sles-15-sp4-sap-v20250221-x86-64 Package Source Changes

000release-packages:SLES_SAP-release

n/a

bind

- Limit additional section processing for large RDATA sets.
  When answering queries, don’t add data to the additional
  section if the answer has more than 13 names in the RDATA. This
  limits the number of lookups into the database(s) during a
  single client query, reducing the query-processing load.
  (CVE-2024-11187)
  [bsc#1236596, bind-9.16-CVE-2024-11187.patch]

cloud-regionsrv-client

- Update to 10.3.11 (bsc#1234050)
  + Send registration code for the extensions, not only base product

- Update to 10.3.8 (bsc#1233333)
  + Fix the package requirements for cloud-regionsrv-client
  + Follow changes to suseconnect error reporting from stdout to stderr

kernel-default

- media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED
  in uvc_parse_format (CVE-2024-53104 bsc#1234025).
- commit a0c98f3

- Fix sorting error
  ```
  Error: Current series.conf is not sorted. Please run series_sort.py first and commit the result before adding new patches.
  ```
- commit a81b3e9

- kABI fix for net: defer final 'struct net' free in netns dismantle (CVE-2024-56658 bsc#1235441).
  Upstream commit 0f6ede9fbc74 ("net: defer final 'struct
  net' free in netns dismantle") introduced a new struct element
  `defer_free_list` into `struct net`. In order to preserve the kABI, move
  the newly added element into a hole.
  ```
    struct netns_nexthop       nexthop;              /*   560    72 */
    /* XXX 8 bytes hole, try to pack */
    /* --- cacheline 10 boundary (640 bytes) --- */
    struct netns_ipv4          ipv4 __attribute__((__aligned__(64))); /*   640   704 */
  ```
- commit 3fc1183

- net: defer final 'struct net' free in netns dismantle (CVE-2024-56658 bsc#1235441).
- commit 8694248

- NFS: Trigger the "ls -l" readdir heuristic sooner (bsc#1231847).
- commit eadd17e

- NFS: Improve heuristic for readdirplus (bsc#1231847).
- commit ea10ca2

- NFS: Adjust the amount of readahead performed by NFS readdir
  (bsc#1231847).
- commit ec8e677

- NFS: Do not flush the readdir cache in nfs_dentry_iput()
  (bsc#1231847).
- commit ac72a63

- smb: prevent use-after-free due to open_cached_dir error paths
  (CVE-2024-53177 bsc#1234896).
- commit 43156cd

- net: inet6: do not leave a dangling sk pointer in inet6_create()
  (CVE-2024-56600 bsc#1235217).
- commit 4f3d37a

- blacklist.conf: Not affected byy CVE-2024-44932 and CVE-2024-44964
- Delete
  patches.suse/idpf-fix-UAFs-when-destroying-the-queues.patch.
- Delete
  patches.suse/idpf-fix-memory-leaks-and-crashes-while-performing-a.patch.
  This fixes bsc#1236628
- commit 6ceedf0

- netfilter: x_tables: fix LED ID check in led_tg_check()
  (CVE-2024-56650 bsc#1235430).
- commit a130a9c

- drm/amdkfd: Correct the migration DMA map direction (bsc#1235969 CVE-2024-57897)
- commit e14ed1e

- Refresh patches.suse/drm-dp_mst-Ensure-mst_primary-pointer-is-valid-in-dr.patch.
  Fix warning by removing unused label out_put_primary
- commit 354b3cb

- Update patches.suse/tipc-fix-NULL-deref-in-cleanup_bearer.patch
  (bsc#1235433 CVE-2024-56661 bsc#1234931).
- commit cb91989

- Update
  patches.suse/Bluetooth-hci_event-Align-BR-EDR-JUST_WORKS-paring-w.patch
  (git-fixes bsc#1230697 CVE-2024-8805 CVE-2024-53144
  bsc#1234690).
- commit ea9bf7d

- net: inet: do not leave a dangling sk pointer in inet_create()
  (CVE-2024-56601 bsc#1235230).
- commit b4769c0

- btrfs: fix use-after-free when COWing tree bock and tracing
  is enabled (bsc#1235645 CVE-2024-56759).
- commit e811c1c

- scsi: qla2xxx: Fix use after free on unload (CVE-2024-56623
  bsc#1235466).
- block, bfq: fix bfqq uaf in bfq_limit_depth() (CVE-2024-53166
  bsc#1234884).
- commit 894e940

- Refresh
  patches.suse/x86-xen-don-t-do-PV-iret-hypercall-through-hypercall.patch.
- commit df281af

- x86/static-call: Remove early_boot_irqs_disabled check to fix
  Xen PVH dom0 (git-fixes).
- commit 2c0880a

- ALSA: seq: oss: Fix races at processing SysEx messages
  (CVE-2024-57893 bsc#1235920).
- commit f05049d

- drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (CVE-2024-57798 bsc#1235818).
- commit bfdad42

- drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (CVE-2024-57798 bsc#1235818).
- commit 15490f2

- net/smc: check return value of sock_recvmsg when draining clc
  data (CVE-2024-57791 bsc#1235759).
- commit b879d55

- power: supply: gpio-charger: Fix set charge current limits
  (git-fixes CVE-2024-57792 bsc#1235764).
- commit 80ed527

- bpf, sockmap: Fix race between element replace and close()
  (CVE-2024-56664 bsc#1235249).
- commit 03e2626

- s390/cpum_sf: Handle CPU hotplug remove during sampling
  (CVE-2024-57849 bsc#1235814).
- commit e03f9af

- Update
  patches.suse/smb-client-fix-TCP-timers-deadlock-after-rmmod.patch
  (CVE-2024-53095 bsc#1233642 CVE-2024-54680 bsc#1235723).
- commit 6deb1aa

- mm/swapfile: skip HugeTLB pages for unuse_vma (CVE-2024-50199
  bsc#1233112).
- commit 63ec06b

- tipc: fix NULL deref in cleanup_bearer() (bsc#1235433).
- commit a0043a3

- scsi: sg: Fix slab-use-after-free read in sg_release()
  (CVE-2024-56631 bsc#1235480).
- commit 9399f03

- 9p/xen: fix release of IRQ (CVE-2024-56704 bsc#1235584).
- commit 614e74c

- net: ieee802154: do not leave a dangling sk pointer in
  ieee802154_create() (CVE-2024-56602 bsc#1235521).
- commit 4049cc5

- net: hsr: avoid potential out-of-bound access in
  fill_frame_info() (CVE-2024-56648 bsc#1235451).
- commit 0a88cb0

- ovl: Filter invalid inodes with missing lookup function
  (bsc#1235035 CVE-2024-56570).
- commit 54169ab

- NFSv4.0: Fix a use-after-free problem in the asynchronous open()
  (CVE-2024-53173 bsc#1234891).
- commit f801b5b

- tipc: Fix use-after-free of kernel socket in cleanup_bearer()
  (CVE-2024-56642 bsc#1235433).
- commit ec9cc8d

- can: j1939: j1939_session_new(): fix skb reference counting
  (CVE-2024-56645 bsc#1235134).
- commit 5011af1

- Bluetooth: L2CAP: do not leave dangling sk pointer on error
  in l2cap_sock_create() (CVE-2024-56605 bsc#1235061).
- commit c461209

- idpf: trigger SW interrupt when exiting wb_on_itr mode
  (bsc#1235507).
- idpf: add support for SW triggered interrupts (bsc#1235507).
- net: mana: Increase the DEF_RX_BUFFERS_PER_QUEUE to 1024
  (bsc#1235246).
- idpf: enable WB_ON_ITR (bsc#1235507).
- commit 3cbddc0

- smb: client: fix use-after-free of signing key (CVE-2024-53179
  bsc#1234921).
- commit 86400c7

- smb: client: fix TCP timers deadlock after rmmod (git-fixes)
  [hcarvalho: this fixes issue discussed in bsc#1233642].
- commit 3e3e1af

- smb: client: Fix use-after-free of network namespace
  (CVE-2024-53095 bsc#1233642).
  [hcarvalho: remove netfs_tracker_* related code because we don't have
  such infrastructure.]
- commit 97b2d9e

- wifi: mwifiex: Fix memcpy() field-spanning write warning in
  mwifiex_config_scan() (CVE-2024-56539 bsc#1234963).
- commit e27d4b2

- vfio/pci: Properly hide first-in-list PCIe extended capability
  (bsc#1235004 CVE-2024-53214).
- commit f520125

- Bluetooth: RFCOMM: avoid leaving dangling sk pointer in
  rfcomm_sock_alloc() (bsc#1235056 CVE-2024-56604).
- commit cf32d9d

- Bluetooth: Consolidate code around sk_alloc into a helper
  function (bsc#1235056 CVE-2024-56604).
  Refresh
  patches.suse/Bluetooth-SCO-Fix-UAF-on-sco_sock_timeout.patch.
- commit 4de890e

- nilfs2: fix potential out-of-bounds memory access in
  nilfs_find_entry() (bsc#1235224 CVE-2024-56619).
- commit b3f788e

- jfs: array-index-out-of-bounds fix in dtReadFirst (bsc#1235220
  CVE-2024-56598).
- commit 4762f9a

- hfsplus: don't query the device logical block size multiple
  times (bsc#1235073 CVE-2024-56548).
- commit 67473c2

- wifi: ath9k: add range check for conn_rsp_epid in
  htc_connect_service() (CVE-2024-53156 bsc#1234846).
- commit 747e664

- ALSA: 6fire: Release resources at card release (CVE-2024-53239
  bsc#1235054).
- commit 6995b0a

- NFSD: Prevent a potential integer overflow (CVE-2024-53146
  bsc#1234853).
- commit 79b751c

- Update
  patches.suse/tcp-Fix-use-after-free-of-nreq-in-reqsk_timer_handler.patch
  (CVE-2024-50154 bsc#1233070 CVE-2024-53206 bsc#1234960).
- commit cdf9cb8

- Update
  patches.suse/media-s5p_cec-limit-msg.len-to-CEC_MAX_MSG_SIZE.patch
  (git-fixes CVE-2022-49035 bsc#1215304).
- commit d91bb81

- x86/xen: use new hypercall functions instead of hypercall page
  (XSA-466 CVE-2024-53241 bsc#1234282).
- commit 439afbb

- x86/xen: add central hypercall functions (XSA-466 CVE-2024-53241
  bsc#1234282).
- commit 1784c5e

- x86/xen: don't do PV iret hypercall through hypercall page
  (XSA-466 CVE-2024-53241 bsc#1234282).
- commit 9f17f93

- x86/static-call: provide a way to do very early static-call
  updates (XSA-466 CVE-2024-53241 bsc#1234282).
- Refresh patches.kabi/tracepoint-fix.patch.
- commit 2e422a6

- objtool/x86: allow syscall instruction (XSA-466 CVE-2024-53241
  bsc#1234282).
- commit 1f61d5b

- x86: make get_cpu_vendor() accessible from Xen code (XSA-466
  CVE-2024-53241 bsc#1234282).
- commit 4d90703

- xen/netfront: fix crash when removing device (XSA-465
  CVE-2024-53240 bsc#1234281).
- commit f11b367

- Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
  (git-fixes, bsc#1230697, CVE-2024-8805).
- commit cddc976

- Update
  patches.suse/initramfs-avoid-filename-buffer-overrun.patch
  (CVE-2024-53142 bsc#1232436).
- commit 14f79ec

- scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error (git-fixes).
- commit fe5d084

containerd

- Update to containerd v1.7.23. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.23>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.22. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.22>
- Bump minimum Go version to 1.22.
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

curl

- Security fix: [bsc#1236590, CVE-2025-0725]
  * content_encoding: drop support for zlib before 1.2.0.4
  * content_encoding: put the decomp buffers into the writer structs
  * Add curl-CVE-2025-0725.patch

- Security fix: [bsc#1236588, CVE-2025-0167]
  * netrc: 'default' with no credentials is not a match
  * Add curl-CVE-2025-0167.patch

dhcp

- bsc#1192020: Add 'Requires(pre): group(nogroup)' to fix user
  creation in pre scriptlet for dhcp-server.

findutils

- do not crash when file system loop was encountered [bsc#1231472]
- added patches
  fix https://git.savannah.gnu.org/cgit/findutils.git/commit/?id=e5d6eb919b9
  + findutils-avoid-crash-system-loop.patch
- modified patches
  % findutils-xautofs.patch (p1)

glibc

- assert-message-allocation.patch: Fix underallocation of abort_msg_s
  struct (CVE-2025-0395, bsc#1236282, BZ #32582))

google-dracut-config

- Update to 0.0.4
  + Move dracut config files to usr/lib/ dir

- Update to 0.0.3
  + Add provides and conflicts on generic name dracut-instance-change-config
- Update to 0.0.2
  + Rename config for nvme for consistency
  + Add dracut build requirement
  + Add virtio_net, virtio_rng and idpf drivers

google-guest-configs

- Add ggc-no-dup-metasrv-entry.patch
  + Follow up to (bsc#1234289, bsc#1234293). Avoid duplicate entries for
    the metadata server in /etc/hosts

- Update to version 20241205.00 (bsc#1234254, bsc#1234255)
  * Update google_set_multiqueue to configure
    vCPU ranges based on VM platform (#90)
- from version 20241204.00
  * Restore google_set_multiqueue changes for A3Ultra (#93)
  * Depend on networkd-dispatcher in Ubuntu (#94)
- Include components to set hostname and /etc/hosts entries (bsc#1234289, bsc#1234293)
  * Add sysconfig and sysconfig-network to BuildRequires
  * Install google_set_hostname into %{_bindir}
  * Install google_up.sh into %{_sysconfdir}/sysconfig/network/scripts/
  * Add code to add and remove POST_UP_SCRIPT="compat:suse:google_up.sh"
    to /etc/sysconfig/network/ifcfg-eth0 in %post and %postun sections

google-osconfig-agent

- Update to version 20250115.01 (bsc#1236406, bsc#1236407)
  * Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772)
- from version 20250115.00
  * Bump cloud.google.com/go/auth from 0.10.2 to 0.14.0 (#767)
  * Bump go.opentelemetry.io/otel from 1.32.0 to 1.33.0 (#771)
  * Bump google.golang.org/protobuf from 1.35.1 to 1.36.2 (#763)
- from version 20250114.00
  * Bump golang.org/x/time from 0.8.0 to 0.9.0 (#770)
- from version 20250113.01
  * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.5 to 0.2.7 (#766)
- from version 20250113.00
  * Bump golang.org/x/net from 0.31.0 to 0.34.0 (#769)
- from version 20250110.00
  * Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in the go_modules group (#760)
  * Bump cloud.google.com/go/longrunning from 0.6.2 to 0.6.3 (#744)
- from version 20241218.00
  * Scanners fixes (#720)
  * Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 (#736)
  * Bump go.opentelemetry.io/contrib/detectors/gcp from 1.29.0 to 1.32.0 (#730)
  * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#738)
  * Bump golang.org/x/net from 0.30.0 to 0.31.0 (#731)
- from version 20241118.01
  * Bump github.com/googleapis/gax-go/v2 from 2.13.0 to 2.14.0 (#737)
- from version 20241118.00
  * move example to appropriate directory (#740)
- from version 20241115.00
  * Replace sles-15-sp3-sap old deprecated image in e2e tests (#739)
  * Bump golang.org/x/time from 0.7.0 to 0.8.0 (#734)
- from version 20241114.03
  * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp (#735)
- from version 20241114.02
  * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#729)
- from version 20241114.01
  * Remove SLES-15-SP2-SAP from e2e tests and add the new SLES-15-SP6 (#733)
  * Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#728)
  * Bump go.opentelemetry.io/otel/sdk/metric from 1.30.0 to 1.32.0 (#727)
- from version 20241114.00
  * Add example to run exec script from the gcs bucket (#732)
  * Bump cel.dev/expr from 0.16.1 to 0.18.0 (#723)
- from version 20241112.00
  * Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#722)
  * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric (#721)
  * Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#725)
  * Bump github.com/golang/glog from 1.2.2 to 1.2.3 (#715)
  * Bump google.golang.org/api from 0.203.0 to 0.205.0 (#716)
- from version 20241107.01
  * Bump github.com/envoyproxy/go-control-plane from 0.13.0 to 0.13.1 (#717)
  * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping (#718)
  * Bump cloud.google.com/go/auth from 0.10.0 to 0.10.1 (#719)
- from version 20241107.00
  * Bump cloud.google.com/go/logging from 1.11.0 to 1.12.0 (#709)
  * Bump cloud.google.com/go/iam from 1.2.1 to 1.2.2 (#710)
  * Bump cloud.google.com/go/storage from 1.43.0 to 1.46.0 (#713)
  * Bump cloud.google.com/go/osconfig from 1.14.1 to 1.14.2 (#708)
  * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.4 to 0.2.5 (#712)
- from version 20241106.00
  * Update OWNERS (#714)
- from version 20241029.01
  * remove toolchain override (#706)
  * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#701)
- from version 20241029.00
  * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#702)
- from version 20241028.00
  * Bump cloud.google.com/go/longrunning from 0.6.0 to 0.6.2 (#705)
- from version 20241017.00
  * Add a new CloudBuild trigger config-file for auto updating the
    presubmit test container image on every new commit (#704)
- from version 20241004.00
  * Add new packagebuild presubmit that will use cloud-build (#694)
- from version 20240927.00
  * Third batch of dependencies upgrade (#690)
- Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790)

grub2

- Security fixes for 2024
  * 0001-misc-Implement-grub_strlcpy.patch
- Fix CVE-2024-45781 (bsc#1233617)
  * 0002-fs-ufs-Fix-a-heap-OOB-write.patch
- Fix CVE-2024-56737 (bsc#1234958)
- Fix CVE-2024-45782 (bsc#1233615)
  * 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
- Fix CVE-2024-45780 (bsc#1233614)
  * 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2024-45783 (bsc#1233616)
  * 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
  * 0006-kern-file-Ensure-file-data-is-set.patch
  * 0007-kern-file-Implement-filesystem-reference-counting.patch
- Fix CVE-2025-0624 (bsc#1236316)
  * 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
- Fix CVE-2024-45774 (bsc#1233609)
  * 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
- Fix CVE-2024-45775 (bsc#1233610)
  * 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0012-normal-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0013-gettext-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2024-45776 (bsc#1233612)
  * 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
- Fix CVE-2024-45777 (bsc#1233613)
  * 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2025-0690 (bsc#1237012)
  * 0016-commands-read-Fix-an-integer-overflow-when-supplying.patch
- Fix CVE-2025-1118 (bsc#1237013)
  * 0017-commands-minicmd-Block-the-dump-command-in-lockdown-.patch
- Fix CVE-2024-45778 (bsc#1233606)
- Fix CVE-2024-45779 (bsc#1233608)
  * 0018-fs-bfs-Disable-under-lockdown.patch
- Fix CVE-2025-0677 (bsc#1237002)
- Fix CVE-2025-0684 (bsc#1237008)
- Fix CVE-2025-0685 (bsc#1237009)
- Fix CVE-2025-0686 (bsc#1237010)
- Fix CVE-2025-0689 (bsc#1237011)
  * 0019-fs-Disable-many-filesystems-under-lockdown.patch
- Fix CVE-2025-1125 (bsc#1237014)
- Fix CVE-2025-0678 (bsc#1237006)
  * 0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
- Bump upstream SBAT generation to 5

open-iscsi

- iscsid-clear-scanning-thread-pr_set_io_flusher-flag.patch: fix
  device discovery failure on systems with a large number of
  devices (bsc#1235606).

- Fix issue with yast restarting the iscsid service without
  first restarting the iscsid socket, which upsets systemd
  (bsc#1206132). This is already fixed upstream.

- Branched SLE-15-SP3 from Factory. No longer in sync with
  Tumbleweed.
- Backported upstream commit, which sets 'safe_logout' and
  'startup' in iscsid.conf, to address bsc#1207157
- Updated year in SPEC file

krb5

- Prevent overflow when calculating ulog block size. An authenticated
  attacker can cause kadmind to write beyond the end of the mapped
  region for the iprop log file, likely causing a process crash;
  (CVE-2025-24528); (bsc#1236619).
- Add patch 0014-Prevent-overflow-when-calculating-ulog-block-size.patch

cryptsetup

- luksFormat succeeds despite creating corrupt device [bsc#1234273]
  * Add a better warning if luksFormat ends with image without any space for data.
  * Print warning early if LUKS container is too small for activation.
  * Add patches:
  - cryptsetup-Add-a-better-warning-if-luksFormat-no-space-for-data.patch
  - cryptsetup-Print-warning-early-if-LUKS-container-is-too-small-for-activation.patch

openssl-1_1

- Security fix: [bsc#1236136, CVE-2024-13176]
  * timing side-channel in the ECDSA signature computation
  * Add openssl-CVE-2024-13176.patch

python3

- Add CVE-2025-0938-sq-brackets-domain-names.patch which
  disallows square brackets ([ and ]) in domain names for parsed
  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)

libtasn1

- Security fix: [bsc#1236878, CVE-2024-12133]
  * Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
  * Add libtasn1-CVE-2024-12133.patch

libxml2

- security update
- added patches
  fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
  + libxml2-CVE-2022-49043.patch

libzypp

- Create '.keep_packages' in the package cache dir to enforce
  keeping downloaded packages of all repos cahed there (bsc#1232458)
- version 17.35.19 (35)

- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)

- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
  Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
  (bsc#1216091)
- version 17.35.17 (35)

lifecycle-data-sle-module-live-patching

- Added data for 5_14_21-150400_24_133, 5_14_21-150400_24_136,
  5_14_21-150400_24_141, 5_14_21-150400_24_144,
  5_14_21-150500_55_80, 5_14_21-150500_55_83,
  5_14_21-150500_55_88, 5_3_18-150200_24_203,
  5_3_18-150200_24_206, 5_3_18-150200_24_209,
  5_3_18-150200_24_212, 5_3_18-150300_59_174,
  5_3_18-150300_59_179, 5_3_18-150300_59_182,
  5_3_18-150300_59_185, 6_4_0-150600_23_22,
  6_4_0-150600_23_25, 6_4_0-150600_23_30,
  +kernel-livepatch-5_14_21-150500_13_61-rt,*,+kernel-livepatch-5_14_21-150500_13_67-rt,*,+kernel-livepatch-5_14_21-150500_13_70-rt,*,+kernel-livepatch-5_14_21-150500_13_73-rt,*,+kernel-livepatch-5_14_21-150500_13_76-rt,*,+kernel-livepatch-6_4_0-150600_10_11-rt,*,+kernel-livepatch-6_4_0-150600_10_14-rt,*,+kernel-livepatch-6_4_0-150600_10_17-rt,*,+kernel-livepatch-6_4_0-150600_10_8-rt,*. (bsc#1020320)

openssh

- Backported patch to fix a MitM attack against OpenSSH's
  VerifyHostKeyDNS-enabled client (bsc#1237040, CVE-2025-26465):
  * fix-CVE-2025-26465.patch

python-instance-billing-flavor-check

- Version 0.1.2 (bsc#1234444)
  + Improve detection of IPv4 and IPv6 network setup and use appropriate
    IP version for access the update servers
  + Improve reliability of flavor detection. Try an update server multiple
    times to get an answer, if we hit timeouts return the value flavor
    value from a cahce file.

- Version 0.1.1 (bsc#1235991, bsc#1235992)
  + Add time stamp to log
- From version 0.1.0
  + Doc improvements clarifying exit staus codes

rsync

- Bump protocol version to 32 - make it easier to show server is patched.
  * Add rsync-protocol-version-32.patch

- Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
  * Added rsync-fix-FLAG_GOT_DIR_FLIST.patch

- Security update,CVE-2024-12747, bsc#1235475 race condition in handling symbolic links
  * Added rsync-CVE-2024-12747.patch

- Security update, fix multiple vulnerabilities:
  * CVE-2024-12085, bsc#1234101 - Info Leak via uninitialized Stack contents defeats ASLR
  * CVE-2024-12086, bsc#1234102 - Server leaks arbitrary client files
  * CVE-2024-12087, bsc#1234103 - Server can make client write files outside of destination directory using symbolic links
  * CVE-2024-12088, bsc#1234104 - --safe-links Bypass
  * Added rsync-CVE-2024-12085.patch
  * Added rsync-CVE-2024-12086_01.patch
  * Added rsync-CVE-2024-12086_02.patch
  * Added rsync-CVE-2024-12086_03.patch
  * Added rsync-CVE-2024-12086_04.patch
  * Added rsync-CVE-2024-12087_01.patch
  * Added rsync-CVE-2024-12087_02.patch
  * Added rsync-CVE-2024-12088.patch
  * Added rsync-fix-compile-missing-my_alloc_ref.patch

000release-packages:sle-ha-release

n/a

000release-packages:sle-module-basesystem-release

n/a

000release-packages:sle-module-containers-release

n/a

000release-packages:sle-module-desktop-applications-release

n/a

000release-packages:sle-module-development-tools-release

n/a

000release-packages:sle-module-live-patching-release

n/a

000release-packages:sle-module-public-cloud-release

n/a

000release-packages:sle-module-python3-release

n/a

000release-packages:sle-module-sap-applications-release

n/a

000release-packages:sle-module-server-applications-release

n/a

000release-packages:sle-module-web-scripting-release

n/a

supportutils-plugin-ha-sap

- Update to version 0.0.7+git.1737125956.a7079fc:
  * Call saphana-check.sh if the script is available in
    /usr/lib/saphana-checks (SUSE package) or in
    /opt/sap/saphana-checks (SAP package)
    (jsc#PED-11748, jsc#PED-11747)
  * to support 'trento checks' on supportutils content
    collect additional information:
    /usr/sap/hostctrl/exe/saphostctrl -function Ping
    corosync-cmapctl -b
    su - <SIDADM> -c disp+work
    su - <SIDADM> -c 'sapcontrol -nr <NR> -function GetVersionInfo'
    ls -lA --time-style=long-iso /etc/polkit-1/rules.d/[0-9][0-9]-SAP[A-Z][A-Z0-9][A-Z0-9]-[0-9][0-9].rules
    content of files in /etc/products.d/
    (jsc#PED-12000, jsc#PED-12001)
  * collect Netweaver version by
    'sapcontrol -nr <NR> -function GetVersionInfo'
  * collect 'operation_mode' setting by
    'python getParameter.py --key=global.ini/system_replication/operation_mode --sapcontrol=1'
  * some shellcheck cleanup
  * adaption to the new used supportconfig.rc
- change requirements
  remove the long deprecated supportconfig-plugin-resource and
  supportconfig-plugin-tag and add instead 'Requires: supportutils'
  (bsc#1235145)

wget

- If wget for an http URL is redirected to a different site (hostname
  parts of URLs differ), then any "Authenticate" and "Cookie" header
  entries are discarded.
  [bsc#1185551, wget-do-not-propagate-credentials.patch,
  bsc#1230795, CVE-2021-31879]

yast2-sap-ha

- yast sap_ha should check if HDB is running on primary
  (bsc#1235773) Build in a check if the DB is running on both nodes.
- 4.4.11

- #458 [doc] Issue in "Constraints for SAPHanaSR-angi"
  https://github.com/SUSE/suse-best-practices/issues/458
- 4.4.10

zypper

- lr: show the repositories keep-packages flag (bsc#1232458)
  It is shown in the  details view or by using -k,--keep-packages.
  In addition libyzpp supports to enforce keeping downloaded
  packages of all repos within a package cache by creating a
  '.keep_packages' file there.
- version 1.14.81

- Try to refresh update repos first to have updated GPG keys on
  the fly (bsc#1234752)
  An update repo may contain a prolonged GPG key for the GA repo.
  Refreshing the update repo first updates a trusted key on the fly
  and avoids a 'key has expired' warning being issued when
  refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
  reporting as non-root (bsc#1235636)
- version 1.14.80

- info: Allow to query a specific version (jsc#PED-11268)
  To query for a specific version simply append "-<version>" or
  "-<version>-<release>" to the "<name>" pattern. Note that the
  edition part must always match exactly.
- version 1.14.79