aaa_base
- Add patch git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  * respect /etc/update-alternatives/java when setting JAVA_HOME
    (bsc#1215434,bsc#1107342)
containerd
- Update to containerd v1.7.7. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
  + 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323

- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages
curl
- Security fixes:
  * [bsc#1215888, CVE-2023-38545] SOCKS5 heap buffer overflow
  * [bsc#1215889, CVE-2023-38546] Cookie injection with none file
  * Add curl-CVE-2023-38545.patch curl-CVE-2023-38546.patch
glibc
- dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to
  page size (bsc#1215891, BZ #28676)

- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
  continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)
grub2
- Fix CVE-2023-4692 (bsc#1215935)
- Fix CVE-2023-4693 (bsc#1215936)
  * 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
  * 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
  * 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
  * 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
  * 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
  * 0006-fs-ntfs-Make-code-more-readable.patch
- Bump upstream SBAT generation to 4

- Fix a boot delay regression in PowerPC PXE boot (bsc#1201300)
  * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
kernel-default
- scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes
  bsc#1215941).
- commit a62865f

- net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194
  bsc#1215861).
- commit 55308cb

- netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193
  bsc#1215860).
- commit 5ec24b7

- netfilter: xt_u32: validate user space input (CVE-2023-39192
  bsc#1215858).
- commit 292c059

- ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754
  bsc#1215467).
- commit ad87dd3

- KVM: s390: pv: fix external interruption loop not always
  detected (git-fixes bsc#1215916).
- commit f1893aa

- btrfs: fix root ref counts in error handling in
  btrfs_get_root_ref (bsc#1214351 CVE-2023-4389).
- commit 3731029

- KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
  (git-fixes bsc#1215915).
- commit fe7fbfc

- KVM: s390/diag: fix racy access of physical cpu number in diag
  9c handler (git-fixes bsc#1215911).
- commit 6454286

- fs/smb/client: Reset password pointer to NULL (bsc#1215899
  CVE-2023-5345).
- commit 679511d

- blacklist.conf: kABi breakage (vmalloc)
- commit 10bad47

- KVM: s390: interrupt: use READ_ONCE() before cmpxchg()
  (git-fixes bsc#1215896).
- commit 8726736

- KVM: s390: vsie: fix the length of APCB bitmap (git-fixes
  bsc#1215895).
- commit 9ff1a1e

- KVM: s390: vsie: Fix the initialization of the epoch extension
  (epdx) field (git-fixes bsc#1215894).
- commit 9c5bbd7

- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro
  for ip_set_hash_netportnet.c (CVE-2023-42753 bsc#1215150).
- commit 7a6be79

- tcp: Reduce chance of collisions in inet6_hashfn()
  (CVE-2023-1206 bsc#1212703).
- commit e3ebd17

- blacklist.conf: workqueue: compiler warning on 32-bit systems with
  Clang (bsc#1215877)
- commit b7e65aa

- blacklist.conf: workqueue: Code refactoring
- commit e204334

- blacklist.conf: printk: the changes look good but they do not fix
  any serious problem
- commit c560ceb

- printk: ringbuffer: Fix truncating buffer size min_t cast
  (bsc#1215875).
- commit e0d3999

- scsi: storvsc: Handle additional SRB status values (git-fixes).
- commit d1a5f2f

- scsi: qedf: Add synchronization between I/O completions and
  abort (bsc#1210658).
- commit 96a8c32

- gve: fix frag_list chaining (bsc#1214479).
- gve: RX path for DQO-QPL (bsc#1214479).
- gve: Tx path for DQO-QPL (bsc#1214479).
- gve: Control path for DQO-QPL (bsc#1214479).
- gve: trivial spell fix Recive to Receive (bsc#1214479).
- gve: use vmalloc_array and vcalloc (bsc#1214479).
- gve: Unify duplicate GQ min pkt desc size constants
  (bsc#1214479).
- gve: Add AF_XDP zero-copy support for GQI-QPL format
  (bsc#1214479).
- gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
- gve: Add XDP DROP and TX support for GQI-QPL format
  (bsc#1214479).
- gve: Changes to add new TX queues (bsc#1214479).
- gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
- gve: Fix gve interrupt names (bsc#1214479).
- commit 4dd2d8d

- net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921
  bsc#1215275).
- commit 9408063

- fs: no need to check source (bsc#1215752).
- commit 1a42abf

- Refresh
  patches.suse/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
  (git-fixes)
  Alt-commit
- commit f8178cd

- Refresh
  patches.suse/drm-amd-display-check-attr-flag-before-set-cursor-de.patch
  (git-fixes)
  Alt-commit
- commit f507792

- Refresh
  patches.suse/drm-amdgpu-Fix-vram-recover-doesn-t-work-after-whole.patch
  (git-fixes)
  Alt-commit
- commit 38e2a92

- Refresh
  patches.suse/drm-amdgpu-add-a-missing-lock-for-AMDGPU_SCHED.patch
  (git-fixes)
  Alt-commit
- commit 2ecd3e8

- Refresh
  patches.suse/drm-amd-display-fix-flickering-caused-by-S-G-mode.patch
  (git-fixes)
  Alt-commit
- commit 33e82b2

- Refresh
  patches.suse/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch
  (git-fixes)
  Alt-commit
- commit 4c21b50

- SUNRPC: Mark the cred for revalidation if the server rejects it
  (git-fixes).
- NFS/pNFS: Report EINVAL errors from connect() to the server
  (git-fixes).
- nfsd: fix change_info in NFSv4 RENAME replies (git-fixes).
- pNFS: Fix assignment of xprtdata.cred (git-fixes).
- NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
- NFS: Guard against READDIR loop when entry names exceed
  MAXNAMELEN (git-fixes).
- nfs/blocklayout: Use the passed in gfp flags (git-fixes).
- NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
  (git-fixes).
- NFSD: da_addr_body field missing in some GETDEVICEINFO replies
  (git-fixes).
- fs: lockd: avoid possible wrong NULL parameter (git-fixes).
- nfsd: Fix race to FREE_STATEID and cl_revoked (git-fixes).
- xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
- NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
- NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
- NFSv4: Fix dropped lock for racing OPEN and delegation return
  (git-fixes).
- commit 087b1c4

- uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
- commit 68da368

- usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
- commit bd8b5cf

- usb: ehci: add workaround for chipidea PORTSC.PEC bug
  (git-fixes).
- commit a447793

- net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
- commit 613dba7

- kernel-binary: Move build-time definitions together
  Move source list and build architecture to buildrequires to aid in
  future reorganization of the spec template.
- commit 30e2cef

- net: mana: Add page pool for RX buffers (bsc#1214040).
- bnx2x: new flag for track HW resource allocation (bsc#1202845
  bsc#1215322).
- commit 0f79d4d

- blacklist.conf: Ignore redundant patch
- commit 6d0ecfc

- powerpc/fadump: make is_kdump_kernel() return false when fadump
  is active (bsc#1212639 ltc#202582).
- vmcore: remove dependency with is_kdump_kernel() for exporting
  vmcore (bsc#1212639 ltc#202582).
- commit a5cc68e

- x86/srso: Fix srso_show_state() side effect (git-fixes).
- commit 619e525

- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- commit 5e42be0

- x86/srso: Don't probe microcode in a guest (git-fixes).
- commit 74b567d

- x86/srso: Set CPUID feature bits independently of bug or mitigation  status (git-fixes).
- commit c6caed4

- platform/x86: intel_scu_ipc: Fail IPC send if still busy
  (git-fixes).
- platform/x86: intel_scu_ipc: Don't override scu in
  intel_scu_ipc_dev_simple_command() (git-fixes).
- platform/x86: intel_scu_ipc: Check status upon timeout in
  ipc_wait_for_interrupt() (git-fixes).
- platform/x86: intel_scu_ipc: Check status after timeout in
  busy_loop() (git-fixes).
- ASoC: imx-audmix: Fix return error with devm_clk_get()
  (git-fixes).
- ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
  (git-fixes).
- ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
  (git-fixes).
- ASoC: meson: spdifin: start hw on dai probe (git-fixes).
- ALSA: hda/realtek: Splitting the UX3402 into two separate models
  (git-fixes).
- commit 5e7ab5c

- Update
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch.
  (bsc#1207036 CVE-2023-23454)
  Fold downstream fixup of caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12.
- commit 6635291

- scsi: lpfc: Prevent use-after-free during rmmod with mapped
  NVMe rports (git-fixes).
- scsi: lpfc: Early return after marking final NLP_DROPPED flag
  in dev_loss_tmo (git-fixes).
- scsi: lpfc: Fix the NULL vs IS_ERR() bug for
  debugfs_create_file() (git-fixes).
- commit 39e6404

- scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
  (git-fixes).
- scsi: qla2xxx: Use raw_smp_processor_id() instead of
  smp_processor_id() (git-fixes).
- commit 2981c3a

- fuse: nlookup missing decrement in fuse_direntplus_link
  (bsc#1215581).
- commit 7cedbed

- Drop amdgpu patch causing spamming (bsc#1215523)
  Deleted:
  patches.suse/drm-amdgpu-install-stub-fence-into-potential-unused-.patch.
- commit 2cab595

- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- commit cc9aa11

- USB: core: Change usb_get_device_descriptor() API (bsc#1213123
  CVE-2023-37453 bsc#1215553 bsc#1215522 bsc#1215552).
  Refresh patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch (add missing hunk)
  Refresh patches.suse/USB-core-Fix-oversight-in-SuperSpeed-initialization.patch (context)
- commit 6271d90

- virtio-net: set queues after driver_ok (git-fixes).
- commit a8caba5

- vhost: handle error while adding split ranges to iotlb
  (git-fixes).
- commit 059dc93

- vhost: allow batching hint without size (git-fixes).
- commit 8c5d403

- kernel-binary: python3 is needed for build
  At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18
  Other simimlar scripts may exist.
- commit c882efa

- KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
- commit e049205

- KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues
  (git-fixes).
- commit fced801

- blacklist.conf: add b439eb8ab57855, as prereq patch is missing
- commit 7f6a95d

- vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
- commit 5c68686

- iommu/virtio: Detach domain on endpoint release (git-fixes).
- commit b648ef9

- vhost-scsi: unbreak any layout for response (git-fixes).
- commit 374c9ef

- drm/virtio: Use appropriate atomic state in
  virtio_gpu_plane_cleanup_fb() (git-fixes).
- commit 491eae6

- drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
  (git-fixes).
- commit e8e33de

- virtio-net: fix race between set queues and probe (git-fixes).
- commit 1089568

- virtio_net: Fix probe failed when modprobe virtio_net
  (git-fixes).
- commit 5915735

- virtio_net: add checking sq is full inside xdp xmit (git-fixes).
- commit 87c00dd

- virtio_net: separate the logic of checking whether sq is full
  (git-fixes).
- commit 7064a0d

- virtio_net: reorder some funcs (git-fixes).
- commit 4f7fbb1

- nvme-auth: use chap->s2 to indicate bidirectional authentication
  (bsc#1214543).
- commit 41ae88c

- module: Expose module_init_layout_section() (git-fixes)
- commit 54615cb

- arm64: tegra: Update AHUB clock parent and rate (git-fixes)
- commit d3da4d8

- arm64: module: Use module_init_layout_section() to spot init sections (git-fixes)
- commit f80791e

- arm64: sdei: abort running SDEI handlers during crash (git-fixes)
- commit ec53ad3

- virtio: acknowledge all features before access (git-fixes).
- commit 4e146ad

- hwrng: virtio - Fix race on data_avail and actual data
  (git-fixes).
- commit 6d20bd3

- virtio-rng: make device ready before making request (git-fixes).
- commit c09ce65

- vhost: fix hung thread due to erroneous iotlb entries
  (git-fixes).
- commit cc76cf8

- arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-fixes)
- commit 89467e1

- arm64: module-plts: inline linux/moduleloader.h (git-fixes)
- commit afca04d

- hwrng: virtio - always add a pending request (git-fixes).
- commit 912363c

- hwrng: virtio - don't waste entropy (git-fixes).
- commit 4771c4e

- hwrng: virtio - don't wait on cleanup (git-fixes).
- commit e9188eb

- af_unix: Fix null-ptr-deref in unix_stream_sendpage()
  (CVE-2023-4622 bsc#1215117).
- commit a6ce336

- hwrng: virtio - add an internal buffer (git-fixes).
- commit 477109e

- net/sched: sch_hfsc: Ensure inner classes have fsc curve
  (CVE-2023-4623 bsc#1215115).
- commit 72e753f

- virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
  (git-fixes).
- commit 60546dd

- net: do not allow gso_size to be set to GSO_BY_FRAGS
  (git-fixes).
- commit b96a7ad

- virtio-mmio: don't break lifecycle of vm_dev (git-fixes).
- commit 45da2ea

- KVM: SEV: remove ghcb variable declarations (CVE-2023-4155
  bsc#1214022).
- KVM: SEV: only access GHCB fields once (CVE-2023-4155
  bsc#1214022).
- KVM: SEV: snapshot the GHCB before accessing it (CVE-2023-4155
  bsc#1214022).
- commit f5b3d4d

- xen: remove a confusing comment on auto-translated guest I/O
  (git-fixes).
- commit 80c5d27

- x86/PVH: avoid 32-bit build warning when obtaining VGA console
  info (git-fixes).
- commit 8d6614d

- blacklist.conf: Append 'Revert "fbcon: Use kzalloc() in fbcon_prepare_logo()"'
- commit 501bd2e

- blacklist.conf: Append 'video/aperture: Only remove sysfb on the default vga pci device'
- commit bfaaaff

- blacklist.conf: Append 'parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()'
- commit 30a9db6

- blacklist.conf: Append 'parisc/agp: Annotate parisc agp init functions with __init'
- commit 9eb45cc

- ata: libata: disallow dev-initiated LPM transitions to
  unsupported states (git-fixes).
- i2c: aspeed: Reset the i2c controller when timeout occurs
  (git-fixes).
- selftests: tracing: Fix to unmount tracefs for recovering
  environment (git-fixes).
- drm/amd/display: fix the white screen issue when >= 64GB DRAM
  (git-fixes).
- drm: gm12u320: Fix the timeout usage for usb_bulk_msg()
  (git-fixes).
- commit 1f4e814

- btrfs: don't hold CPU for too long when defragging a file
  (bsc#1214988).
- commit 9b89645

- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
  to race condition (bsc#1215206, CVE-2023-1859).
- commit f333aa7

- netfilter: nftables: exthdr: fix 4-byte stack OOB write
  (CVE-2023-4881 bsc#1215221).
- commit 0de26c1

- sctp: leave the err path free in sctp_stream_init to
  sctp_stream_free (CVE-2023-2177 bsc#1210643).
- commit 337b7d8

- platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
  (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
  (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more
  descriptors (git-fixes).
- kselftest/runner.sh: Propagate SIGTERM to runner child
  (git-fixes).
- commit 495d04f

- Delete patches.suse/genksyms-add-override-flag.diff.
  Unncessary after KBUILD_OVERRIDE removed.
- commit 870adc7

- x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635).
- commit 834e1c2

- jbd2: restore t_checkpoint_io_list to maintain kABI
  (bsc#1214946).
- commit 1a1980a

- rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1
  Genksyms has functionality to specify an override for each type in
  a symtypes reference file. This override is then used instead of an
  actual type and allows to preserve modversions (CRCs) of symbols that
  reference the type. It is kind of an alternative to doing kABI fix-ups
  with '#ifndef __GENKSYMS__'. The functionality is hidden behind the
  genksyms --preserve option which primarily tells the tool to strictly
  verify modversions against a given reference file or fail.
  Downstream patch patches.suse/genksyms-add-override-flag.diff which is
  present in various kernel-source branches separates the override logic.
  It allows it to be enabled with a new --override flag and used without
  specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec
  file is then a way how the build is told that --override should be
  passed to all invocations of genksyms. This was needed for SUSE kernels
  because their build doesn't use --preserve but instead resulting CRCs
  are later checked by scripts/kabi.pl.
  However, this override functionality was not utilized much in practice
  and the only use currently to be found is in SLE11-SP1-LTSS. It means
  that no one should miss this option and KBUILD_OVERRIDE=1 together with
  patches.suse/genksyms-add-override-flag.diff can be removed.
  Notes for maintainers merging this commit to their branches:
  * Downstream patch patches.suse/genksyms-add-override-flag.diff can be
  dropped after merging this commit.
  * Branch SLE11-SP1-LTSS uses the mentioned override functionality and
  this commit should not be merged to it, or needs to be reverted
  afterwards.
- commit 4aa02b8

- drm/display: Don't assume dual mode adaptors support i2c
  sub-addressing (bsc#1213808).
- commit 9c64306

- blacklist.conf: Add ef73dcaa3121 ("powerpc: xmon: remove unused variables")
- commit 78179fa

- powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
  (bsc#1065729).
- powerpc/xics: Remove unnecessary endian conversion
  (bsc#1065729).
- word-at-a-time: use the same return type for has_zero regardless
  of endianness (bsc#1065729).
- commit bde8063

- mlx4: Delete custom device management logic (bsc#1187236).
- mlx4: Connect the infiniband part to the auxiliary bus
  (bsc#1187236).
- mlx4: Connect the ethernet part to the auxiliary bus
  (bsc#1187236).
- mlx4: Register mlx4 devices to an auxiliary virtual bus
  (bsc#1187236).
- mlx4: Avoid resetting MLX4_INTFF_BONDING per driver
  (bsc#1187236).
- mlx4: Move the bond work to the core driver (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.activate callback
  (bsc#1187236).
- mlx4: Replace the mlx4_interface.event callback with a notifier
  (bsc#1187236).
- commit 0aba257

- mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
  (bsc#1187236).
- mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.get_dev callback
  (bsc#1187236).
- net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
- kabi/severities: ignore mlx4 internal symbols
- tracing: Fix race issue between cpu buffer write and swap
  (git-fixes).
- tracing: Remove extra space at the end of hwlat_detector/mode
  (git-fixes).
- tracing: Remove unnecessary copying of tr->current_trace
  (git-fixes).
- bpf: Clear the probe_addr for uprobe (git-fixes).
- commit 47e9584

- x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-fixes).
- commit 74c2613

- x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
- commit a8877f3

- x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register (git-fixes).
- commit 670fb4d

- x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
- commit 9871c87

- x86/reboot: Disable virtualization in an emergency if SVM is supported (git-fixes).
- commit 3949a2b

- x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
- commit 4534667

- x86/sgx: Reduce delay and interference of enclave release (git-fixes).
- commit ef6d157

- x86/rtc: Remove __init for runtime functions (git-fixes).
- commit 4511d93

- x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
- commit cb39678

- x86/mce: Retrieve poison range from hardware (git-fixes).
- commit c9f1ddb

- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- commit 96d9365

- x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
- commit 12a2933

- x86/resctl: fix scheduler confusion with 'current' (git-fixes).
- commit 0d855b9

- x86/purgatory: remove PGO flags (git-fixes).
- commit 9d8ada6

- x86/ioapic: Don't return 0 from arch_dynirq_lower_bound() (git-fixes).
- commit ea0772f

- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
- commit c1031f1

- x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-fixes).
- commit bbfad26

- x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
- commit bf6d064

- x86/cpu: Add Lunar Lake M (git-fixes).
- commit 7ecc64d

- x86/bugs: Reset speculation control settings on init (git-fixes).
- commit 2a6dd8e

- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- commit ac06968

- x86/alternative: Fix race in try_get_desc() (git-fixes).
- commit d841323

- uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
- commit 11f0960

- KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
- commit cae635f

- KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-fixes).
- commit 2a03ef8

- Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
  (git-fixes).
- PCI: Free released resource after coalescing (git-fixes).
- ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
- ntb: Drop packets when qp link is down (git-fixes).
- ntb: Clean up tx tail index on link down (git-fixes).
- idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
- commit a1c9c68

- ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42
  codecs (git-fixes).
- arm64: csum: Fix OoB access in IP checksum code for negative
  lengths (git-fixes).
- commit f43b75b

- patches.suse/ovl-remove-privs-in-ovl_copyfile.patch:(git-fixes).
- commit daa1815

- s390/qeth: Don't call dev_close/dev_open (DOWN/UP) (bsc#1214873
  git-fixes).
- commit b0dc76c

- nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
- nvme-tcp: delay error recovery until the next KATO interval
  (bsc#1201284).
- nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
- nvme-tcp: Do not terminate commands when in RESETTING
  (bsc#1201284).
- commit 96ee377

- s390/zcrypt: don't leak memory if dev_set_name() fails
  (git-fixes bsc#1215148).
- commit 62bce52

- drm/amd/display: prevent potential division by zero errors
  (git-fixes).
- drm/i915: mark requests for GuC virtual engines to avoid
  use-after-free (git-fixes).
- net: phy: micrel: Correct bit assignments for phy_device flags
  (git-fixes).
- pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
- i3c: master: svc: fix probe failure when no i3c device exist
  (git-fixes).
- drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
  (git-fixes).
- commit 3aa0807

- blacklist.conf: kABI
- commit fe6afec

- blacklist.conf: kABI
- commit b1fabe7

- blacklist.conf: kABI
- commit c50e08f

- Input: tca6416-keypad - fix interrupt enable disbalance
  (git-fixes).
- commit de27518

- fs: do not update freeing inode i_io_list (bsc#1214813).
- fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
  (bsc#1214813).
- commit 2c1c38b

- watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
  (git-fixes).
- backlight: gpio_backlight: Drop output GPIO direction check
  for initial power state (git-fixes).
- USB: serial: option: add FOXCONN T99W368/T99W373 product
  (git-fixes).
- USB: serial: option: add Quectel EM05G variant (0x030e)
  (git-fixes).
- tcpm: Avoid soft reset when partner does not support get_status
  (git-fixes).
- usb: typec: tcpci: clear the fault status bit (git-fixes).
- ARM: pxa: remove use of symbol_get() (git-fixes).
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to race condition (git-fixes).
- usb: typec: tcpci: move tcpci.h to include/linux/usb/
  (git-fixes).
- commit 72d5b0f

- blacklist.conf: add git-fix to ignore
  this one removes unused kABI functions, but
  just leave them in
- commit 8007015

- scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
- commit 1ed2b1b

- blacklist.conf: 9011e49d54dc ("modules: only allow symbol_get of
  EXPORT_SYMBOL_GPL modules") is not really fixing any existing bug.
- commit 550f5fc

- Move upstreamed pinctrl patch into sorted section
- commit 38f70f2

- Update References tag
  patches.suse/Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_sock_rea.patch
  (git-fixes bsc#1214233 CVE-2023-40283).
- commit 731b49d

- ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
- ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
- ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
- kconfig: fix possible buffer overflow (git-fixes).
- commit 4a140a1

- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- commit ac82be8

- Refresh sorted section
- commit a6fbcee

- netfilter: nf_tables: use correct lock to protect gc_list
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: GC transaction race with abort path
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: GC transaction race with netns dismantle
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: fix GC transaction races with netns and
  netlink event exit path (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: fix kdoc warnings after gc rework
  (CVE-2023-4563 bsc#1214727).
- refresh
  - patches.kabi/kabi-hide-changes-in-struct-nft_set.patch
- kabi: hide changes in struct nft_set (CVE-2023-4563
  bsc#1214727).
- netfilter: nf_tables: GC transaction API to avoid race with
  control plane (CVE-2023-4563 bsc#1214727).
- commit cfed41c

- quota: add new helper dquot_active() (bsc#1214998).
- commit 26cc2da

- quota: rename dquot_active() to inode_quota_active()
  (bsc#1214997).
- commit c4d7e83

- quota: factor out dquot_write_dquot() (bsc#1214995).
- commit 40e5ccd
libeconf
- Additional info for version 0.5.2:
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078)
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078)

- Update to version 0.5.2:
  * Fixed build for aarch64 and gcc13.
  * Making the output verbose when a test fails.
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function.
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function.
  * Added new feature: econf_set_conf_dirs (const char **dir_postfix_list)
    Sets a list of directory structures (with order) which describes
    the directories in which the files have to be parsed.
    E.G. with the given list: {"/conf.d/", ".d/", "/", NULL} files in following
    directories will be parsed:
    "<default_dirs>/<project_name>.<suffix>.d/"
    "<default_dirs>/<project_name>/conf.d/"
    "<default_dirs>/<project_name>.d/"
    "<default_dirs>/<project_name>/"
    The entry "<default_dirs>/<project_name>.<suffix>.d/" will be added
    automatically.
  * General code cleanup.

- Update to version 0.5.1:
  * Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
    there is a /etc/_example_._suffix_ file. (#175)

- Update to version 0.5.0:
  * API calls econf_read*WithCallback supporting a general (void *)
    argument for user defined data with which the callback function is
    called.
  * Tagged following functions deprecated:
    econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks, econf_reset_security_settings
    Use one of the econf_read*WithCallback functions instead.

- Update to version 0.4.9:
  * libeconf.h: added missing sys/types.h header (#171)
  * new API calls: econf_readFileWithCallback,
    econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172)
  * Checking NULL comment parameter in the parsing functions.

- Update to version 0.4.8+git20221114.7ff7704:
  * Parsing files which are containing keys only (#170)
    All delimiters are allowed now : "", " =", " ", "=". But the
    user should use "" in order to be distinct.
  * /usr/etc/shells.d/<file_name> will not be parsed if
    /etc/shells.d/<file_name> is defined too.
  * Lto build fixed (#168)
  * New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag,
    econf_set_delimiter_tag
  * Checking UID,GroupID, permissions,... of the parsed files (#165)
    New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks
  * Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164)
  * Error handling improved for nums and booleans (#163)
nghttp2
- security update
- added patches
  fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
  + nghttp2-CVE-2023-44487.patch

- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
  sent, and nghttp2_on_stream_close_callback fails with a fatal error.
  [CVE-2023-35945 bsc#1215713]
  + nghttp2-CVE-2023-35945.patch
openssl-1_1
- Displays "fips" in the version string (bsc#1215215)
  * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
zlib
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
  overflow in zipOpenNewFileInZip4_6, bsc#1216378
  * CVE-2023-45853.patch
zchunk
- Fix CVE-2023-46228, bsc#1216268
  * Handle overflow errors in malformed zchunk files.
- Added patch:
  * CVE-2023-46228.patch
shadow
- bsc#1214806 (CVE-2023-4641):
  Fix potential password leak
- Add shadow-CVE-2023-4641.patch
python-urllib3
- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
  gh#urllib3/urllib3#3139
  * Added the Cookie header to the list of headers to strip from
    requests when redirecting to a different host. As before,
    different headers can be set via Retry.remove_headers_on_redirect.
runc
- Update to runc v1.1.9. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.9>.

- Update to runc v1.1.8. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
samba
- CVE-2023-4091: samba: Client can truncate file with read-only
  permissions; (bsc#1215904); (bso#15439).
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
  allows blocking sleep on request; (bso#1215905); (bso#15474).
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
  "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
  (bsc#1215908); (bso#15424).

- Move libcluster-samba4.so from samba-libs to samba-client-libs;
  (bsc#1213940);
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
suse-module-tools
- Update to version 15.4.18:
  * blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559)
  * modprobe.d: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)
  (note: this is not a full fix for that CVE)

- Update to version 15.4.17:
  * cert-script: warn only once about non-writable efivarfs
  * cert-script: skip cert handling if efivarfs is not writable
    (bsc#1213428, bsc#1201066)
systemd-rpm-macros
- Bump version to 14

- Switch to `systemd-hwdb` tool when updating the HW database. It's been
  introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.
vim
- Updated to version 9.0 with patch level 1894, fixes the following security problems
  * Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both
  * Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c
  * Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand
  * Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos
  * Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp
  * Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both
- drop patches: disable-unreliable-tests.patch
    ignore-flaky-test-failure.patch
    vim-8.1.0297-dump3.patch
- droped %check - most of tests didn't work correctly in OBS
    and maitenace burden of this was getting too big
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894

- Use app icon generated from vimlogo.eps in source tarball; add
  higher res icons of sizes 128, 256, and 512px as png sources.
  Our current icons deviate from upstream flatpaks for example.
- Updated to version 9.0 with patch level 1632
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1443...v9.0.1632
zypper
- Fix name of the bash completion script (bsc#1215007)
  In 1.14.63 the location of the bash completion script was changed
  to /usr/share/bash-completion/completions/. But the patch failed
  to also rename the completion script. The original script name
  zypper.sh is not recognized at the new location.
- Update notes about failing signature checks (bsc#1214395)
  It might be a transient issue if the server is in the midst of
  receiving new data. Retry after a few minutes might work.
- Improve the SIGINT handler to be signal safe (bsc#1214292)
  This patch updates the SIGINT handling strategy to be signal
  safe. Meaning the signal handler will do not much more than
  setting a flag, which we are going to check in the normal program
  flow as much as possible.
- version 1.14.64