674.patch
freetype2
- disable brotli linkage / WOFF2 support for now to keep dependencies
  as before.
- Added patches:
  * CVE-2022-27404.patch
    + fixes bsc#1198830, CVE-2022-27404: Buffer Overflow
  * CVE-2022-27405.patch
    + fixes bsc#1198832, CVE-2022-27405: Segmentation Fault
  * CVE-2022-27406.patch
    + fixes bsc#1198823, CVE-2022-27406: Segmentation violation
- Update to version 2.10.4
  * Fix a heap buffer overflow has been found  in the handling of
    embedded PNG bitmaps, introduced in FreeType version 2.6
    (CVE-2020-15999 bsc#1177914)
  * Minor improvements to the B/W rasterizer.
  * Auto-hinter support for Medefaidrin script.
  * Fix various  memory leaks (mainly  for CFF) and other  issues that
    might cause crashes in rare circumstances.
- Update to version 2.10.2
  * Support for WOFF2 fonts, add BR on pkgconfig(libbrotlidec)
  * Function `FT_Get_Var_Axis_Flags' returned random data for Type 1
    MM fonts.
  * Type 1 fonts with non-integer metrics are now supported by the new
    (CFF) engine introduced in FreeType 2.9.
  * Drop support for Python 2 in Freetype's API reference generator
  * Auto-hinter support for Hanifi Rohingya
  * Document the `FT2_KEEP_ALIVE' debugging environment variable.
gnutls
- Security fix: [bsc#1202020, CVE-2022-2509]
  * Fixed double free during verification of pkcs7 signatures
  * Add gnutls-CVE-2022-2509.patch
google-guest-agent
- Update to version 20220713.00 (bsc#1202100, bsc#1202101)
  * try restoring module mode (#172)
  * update for golang 1.16 (#171)
- from version 20220614.00
  * Remove log that can break startup scripts (#170)
- from version 20220603.00
  * repeat fix for arm (#169)
  * no authorized keys on debian (#168)
- from version 20220527.00
  * Add authorized keys command to the Windows agent package. (#167)
  * Support for Windows SSH (#164)
- from version 20220523.00
  * restore double slash metadata url (#166)
- from version 20220520.00
  * Support .exe as an option for scripts and refactor runScript (#165)
- Update to version 20220429.00
  * Move some functionality to a utils module (#162)
- Update to version 20220412.00
  * enable goproxy during build (#163)
- from version 20220321.00
  * enable routes for ipv6 (#160)
google-guest-oslogin
- Update to version 20220721.00 (bsc#1202100, bsc#1202101)
  * prune outdated info from readme (#86)
- from version 20220714.00
  * strip json-c version symbol (#84)
- from version 20220622.00
  * pam login: split conditions for logging (#83)
- use pam_moduledir (boo#1191036)
  * Support UsrMerge project
- Update to version 20220411.00
  * pam login: split conditions for logging (#83)
google-osconfig-agent
- Use install command in %post section to create state file (bsc#1202826)
- Remove useless creation of state file directory in /var/lib
- avoid bashim in post install scripts (bsc#1195391)
- Update to version 20220801.00 (bsc#1202100, bsc#1202101)
  * update OWNERS (#438)
  * Close client when RegisterAgent fails. (#436)
- from version 20220714.00
  * Add timeouts for pip/gem updates. (#433)
- from version 20220623.00
  * upgrade to golang 1.16 and override deb build settings for compatibility (#432)
- from version 20220606.00
  * new example policy to ensure sshd is running on windows VMs (#430)
- from version 20220531.00
  * Add default timeout for pip and gem list commands (#429)
- Don't restart daemon on package upgrade, create a state file instead (bsc#1194319)
- Update to version 20220314.01
  * Support COS on arm64 (#426)
- from version 20220314.00
  * Fix previous PR: exec.CommandContext cannot be reused (#425)
- from version 20220304.00
  * Update the error message when an exec task is run on Windows
    without an interpreter (#423)
  * Fix string that apt-get returns when requiring downgrade (#422)
  * e2e_tests: fix patch test rerun (#421)
  * Add --allow-downgrades flag to apt-get calls when it
    fails because of wanting to downgrade a package (#418)
  * Create e2e test that runs apt-get in a state that makes
    it downgrade a package (#420)
  * e2e_tests: update OS targets, adjust retries (#419)
  * Create change_group.yaml (#416)
- from version 20220215.00
  * Add regex support to package exclusion in OS Patch (#415)
gpg2
- Security fix [CVE-2022-34903, bsc#1201225]
  - Vulnerable to status injection
  - Added patch gnupg-CVE-2022-34903.patch
icu
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
  from upstream, use LocalMemory for cmd to prevent use after free
  (bsc#1193951 CVE-2020-21913).
iputils
- Add fix for ICMP datagram socket ping6-Fix-device-binding.patch
  (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927).
kernel-default
- wifi: cfg80211: avoid nontransmitted BSS list corruption
  (CVE-2022-42721 bsc#1204060).
- commit ad43041
- wifi: mac80211: fix MBSSID parsing use-after-free
  (CVE-2022-42719 bsc#1204051).
- commit 561b313
- wifi: mac80211: refactor elements parsing with parameter struct
  (CVE-2022-42719 bsc#1204051).
- commit 7b3171e
- mac80211: fix memory leaks with element parsing (CVE-2022-42719
  bsc#1204051).
- mac80211: always allocate struct ieee802_11_elems
  (CVE-2022-42719 bsc#1204051).
- commit 1d0e42c
- wifi: cfg80211: fix BSS refcounting bugs (CVE-2022-42720
  bsc#1204059).
- cfg80211: hold bss_lock while updating nontrans_list
  (CVE-2022-42719 bsc#1204051).
- mac80211: mlme: find auth challenge directly (CVE-2022-42719
  bsc#1204051).
- mac80211: move CRC into struct ieee802_11_elems (CVE-2022-42719
  bsc#1204051).
- mac80211: don't re-parse elems in ieee80211_assoc_success()
  (CVE-2022-42719 bsc#1204051).
- commit 36cb3f6
- Add CVE reference on lightnvm removal patch
  modified:
  - patches.drivers/lightnvm-remove-lightnvm-implemenation.patch
- commit 6251214
- Guard out the mana driver update
  The patches were not ready yet, I accidentally picked them up too
  early. Guard them out until they have been properly backported.
  Note: this means that despite what the changelog suggests,
  jsc#PED-529 is NOT implemented yet.
- commit 4de885b
- char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
  (CVE-2022-41848 bsc#1203987).
- commit c6f643b
- fbdev: smscufx: Fix use-after-free in ufx_ops_open()
  (CVE-2022-41849 bsc#1203992).
- commit 1b1c9cc
- net: mana: Add support of XDP_REDIRECT action (bug#1201310, jsc#PED-529).
- commit d4f48f2
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit 8429558
- wifi: cfg80211: ensure length byte is present before access
  (CVE-2022-41674 bsc#1203770).
- wifi: cfg80211/mac80211: reject bad MBSSID elements
  (CVE-2022-41674 bsc#1203770).
- wifi: cfg80211: fix u8 overflow in
  cfg80211_update_notlisted_nontrans() (CVE-2022-41674
  bsc#1203770).
- commit a878ee7
- mm/mremap: hold the rmap lock in write mode when moving page
  table entries (CVE-2022-41222 bsc#1203622).
- commit 07909f0
- ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (CVE-2022-3303
  bsc#1203769).
- commit aa1dc74
- Move upstreamed patches into sorted section
- commit 8fc0f8a
- media: dvb-core: Fix UAF due to refcount races at releasing
  (CVE-2022-41218 bsc#1202960).
- commit 260d985
- media: em28xx: initialize refcount before kref_get
  (CVE-2022-3239 bsc#1203552).
- commit b9d53ba
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
  bsc#1202677).
- commit cb91fc5
- x86/bugs: Reenable retbleed=off
  While for older kernels the return thunks are statically built in and
  cannot be dynamically patched out, retbleed=off should still work so
  that it can be disabled.
- Update
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- Update patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- commit eb85c2d
- Update references:
  - patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
  - patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch
  - patches.suse/tcp-add-small-random-increments-to-the-source-port.patch
  - patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
  - patches.suse/tcp-dynamically-allocate-the-perturb-table-used-by-s.patch
  - patches.suse/tcp-increase-source-port-perturb-table-to-2-16.patch
  - patches.suse/tcp-resalt-the-secret-every-10-seconds.patch
  - patches.suse/tcp-use-different-parts-of-the-port_offset-for-index.patch
  (add CVE-2022-32296 bsc#1200288)
- commit d9e9e6c
- mmc: block: fix read single on recovery logic (CVE-2022-20008
  bsc#1199564).
- commit de3f02b
- dccp: don't duplicate ccid when cloning dccp sock
  (CVE-2020-16119 bsc#1177471).
- commit 7c77568
- netfilter: nf_tables: do not allow RULE_ID to refer to another
  chain (CVE-2022-2586 bsc#1202095).
- netfilter: nf_tables: do not allow SET_ID to refer to another
  table (CVE-2022-2586 bsc#1202095).
- commit 9335568
- mm: pagewalk: Fix race between unmap and page walker (git-fixes,
  bsc#1203159).
- commit 173564a
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
  (CVE-2022-39188, bsc#1203107).
- commit 84aac57
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
  (CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
  bsc#1202097).
- commit a949534
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
  (git-fixes, bsc#1203098).
  kABI: Fix kABI after "/mm/rmap: Fix anon_vma->degree ambiguity
  leading to double-reuse"/ (git-fixes, bsc#1203098).
- commit cfac9ee
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
  "/find -xtype l"/ will report them, so use that to make the search a bit
  faster (without using shell).
- commit 13bbc51
- mkspec: eliminate @NOSOURCE@ macro
  This should be alsways used with @SOURCES@, just include the content
  there.
- commit 403d89f
- kernel-source: include the kernel signature file
  We assume that the upstream tarball is used for released kernels.
  Then we can also include the signature file and keyring in the
  kernel-source src.rpm.
  Because of mkspec code limitation exclude the signature and keyring from
  binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
  Same as other kernel binary packages there is no need to carry duplicate
  sources in dtb packages.
- commit 1bd288c
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
  CVE-2022-3028).
- commit 50479c7
- Update patch reference for USB gadget fix (CVE-2020-27784 bsc#1202895)
- commit 8033d12
- xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like
  fallocate (bsc#1194272 CVE-2021-4155).
- commit 049d5e6
- bpf: Don't use tnum_range on array range checking for poke
  descriptors (bsc#1202564 bsc#1202860 CVE-2022-2905).
- commit c59b8fc
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
  bsc#1202672).
- commit b71aab0
- cifs: fix uninitialized pointer in error case in
  dfs_cache_get_tgt_share (bsc#1188944).
- commit 6366996
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- commit 6e6a2e7
- fuse: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit 53bc420
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
  (bsc#1194535 CVE-2021-4203).
- commit 603bd9d
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
  (CVE-2022-2588 bsc#1202096).
- commit b08a235
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
  ZDI-CAN-17325).
- commit 1b534db
- ext4: Fix check for block being out of directory size
  (bsc#1198577 CVE-2022-1184).
- commit e41d129
- ext4: make sure ext4_append() always allocates new block
  (bsc#1198577 CVE-2022-1184).
- commit 5c3a0a2
- ext4: check if directory block is within i_size (bsc#1198577
  CVE-2022-1184).
- commit d289dcd
- Update config files (bsc#1201361 bsc#1192968 https://github.com/rear/rear/issues/2554).
  ppc64: NVRAM=y
- commit dc3f9b9
- Refresh
  patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Updated
  patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
  Add missing objtool annotations from upstream commits and update the latter
  patch to fix bsc#1202396.
- commit 377da7c
- objtool: Add support for intra-function calls (bsc#1202396).
- commit a72253f
- objtool: Remove INSN_STACK (bsc#1202396).
- commit c38cd13
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 493d9e5
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 8697c43
- objtool: Support multiple stack_op per instruction
  (bsc#1202396).
- Refresh
  patches.suse/objtool-allow-no-op-cfi-ops-in-alternatives.patch.
- Refresh
  patches.suse/objtool-fix-cfi-insn_state-propagation.patch.
- Refresh patches.suse/objtool-fix-orc-vs-alternatives.patch.
- Refresh patches.suse/objtool-rename-struct-cfi_state.patch.
- commit db13a33
- kabi: return type change of secure_ipv_port_ephemeral()
  (CVE-2022-1012 bsc#1199482).
- tcp: drop the hash_32() part from the index calculation
  (CVE-2022-1012 bsc#1199482).
- tcp: increase source port perturb table to 2^16 (CVE-2022-1012
  bsc#1199482).
- tcp: dynamically allocate the perturb table used by source ports
  (CVE-2022-1012 bsc#1199482).
- tcp: add small random increments to the source port
  (CVE-2022-1012 bsc#1199482).
- tcp: resalt the secret every 10 seconds (CVE-2022-1012
  bsc#1199482).
- tcp: use different parts of the port_offset for index and offset
  (CVE-2022-1012 bsc#1199482).
- secure_seq: use the 64 bits of the siphash for port offset
  calculation (CVE-2022-1012 bsc#1199482).
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
- tcp: change source port randomizarion at connect() time
  (bsc#1180153).
- commit 11d737c
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
  We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
  The type test and print line are the same for both cases. The usrmerged
  case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
  in xfrm_bundle_lookup() (CVE-2022-36879 bsc#1201948).
- commit 97b83f0
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
  (CVE-2022-20368 bsc#1202346).
- commit e8bbbca
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
  across ioctls (bsc#1202347 CVE-2022-20369).
- commit 36d8575
- md/bitmap: don't set sb values if can't pass sanity check
  (bsc#1197158).
- commit 5acc079
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
  CVE-2022-26373).
- commit 470f698
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
  CVE-2022-26373).
- commit 93929be
- acpi: Disable APEI error injection if the kernel is locked down
  (bsc#1023051, CVE-2016-3695).
- commit 80750a7
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
  (bsc#1201726 CVE-2022-26373).
- commit 29edec0
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
  bsc#1202154).
- commit bfc6551
- ipv4: avoid using shared IP generator for connected sockets
  (CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
  bsc#1196616).
- commit 6c53c05
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- netfilter: nf_queue: do not allow packet truncation below
  transport header offset (bsc#1201940 CVE-2022-36946).
- commit f4f33cd
- KVM: emulate: do not adjust size of fastop and setcc subroutines
  (bsc#1201930).
- commit c66c17b
- kvm/emulate: Fix SETcc emulation function offsets with SLS
  (bsc#1201930).
- Refresh
  patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- commit 46a6214
- Refresh
  patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch.
- commit f2664df
- Update
  patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch
  references (add CVE-2022-32250).
- commit 8871b3f
- net/sched: cls_u32: fix netns refcount changes in u32_change()
  (CVE-2022-29581 bsc#1199665).
- commit e1d6992
- fsnotify: invalidate dcache before IN_DELETE event
  (bsc#1195478i bsc#1200905).
- commit 7cf8b1d
- kABI workaround for including mm.h in fs/sysfs/file.c
  (bsc#1200598 cve-2022-20166).
- commit 29d7d8a
- Update patches.suse/vt-vt_ioctl-fix-race-in-VT_RESIZEX.patch
  (git-fixes bsc#1200910 CVE-2020-36558).
  Add references.
- commit d84e9d7
- Fix 1201644, 1201664, 1201672, 1201673, 1201676
  All are reports of the same problem - the IBRS_* regs push/popping was
  wrong but it needs
  1b331eeea7b8 ("/x86/entry: Remove skip_r11rcx"/)
  too.
- commit 161f935
- Update
  patches.suse/vt-vt_ioctl-fix-VT_DISALLOCATE-freeing-in-use-virtua.patch
  (git-fixes bsc#1201429 CVE-2020-36557).
  Add references.
- commit 76ab189
- lockdown: Fix kexec lockdown bypass with ima policy
  (CVE-2022-21505 bsc#1201458).
- commit 5806b46
- x86/entry: Remove skip_r11rcx (bsc#1201644).
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- commit 2479e4a
- x86/bugs: Remove apostrophe typo (bsc#1114648).
- commit 783ffdb
- Sort in RETbleed backport into the sorted section
  Now that it is upstream...
- Refresh
  patches.suse/KVM-VMX-Convert-launched-argument-to-flags.patch.
- Refresh
  patches.suse/KVM-VMX-Fix-IBRS-handling-after-vmexit.patch.
- Refresh patches.suse/KVM-VMX-Flatten-__vmx_vcpu_run.patch.
- Refresh
  patches.suse/KVM-VMX-Prevent-RSB-underflow-before-vmenter.patch.
- Refresh
  patches.suse/KVM-VMX-Prevent-guest-RSB-poisoning-attacks-with-eIBRS.patch.
- Refresh
  patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
  patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
  patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh patches.suse/x86-Add-magic-AMD-return-thunk.patch.
- Refresh patches.suse/x86-Undo-return-thunk-damage.patch.
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- Refresh patches.suse/x86-bpf-Use-alternative-RET-encoding.patch.
- Refresh
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Add-retbleed-ibpb.patch.
- Refresh
  patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch.
- Refresh
  patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-not-supp.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- Refresh
  patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
  patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch.
- Refresh
  patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
  patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch.
- Refresh
  patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch.
- Refresh patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch.
- Refresh
  patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch.
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
  patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- Refresh patches.suse/x86-retpoline-Use-mfunction-return.patch.
- Refresh
  patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch.
- Refresh
  patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
  patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
  patches.suse/x86-speculation-Fill-RSB-on-vmexit-for-IBRS.patch.
- Refresh
  patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch.
- Refresh
  patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch.
- Refresh
  patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch.
- Refresh
  patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
  patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
  patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- Refresh
  patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch.
- Refresh patches.suse/x86-xen-Rename-SYS-entry-points.patch.
- commit 43fbd8f
- Refresh
  patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-not-supp.patch.
- commit 648f79b
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
  sysfs_emit (bsc#1200598 cve-2022-20166).
- commit 6f05f26
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
  cve-2022-20166).
- commit 6ff7ebb
- drivers core: Remove strcat uses around sysfs_emit and neaten
  (bsc#1200598 cve-2022-20166).
- commit 4cafd1f
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit bcf7213
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
  * ...) functions (bsc#1200598 cve-2022-20166).
- commit 747b6a7
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
  (bsc#1200598 cve-2022-20166).
- commit 4aaf7f0
- fbmem: Check virtual screen sizes in fb_set_var()
  (CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
  (CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
  (CVE-2021-33655 bsc#1201635).
- commit a7693d8
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
  Dwarves 1.22 or newer is required to build kernels with BTF information
  embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
  (bsc#1198829 CVE-2022-1462).
- commit ce8f318
- tty: use new tty_insert_flip_string_and_push_buffer() in
  pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
  tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit cbf8ad3
- io_uring: fix fs->users overflow  (CVE-2022-1116, bsc#1199647).
- commit e8dfed6
- net: rose: fix UAF bugs caused by timer handler (CVE-2022-2318
  bsc#1201251).
- commit 84c7e09
- xen/netfront: force data bouncing when backend is untrusted
  (bsc#1200762, CVE-2022-33741, XSA-403).
- commit 7daee4f
- xen/netfront: fix leaking data in shared pages (bsc#1200762,
  CVE-2022-33740, XSA-403).
- commit bfb8cc2
- xen/blkfront: force data bouncing when backend is untrusted
  (bsc#1200762, CVE-2022-33742, XSA-403).
- commit 9c6c1df
- xen/blkfront: fix leaking data in shared pages (bsc#1200762,
  CVE-2022-26365, XSA-403).
- commit 7095954
- Add dtb-starfive
- commit 85335b1
- dma: kABI: Add back removed exports (bsc#1196472 ltc#192278).
- commit bddf636
- powerpc: dma: kABI workaround for moving around dma_bypass bit
  (bsc#1196472 ltc#192278).
- commit bd1c9b6
- dma-mapping: move the remaining DMA API calls out of line
  (bsc#1196472 ltc#192278).
- commit 504fce8
- powerpc/pseries/iommu: Update call to ibm, query-pe-dma-windows
  (bsc#1196472 ltc#192278).
- powerpc/pseries/iommu: Create defines for operations in ibm,
  ddw-applicable (bsc#1196472 ltc#192278).
- commit cde6266
- powerpc/pseries/iommu: Fix window size for direct mapping with
  pmem (bsc#1196472 ltc#192278).
- powerpc/dma: Fallback to dma_ops when persistent memory present
  (bsc#1196472 ltc#192278).
  Update config files.
- dma-mapping: Allow mixing bypass and mapped DMA operation
  (bsc#1196472 ltc#192278).
- dma-direct: Fix potential NULL pointer dereference (bsc#1196472
  ltc#192278).
- commit c5ebdbd
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
  Upstream c6x architecture removal left a dangling link behind which
  triggers openSUSE post-build check in kernel-source, failing
  kernel-source build.
  A fix deleting the danglink link has been submitted but it did not make
  it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
  utility does not handle symlink removal. Add a temporary band-aid which
  deletes all dangling symlinks after unpacking the kernel source tarball.
  [jslaby] It's not that temporary as we are dragging this for quite some
  time in master. The reason is that this can happen any time again, so
  let's have this in packaging instead.
- commit 52a1ad7
- powerpc: use the generic dma_ops_bypass mode (bsc#1196472 ltc#192278).
- Refresh patches.suse/powerpc-dma-Fix-dma_map_ops-get_required_mask.patch
- Update config files.
- commit 865c59d
- dma-mapping: add a dma_ops_bypass flag to struct device (bsc#1196472 ltc#192278).
- Refresh patches.suse/0003-kabi-Add-placeholders-to-a-couple-of-important-struc.patch.
- blacklist.conf: Remove f1565c24b596 powerpc: use the generic dma_ops_bypass mode
- commit 9b4bd0f
libassuan
- update to 2.5.5:
  * Fix a crash in the logging code
  * Upgrade autoconf
- update to 2.5.4:
  * Fix some minor build annoyances
- Update to 2.5.3:
  * Add a timeout for writing to a SOCKS5 proxy.
  * Add workaround for a problem with LD_LIBRARY_PATH on newer systems.
- qemu-disable-fdpassing-test.patch: remove
-Update to 2.5.2:
  * configure.ac: Bump LT version to C8/A8/R2
  * include libassuan.pc in the spec file
libksba
- Security fix: [bsc#1204357, CVE-2022-3515]
  * Detect a possible overflow directly in the TLV parser.
  * Add libksba-CVE-2022-3515.patch
libtasn1
- Add libtasn1-CVE-2021-46848.patch: Fixed off-by-one array size check
  that affects asn1_encode_simple_der (CVE-2021-46848, bsc#1204690).
libtirpc
- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of
  connections (bsc#1201680)
  - backport 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- exclude ipv6 addresses in client protocol 2 code (bsc#1200800)
  - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- fix memory leak in params.r_addr assignement (bsc#1198752)
  - add 0001-fix-parms.r_addr-memory-leak.patch
libxml2
- Security fixes:
  * [CVE-2022-40303, bsc#1204366] Fix integer overflows with
    XML_PARSE_HUGE
    + Added patch libxml2-CVE-2022-40303.patch
  * [CVE-2022-40304, bsc#1204367] Fix dict corruption caused by
    entity reference cycles
    + Added patch libxml2-CVE-2022-40304.patch
- Security fix: [bsc#1201978, CVE-2016-3709]
  * Cross-site scripting vulnerability after commit 960f0e2
  * Add libxml2-CVE-2016-3709.patch
libyajl
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
libzypp
- Resolver: Fix missing --[no]-recommends initialization in
  update (fixes #openSUSE/zypper#459, bsc#1201972)
- Log ONLY_NAMESPACE_RECOMMENDED because this is what corresponds
  to --[no]-recommends.
- version 17.31.2 (22)
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
  (fixes #402)
- Log backtrace on SIGABRT too.
- Need to explicitly enable building experimental code. Otherwise
  an old Notcurses++ package which happens to be present in the
  buildenv breaks the build (fixes #412).
- Work around libyui/libyui#78 on code 15.4 and older.
- Stop using std::*ary_function; deprecated and removed in c++17.
- Don't expose header files which use types not available in
  c++11.  In 15.3 and older, YAST and PK compile with -std=c++11.
- Remove no longer needed %post code (bsc#1203649)
- Enable zck support for SLE15-SP4 and newer. On Leap it is enabled
  since 15.1 (bsc#1189282)
- version 17.31.1 (22)
- Add PoolItem::statusReinit to reset the status it's initial
  state in the ResPool (might help bsc#1199895)
  This may either be 'KEEP_STATE bySOLVER' or 'LOCKED byUSER' if
  the PoolItem matched a hard lock defined in /etc/zypp/locks.
- Fix building with GCC 13 on i586 (fixes #407, fixes #396)
- Be prepared to receive exceptions from curl_easy_cleanup
  (bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and dependend code.
  This commit removes the MediaNetwork tech preview and all related
  code. First reason for this is that MediaNetwork was just meant
  as a way to test the new CURL based downloader and second: since
  the Provide API is going to completely replace the current media
  backend it would be extra work to ensure that changes on the
  Downloader do not break MediaNetwork.
- version 17.31.0 (22)
- Fix building with GCC 12.x release (#396)
- version 17.30.3 (22)
- appdata plugin: Pass path to the repodata/ directory inside the
  cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending
  endOfScriptTag.
- version 17.30.2 (22)
- PluginRepoverification: initial version hooked into
  repo::Downloader and repo refresh.
- Immediately start monitoring the download.transfer_timeout.
  Do not wait until the first data arrived. (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only.
- Work around cases where sat repo.start points to an invalid
  solvable.  May happen if (wrong arch) solvables were removed
  at the  beginning of the repo.
- fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER
  (fixes #388)
- version 17.30.1 (22)
logrotate
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
  * enforce stricter parsing to avoid CVE-2021-3864
  * Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "/logrotate emits unintended warning: keyword size not properly
  separated, found 0x3d"/ (bsc#1200278, bsc#1200802):
  * Added patch logrotate-dont_warn_on_size=_syntax.patch
mozilla-nspr
- update to version 4.34.1
  * add file descriptor sanity checks in the NSPR poll function.
- update to version 4.34
  * add an API that returns a preferred loopback IP on hosts that
    have two IP stacks available.
- update to 4.33:
  * fixes to build system and export of private symbols
mozilla-nss
- Require libjitter only for SLE15-SP4 and greater
- update to NSS 3.79.2 (bsc#1204729)
  * bmo#1785846 - Bump minimum NSPR version to 4.34.1.
  * bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- Add nss-allow-slow-tests.patch, which allows a timed test to run
  longer than 1s. This avoids turning slow builds into broken
  builds.
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
  DSA keys (verification only) (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to add
  sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
  longer symmetric keys via the service level indicator
  (bsc#1191546).
- Update nss-fips-constructor-self-tests.patch to hopefully export
  sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to prevent sessions
  from getting flagged as non-FIPS (bsc#1191546).
- Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- Enable nss-fips-drbg-libjitter.patch now that we have a patched
  libjitter to build with (bsc#1202870).
- Update nss-fips-approved-crypto-non-ec.patch to prevent keys
  from getting flagged as non-FIPS and add remaining TLS mechanisms.
- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for
  entropy. This is disabled until we can avoid the inline assembler
  in the latter's header file that relies on GNU extensions.
- Update nss-fips-constructor-self-tests.patch to fix an abort()
  when both NSS_FIPS and /proc FIPS mode are enabled.
- update to NSS 3.79.1 (bsc#1202645)
  * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1759794 - protect SFTKSlot needLogin with slotLock.
  * bmo#1760998 - avoid data race on primary password change.
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
  rest of the DSA ciphers, keeping signature verification only
  (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
  warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
  integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
  as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
  disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
  the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
  we removed the code to short-circuit broken hashes and moved to
  using the SLI.
- Remove upstreamed patches:
  * nss-fips-version-indicators.patch
  * nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
  - bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  - bmo#1766907 - Update mercurial in clang-format docker image.
  - bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
  - bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  - bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
  - bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
  - bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
  - bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
  - bmo#1764788 - Correct invalid record inner and outer content type alerts.
  - bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
  - bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
  - bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
  - bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
  * bmo#1767590 - Initialize pointers passed to
    NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
    bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
    bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
    bmo#1763120 - Add ECH Grease Support to tstclnt
    bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
    bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
    bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
    bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
  * Bug 1762244 - resolve mpitests build failure on Windows.
  * bmo#1761779 - Fix link to TLS page on wireshark wiki
  * bmo#1754890 - Add two D-TRUST 2020 root certificates.
  * bmo#1751298 - Add Telia Root CA v2 root certificate.
  * bmo#1751305 - Remove expired explicitly distrusted certificates
    from certdata.txt.
  * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
  * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  * bmo#1756271 - Remove token member from NSSSlot struct.
  * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
  * bmo#1757279 - Support UTF-8 library path in the module spec string.
  * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  * bmo#1760827 - Add a CI Target for gcc-11.
  * bmo#1760828 - Change to makefiles for gcc-4.8.
  * bmo#1741688 - Update googletest to 1.11.0
  * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
  * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
  * bmo#1755904 - Fix calculation of ECH HRR Transcript.
  * bmo#1758741 - Allow ld path to be set as environment variable.
  * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
  * bmo#1758478 - Fix DataBuffer Move Assignment.
  * bmo#1552254 - internal_error alert on Certificate Request with
    sha1+ecdsa in TLS 1.3
  * bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
  NSS 3.76.1
  * bmo#1756271 - Remove token member from NSSSlot struct.
  NSS 3.76
  * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
    nssTrustDomain_GetActiveSlots.
  * bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
  * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
  * bmo#1679803 - Add SHA256 fingerprint comments to old
    certdata.txt entries.
  * bmo#1753505 - Avoid truncating files in nss-release-helper.py.
  * bmo#1751157 - Throw illegal_parameter alert for illegal extensions
    in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
  * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
    extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
    by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
    only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.
  * bmo#1677181 - Client side ECH padding.
  * bmo#1725938 - Stricter ClientHelloInner Decompression.
  * bmo#1725938 - Remove ECH_inner extension, use new enum format.
  * bmo#1725938 - Update the version number for ECH-13 and adjust
    the ECHConfig size.
- update to NSS 3.74
  * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
    OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
    certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
    CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
  * Add SHA-2 support to mozilla::pkix's OSCP implementation
- update to NSS 3.73
  * bmo#1735028 - check for missing signedData field.
  * bmo#1737470 - Ensure DER encoded signatures are within size limits.
  * bmo#1729550 - NSS needs FiPS 140-3 version indicators.
  * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
  * bmo#1738600 - sunset Coverity from NSS
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
  * Remove newline at the end of coreconf.dep
  * bmo#1731911 - Fix nsinstall parallel failure.
  * bmo#1729930 - Increase KDF cache size to mitigate perf
    regression in about:logins
- update to NSS 3.71
  * bmo#1717716 - Set nssckbi version number to 2.52.
  * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
  * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
  * bmo#1717707 - Add HARICA Client ECC Root CA 2021.
  * bmo#1717707 - Add HARICA Client RSA Root CA 2021.
  * bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
  * bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
  * bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
  * bmo#1726022 - Update test case to verify fix.
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
  * bmo#1681975 - Avoid using a lookup table in nssb64d.
  * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
  * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
  * bmo#1726022 - Cache additional PBE entries.
  * bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
    on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
    components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
    environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
    nss failures.
    (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
    details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Mozilla NSS 3.68.4 (bsc#1200027)
  * Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
    (bmo#1767590)
- Update nss-fips-constructor-self-tests.patch to scan
  LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
  Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
  disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
  PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
  test certificate creation and disables the library checksum
  validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
  checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
  makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
  from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
  unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
  of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
  This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
  Most of the relevant changes are already upstream since NSS 3.60.
ncurses
- Add patch ncurses-bnc1198627.patch
  * Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
openldap2
- bsc#1198341 - Prevent memory reuse which may lead to instability
  * 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
openssl-1_1
- Added openssl-1_1-paramgen-default_to_rfc7919.patch
  * bsc#1180995
  * Default to RFC7919 groups when generating ECDH parameters
    using 'genpkey' or 'dhparam' in FIPS mode.
- Fix memory leaks introduced by openssl-1.1.1-fips.patch [bsc#1203046]
  * Add patch openssl-1.1.1-fips-fix-memory-leaks.patch
pam
- Update pam_motd to the most current version. This fixes various issues
  and adds support for mot.d directories [jsc#PED-1712].
  * Added: pam-ped1712-pam_motd-directory-feature.patch
pciutils
- Add "/pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch"/ and
  "/pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch"/ to fix
  LnkCap speed recognition in lspci for multi PCIe ports such as
  the ML110 Gen11. [bsc#1192862]
pcre2
- Added pcre2-bsc1199235-CVE-2022-1587.patch
  * CVE-2022-1587 / bsc#1199235
  * Fix out-of-bounds read due to bug in recursions
  * Sourced from:
  - https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0
- Added pcre2-Fix_crash_when_X_is_used_without_UTF_in_JIT.patch
  * CVE-2019-20454 / bsc#1164384
  * Fix crash when X is used in non-UTF mode on certain inputs.
  * Sourced from:
  - https://github.com/PCRE2Project/pcre2/commit/342c16ecd31bd12fc350ee31d2dcc041832ebb3f
  - https://github.com/PCRE2Project/pcre2/commit/e118e60a68f03f38dd2ff3d16ca2e2e0d800e1d9
permissions
  * Revert "/drop ping capabilities in favor of ICMP_PROTO sockets"/. Older
    SLE-15 versions don't properly support this feature yet (bsc#1204137)
- Update to version 20181225:
  * fix regression introduced by backport of security fix (bsc#1203911)
- Update to version 20181225:
  * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
- Update to version 20181225:
procps
- Add the patches
  * procps-3.3.17-library-bsc1181475.patch
  * procps-3.3.17-top-bsc1181475.patch
  which are backports of current newlib tree to solve bug bsc#1181475
  * 'free' command reports misleading "/used"/ value
python-M2Crypto
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
  bsc#1178829), which mitigates the Bleichenbacher timing attacks
  in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
python-lxml
- add CVE-2022-2309.patch (bsc#1201253, CVE-2022-2309)
python-psutil
- Add patch mem-used-bsc1181475.patch (bsc#1181475)
  * Adopt change of used memory calculation from upstream of procps
python-py
- Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972)
- Drop CVE-2020-29651.patch, issue fixed upstream in 1.10.0
- Update to 1.10.0
  * Fix a regular expression DoS vulnerability in the py.path.svnwc
    SVN blame functionality (CVE-2020-29651)
- Devendor apipkg and iniconfig
- Add pr_222.patch to activate test suite
- Update to 1.9.0
  * Add type annotation stubs
python3
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
regionServiceClientConfigGCE
- Update to version 4.0.0 (bsc#1199668)
  + Move the cert location to /usr for compatibility with ro setup of
    SLE-Micro
  + Fix url in spec file to pint to the proper location of the source
release-notes-sles
- 15.2.20220614 (tracked in bsc#933411)
- Added note about schedutil (bsc#1176440)
- Added note about disabled RAID auto assembly (bsc#1192592)
rsync
- Add support for --trust-sender parameter (patch by Jie Gong in
  bsc#1202970). (related to CVE-2022-29154, bsc#1201840)
  * Added patch rsync-CVE-2022-29154-trust-sender-1.patch
  * Added patch rsync-CVE-2022-29154-trust-sender-2.patch
- Apply "/rsync-CVE-2022-29154.patch"/ to fix a security vulnerability
  in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
rsyslog
- - fix segfault in qDeqLinkedList during shutdown (bsc#1199283)
  * add 0001-queue-Add-NULL-check-in-qDeqLinkedList.patch
ruby2
- Update suse.patch to 41adc98ad1:
  - Cookie Prefix Spoofing in CGI::Cookie.parse (boo#1193081 CVE-2021-41819)
- add back some lost chunks to the suse.patch
runc
- Update to runc v1.1.4. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.4.
  * Fix mounting via wrong proc fd. When the user and mount namespaces are
    used, and the bind mount is followed by the cgroup mount in the spec,
    the cgroup was mounted using the bind mount's mount fd.
  * Switch kill() in libcontainer/nsenter to sane_kill().
  * Fix "/permission denied"/ error from runc run on noexec fs.
  * Fix failed exec after systemctl daemon-reload. Due to a regression
    in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
    was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
    (boo#1202821)
salt
- Handle non-UTF-8 bytes in core grains generation (bsc#1202165)
- Fix Syndic authentication errors (bsc#1199562)
- Add Amazon EC2 detection for virtual grains (bsc#1195624)
- Fix the regression in schedule module releasded in 3004 (bsc#1202631)
- Fix state.apply in test mode with file state module on user/group checking (bsc#1202167)
- Change the delimeters to prevent possible tracebacks on some packages with dpkg_lowpkg
- Make zypperpkg to retry if RPM lock is temporarily unavailable (bsc#1200596)
- Fix test_ipc unit test
- Added:
  * change-the-delimeters-to-prevent-possible-tracebacks.patch
  * fix-state.apply-in-test-mode-with-file-state-module-.patch
  * add-amazon-ec2-detection-for-virtual-grains-bsc-1195.patch
  * fix-test_ipc-unit-tests.patch
  * backport-syndic-auth-fixes.patch
  * retry-if-rpm-lock-is-temporarily-unavailable-547.patch
  * ignore-non-utf8-characters-while-reading-files-with-.patch
  * fix-the-regression-in-schedule-module-releasded-in-3.patch
- Add support for gpgautoimport in zypperpkg module
- Update Salt to work with Jinja >= and <= 3.1.0 (bsc#1198744)
- Fix salt.states.file.managed() for follow_symlinks=True and test=True (bsc#1199372)
- Make Salt 3004 compatible with pyzmq >= 23.0.0 (bsc#1201082)
- Add support for name, pkgs and diff_attr parameters to upgrade function for zypper and yum (bsc#1198489)
- Fix ownership of salt thin directory when using the Salt Bundle
- Set default target for pip from VENV_PIP_TARGET environment variable
- Normalize package names once with pkg.installed/removed using yum (bsc#1195895)
- Save log to logfile with docker.build
- Use Salt Bundle in dockermod
- Ignore erros on reading license files with dpkg_lowpkg (bsc#1197288)
- Added:
  * fix-62092-catch-zmq.error.zmqerror-to-set-hwm-for-zm.patch
  * fix-jinja2-contextfuntion-base-on-version-bsc-119874.patch
  * normalize-package-names-once-with-pkg.installed-remo.patch
  * add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
  * use-salt-bundle-in-dockermod.patch
  * add-support-for-gpgautoimport-539.patch
  * fix-ownership-of-salt-thin-directory-when-using-the-.patch
  * fix-salt.states.file.managed-for-follow_symlinks-tru.patch
  * ignore-erros-on-reading-license-files-with-dpkg_lowp.patch
  * set-default-target-for-pip-from-venv_pip_target-envi.patch
  * save-log-to-logfile-with-docker.build.patch
- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
samba
- CVE-2022-32742:SMB1 code does not correct verify SMB1write,
  SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
  (bsc#1201496).
sqlite3
- update to 3.39.3:
  * Use a statement journal on DML statement affecting two or more
    database rows if the statement makes use of a SQL functions
    that might abort.
  * Use a mutex to protect the PRAGMA temp_store_directory and
    PRAGMA data_store_directory statements, even though they are
    decremented and documented as not being threadsafe.
- update to 3.39.2:
  * Fix a performance regression in the query planner associated
    with rearranging the order of FROM clause terms in the
    presences of a LEFT JOIN.
  * Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
    1345947, forum post 3607259d3c, and other minor problems
    discovered by internal testing. [boo#1201783]
- update to 3.39.1:
  * Fix an incorrect result from a query that uses a view that
    contains a compound SELECT in which only one arm contains a
    RIGHT JOIN and where the view is not the first FROM clause term
    of the query that contains the view
  * Fix a long-standing problem with ALTER TABLE RENAME that can
    only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
    to a very small value.
  * Fix a long-standing problem in FTS3 that can only arise when
    compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
    option.
  * Fix the initial-prefix optimization for the REGEXP extension so
    that it works correctly even if the prefix contains characters
    that require a 3-byte UTF8 encoding.
  * Enhance the sqlite_stmt virtual table so that it buffers all of
    its output.
- update to 3.39.0:
  * Add (long overdue) support for RIGHT and FULL OUTER JOIN
  * Add new binary comparison operators IS NOT DISTINCT FROM and
    IS DISTINCT FROM that are equivalent to IS and IS NOT,
    respective, for compatibility with PostgreSQL and SQL standards
  * Add a new return code (value "/3"/) from the sqlite3_vtab_distinct()
    interface that indicates a query that has both DISTINCT and
    ORDER BY clauses
  * Added the sqlite3_db_name() interface
  * The unix os interface resolves all symbolic links in database
    filenames to create a canonical name for the database before
    the file is opened
  * Defer materializing views until the materialization is actually
    needed, thus avoiding unnecessary work if the materialization
    turns out to never be used
  * The HAVING clause of a SELECT statement is now allowed on any
    aggregate query, even queries that do not have a GROUP BY
    clause
  * Many microoptimizations collectively reduce CPU cycles by about
    2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
  related test failures on 32 bit
- update to 3.38.5:
  * Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
  * fix a byte-code problem in the Bloom filter pull-down
    optimization added by release 3.38.0 in which an error in the
    byte code causes the byte code engine to enter an infinite loop
    when the pull-down optimization encounters a NULL key
- update to 3.38.3:
  * Fix a case of the query planner be overly aggressive with
    optimizing automatic-index and Bloom-filter construction,
    using inappropriate ON clause terms to restrict the size of the
    automatic-index or Bloom filter, and resulting in missing rows
    in the output.
  * Other minor patches. See the timeline for details.
- update to 3.38.2:
  * Fix a problem with the Bloom filter optimization that might
    cause an incorrect answer when doing a LEFT JOIN with a WHERE
    clause constraint that says that one of the columns on the
    right table of the LEFT JOIN is NULL.
  * Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
  of SQLite (bsc#1195773).
- update to 3.38.1:
  * Fix problems with the new Bloom filter optimization that might
    cause some obscure queries to get an incorrect answer.
  * Fix the localtime modifier of the date and time functions so
    that it preserves fractional seconds.
  * Fix the sqlite_offset SQL function so that it works correctly
    even in corner cases such as when the argument is a virtual
    column or the column of a view.
  * Fix row value IN operator constraints on virtual tables so that
    they work correctly even if the virtual table implementation
    relies on bytecode to filter rows that do not satisfy the
    constraint.
  * Other minor fixes to assert() statements, test cases, and
    documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
  sqlite-src-3380100-atof1.patch
- update to 3.38.0
  * Add the -> and ->> operators for easier processing of JSON
  * The JSON functions are now built-ins
  * Enhancements to date and time functions
  * Rename the printf() SQL function to format() for better
    compatibility, with alias for backwards compatibility.
  * Add the sqlite3_error_offset() interface for helping localize
    an SQL error to a specific character in the input SQL text
  * Enhance the interface to virtual tables
  * CLI columnar output modes are enhanced to correctly handle tabs
    and newlines embedded in text, and add options like "/--wrap N"/,
    "/--wordwrap on"/, and "/--quote"/ to the columnar output modes.
  * Query planner enhancements using a Bloom filter to speed up
    large analytic queries, and a balanced merge tree to evaluate
    UNION or UNION ALL compound SELECT statements that have an
    ORDER BY clause.
  * The ALTER TABLE statement is changed to silently ignores
    entries in the sqlite_schema table that do not parse when
    PRAGMA writable_schema=ON
- update to 3.37.2:
  * Fix a bug introduced in version 3.35.0 (2021-03-12) that can
    cause database corruption if a SAVEPOINT is rolled back while
    in PRAGMA temp_store=MEMORY mode, and other changes are made,
    and then the outer transaction commits
  * Fix a long-standing problem with ON DELETE CASCADE and ON
    UPDATE CASCADE in which a cache of the bytecode used to
    implement the cascading change was not being reset following a
    local DDL change
- update to 3.37.1:
  * Fix a bug introduced by the UPSERT enhancements of version
    3.35.0 that can cause incorrect byte-code to be generated for
    some obscure but valid SQL, possibly resulting in a NULL-
    pointer dereference.
  * Fix an OOB read that can occur in FTS5 when reading corrupt
    database files.
  * Improved robustness of the --safe option in the CLI.
  * Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
  * STRICT tables provide a prescriptive style of data type
    management, for developers who prefer that kind of thing.
  * When adding columns that contain a CHECK constraint or a
    generated column containing a NOT NULL constraint, the
    ALTER TABLE ADD COLUMN now checks new constraints against
    preexisting rows in the database and will only proceed if no
    constraints are violated.
  * Added the PRAGMA table_list statement.
  * Add the .connection command, allowing the CLI to keep multiple
    database connections open at the same time.
  * Add the --safe command-line option that disables dot-commands
    and SQL statements that might cause side-effects that extend
    beyond the single database file named on the command-line.
  * CLI: Performance improvements when reading SQL statements that
    span many lines.
  * Added the sqlite3_autovacuum_pages() interface.
  * The sqlite3_deserialize() does not and has never worked
    for the TEMP database. That limitation is now noted in the
    documentation.
  * The query planner now omits ORDER BY clauses on subqueries and
    views if removing those clauses does not change the semantics
    of the query.
  * The generate_series table-valued function extension is modified
    so that the first parameter ("/START"/) is now required. This is
    done as a way to demonstrate how to write table-valued
    functions with required parameters. The legacy behavior is
    available using the -DZERO_ARGUMENT_GENERATE_SERIES
    compile-time option.
  * Added new sqlite3_changes64() and sqlite3_total_changes64()
    interfaces.
  * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
  * Use less memory to hold the database schema.
  * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
    extension when a column has no collating sequence.
sudo
- Added sudo-1-8-27-bsc1201462-ignore-no-sudohost.patch
  * Ignore entries when converting LDAP to sudoers. Prevents empty
    host list being treated as "/ALL"/ wildcard.
  * bsc#1201462
  * Sourced from https://www.sudo.ws/repos/sudo/rev/484d0d3b892e
sysconfig
- version 0.85.9
- spec: revert to recommend wicked-service on <= 15.4
- netconfig: remove sed dependency
- netconfig/dns-resolver: remove search limit of 6 domains (bsc#1199093)
- netconfig: cleanup /var/run leftovers (bsc#1194557)
- netconfig: update ntp man page documentation, fix typos
- spec: drop legacy migration (from sle11) and rpm-utils
- version 0.85.8
- netconfig: revert NM default policy change change (boo#1185882)
  With the change to the default policy, netconfig with NetworkManager
  as network.service accepted settings from all services/programs
  directly instead only from NetworkManager, where plugins/services
  have to deliver their settings to apply them.
- version 0.85.7
- spec: Drop hard dependency on /sbin/ifup
- spec: Suggest instead of recommend wicked-service
- spec: Mention that the .spec file is in git as well
- Also support service(network) provides
systemd
- Import commit 5183646e041a0ac78107bc4e5b06594e3a27657f
  8187a5e5f6 Allow control characters in environment variable values (bsc#1200170)
  da394cc0b0 test-env-util: Verify that r is disallowed in env var values
  da0120492d test-env-util: print function headers
  0702ce5b4e basic/env-util: Allow newlines in values of environment variables
  6fda9a8c7b udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
  52174bfc1a man: tweak description of auto/noauto (bsc#1191502)
  8a57b62f90 shared/install: ignore failures for auxiliary files
  86079f3522 systemctl: supress enable/disable messages when -q is given (#7067)
  aa4b7b7925 shared/install: fix error codes returned by install_context_apply()
  ce671cf6e3 shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
systemd-presets-common-SUSE
- enable ignition-delete-config by default (bsc#1199524)
- Modify branding-preset-states to fix systemd-presets-common-SUSE
  not enabling new user systemd service preset configuration just
  as it handles system service presets. By passing an (optional)
  second parameter "/user"/, the save/apply-changes commands now
  work with user services instead of system ones (boo#1200485)
- Add the wireplumber user service preset to enable it by default
  in SLE15-SP4 where it replaced pipewire-media-session, but keep
  pipewire-media-session preset so we don't have to branch the
  systemd-presets-common-SUSE package for SP4 (boo#1200485)
tar
- bsc1200657.patch was previously incomplete leading to deadlocks
  * bsc#1202436
  * bsc1200657.patch updated
- Fix race condition while creating intermediate subdirectories,
  bsc#1200657
  * bsc1200657.patch
telnet
- Fix CVE-2022-39028, NULL pointer dereference in telnetd
  (CVE-2022-39028, bsc#1203759)
  CVE-2022-39028.patch
timezone
- Update to reflect new Chile DST change, bsc#1202310
  * bsc1202310.patch
unzip
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
  to a local string (CVE-2022-0530, bsc#1196177)
  * CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
  * CVE-2022-0529.patch
util-linux
- su: Change owner and mode for pty (bsc#1200842,
  util-linux-login-move-generic-setting-to-ttyutils.patch,
  util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
util-linux-systemd
- su: Change owner and mode for pty (bsc#1200842,
  util-linux-login-move-generic-setting-to-ttyutils.patch,
  util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
vim
- Updated to version 9.0 with patch level 0313, fixes the following problems
  * Fixing bsc#1200884 Vim: Error on startup
  * Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent() Mon 13:32
  * Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address() Tue 08:37
  * Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg() Tue 08:37
  * Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
  * Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
  * Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
  * Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
  * Fixing bsc#1201620 PUBLIC SUSE Linux Enterprise Server 15 SP4 Basesystem zbalogh@suse.com NEW --- SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
  * Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
  * Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
  * Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
  * Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
  * Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
  * Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
  * Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
  * Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
  * Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
  * Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
  * Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
  * Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
  * Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
  * Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference skipwhite()
  * Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
  * Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
  * Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
  * Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
  * Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
  * Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
  * Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
  * Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
  * Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
  * Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
  * Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
  * Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
  * Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
  * Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
  * Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
  * Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
  * Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
  * Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
  * Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285 Mon 12:00
xen
- bsc#1200549 VUL-0: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166:
  xen: x86: MMIO Stale Data vulnerabilities (XSA-404)
  xsa404-1.patch
  xsa404-2.patch
  xsa404-3.patch
- bsc#1201469 - VUL-0: CVE-2022-23816,CVE-2022-23825,CVE-2022-29900:
  xen: retbleed - arbitrary speculative code execution with return
  instructions (XSA-407)
  xsa407-0a.patch
  xsa407-0b.patch
  xsa407-0c.patch
  xsa407-0d.patch
  xsa407-0e.patch
  xsa407-0f.patch
  xsa407-0g.patch
  xsa407-0h.patch
  xsa407-0i.patch
  xsa407-1.patch
  xsa407-2.patch
  xsa407-3.patch
  xsa407-4.patch
  xsa407-5.patch
  xsa407-6.patch
  xsa407-7.patch
  xsa407-8.patch
- Upstream bug fix (bsc#1027519)
  61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch
- bsc#1201394 - VUL-0: CVE-2022-33745: xen: insufficient TLB flush
  for x86 PV guests in shadow mode (XSA-408)
  xsa408.patch
- bsc#1199965 - VUL-0: CVE-2022-26362: xen: Race condition in
  typeref acquisition (XSA-401)
  fix xsa401-1.patch
- bsc#1199966 - VUL-0: EMBARGOED: CVE-2022-26363,CVE-2022-26364: xen:
  Insufficient care with non-coherent mappings
  use upstream fix in xsa402-5.patch
yast2-network
- AY: Added missing route extrapara element to the networking
  section (bsc#1201129)
- 4.2.110
yast2-schema
- Add 'extrapara' to routes in the networking section (bsc#1201129)
- 4.2.17
zlib
- Fix heap-based buffer over-read or buffer overflow in inflate via
  large gzip header extra field (bsc#1202175, CVE-2022-37434,
  CVE-2022-37434-extra-header-1.patch,
  CVE-2022-37434-extra-header-2.patch).
zypper
- BuildRequires:  libzypp-devel >= 17.31.2.
- Fix --[no]-allow-vendor-change feedback in install command
  (bsc#1201972)
- version 1.14.57
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
  (fixes #441, fixes #444)
- Remove unneeded code to compute the PPP status.
  Since libzypp 17.23.0 the PPP status is auto established. No
  extra solver run is needed.
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Fix tests to use locale "/C.UTF-8"/ rather than "/en_US"/.
- Fix man page (fixes #451)
- version 1.14.56
- lr: Allow shortening the Name column if table is wider than the
  terminal (bsc#1201638)
- Don't accepts install/remove modifier without argument
  (bsc#1201576)
- zypper-download: Set correct ExitInfoCode when failing to
  resolve argument.
- zypper-download: Handle unresolvable arguments as error.
  This commit changes zypper-download such that it behaves more
  consistent to zypper-install when an argument can't be resolved.
- version 1.14.55
- Fix building with GCC 13 (fixes #448)
- Put signing key supplying repository name in quotes.
- version 1.14.54
- Basic JobReport for "/cmdout/monitor"/.
- versioncmp: if verbose, also print the edition 'parts' which are
  compared.
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally (fixes #433)
- Honor the NO_COLOR environment variable when auto-detecting
  whether to use color (fixes #432)
- Define table columns which should be sorted natural [case
  insensitive] (fixes #391, closes #396, fixes #424)
- lr/ls: Use highlight color on name and alias as well.
- version 1.14.53