avahi
- Add avahi-CVE-2023-1981.patch: emit error if requested service
  is not found (boo#1210328 CVE-2023-1981).
c-ares
- Update to version 1.19.1
  Security:
  * CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
    (bsc#1211604)
  * CVE-2023-31147 Moderate. Insufficient randomness in generation
    of DNS query IDs (bsc#1211605)
  * CVE-2023-31130. Moderate. Buffer Underwrite in
    ares_inet_net_pton() (bsc#1211606)
  * CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
    during cross compilation (bsc#1211607)
  Bug fixes:
  * Fix uninitialized memory warning in test
  * ares_getaddrinfo() should allow a port of 0
  * Fix memory leak in ares_send() on error
  * Fix comment style in ares_data.h
  * Fix typo in ares_init_options.3
  * Sync ax_pthread.m4 with upstream
  * Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
containerd
- unversion to golang requires to always use the current default go. (bsc#1210298)
- Update to containerd v1.6.19 for Docker v23.0.2-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.19>
  Includes fixes for:
  - CVE-2023-25153 bsc#1208423
  - CVE-2023-25173 bsc#1208426
- Re-build containerd to use updated golang-packaging. jsc#1342
- Update to containerd v1.6.16 for Docker v23.0.1-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.16>
- Update to containerd v1.6.12 to fix CVE-2022-23471 bsc#1206235. Upstream
  release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.12>
cups
- cups-2.2.7-CVE-2023-32324.patch fixes CVE-2023-32324
  "/Heap buffer overflow in cupsd"/
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
  bsc#1211643
- 0001-cups-dests.c-cupsGetNamedDest-set-IPP_STATUS_ERROR_N.patch
  improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error
  that fixes bsc#1191467, bsc#1198932:
  "/lpr reports 'No such file or directory' for missing catalogue files"/
  "//usr/bin/lpr: No such file or directory"/
- after-network_target-sssd_service.patch
  is derived from https://github.com/apple/cups/issues/5550 with its
  https://github.com/apple/cups/commit/aaebca5660fdd7f7b6f30461f0788d91ef6e2fee
  and SUSE PTF:24471 cups.SUSE_SLE-15_Update cups-2.2.7-wait-for-network.patch
  to add "/After=network.target sssd.service"/ to the systemd unit
  source files cupsd.service.in and cups.cups-lpdAT.service.in
  to fix bsc#1201234, bsc#1200321:
  "/Missing network dependency in systemd unit for cups-2.2.7"/
  "/CUPS may not always start if sssd is in use"/
- cups-branch-2.2-commit-876fdc1c90a885a58644c8757bc1283c9fd5bcb7.diff
  is https://github.com/OpenPrinting/cups/commit/876fdc1c90a885a58644c8757bc1283c9fd5bcb7
  which belongs to https://github.com/OpenPrinting/cups/issues/308
  that fixes bsc#1191525, bsc#1203446:
  "/Print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable)"/
  "//usr/bin/lpr: Error - The printer or class does not exist."/
curl
- Security fixes:
  * [bsc#1211231, CVE-2023-28320] siglongjmp race condition
  - Add curl-CVE-2023-28320.patch
  * [bsc#1211232, CVE-2023-28321] IDN wildcard matching
  - Add curl-CVE-2023-28321.patch [bsc#1211339]
  * [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
  - Add curl-CVE-2023-28322.patch
- Security fixes:
  * [bsc#1209209, CVE-2023-27533] TELNET option IAC injection
    Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch
  * [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy
    Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch
  * [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse
    Add curl-CVE-2023-27535.patch
  * [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use
    Add curl-CVE-2023-27536.patch
  * [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still
    Add curl-CVE-2023-27538.patch
- Security Fix: [bsc#1207992, CVE-2023-23916]
  * HTTP multi-header compression denial of service
  * Add curl-CVE-2023-23916.patch
dmidecode
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
  which would prevent root from using the --from-dump option since
  the latest security fixes (bsc#1210418).
Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
  Clean up function dmi_table so that it does only one thing
  (bsc#1210418).
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
  - -dump-bin is used, write the whole dump file at once, instead of
  opening and closing the file separately for the table and then
  for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
  Make sure that the file passed to option --dump-bin does not
  already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
  check on the type of the mem device file we are asked to read
  from, if we are root (bsc#1210418).
  3 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
  the SMBIOS entry point is long enough to include all the fields
  we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
  tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
  name of DMI record type 33 even if we can't decode it.
docker
- update to 20.10.23-ce.
  * see upstream changelog at https://docs.docker.com/engine/release-notes/#201023
- drop kubic flavor as kubic is EOL. this removes:
  kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- Update to Docker 20.10.21-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
  bsc#1205375 CVE-2022-36109
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
  * 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in
  preparation for removing the feature). This feature was never meant to be
  used by users directly (and is only available in the -kubic/CaaSP version of
  the package anyway) and thus should not affect any users.
- Fix wrong After: in docker.service, fixes bsc#1188447
- Add apparmor-parser as a Recommends to make sure that most users will end up
  with it installed even if they are primarily running SELinux.
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser.
- Change to using systemd-sysusers
dracut
- Update to version 049.1+suse.253.g1008bf13:
  * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)
- Update to version 049.1+suse.251.g0b8dad5:
  * fix(dracut.sh): omission is an addition to other omissions in conf files (bsc#1208929)
  * fix(nfs): chown using rpc default group (bsc#1204929)
elfutils
- 0001-libelf-Fixup-SHF_COMPRESSED-sh_addralign-in-elf_upda.patch:
  make debuginfo extraction from go1.19 built binaries work again.
  (bsc#1203599)
glib2
- Update glib2-fix-normal-form-handling-in-gvariant.patch:
  Backported from upstream to fix regression on s390x.
  (bsc#1210135, glgo#GNOME/glib!2978)
- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
  from upstream to fix normal form handling in GVariant.
  (CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
  glgo#GNOME/glib!3125)
glibc
- amd-cacheinfo.patch: x86: Cache computation for AMD architecture
  (bsc#1207957)
- gmon-hash-table-size.patch: gmon: Fix allocated buffer overflow
  (CVE-2023-0687, bsc#1207975, BZ #29444)
- strncmp-avx2-boundary.patch: Fix avx2 strncmp offset compare condition
  check (bsc#1208358, BZ #25933)
- dlopen-filter-object.patch: elf: Allow dlopen of filter object to work
  (bsc#1207571, BZ #16272)
- powerpc-tst-ucontext.patch: powerpc: Fix unrecognized instruction errors
  with recent GCC
grub2
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064)
  (bsc#1209234)
  * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
- Fix installation over serial console ends up in infinite boot loop
  (bsc#1187810) (bsc#1209667) (bsc#1209372)
  * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in
  btrfs filesystem. (bsc#1209165)
  * grub2-btrfs-05-grub2-mkconfig.patch
- Make grub more robust against storage race condition causing system boot
  failures (bsc#1189036)
  * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
- Make grub.cfg invariant to efi and legacy platforms (bsc#1205200)
- Removed patch linuxefi
  * grub2-secureboot-provide-linuxefi-config.patch
  * grub2-secureboot-use-linuxefi-on-uefi-in-os-prober.patch
  * grub2-secureboot-use-linuxefi-on-uefi.patch
- Rediff
  * grub2-btrfs-05-grub2-mkconfig.patch
  * grub2-efi-xen-cmdline.patch
  * grub2-s390x-05-grub2-mkconfig.patch
  * grub2-suse-remove-linux-root-param.patch
- Move unsupported zfs modules into 'extras' packages
  (bsc#1205554) (PED-2947)
hwdata
- update to 0.368:
  * Update pci, usb and vendor ids
- update to 0.367:
  * Update pci, usb and vendor ids
- update to 0.366:
  * Update pci, usb and vendor ids
kernel-default
- xfs: verify buffer contents when we skip log replay (bsc#1210498
  CVE-2023-2124).
- commit 8eed3d3
- io_uring: prevent race on registering fixed files (1210414
  CVE-2023-1872).
- commit e53cfa3
- KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
  (bsc#1206992 CVE-2022-2196).
- commit f66a218
- keys: Fix linking a duplicate key to a keyring's assoc_array
  (bsc#1207088).
- commit 527a5be
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
  (bsc#1209871 CVE-2023-1670).
- commit cfec974
- Drivers: vmbus: Check for channel allocation before looking
  up relids (git-fixes).
- commit de13f74
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
  ipaddress (bsc#1210647 CVE-2023-2162).
- commit d0a859e
- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 5886145
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit 8b6288f
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit c706a03
- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit 7a43827
- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
- commit f513a6e
- x86/speculation: Allow enabling STIBP with legacy IBRS
  (bsc#1210506 CVE-2023-1998).
- commit d03ef09
- cifs: fix negotiate context parsing (bsc#1210301).
- commit 5d87bbe
- power: supply: da9150: Fix use after free bug in
  da9150_charger_remove due to race condition (CVE-2023-30772
  bsc#1210329).
- commit 61aa622
- k-m-s: Drop Linux 2.6 support
- commit 22b2304
- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6
- udmabuf: add back sanity check (git-fixes bsc#1210453
  CVE-2023-2008).
- commit b2b9158
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
  due to race condition (CVE-2023-1855 bsc#1210202).
- commit 4401c6f
- netlink: limit recursion depth in policy validation
  (CVE-2020-36691 bsc#1209613).
- Refresh
  patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch.
- commit 374a1af
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
  condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 775e632
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit e27c00d
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
  Fix performance problem with these patches - bsc@1210124
- commit 4dbd22d
- btrfs: fix race between quota disable and quota assign ioctls
  (CVE-2023-1611 bsc#1209687).
- commit 3fdcd22
- Fix double fget() in vhost_net_set_backend() (bsc#1210203
  CVE-2023-1838).
- commit 7e671a8
- Define kernel-vanilla as source variant
  The vanilla_only macro is overloaded. It is used for determining if
  there should be two kernel sources built as well as for the purpose of
  determmioning if vanilla kernel should be used for kernel-obs-build.
  While the former can be determined at build time the latter needs to be
  baked into the spec file template. Separate the two while also making
  the latter more generic.
  $build_dtbs is enabled on every single rt and azure branch since 15.3
  when the setting was introduced, gate on the new $obs_build_variant
  setting as well.
- commit 36ba909
- series.conf: cleanup
- update upstream references and resort:
  - patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
- commit 9bae747
- net/ulp: use consistent error code when blocking ULP
  (CVE-2023-0461 bsc#1208787).
- net/ulp: prevent ULP without clone op from entering the LISTEN
  status (CVE-2023-0461 bsc#1208787).
- commit 028f0fd
- rpm/constraints.in: increase the disk size for armv6/7 to 24GB
  It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816
- seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549
  CVE-2023-28772).
- commit 5c5e4d3
- PCI: hv: Add a per-bus mutex state_lock (bsc#1209785).
- Revert "/PCI: hv: Fix a timing issue which causes kdump to fail
  occasionally"/ (bsc#1209785).
- PCI: hv: Remove the useless hv_pcichild_state from struct
  hv_pci_dev (bsc#1209785).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can
  cause panic (bsc#1209785).
- PCI: hv: fix a race condition bug in hv_pci_query_relations()
  (bsc#1209785).
- commit 6b9e385
- kvm: initialize all of the kvm_debugregs structure before
  sending it to userspace (bsc#1209532 CVE-2023-1513).
- commit bd9c11d
- Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052
  CVE-2023-28464).
- commit 677d920
- net: tls: fix possible race condition between
  do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
  (bsc#1209366 CVE-2023-28466).
- commit 5f7c4a6
- Move ENA upstream fix to sorted section.
- commit aff6c71
- RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923)
- commit 50ba48b
- tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289
  CVE-2023-1390).
- commit b2c1533
- tun: avoid double free in tun_free_netdev (bsc#1209635
  CVE-2022-4744).
- commit c5cf205
- net/sched: tcindex: update imperfect hash filters respecting
  rcu (CVE-2023-1281 bsc#1209634).
- commit 97b3f9d
- fs/proc: task_mmu.c: don't read mapcount for migration entry
  (CVE-2023-1582, bsc#1209636).
- commit 35d5c42
- af_unix: Get user_ns from in_skb in unix_diag_get_exact()
  (bsc#1209290 CVE-2023-28327).
- commit 000517c
- netlink: prevent potential spectre v1 gadgets (bsc#1209547
  CVE-2017-5753).
- commit cec3f24
- tipc: add an extra conn_get in tipc_conn_alloc (bsc#1209288
  CVE-2023-1382).
- commit 6a58da4
- tipc: set con sock in tipc_conn_alloc (bsc#1209288
  CVE-2023-1382).
- commit 06eaf34
- Refresh
  patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit 890554b
- media: dvb-usb: az6027: fix null-ptr-deref in  az6027_i2c_xfer()
  (bsc#1209291 CVE-2023-28328).
- commit af7b7eb
- rpm/group-source-files.pl: Fix output difference when / is in location
  While previous attempt to fix group-source-files.pl in 6d651362c38
  "/rpm/group-source-files.pl: Deal with {pre,post}fixed / in location"/
  breaks the infinite loop, it does not properly address the issue. Having
  prefixed and/or postfixed forward slash still result in different
  output.
  This commit changes the script to use the Perl core module File::Spec
  for proper path manipulation to give consistent output.
- commit 4161bf9
- Require suse-kernel-rpm-scriptlets at all times.
  The kernel packages call scriptlets for each stage, add the dependency
  to make it clear to libzypp that the scriptlets are required.
  There is no special dependency for posttrans, these scriptlets run when
  transactions are resolved. The plain dependency has to be used to
  support posttrans.
- commit 56c4dbe
- Replace mkinitrd dependency with dracut (bsc#1202353).
  Also update mkinitrd refrences in documentation and comments.
- commit e356c9b
- prlimit: do_prlimit needs to have a speculation check
  (bsc#1209256 CVE-2017-5753).
- commit a2ac7fb
- rpm/kernel-obs-build.spec.in: Remove SLE11 cruft
- commit 871eeb4
- rds: rds_rm_zerocopy_callback() correct order for
  list_add_tail() (CVE-2023-1078 bsc#1208601).
- rds: rds_rm_zerocopy_callback() use list_first_entry()
  (CVE-2023-1078 bsc#1208601).
- commit ec0c93c
- net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075
  bsc#1208598).
- commit d651270
- tap: tap_open(): correctly initialize socket uid (CVE-2023-1076
  bsc#1208599).
- tun: tun_chr_open(): correctly initialize socket uid
  (CVE-2023-1076 bsc#1208599).
- net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599).
- netfilter: nf_tables: fix null deref due to zeroed list head
  (CVE-2023-1095 bsc#1208777).
- commit b65b67b
- cifs: fix use-after-free caused by invalid pointer `hostname`
  (bsc#1208971).
- commit d1a37f1
- HID: bigben: use spinlock to safely schedule workers
  (CVE-2023-25012 bsc#1207560).
- HID: bigben_worker() remove unneeded check on report_field
  (CVE-2023-25012 bsc#1207560).
- HID: bigben: use spinlock to protect concurrent accesses
  (CVE-2023-25012 bsc#1207560).
- commit 3c79258
- malidp: Fix NULL vs IS_ERR() checking (bsc#1208843
  CVE-2023-23004).
- commit a8f9557
- Do not sign the vanilla kernel (bsc#1209008).
- commit cee4d89
- rpm/group-source-files.pl: Deal with {pre,post}fixed / in location
  When the source file location provided with -L is either prefixed or
  postfixed with forward slash, the script get stuck in a infinite loop
  inside calc_dirs() where $path is an empty string.
  user@localhost:/tmp> perl "/$HOME/group-source-files.pl"/ -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/
  ...
  path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig
  path = /usr/src/linux-5.14.21-150500.41/Documentation
  path = /usr/src/linux-5.14.21-150500.41
  path = /usr/src
  path = /usr
  path =
  path =
  path =
  ... # Stuck in an infinite loop
  This workarounds the issue by breaking out the loop once path is an
  empty string. For a proper fix we'd want something that
  filesystem-aware, but this workaround should be enough for the rare
  occation that this script is ran manually.
  Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
- commit 6d65136
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
  (CVE-2023-1118 bsc#1208837).
- phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node
  function (CVE-2023-23000 bsc#1208816).
- commit 52c897a
- scsi: qla2xxx: Add option to disable FC2 Target support
  (bsc#1198438 bsc#1206103).
- Delete
  patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch.
- commit 5959f82
- drm/virtio: Fix NULL vs IS_ERR checking in
  virtio_gpu_object_shmem_init (bsc#1208776 CVE-2023-22998).
- commit 2fd8a08
- net/mlx5: DR, Fix NULL vs IS_ERR checking in
  dr_domain_init_resources (bsc#1208845 CVE-2023-23006).
- commit 14082ec
- mm/slub: fix panic in slab_alloc_node() (bsc#1208023).
- commit b092aa9
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
  When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1
  which sets the variable for a simple command.
  However, the script is no longer a simple command. Export the variable
  instead.
- commit 152a069
- README.BRANCH: Update
  Relieve Ivan Ivanov of his duties as branch maintainer as I am back.
- commit 1da55f1
- usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
  dwc3_qcom_acpi_register_core (bsc#1208741 CVE-2023-22995).
- commit 7a31d48
- net: mpls: fix stale pointer if allocation fails during device
  rename (bsc#1208700 CVE-2023-26545).
- commit 18d9ec7
- s390/kexec: fix ipl report address for kdump (bsc#1207575).
- commit 7a62f13
- x86/mm: Randomize per-cpu entry area (bsc#1207845
  CVE-2023-0597).
- commit 3a695c7
- vmxnet3: move rss code block under eop descriptor (bsc#1208212).
- commit f589074
- usb: rndis_host: Secure rndis_query check against int overflow
  (CVE-2023-23559 bsc#1207051).
- commit d9a137b
- net: mana: Assign interrupts to CPUs based on NUMA nodes
  (bsc#1208153).
- Refresh
  patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch.
- commit 342fb4d
- net: mana: Fix accessing freed irq affinity_hint (bsc#1208153).
- genirq: Provide new interfaces for affinity hints (bsc#1208153).
- commit 4d24191
- drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331 CVE-2022-38096)
- commit 1f21d95
- module: Don't wait for GOING modules (bsc#1196058, bsc#1186449,
  bsc#1204356, bsc#1204662).
- commit 77af0b0
- drm/vmwgfx: Validate the box size for the snooped cursor (bsc#1203332 CVE-2022-36280)
- commit f246cad
- Refresh
  patches.kabi/scsi-kABI-fix-for-eh_should_retry_cmd.patch (bsc#1206351).
  The former kABI fix only move the newly added member to scsi_host_template to
  the end of the struct. But that is usually allocated statically, even by 3rd
  party modules relying on kABI. Before we use the member we need to signalize
  that it is to be expected. As we only expect it to be allocated by in-tree
  modules that we can control, we can use a space in the bitfield to signalize
  that.
- commit 0e772e8
- net: mana: Fix IRQ name - add PCI and queue number
  (bsc#1207875).
- commit f2c8c19
- x86/bugs: Flush IBP in ib_prctl_set() (bsc#1207773
  CVE-2023-0045).
- commit baf6bec
- net: ena: optimize data access in fast-path code (bsc#1208137).
- commit 09cfdc0
- net: sched: fix race condition in qdisc_graft() (CVE-2023-0590
  bsc#1207795).
- net_sched: add __rcu annotation to netdev->qdisc (CVE-2023-0590
  bsc#1207795).
- commit c6f042b
- Update
  patches.suse/net-mlx5-Allocate-individual-capability.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Dynamically-resize-flow-counters-query-buff.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Reorganize-current-and-maximal-capabilities.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Use-order-0-allocations-for-EQs.patch
  (bsc#1195175).
  Fixed bugzilla reference.
- commit e56868b
- ipv6: raw: Deduct extension header length in
  rawv6_push_pending_frames (bsc#1207168).
- commit ad4a091
ldb
- Remove no longer needed ldb-memory-bug-15096-4.15-ldbonly.patch
- Add cve-2023-0614.patch: Address CVE-2023-0614
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can be
  discovered; (bsc#1209485); (bso#15270);
- Update to version 2.4.4
  + CVE-2022-32746 ldb: db: Use-after-free occurring in
    database audit logging module; (bso#15009); (bsc#1201490).
  + CVE-2022-32746: samba: ldb: Use-after-free occurring in
    database audit logging module; (bso#15009); (bsc#1201490).
librelp
- update to librelp 1.11.0 (bsc#1210649)
  the previous version became incompatible with current rsyslog
  version 8.2106.0
- Important changes per version
  Version 1.11.0 - 2023-01-10
- code cleanup
- AIX: Changed ERRNO handling after connect in tcp.c
- AIX: Add handling for other ERRNO codes in tcp.c
- bugfix/TCP: relpTcpGetRtryDirection onyl needs to check direction if SSL is active.
- AIX: in relpTcpRcv we need to set RETRY_recv if errno is 0
- openssl: fix openssl exit code avoid double free of ctx
- librelp hardening: Fix multiple minor issues causing debugging trouble
- OpenSSL: fix depreacted API issues for OpenSSL 3.x
- bugfix: compatiblity problem with openssl 1.1
- bugfix: Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibName
- bugfix: make relpEngineSetTLSLib debug safe
- bugfix: warnings reported by coverity scan
- gnutls drvr bugfix: library called exit() under some circumstances
  Version 1.10.0 - 2021-02-16
- TLS handling bugfix
  Version 1.9.0 - 2020-11-24
- openssl bugfix: preprocessor check for tlsconfigcmd code
- solaris compatibility fix: add strndup compatibility code
  Version 1.8.0 - 2020-09-29
- gnutls "/bugfix"/: handle receives who break connection on close
- gnutls bugfix: per-session memory leak
- tls bugfix: RETRY not correctly handled in TLS Mode & CI improvement
- bugfix: librelp.h contains duplicate function definition
- removed some more externally visible symbols not being part of API
  Version 1.7.0 - 2020-08-25
- some internal cleanup (const attributes and such)
- bugfix: library did export non-API symbols
- openssl: Fix chained certificate files for older OpenSSL Version.
- fix FD leak when socket shutdown is one-sided
- TLS: Added call to destruct OpenSSL remains to relpEngineDestruct
- fix memory leak on session break
  Version 1.6.0 - 2020-04-21
- fix namespace pollution - some non-API functions were exported
- replsess: fix double free of sendbuf in some cases.
- improve support for libressl
- Modified GnuTLS priority according to standard crypto-policy guideline
- tcp: Missing pUsr Copy to relpTcp Pointer fixed in relpTcpAcceptConnReq
- report io errors for plain tcp connections
  Version 1.5.0 - 2020-01-14
- bugfix: too late termination of relp Engine on shutdown
- build system fix: invalid default in configure help text
- error message on invalid TLS library request added
  Version 1.4.0 - 2019-03-05
- build system: enable openssl by default, this means both TLS drivers
  are now build by default
- support that both GnuTLS and openssl TLS drivers are active together
- portability: use GCC __attribute__ only where supported
- bugfix: build problem when HAVE_STRERROR_R is undefined
- bugfix: openssl driver did not properly handle retries when sending
- bugfix: in openssl mode, cert name validation did not work properly
- bugfix: invalid handling of connection fail could lead to abort
- a couple of minor and cosmetic nitfixes, improvements and cleanup
  Version 1.3.0 - 2018-12-11
- improved error reporting
- bugfix openssl: anon mode did not work with openssl 1.1.0+
- bugfix: do not send multiple open commands
  Version 1.2.18 - 2018-09-18
- added non-standard "/certvalid"/ auth mode to TLS authentication
- bugfix CI: make distcheck did not work
  Version 1.2.17 - 2018-08-02
- added support for openssl
- improve code quality: replace strerror() by portable equivalent
- improve error message on connection failure
- bugfix: 100% CPU utilization due to busy loop
- bugfix: do not expose symbols that are not part of public API
- bugfix: potential segfault when listener could not be bound
  Version 1.2.16 - 2018-05-14
- API changes
  * add new API: relpSrvSetOversizeMode()
  * add new API: relpSrvSetLstnAddr()
- support additional hashes for fingerprint mode
- bugfix: potential memory leak
- bugfix: memory leak on protocol error
- fixed a couple of minor issues:
  * fix memory leak when relp frame construction fails
  * removed unnecessary code
  * fix memory leak
  * fix memory leak on relpSrvRun() error
  * fix memory leak on relp listener construction error
  * also resolved all other issues reported by Coverity scan
libsolv
- handle learnt rules in solver_alternativeinfo()
- support x86_64_v[234] architecture levels
- implement decision sorting for package decisionlists
- add back findutils requires for the libsolv-tools packagse
  [bsc#1195633]
- bump version to 0.7.24
- fix "/keep installed"/ jobs not disabling "/best update"/ rules
- do not autouninstall suse ptf packages
- ensure duplinvolvedmap_all is reset when a solver is reused
- special case file dependencies in the testcase writer
- support stringification of multiple solvables
- new weakdep introspection interface similar to ruleinfos
- support decision reason queries
- support merging of related decissions
- support stringification of ruleinfo, decisioninfo and decision reasons
- support better info about alternatives
- new '-P' and '-W' options for testsolv
- bump version to 0.7.23
libxml2
- Security update:
  * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
    isn't deterministic
  - Added patch libxml2-CVE-2023-29469.patch
  * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
    xmlSchemaFixupComplexType
  - Added patch libxml2-CVE-2023-28484-1.patch
  - Added patch libxml2-CVE-2023-28484-2.patch
- Fix changelog entries in both .changes files.
- Apply al patches correctly for libxml2 and python-libxml2.
- Add libxml2-python3-string-null-check.patch: fix NULL pointer
    dereference when parsing invalid data (bsc#1065270
    glgo#libxml2!15).).
- clean with spec-cleaner
- libxml2-python3-unicode-errors.patch: work around an issue with
  libxml2 supplied error strings being undecodable UTF-8 (bsc#1065270)
- convert to singlespec, build a python 3 version
- change build instructions to use setup.py (and %python_build macros)
  instead of makefile-based approach
- add python3.6-verify_fd.patch that fixes libxml2 on python 3.6
- rename to python-libxml2-python to conform to package naming policy
  (PyPI name is "/libxml2-python"/)
libzypp
- curl: Trim user agent string (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. Violation
  results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 17.31.13 (22)
- Do not unconditionally release a medium if provideFile failed
  (bsc#1211661)
- libzypp.spec.cmake: remove duplicate file listing.
- version 17.31.12 (22)
- MediaCurl: Fix endless loop if wrong credentials are stored in
  credentials.cat (bsc#1210870)
  Since libzypp-17.31.7 wrong credentials stored in credentials.cat
  may lead to an endless loop. Rather than asking for the right
  credentials, the stored ones are used again and again.
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
  (bsc#1208329)
  Maximum time in seconds that you allow the connection phase to
  the server to take. This only limits the connection phase, it has
  no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- commit: Try to provide /dev fs if not present (fixes #444)
- fix build with boost 1.82.
- version 17.31.11 (22)
- fix build with boost 1.82
- BuildRequires: libsolv-devel >= 0.7.24 for x86_64_v[234]
  support.
- version 17.31.10 (22)
- Workround bsc#1195633 while libsolv <= 0.7.23 is used.
- Fix potential endless loop in new ZYPP_MEDIANETWORK.
- ZYPP_METALINK_DEBUG=1: Log URL and priority of the mirrors
  parsed from a metalink file.
- multicurl: propagate ssl settings stored in repo url
  (boo#1127591)
  Closes #335.
- Teach MediaNetwork to retry on HTTP2 errors.
- fix CapDetail to return Rel::NONE if an EXPRESSION is used as a
  NAMED cap.
- Capability: support parsing richdeps from string.
- defaultLoadSystem: default to LS_NOREFRESH if not root.
- Detect x86_64_v[234]: Fix LZCNT bit used in detection (fixes
  [#439])
  Merges rpm-software-management/rpm#2412: The bit for LZCNT is in
  CPUID 0x80000001, not 1.
- Detect x86_64_v[234] architecture levels (fixes #439)
- Support x86_64_v[234] architecture levels (for #439)
- version 17.31.9 (22)
- ProgressData: enforce reporting the INIT||END state
  (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems
  (bsc#1205636)
- version 17.31.8 (22)
- Hint to "/zypper removeptf"/ to remove PTFs.
- Removing a PTF without enabled repos should always fail
  (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be
  removed (not replaced!) as well. To remove a PTF "/zypper install
  - - -PTF"/ or a dedicated "/zypper removeptf PTF"/ should be used.
  This will update the installed PTF packages to theit latest
  version.
- version 17.31.7 (22)
- Avoid calling getsockopt when we know the info already.
  This patch hopefully fixes logging on WSL, getsockopt seems to
  not be fully supported but the code required it when accepting
  new socket connections. (for bsc#1178233)
- Enhance yaml-cpp detection (fixes #428)
- No need to redirect 'history.logfile=/dev/null' into the target.
- MultiCurl: Make sure to reset the progress function when
  falling back.
- version 17.31.6 (22)
- Create '.no_auto_prune' in the package cache dir to prevent auto
  cleanup of orphaned repositories (bsc#1204956)
- properly reset range requests (bsc#1204548)
- version 17.31.5 (22)
- Do not clean up MediaSetAccess before using the geoip file
  (fixes #424)
- version 17.31.4 (22)
- Improve download of optional files (fixes #416)
- Do not use geoip rewrites if the repo has explicit country
  settings.
- Implement geoIP feature for zypp.
  This patch adds a feature to rewrite request URLs to the repo
  servers by querying a geoIP file from download.opensuse.org. This
  file can return a redirection target depending on the clients IP
  adress, this way we can directly contact a local mirror of d.o.o
  instead. The redir target stays valid for 24hrs.
  This feature can be disabled in zypp.conf by setting
  'download.use_geoip_mirror = false'.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server
  MediaMultiCurl used to fallback to a fixed, relatively small
  BLKSIZE. This patch changes the fallback into a dynamic value
  based on the filesize using a similar metric as the MirrorCache
  implementation on the server side.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip a extra media.1/media download to
  calculate if a repository needs to be refreshed. This
  optimisation only takes place if the repo does specify only
  downloading base urls.
- version 17.31.3 (22)
ncurses
- Modify patch ncurses-6.1.dif
  * Secure writing terminfo entries by setfs[gu]id in s[gu]id
    (boo#1210434, CVE-2023-29491)
  * Reading is done since 2000/01/17
nfs-utils
- Rename all drop-in options.conf files as 10-options.conf
  This makes it easier for other packages to over-ride
  with a drop-in with a later sequence number.
  resource-agents does this.
  (bsc#1207843)
- 0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
  Avoid modprobe errors when sysctl is not installed.
  (bsc#1200710 bsc#1207022 bsc#1206781)
- 0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch
  Add "/-S scope"/ option to rpc.nfsd to simplify fail-over cluster
  config.
  (bsc#1203746)
openldap2
- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
  * 0244-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
openssh
- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
  This caused invalid and irrelevant environment assignments (bsc#1207014).
openssl-1_1
- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
  * Invalid certificate policies in leaf certificates are silently ignored
  * Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
  * Certificate policy check not enabled
  * Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
  * Excessive Resource Usage Verifying X.509 Policy Constraints
  * Add openssl-CVE-2023-0464.patch
procps
- Add patch bsc1209122-a6c0795d.patch
  * Fix for bsc#1209122 to allow `-´ as leading character to ignore
    possible errors on systctl entries
python-packaging
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Add patch to fix testsuite on big-endian targets
  + fix-big-endian-build.patch
- Ignore python3.6.2 since the test doesn't support it.
- update to 21.3:
  * Add a pp3-none-any tag (gh#pypa/packaging#311)
  * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
    (gh#pypa/packaging#481), (gh#pypa/packaging#486)
  * Fix a spelling mistake (gh#pypa/packaging#479)
- update to 21.2:
  * Update documentation entry for 21.1.
  * Update pin to pyparsing to exclude 3.0.0.
  * PEP 656: musllinux support
  * Drop support for Python 2.7, Python 3.4 and Python 3.5.
  * Replace distutils usage with sysconfig
  * Add support for zip files in ``parse_sdist_filename``
  * Use cached ``_hash`` attribute to short-circuit tag equality comparisons
  * Specify the default value for the ``specifier`` argument to ``SpecifierSet``
  * Proper keyword-only "/warn"/ argument in packaging.tags
  * Correctly remove prerelease suffixes from ~= check
  * Fix type hints for ``Version.post`` and ``Version.dev``
  * Use typing alias ``UnparsedVersion``
  * Improve type inference for ``packaging.specifiers.filter()``
  * Tighten the return type of ``canonicalize_version()``
- Add Provides: for python*dist(packaging): work around boo#1186870
- skip tests failing because of no-legacyversion-warning.patch
- add no-legacyversion-warning.patch to restore compatibility with 20.4
- update to 20.9:
  * Run [isort](https://pypi.org/project/isort/) over the code base (:issue:`377`)
  * Add support for the ``macosx_10_*_universal2`` platform tags (:issue:`379`)
  * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``
- update to 20.8:
  * Revert back to setuptools for compatibility purposes for some Linux distros (:issue:`363`)
  * Do not insert an underscore in wheel tags when the interpreter version number
    is more than 2 digits (:issue:`372`)
  * Fix flit configuration, to include LICENSE files (:issue:`357`)
  * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag (:issue:`361`)
  * Add some missing type hints to `packaging.requirements` (issue:`350`)
  * Officially support Python 3.9 (:issue:`343`)
  * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes (:issue:`321`)
  * Handle ``OSError`` on non-dynamic executables when attempting to resolve
    the glibc version string.
- update to 20.4:
  * Canonicalize version before comparing specifiers. (:issue:`282`)
  * Change type hint for ``canonicalize_name`` to return
  ``packaging.utils.NormalizedName``.
  This enables the use of static typing tools (like mypy) to detect mixing of
  normalized and un-normalized names.
python3
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
  which eliminates unnecessary and dangerous calls to
  PyThread_exit_thread() (bsc#1203355).
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters
runc
- Update to runc v1.1.5. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
  Includes fixes for the following CVEs:
  - CVE-2023-25809 bsc#1209884
  - CVE-2023-27561 bsc#1208962
  - CVE-2023-28642 bsc#1209888
  * Fix the inability to use `/dev/null` when inside a container.
  * Fix changing the ownership of host's `/dev/null` caused by fd redirection
    (a regression in 1.1.1). bsc#1168481
  * Fix rare runc exec/enter unshare error on older kernels.
  * nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
samba
- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
  in cleartext; (bso#15315); (bsc#1209481).
- CVE-2023-0225: Samba AD DC "/dnsHostname"/ attribute can be
  deleted by unprivileged authenticated users; (bso#15276);
  (bsc#1209483).
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can
  be discovered; (bso#15270); (bsc#1209485).
- Prevent use after free of messaging_ctdb_fde_ev structs;
  (bso#15293); (bsc#1207416).
shadow
- bsc#1210507 (CVE-2023-29383):
  Check for control characters
- Add shadow-CVE-2023-29383.patch
shim
- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458.
  The issue be fixed by upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737)
- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
  signature. When submit request on IBS for updating SLE shim, the submitreq
  project be generated, but it always be blocked by checking the signature
  of openSUSE shim.
  It doesn't make sense checking openSUSE shim signature when building
  SLE shim on SLE platform, and vice versa. So the following change adds the
  logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
  When and only when hash mismatch and distro_id match with suffix, stop
  building.
    [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse)
    [#] when hash mismatch and distro_id match with suffix, stop building
- Upgrade shim-install for bsc#1210382
  After closing Leap-gap project since Leap 15.3, openSUSE Leap direct
  uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
  CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
  so all files in /boot/efi/EFI/boot are not updated.
  The 86b73d1 patch added the logic that using ID field in os-release for
  checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
  Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
- https://github.com/SUSE/shim-resources (git log --oneline)
  86b73d1 Fix that bootx64.efi is not updated on Leap
  f2e8143 Use the long name to specify the grub2 key protector
  7283012 cryptodisk: support TPM authorized policies
  49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
  26c6bd5 Have grub take a snapshot of "/relevant"/ TPM PCRs
  5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
  a5c5734 Introduce --no-grub-install option
- Updated shim signature after shim 15.7 be signed back:
  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)
- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to
  disable the NX compatibility flag when using post-process-pe because
  grub2 is not ready. (bsc#1205588)
  - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7
    be merged to v5.19. On the other hand, upstream is working on
    improve compressed kernel stage for NX:
    [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage
    https://www.spinics.net/lists/kernel/msg4599636.html
- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to
  enable the NX compatibility flag by default. (jsc#PED-127)
- Drop upstreamed patch:
  - shim-Enable-TDX-measurement-to-RTMR-register.patch
  - Enable TDX measurement to RTMR register (jsc#PED-1273)
  - 4fd484e4c2	15.7
- Update to 15.7 (bsc#1198458)(jsc#PED-127)
  - Patches (git log --oneline --reverse 15.6..15.7)
  0eb07e1 Make SBAT variable payload introspectable
  092c2b2 Reference MokListRT instead of MokList
  8b59b69 Add a link to the test plan in the readme.
  4fd484e Enable TDX measurement to RTMR register
  14d6339 Discard load-options that start with a NUL
  5c537b3 shim: Flush the memory region from i-cache before execution
  2d4ebb5 load_cert_file: Fix stack issue
  ea4911c load_cert_file: Use EFI RT memory function
  0cf43ac Add -malign-double to IA32 compiler flags
  17f0233 pe: Fix image section entry-point validation
  5169769 make-archive: Build reproducible tarball
  aa1b289 mok: remove MokListTrusted from PCR 7
  53509ea CryptoPkg/BaseCryptLib: fix NULL dereference
  616c566 More coverity modeling
  ea0d0a5 Update shim's .sbat to sbat,3
  dd8be98 Bump grub's sbat requirement to grub,3
  1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7
  - 15.7 release note https://github.com/rhboot/shim/releases
  Make SBAT variable payload introspectable by @chrisccoulson in #483
  Reference MokListRT instead of MokList by @esnowberg in #488
  Add a link to the test plan in the readme. by @vathpela in #494
  [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485
  Discard load-options that start with a NUL by @frozencemetery in #505
  load_cert_file bugs by @esnowberg in #523
  Add -malign-double to IA32 compiler flags by @nicholasbishop in #516
  pe: Fix image section entry-point validation by @iokomin in #518
  make-archive: Build reproducible tarball by @julian-klode in #527
  mok: remove MokListTrusted from PCR 7 by @baloo in #519
  - Drop upstreamed patch:
  - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
  - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in  AuthenticodeVerify()
  - 53509eaf22	15.7
  - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch
  - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127)
  - The following patches are merged to 15.7
  aa1b289a1a mok: remove MokListTrusted from PCR 7
  0cf43ac6d7 Add -malign-double to IA32 compiler flags
  ea4911c2f3 load_cert_file: Use EFI RT memory function
  2d4ebb5a79 load_cert_file: Fix stack issue
  5c537b3d0c shim: Flush the memory region from i-cache before execution
  14d6339829 Discard load-options that start with a NUL
  092c2b2bbe Reference MokListRT instead of MokList
  0eb07e11b2 Make SBAT variable payload introspectable
- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to
  the item in Update to 15.6. (bsc#1198458)
- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following
  patches between 15.6 with aa1b289a1a (jsc#PED-127):
    aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7
    0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags
    ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function
    2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue
    5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution
    14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL
    092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList
    0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable
- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support
  enhance shim measurement to TD RTMR. (jsc#PED-1273)
- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec
  and shim.changes: (jsc#PED-127)
  - Add some change log from SLE shim.changes to Factory shim.changes
    Those messages are added "/(sync shim.changes from SLE)"/ tag.
  - Add the following changes to shim.spec
  - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch
    on openSUSE.
  - Enable the AArch64 signature check for SLE:
  [#] AArch64 signature
  signature=%{SOURCE13}
- shim-install: ensure grub.cfg created is not overwritten after
  installing grub related files
- Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
  (bsc#1201066)
- Add logic to shim.spec for detecting --set-sbat-policy option before
  using mokutil to set sbat policy. (bsc#1202120)
- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)
- Revoked the change in shim.spec for "/use common SBAT values (boo#1193282)"/
  - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory
    is unstable for building out a stable shim binary for signing. (bsc#1198458)
  - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4
    because closing-the-leap-gap. So sbat_distro_* variables are SLE version,
    not for openSUSE. (bsc#1198458)
- Update to 15.6 (bsc#1198458)
  - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76
    which is from upstream grub2.cve_2021_3695.ms keybase channel.
  - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to
    support efi-app-aarch64 target. So we need the following patches in bintuils:
  - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
    b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64).
  - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
    32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64)
  - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch
    d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64)
  - Patches (git log --oneline --reverse 15.5~..77144e5a4)
    448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458)
    a2da05f shim: implement SBAT verification for the shim_lock protocol
    bda03b8 post-process-pe: Fix a missing return code check
    af18810 CI: don't cancel testing when one fails
    ba580f9 CI: remove EOL Fedoras from github actions
    bfeb4b3 Remove aarch64 build tests before f35
    38cc646 CI: Add f36 and centos9 CI build tests.
    b5185cb post-process-pe: Fix format string warnings on 32-bit platforms
    31094e5 tests: also look for system headers in multi-arch directories
    4df989a mock-variables.c: fix gcc warning
    6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled
    2670c6a Allow MokListTrusted to be enabled by default
    5c44aaf Add code of conduct
    d6eb9c6 Modernize aarch64
    9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail
    de87985 make: don't treat cert.S specially
    803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode
    6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry.
    bb4b60e Add verify_image
    acfd48f Abstract out image reading
    35d7378 Load additional certs from a signed binary
    8ce2832 post-process-pe: there is no 's' argument.
    465663e Add some missing PE image flag definitions
    226fee2 PE Loader: support and require NX
    df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
    b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    f81a7cc SBAT revocation management
    abe41ab make: unbreak scan-build again for gnu-efi
    610a1ac sbat.h: minor reformatting for legibility
    f28833f peimage.h: make our signature macros force the type
    5d789ca Always initialize data/datasize before calling read_image()
    a50d364 sbat policy: make our policy change actions symbolic
    5868789 load_certs: trust dir->Read() slightly less.
    a78673b mok.c: fix a trivial dead assignment
    759f061 Fix preserve_sbat_uefi_variable() logic
    aa61fdf Give the Coverity scanner some more GCC blinders...
    0214cd9 load_cert_file(): don't defererence NULL
    1eca363 mok import: handle OOM case
    75449bc sbat: Make nth_sbat_field() honor the size limit
    c0bcd04 shim-15.6~rc1
    77144e5 SBAT Policy latest should be a one-shot
  - 15.5 release note https://github.com/rhboot/shim/releases
  Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
  mok: allocate MOK config table as BootServicesData by @lcp in #361
  Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
  Relax the check for import_mok_state() by @lcp in #372
  SBAT.md: trivial changes by @hallyn in #389
  shim: another attempt to fix load options handling by @chrisccoulson in #379
  Add tests for our load options parsing. by @vathpela in #390
  arm/aa64: fix the size of .rela* sections by @lcp in #383
  mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
  mok: relax the maximum variable size check by @lcp in #369
  Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
  fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
  httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
  Fallback allocation errors by @vathpela in #402
  shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
  str: remove duplicate parameter check by @xypron in #408
  fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
  Test mok mirror by @vathpela in #394
  Modify sbat.md to help with readability. by @eshiman in #398
  csv: detect end of csv file correctly by @xypron in #404
  Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
  tests: add "/include-fixed"/ GCC directory to include directories by @diabonas in #415
  pe: simplify generate_hash() by @xypron in #411
  Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
  Fallback to default loader if parsed one does not exist by @julian-klode in #393
  fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
  Better console checks by @vathpela in #416
  docs: update SBAT UEFI variable name by @nicholasbishop in #421
  Don't parse load options if invoked from removable media path by @julian-klode in #399
  fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
  shim: Don't stop forever at "/Secure Boot not enabled"/ notification by @rmetrich in #438
  Shim 15.5 coverity by @vathpela in #439
  Allocate mokvar table in runtime memory. by @vathpela in #447
  Remove post-process-pe on 'make clean' by @vathpela in #448
  pe: missing perror argument by @xypron in #443
  - 15.6-rc1 release note https://github.com/rhboot/shim/releases
  MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
  shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
  post-process-pe: Fix a missing return code check by @vathpela in #462
  Update github actions matrix to be more useful by @frozencemetery in #469
  Add f36 and centos9 CI builds by @vathpela in #470
  post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
  tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
  tests: fix gcc warnings by @akodanev in #463
  Allow MokListTrusted to be enabled by default by @esnowberg in #455
  Add code of conduct by @frozencemetery in #427
  Re-add ARM AArch64 support by @vathpela in #468
  Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
  make: don't treat cert.S specially by @vathpela in #475
  shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
  Break out of the inner sbat loop if we find the entry. by @vathpela in #476
  Support loading additional certificates by @esnowberg in #446
  Add support for NX (W^X) mitigations. by @vathpela in #459
  Misc fixups from scan-build. by @vathpela in #477
  Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
  - 15.6 release note https://github.com/rhboot/shim/releases
  MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
  shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
  post-process-pe: Fix a missing return code check by @vathpela in #462
  Update github actions matrix to be more useful by @frozencemetery in #469
  Add f36 and centos9 CI builds by @vathpela in #470
  post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
  tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
  tests: fix gcc warnings by @akodanev in #463
  Allow MokListTrusted to be enabled by default by @esnowberg in #455
  Add code of conduct by @frozencemetery in #427
  Re-add ARM AArch64 support by @vathpela in #468
  Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
  make: don't treat cert.S specially by @vathpela in #475
  shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
  Break out of the inner sbat loop if we find the entry. by @vathpela in #476
  Support loading additional certificates by @esnowberg in #446
  Add support for NX (W^X) mitigations. by @vathpela in #459
  Misc fixups from scan-build. by @vathpela in #477
  Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
  SBAT Policy latest should be a one-shot by @jsetje in #481
  pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
  pe: Perform image verification earlier when loading grub by @chriscoulson
  Update advertised sbat generation number for shim by @jsetje
  Update SBAT generation requirements for 05/24/22 by @jsetje
  Also avoid CVE-2022-28737 in verify_image() by @vathpela
  - Drop upstreamed patch:
  - shim-bsc1184454-allocate-mok-config-table-BS.patch
  - Allocate MOK config table as BootServicesData to avoid the error message
  from linux kernel
  - 4068fd42c8		15.5-rc1~70
  - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
  - Handle ignore_db and user_insecure_mode correctly
  - 822d07ad4f07		15.5-rc1~73
  - shim-bsc1185621-relax-max-var-sz-check.patch
  - Relax the maximum variable size check for u-boot
  - 3f327f546c219634b2	15.5-rc1~49
  - shim-bsc1185261-relax-import_mok_state-check.patch
  - Relax the check for import_mok_state() when Secure Boot is off
  - 9f973e4e95b113	15.5-rc1~67
  - shim-bsc1185232-relax-loadoptions-length-check.patch
  - Relax the check for the LoadOptions length
  - ada7ff69bd8a95	15.5-rc1~52
  - shim-fix-aa64-relsz.patch
  - Fix the size of rela* sections for AArch64
  - 34e3ef205c5d65	15.5-rc1~51
  - shim-bsc1187260-fix-efi-1.10-machines.patch
  - Don't call QueryVariableInfo() on EFI 1.10 machines
  - 493bd940e5		15.5-rc1~69
  - shim-bsc1185232-fix-config-table-copying.patch
  - Avoid buffer overflow when copying the MOK config table
  - 7501b6bb44		15.5-rc1~50
  - shim-bsc1187696-avoid-deleting-rt-variables.patch
  - Avoid deleting the mirrored RT variables
  - b1fead0f7c9		15.5-rc1~37
  - Add "/rm -f *.o"/ after building MokManager/fallback in shim.spec
    to make sure all object files gets rebuilt
  - reference: https://github.com/rhboot/shim/pull/461
- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included
  in shim-15.6.tar.bz2
  - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch
    pe: Fix a buffer overflow when SizeOfRawData VirtualSize
  - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch
    pe: Perform image verification earlier when loading grub
  - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch
    Update advertised sbat generation number for shim
  - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch
    Update SBAT generation requirements for 05/24/22
  - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch
    Also avoid CVE-2022-28737 in verify_image()
  - 0006-shim-15.6-rc2.patch
  - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch
    sbat: add the parsed SBAT variable entries to the debug log
  - 0008-bump-version-to-shim-15.6.patch
- Add mokutil command to post script for setting sbat policy to latest mode
  when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
  (bsc#1198458)
- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to
  show the prompt to ask whether the user trusts openSUSE certificate or not
  (bsc#1198101)
- Updated vendor dbx binary and script (bsc#1198458)
  - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding
    SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
  - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding
    openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
  - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt
    and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
  - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin
    file which includes all .der for testing environment.
- use common SBAT values (boo#1193282)
- Update the SLE signatures (sync shim.changes from SLE)
(sync shim.changes from SLE)
- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
  buffer overflow when copying data to the MOK config table
  (bsc#1185232)
- Add shim-disable-export-vendor-dbx.patch to disable exporting
  vendor-dbx to MokListXRT since writing a large RT variable
  could crash some machines (bsc#1185261)
- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
  potential crash when calling QueryVariableInfo in EFI 1.10
  machines (bsc#1187260)
- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
  for AArch64
  Fix: https://github.com/rhboot/shim/issues/371
- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
  ignore the odd LoadOptions length (bsc#1185232)
- shim-install: reset def_shim_efi to "/shim.efi"/ if the given
  file doesn't exist
- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
  the check for import_mok_state() when Secure Boot is off.
  (bsc#1185261)
  (sync shim.changes from SLE)
- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
  maximum variable size check for u-boot (bsc#1185621)
- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
  to handle ignore_db and user_insecure_mode correctly
  (bsc#1185441, bsc#1187071)
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
  the size of MokListXRT (bsc#1185261)
  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)
- Update the SLE signatures (sync shim.changes from SLE)
sudo
- Fix CVE-2023-28486, sudo does not escape control characters in
  log messages, (CVE-2023-28486, bsc#1209362)
  * Add sudo-CVE-2023-28486.patch
- Fix CVE-2023-28487, sudo does not escape control characters in
  sudoreplay output (CVE-2023-28487, bsc#1209361)
- sudo-dont-enable-read-after-pty_finish.patch
  * bsc#1203201
  * Do not re-enable the reader when flushing the buffers as part
    of pty_finish().
  * While sudo-observe-SIGCHLD patch applied earlier prevents a
    race condition from happening, this fixes a related buffer hang.
- Added sudo-fix_NULL_deref_RunAs.patch
  * bsc#1206483
  * Fix a situation where "/sudo -U otheruser -l"/ would dereference
    a NULL pointer.
supportutils-plugin-suse-public-cloud
- Update to version 1.0.7 (bsc#1209026)
  + Include information about the cached registration data
  + Collect the data that is sent to the update infrastructure during
    registration
systemd-presets-common-SUSE
- Enable systemd-pstore.service by default (jsc#PED-2663)
timezone
- timezone update 2023c:
  * Revert changes made in 2023b
- timezone update 2023b:
  * Lebanon delays the start of DST this year.
- timezone update 2023a:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
- Refresh tzdata-china.diff
util-linux
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
util-linux-systemd
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
vim
- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
  * Make xxd conflicting the previous vim packages
- Updated to version 9.0 with patch level 1443, fixes the following security problems
  * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
  * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
  * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
  remove during %prep anyway. And this breaks quilt setup.
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443
- Updated to version 9.0 with patch level 1386, fixes the following security problems
  * Fixing bsc#1207780 - (CVE-2023-0512) VUL-0: CVE-2023-0512: vim: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247
  * Fixing bsc#1208957 - (CVE-2023-1175) VUL-0: CVE-2023-1175: vim: Incorrect Calculation of Buffer Size
  * Fixing bsc#1208959 - (CVE-2023-1170) VUL-0: CVE-2023-1170: vim: Heap-based Buffer Overflow in vim prior to 9.0.1376
  * Fixing bsc#1208828 - (CVE-2023-1127) VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
xen
- bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus
  log-dirty mode use-after-free (XSA-427)
  xsa427.patch
- bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM
  pinned cache attributes mis-handling (XSA-428)
  xsa428-1.patch
  xsa428-2.patch
- bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative
  vulnerability in 32bit SYSCALL path (XSA-429)
  xsa429.patch
zlib
- Fix deflateBound() before deflateInit(), bsc#1210593
  bsc1210593.patch
- Add DFLTCC support for using inflate() with a small window,
  fixes bsc#1206513
  * bsc1206513.patch
zstd
- Fix CVE-2022-4899, bsc#1209533
  * Disallow empty --output-dir-flat=
- Added patch:
  * Disallow-empty-output-directory.patch
zypper
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority (fixes #480)
- version 1.14.60
- BuildRequires:  libzypp-devel >= 17.31.7.
- Provide "/removeptf"/ command (bsc#1203249)
  A remove command which prefers replacing dependant packages to
  removing them as well.
  A PTF is typically removed as soon as the fix it provides is
  applied to the latest official update of the dependant packages.
  But you don't want the dependant packages to be removed together
  with the PTF, which is what the remove command would do. The
  removeptf command however will aim to replace the dependant
  packages by their official update versions.
- patterns: Avoid dispylaing superfluous @System entries
  (bsc#1205570)
- version 1.14.59
- Update man page and explain '.no_auto_prune' (bsc#1204956)
- Allow to (re)add a service with the same URL (bsc#1203715)
- Explain outdatedness of repos (fixes #463)
- BuildRequires:  libzypp-devel >= 17.31.5
- version 1.14.58