crypto-policies
- Make the supported versions change in the update-crypto-policies(8)
  man page persistent [bsc#1209998].
  * Add patch crypto-policies-supported.patch
  * Rebase patches:
  - crypto-policies-asciidoc.patch
  - crypto-policies-no-build-manpages.patch

- FIPS: Adapt the fips-mode-setup script to use the pbl command
  from the perl-Bootloader package to replace grubby. Add a note
  for transactional systems. Ship the man 8 pages for
  fips-mode-setup and fips-finish-install [jsc#PED-5041].
  * Rebase crypto-policies-FIPS.patch

- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
  and fips-finish-install commands, add also the man pages.
  * Adapt the fips-mode-setup script for SLE [jsc#PED-5041]
  * Rebase crypto-policies-FIPS.patch
  * Simplify the man pages creation:
  - Rebase crypto-policies-no-build-manpages.patch
  - Add crypto-policies-asciidoc.patch
grub2
- Fix failure to identify recent ext4 filesystem (bsc#1216010)
  * 0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch
  * 0001-fs-ext2-Ignore-the-large_dir-incompat-feature.patch
- Add patch to fix reading files from btrfs with "implicit" holes
  * 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch

- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
  * 0001-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch

- Fix detection of encrypted disk's uuid in powerpc to cope with logical disks
  when signed image installation is specified (bsc#1216075)
  * 0003-grub-install-support-prep-environment-block.patch
- grub2.spec: Add support to unlocking multiple encrypted disks in signed
  grub.elf image for logical disks
kernel-default
- netfilter: nf_tables: skip bound chain on rule flush
  (bsc#1215095 CVE-2023-3777).
- commit afb7c25

- Update
  patches.suse/0001-x86-sev-Disable-MMIO-emulation-from-user-mode.patch
  (bsc#1212649 CVE-2023-46813).
- Update
  patches.suse/0002-x86-sev-Check-IOBM-for-IOIO-exceptions-from-user-spa.patch
  (bsc#1212649 CVE-2023-46813).
- Update
  patches.suse/0003-x86-sev-Check-for-user-space-IOIO-pointing-to-kernel.patch
  (bsc#1212649 CVE-2023-46813).
- commit dd6a315

- quota: Fix slow quotaoff (bsc#1216621).
- commit 988e5f4

- x86/sev: Check for user-space IOIO pointing to kernel space
  (bsc#1212649).
- commit 816f817

- x86/sev: Check IOBM for IOIO exceptions from user-space
  (bsc#1212649).
- commit 2b69036

- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- commit 5dae47e

- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
  (git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch
  (git-fixes).
- platform/surface: platform_profile: Propagate error if profile
  registration fails (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c
  events (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from
  0x20 to 0x2e (git-fixes).
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
  (git-fixes).
- USB: serial: option: add entry for Sierra EM9191 with new
  firmware (git-fixes).
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
  (git-fixes).
- mmc: core: Capture correct oemid-bits for eMMC cards
  (git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad
  HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  (git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: Reject connection with the device which has same
  BD_ADDR (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
  (git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S
  (git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device
  (git-fixes).
- HID: holtek: fix slab-out-of-bounds Write in
  holtek_kbd_input_event (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted
  key (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
  (git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- i2c: mux: Avoid potential false error message in
  i2c_mux_add_adapter (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock
  (git-fixes).
- commit b480af6

- nvme-fc: Prevent null pointer dereference in
  nvme_fc_io_getuuid() (bsc#1214842).
- commit 3b513db

- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
  bsc#1210778).
- commit 86e05f1

- Update
  patches.suse/USB-ene_usb6250-Allocate-enough-memory-for-full-obje.patch
  (bsc#1216051 CVE-2023-45862).
  Retroactively recognized as a security issue
- commit 716929e

- KVM: s390: fix gisa destroy operation might lead to cpu stalls
  (git-fixes bsc#1216512).
- commit 3976fa9

- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- commit 2bb6835

- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes
  bsc#1216510).
- commit d475feb

- ACPI: irq: Fix incorrect return value in acpi_register_gsi()
  (git-fixes).
- Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
  (git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure
  (git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are
  successful (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are
  successful (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status
  (git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are
  successful (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
  (git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode
  (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe
  errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
  (git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling
  (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers
  (git-fixes).
- commit 766bf5d

- net/sched: fix netdevice reference leaks in
  attach_default_qdiscs() (git-fixes).
- commit 31c27cf

- net: sched: add barrier to fix packet stuck problem for lockless
  qdisc (bsc#1216345).
- commit 508758e

- net: sched: fixed barrier to prevent skbuff sticking in qdisc
  backlog (bsc#1216345).
- commit 839637c

- Fix metadata references
- commit 42e4c9a

- net: rfkill: gpio: prevent value glitch during probe
  (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
  (git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
  (git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn
  (git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in
  send_acknowledge() (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane
  bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with
  Intel Maple Ridge (git-fixes).
- Input: powermate - fix use-after-free in
  powermate_config_complete (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- Input: goodix - ensure int GPIO is in input for gpio_count ==
  1 && gpio_int_idx == 0 case (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
  (git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/amd/display: Don't set dpms_off for seamless boot
  (git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl()
  (git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
  (git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
  (git-fixes).
- commit e8f9edc

- sched/rt: Fix live lock between select_fallback_rq() and RT push
  (git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes
  (sched)).
- commit a2350c1

- blacklist.conf: Applies only to RCU tiny configurations
- commit 1d1726b

- blacklist.conf: Cosmetic change for !SMP configurations
- commit c9d6cc0

- blacklist.conf: KABI hazard, only backport in response to a customer bug to justify the complexity
- commit 96bc817

- sched/deadline,rt: Remove unused parameter from
  pick_next_[rt|dl]_entity() (git fixes (sched)).
- Refresh
  patches.suse/sched-rt-pick_next_rt_entity-check-list_entry.patch.
- commit d7f894e

- regmap: fix NULL deref on lookup (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting
  mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
  (git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
  (git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap
  call (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback
  (git-fixes).
- usb: musb: Modify the "HWVers" register address (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests
  (git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
  (git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK
  logic (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode
  (git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer
  (git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
  (git-fixes).
- dmaengine: idxd: use spin_lock_irqsave before
  wait_event_lock_irq (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid
  overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking
  (git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable
  (git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link
  training (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe
  (git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- commit 7f63276

- netfilter: nf_tables: unbind non-anonymous set if rule
  construction fails (git-fixes).
- commit b7f718b

- KVM: SVM: Don't kill SEV guest if SMAP erratum triggers in
  usermode (git-fixes).
- commit 5316d19

- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs
  is changed (git-fixes).
- commit 1d58a92

- vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
  (git-fixes).
- commit d4a31a2

- 9p: virtio: make sure 'offs' is initialized in zc_request
  (git-fixes).
- commit 66e7266

- Update config files: unset CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B
  for Arm
  Configuration option CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y is used
  only in the armv7hl + arm64 configurations and appears to be a relic
  from the update procedure in commit 98da1c5f42d ("SLE15-SP4: Update the
  base kernel version to 5.14.").
  Unset it because the option is intended for debugging, not really useful
  for production and makes the text size of vmlinux unnecessarily bigger
  by ~10%
- commit 4229357

- xen-netback: use default TX queue size for vifs (git-fixes).
- commit 84805af

- netfilter: nf_tables: skip immediate deactivate in
  _PREPARE_ERROR (CVE-2023-39193 bsc#1215860).
- commit 6c937af

- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- commit 0a3d3d4

- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with
  bound set/chain (git-fixes).
- commit 2e62a61

- Update metadata
- commit e780ccd

- net: usb: dm9601: fix uninitialized variable use in
  dm9601_mdio_read (git-fixes).
- commit 236df4a

- crypto: qat - fix crypto capability detection for 4xxx
  (PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree()
  (PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - set deprecated capabilities as reserved
  (PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h
  (PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc
  service (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - fix concurrency issue when device state changes
  (PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - Include algapi.h for low-level Crypto API
  (PED-6401).
- crypto: qat - drop log level of msg in get_instance_node()
  (PED-6401).
- Documentation: qat: change kernel version (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer'
  (PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe
  (PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- commit 3c119b1

- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- commit 555c311

- vmbus_testing: fix wrong python syntax for integer value
  comparison (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present
  CPUs (git-fixes).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc()
  fails (git-fixes).
- commit a15e7ae

- nvmet-tcp: Fix a possible UAF in queue intialization setup
  (bsc#1215768 CVE-2023-5178).
- commit b965ee1

- bpf: Fix incorrect verifier pruning due to missing register
  precision taints (bsc#1215518 CVE-2023-2163).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- commit 71da1d6

- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- commit 3666b58

- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
  xsa-441, cve-2023-34324).
- commit 291fb99

- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
  CVE-2023-39189).
- commit 77dc791

- blacklist.conf: the codebase changed too much to backport the patch
- commit 11474a7

- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- commit cf25442

- blk-cgroup: support to track if policy is online (bsc#1216062).
- commit 45c3300

- mm, memcg: reconsider kmem.limit_in_bytes deprecation
  (bsc#1208788 bsc#1213705).
- commit bdf774a

- Revert "Delete patches.suse/memcg-drop-kmem-limit_in_bytes.patch."
  This reverts commit 52c1db3eb4e2acbdd91aaaefddc26b7207cd4c90.
  It'll be fixed differently in a following commit.
  Restore the commit with upstream commit already for proper sorting.
- commit 8474b47

- blk-cgroup: Fix NULL deref caused by blkg_policy_data being
  installed before init (bsc#1216062).
- commit c2395af

- blacklist.conf: Add 82b90b6c5b38 cgroup:namespace: Remove unused cgroup_namespaces_init()
- commit 6f5ac45

- HID: sony: remove duplicate NULL check before calling
  usb_free_urb() (git-fixes).
- commit 7cd0962

- i2c: mux: gpio: Replace custom acpi_get_local_address()
  (git-fixes).
- commit ef5fd69

- gpio: aspeed: fix the GPIO number passed to
  pinctrl_gpio_set_config() (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
  (git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe()
  (git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
  (git-fixes).
- wifi: mwifiex: Fix oob check condition in
  mwifiex_process_rx_packet (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in
  __smsc75xx_read_reg (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when
  creating new node (git-fixes).
- nilfs2: fix potential use after free in
  nilfs_gccache_submit_read_data() (git-fixes).
- Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" (git-fixes).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- firmware: arm_ffa: Don't set the memory region attributes for
  MEM_LEND (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading
  registers (git-fixes).
- firmware: imx-dsp: Fix an error handling path in
  imx_dsp_setup_channels() (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in
  sysc_reset() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports
  (git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED
  OPERATION CODES (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
  (git-fixes).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property()
  (git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
  (git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of
  devm_kstrdup() (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path
  (git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
  (git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
  (git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo
  ThinkCentre M70q (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl
  (git-fixes).
- drm/amd/display: Don't check registers, if using AUX BL control
  (git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and
  RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte
  (git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not
  already running (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe
  (git-fixes).
- commit 22d41cc

- net: usb: smsc75xx: Fix uninit-value access in
  __smsc75xx_read_reg (git-fixes).
- commit 38bd5fc

- r8152: check budget for r8152_poll() (git-fixes).
- commit b4330ba

- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- commit 165e98e

- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- commit ad12009

- RDMA/mlx5: Fix NULL string error (git-fixes)
- commit 5556b81

- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- commit 8c4cdf4

- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- commit a7c580d

- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- commit 7e80897

- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- commit 6e18278

- RDMA/siw: Fix connection failure handling (git-fixes)
- commit 107f7c6

- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- commit ecb5c5e

- ring-buffer: Do not attempt to read past "commit" (git-fixes).
- commit ee556e0

- ring-buffer: Avoid softlockup in ring_buffer_resize()
  (git-fixes).
- commit bd7050f

- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- commit fda0bf6

- ring-buffer: Update "shortest_full" in polling (git-fixes).
- commit aad1d04

- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- commit 296da6c

- tracing: Have event inject files inc the trace array ref count
  (git-fixes).
- commit 817c093

- tracing: Have option files inc the trace array ref count
  (git-fixes).
- commit 921a48a

- tracing: Have current_trace inc the trace array ref count
  (git-fixes).
- commit 586ee6a

- tracing: Have tracing_max_latency inc the trace array ref count
  (git-fixes).
- commit 322c826

- tracing: Increase trace array ref count on enable and filter
  files (git-fixes).
- commit fa9da0d

- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- commit de7b87f

- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback
  support (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops
  callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops
  callback (bsc#1212423).
- commit b7a7693

- Update
  patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
  (bsc#1211592 CVE-2023-2860).
- commit 6e15654

- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7ac0d16

- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- commit 14aa242

- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956
  LTC#203788 bsc#1215957).
- commit a4355b3

- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem
  (bsc#1215955).
- commit 59f5010

- blacklist.conf: Add c0f78fd5edcf cgroup/cpuset: Iterate only if DEADLINE tasks are present
  ... and its prereqs
- commit a4ba12c

- blacklist.conf: Add 98dfdd9ee939 sched/psi: Select KERNFS as needed
- commit d326b7e

- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- commit 48235ff

- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- commit 237820b

- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 8ed20a4
avahi
- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
  byte long (bsc#1215947, CVE-2023-38470).

- Add avahi-CVE-2023-38473.patch: derive alternative host name from
  its unescaped version (bsc#1216419 CVE-2023-38473).
gcc13
- Add gcc13-bsc1216664.patch, works around SAP ASE DB crash during
  C++ standard library initialization.  [bsc#1216664]

- add pr111411.patch (bsc#1215427)
openssl-1_1
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
pciutils
- Apply "lspci-Fixed-buffer-overflows-in-ls-tree.c.patch" to fix a
  buffer overflow error that would cause lspci to crash on systems
  with complex topologies. [bsc#1215265]
- Add "pciutils.keyring" so that the tarball's signature can be
  verified at build time.
- Use "%license" tag instead of "%doc" to install the package's
  license file.
libtirpc
-  update to 1.3.4 (bsc#1199467)
  * binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
  * gss-api: expose gss major/minor error in authgss_refresh()
  * rpcb_clnt.c: Eliminate double frees in delete_cache()
  * rpcb_clnt.c: memory leak in destroy_addr
  * portmapper: allow TCP-only portmapper
  * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
  * clnt_raw.c: fix a possible null pointer dereference
  * bindresvport.c: fix a potential resource leakage
- update to 1.3.3 (bsc#1201680, CVE-2021-46828):
  * Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
  * _rpc_dtablesize: use portable system call
  * libtirpc: Fix use-after-free accessing the error number
  * Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
  * rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  * Eliminate deadlocks in connects with an MT environment
  * clnt_dg_freeres() uncleared set active state may deadlock
  * thread safe clnt destruction
  * SUNRPC: mutexed access blacklist_read state variable
  * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
- drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream)
- update to 1.3.2:
  * Replace the final SunRPC licenses with BSD licenses
  * blacklist: Add a few more well known ports
  * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
- Update to libtirpc 1.3.1
  * Remove AUTH_DES interfaces from auth_des.h
    The unsupported  AUTH_DES authentication has be
    compiled out since commit d918e41d889 (Wed Oct 9 2019)
    replaced by API routines that return errors.
  * svc_dg: Free xp_netid during destroy
  * Fix memory management issues of fd locks
  * libtirpc: replace array with list for per-fd locks
  * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
  * __rpc_dtbsize: rlim_cur instead of rlim_max
  * pkg-config: use the correct replacements for libdir/includedir
  Patches replaced by update:
  binddynport-honor-ip_local_reserved_ports.patch (bsc#1199467)
  0001-Fix-DoS-vulnerability-in-libtirpc.patch (bsc#1201680)
  0001-fix-parms.r_addr-memory-leak.patch (bsc#1198752)
  0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  (bsc#1196647), (bsc#1200800), (bsc#1198176)
  * replaces /etc/netconfig-try-2-first by the environment variable
  RPCB_V2FIRST
libxml2
- Security update:
  * [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode()
    in tree.c
  - Added file libxml2-CVE-2023-45322.patch
libzypp
- Preliminary disable 'rpm --runposttrans' usage for chrooted
  systems (bsc#1216091)
  This limits the %transfiletrigger(postun|in) support in the
  default installer if --root is used (as described in bsc#1041742).
  The chrooted execution of the scripts in 'rpm --runposttrans'
  broke in rpm-4.18. It's expected to be fixed in rpm-4.19.
  Then we'll enable the feature again.
- fix comment typo on zypp.conf (boo#1215979)
- version 17.31.22 (22)

- Attempt to delay %transfiletrigger(postun|in) execution if rpm
  supports it (bsc#1041742)
  Decide during installation whether rpm is capable of delayed
  %posttrans %transfiletrigger(postun|in) execution or whether we
  can just handle the packages %posttrans. On TW a delayed
  %transfiletrigger handling is possible since rpm-4.17.
- Make sure the old target is deleted before a new one is created
  (bsc#1203760)
- version 17.31.21 (22)
python-instance-billing-flavor-check
- Version 0.0.4
  Run the command as sudo only

- Version 0.0.3
  Handle exception for Python 3.4
python-urllib3
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
  gh#urllib3/urllib3@4e98d57809da
rsyslog
- fix rsyslog crash in imrelp (bsc#1210286)
  * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
vim
- Updated to version 9.0 with patch level 2103, fixes the following security problems
  * Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969.
  * Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing
  * Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed()
  * Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103
xen
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
  fully effective (XSA-446)
  xsa446.patch

- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
  IOMMU quarantine page table levels (XSA-445)
  xsa445.patch

- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
  reference dropped too early for 64-bit PV guests (XSA-438)
  650abbfe-x86-shadow-defer-PV-top-level-release.patch
- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
  execution leak via division by zero (XSA-439)
  64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
  65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
  65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
  65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
  65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
  65087004-x86-entry-restore_all_xen-stack_end.patch
  65087005-x86-entry-track-IST-ness-of-entry.patch
  65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
  65087007-x86-AMD-Zen-1-2-predicates.patch
  65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
  TLB flushing (XSA-442)
  65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
  vulnerabilities in libfsimage disk handling (XSA-443)
  65263471-libfsimage-xfs-remove-dead-code.patch
  65263472-libfsimage-xfs-amend-mask32lo.patch
  65263473-libfsimage-xfs-sanity-check-superblock.patch
  65263474-libfsimage-xfs-compile-time-check.patch
  65263475-pygrub-remove-unnecessary-hypercall.patch
  65263476-pygrub-small-refactors.patch
  65263477-pygrub-open-output-files-earlier.patch
  65263478-libfsimage-function-to-preload-plugins.patch
  65263479-pygrub-deprivilege.patch
  6526347a-libxl-allow-bootloader-restricted-mode.patch
  6526347b-libxl-limit-bootloader-when-restricted.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
  Debug Mask handling (XSA-444)
  6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
  6526347d-x86-PV-auditing-of-guest-breakpoints.patch
- Upstream bug fixes (bsc#1027519)
  64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
  64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
  64f71f50-Arm-handle-cache-flush-at-top.patch
  65084ba5-x86-AMD-dont-expose-TscFreqSel.patch
- Patches dropped / replaced by newer upstream versions
  xsa438.patch
  xsa439-00.patch
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch
  xsa442.patch
  xsa443-01.patch
  xsa443-02.patch
  xsa443-03.patch
  xsa443-04.patch
  xsa443-05.patch
  xsa443-06.patch
  xsa443-07.patch
  xsa443-08.patch
  xsa443-09.patch
  xsa443-10.patch
  xsa443-11.patch
  xsa444-1.patch
  xsa444-2.patch
zypper
- Return 104 also if info suggests near matches (fixes #504)
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- Fix typo (fixes #484)
- version 1.14.66

- Fix some typos and spelling errors found by Lintian (fixes #501)
- Prefer unaliased `grep` to avoid unexpected/wrong completions.
  (#503)
- commit: Insert a headline to separate output of different rpm
  scripts (bsc#1041742)
- Fix typo in changes file.
- version 1.14.65