apparmor
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
  file even if it has 000 permissions. This is needed after the CVE-2024-10041
  fix in PAM.
  * unix-chkpwd-add-read-capability.path, bsc#1241678

- Allow pam_unix to execute unix_chkpwd with abi/3.0
  - remove dovecot-unix_chkpwd.diff
  - Add allow-pam_unix-to-execute-unix_chkpwd.patch
  - Add revert-abi-change-for-unix_chkpwd.patch
  (bsc#1234452, bsc#1232234)
augeas
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
  * CVE-2025-2588.patch
cifs-utils
- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
  namespace in containerized environments while trying to get Kerberos
  credentials (bsc#1239680)
  * add New-mount-option-for-cifs.upcall-namespace-reso.patch
cloud-netconfig
- Update to version 1.15
  + Add support for creating IPv6 default route in GCE (bsc#1240869)
  + Minor fix when looking up IPv6 default route
cloud-regionsrv-client
- Update version to 10.4.0
  + Remove repositories when the package is being removed
    We do not want to leave repositories behind referring to the plugin that
    is being removed when the package gets removed (bsc#1240310, bsc#1240311)
  + Turn docker into an optional setup (jsc#PCT-560)
    Change the Requires into a Recommends and adapt the code accordingly
  + Support flexible licenses in GCE (jsc#PCT-531)
  + Drop the azure-addon package; it is getting replaced by the
    license-watcher package which has a generic implementation of the
    same functionality.
  + Handle cache inconsistencies (bsc#1218345)
  + Properly handle the zypper root target argument (bsc#1240997)
containerd
- Update to containerd v1.7.27. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.27>
  bsc#1239749 CVE-2024-40635
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.26. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.25. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.25>
  <https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
lvm2
- LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938)
  * set lvm.conf devices.multipath_wwids_file=""
glib2
- Add glib2-CVE-2025-3360.patch:
  Backport 8d60d7dc from upstream, Fix integer overflow when
  parsing very long ISO8601 inputs. This will only happen with
  invalid (or maliciously invalid) potential ISO8601 strings,
  but `g_date_time_new_from_iso8601()` needs to be robust against
  that.
  (CVE-2025-3360, bsc#1240897)
glibc
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
  debug env var for setuid for static (CVE-2025-4802, bsc#1243317)

- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
  [#25847])
google-guest-agent
- Update to version 20250506.01 (bsc#1243254, bsc#1243505)
  * Make sure agent added connections are activated by NM (#534)
- from version 20250506.00
  * wrap NSS cache refresh in a goroutine (#533)
- from version 20250502.01
  * Wicked: Only reload interfaces for which configurations are written or changed. (#524)
- from version 20250502.00
  * Add AuthorizedKeysCompat to windows packaging (#530)
  * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
  * Update guest-logging-go dependency (#526)
  * Add 'created-by' metadata, and pass it as option to logging library (#508)
  * Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
  * Re-enable disabled services if the core plugin was enabled (#522)
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert "Revert bundling new binaries in the package (#509)" (#511)
- from version 20250418.00
  * Re-enable disabled services if the core plugin was enabled (#521)
- from version 20250414.00
  * Add AuthorizedKeysCompat to windows packaging (#530)
  * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
  * Update guest-logging-go dependency (#526)
  * Add 'created-by' metadata, and pass it as option to logging library (#508)
  * Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
  * Re-enable disabled services if the core plugin was enabled (#522)
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert "Revert bundling new binaries in the package (#509)" (#511)
grub2
- Refresh PPC NVMEoF ofpath related patches to newer revision
  * 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch
- Patch refreshed
  * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
- Patch obsoleted
  * 0004-ofpath-controller-name-update.patch
- Fix segmentation fault error in grub2-probe with target=hints_string
  (bsc#1235971) (bsc#1235958) (bsc#1239651)
  * 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch
hwinfo
- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88
iproute2
- avoid spurious cgroup warning (bsc#1234383):
  - ss-Tone-down-cgroup-path-resolution.patch
iputils
- Security fix [bsc#1242300, CVE-2025-47268]
  * integer overflow in RTT calculation can lead to undefined behavior
  * Add iputils-CVE-2025-47268.patch
kbd
- Don't search for resources in the current directory. It can cause
  unwanted side effects or even an infinite loop (bsc#1237230,
  kbd-ignore-working-directory-1.patch,
  kbd-ignore-working-directory-2.patch,
  kbd-ignore-working-directory-3.patch).
kernel-default
- netfilter: conntrack: revisit the gc initial rescheduling bias
  (CVE-2022-49110 bsc#1237981).
- commit 7e1d902

- netfilter: conntrack: fix the gc rescheduling delay
  (CVE-2022-49110 bsc#1237981).
- commit 9cc8bdd

- netfilter: conntrack: revisit gc autotuning (CVE-2022-49110
  bsc#1237981).
- commit da48bfa

- Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
  (bsc#1238032 CVE-2022-49139).
- commit 2031355

- watch_queue: fix pipe accounting mismatch (CVE-2025-23138 bsc#1241648).
- commit 789ef85

- 9p/trans_fd: always use O_NONBLOCK read/write (CVE-2022-49767 bsc#1242493).
- commit 9dce75d

- Update
  patches.suse/dm-crypt-add-cond_resched-to-dmcrypt_write-fb29.patch
  (git-fixes CVE-2023-53051 bsc#1242284).
- commit 9098844

- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit
  (bsc#1242778).
- commit 636fe6a

- Update
  patches.suse/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch
  (git-fixes stable-5.14.19 CVE-2021-47671 bsc#1241421).
- commit 855e2af

- Update
  patches.suse/cifs-fix-potential-null-pointer-use-in-destroy_workqueue-in-init_ci.patch
  (git-fixes CVE-2024-42307 bsc#1229361).
- Update patches.suse/fou-fix-initialization-of-grc.patch
  (CVE-2024-46763 bsc#1230764 CVE-2024-46865 bsc#1231103).
- commit 5bc8269

- Revert "exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029"
  This reverts commit b68bd5953c15c3c2b21e60fbd6d8a52b0bbb030c.
  This turned out to be not an issue. See https://bugzilla.suse.com/show_bug.cgi?id=1241378#c4
- commit d9d19c1

- exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029
  bsc#1241378).
- commit b68bd59

- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
  (CVE-2025-22045 bsc#1241433).
- commit c4ca325

- memstick: rtsx_usb_ms: Fix slab-use-after-free in
  rtsx_usb_ms_drv_remove (bsc#1241280 CVE-2025-22020).
- commit 0f74fae

- drm/vkms: Fix use after free and double free on init error
  (CVE-2025-22097 bsc#1241541).
- commit 02fe040

- jfs: fix slab-out-of-bounds read in ea_get() (bsc#1241625
  CVE-2025-39735).
- commit dfc1530

- fou: fix initialization of grc (CVE-2024-46763 bsc#1230764).
- commit 3a5d26f

- fou: Fix null-ptr-deref in GRO (CVE-2024-46763 bsc#1230764).
- commit 176d11e

- net: fix geneve_opt length integer overflow (CVE-2025-22055
  bsc#1241371).
- commit 15ff527

- net: atm: fix use after free in lec_send() (CVE-2025-22004
  bsc#1240835).
- commit 889e26f

- kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812
  bsc#1238471).
- commit 1d6ea68

- ax25: rcu protect dev->ax25_ptr (CVE-2025-21812 bsc#1238471).
- Refresh patches.kabi/net-ax25_dev-kabi-workaround.patch.
- commit 88b5c8e

- Update patches.suse/Bluetooth-hci_conn-Fix-memory-leaks.patch
  (git-fixes CVE-2023-53018 bsc#1240211).
- Update patches.suse/acpi-Fix-suspend-with-Xen-PV.patch
  (git-fixes CVE-2023-52994 bsc#1240269).
- Update
  patches.suse/bpf-Skip-invalid-kfunc-call-in-backtrack_insn.patch
  (bsc#1225903 CVE-2023-52928 bsc#1240248).
- Update
  patches.suse/bpf-sockmap-Check-for-any-of-tcp_bpf_prots-when-clon.patch
  (git-fixes CVE-2023-52986 bsc#1240306).
- Update
  patches.suse/dmaengine-tegra-Fix-memory-leak-in-terminate_all.patch
  (git-fixes CVE-2023-53014 bsc#1240295).
- Update
  patches.suse/drm-amdkfd-Add-sync-after-creating-vram-bo.patch
  (bsc#1206843 CVE-2023-53009 bsc#1240314).
- Update
  patches.suse/drm-drm_vma_manager-Add-drm_vma_node_allow_once.patch
  (git-fixes CVE-2023-53001 bsc#1240315).
- Update
  patches.suse/drm-i915-Avoid-potential-vm-use-after-free.patch
  (git-fixes CVE-2023-52931 bsc#1240271).
- Update
  patches.suse/drm-i915-Fix-a-memory-leak-with-reused-mmap_offset.patch
  (git-fixes CVE-2023-53002 bsc#1240230).
- Update
  patches.suse/drm-i915-Fix-request-ref-counting-during-error-captu.patch
  (git-fixes CVE-2023-52981 bsc#1240274).
- Update patches.suse/fpga-m10bmc-sec-Fix-probe-rollback.patch
  (git-fixes CVE-2022-49745 bsc#1240246).
- Update
  patches.suse/fscache-Use-wait_on_bit-to-wait-for-the-freeing-of-re.patch
  (bsc#1210409 CVE-2023-52982 bsc#1240214).
- Update
  patches.suse/kernel-irq-irqdomain.c-fix-memory-leak-with-using-de.patch
  (git-fixes CVE-2023-52936 bsc#1240321).
- Update
  patches.suse/msft-hv-2746-HV-hv_balloon-fix-memory-leak-with-using-debugfs_loo.patch
  (git-fixes CVE-2023-52937 bsc#1240209).
- Update
  patches.suse/powerpc-imc-pmu-Fix-use-of-mutex-in-IRQs-disabled-se.patch
  (bsc#1054914 fate#322448 git-fixes CVE-2023-53031 bsc#1240285).
- Update
  patches.suse/usb-typec-ucsi-Don-t-attempt-to-resume-the-ports-bef.patch
  (git-fixes CVE-2023-52938 bsc#1240228).
- commit 402c01c

- Update
  patches.suse/fbdev-smscufx-fix-error-handling-code-in-ufx_usb_pro.patch
  (git-fixes CVE-2022-49741 bsc#1240747).
- commit 0c9a431

- arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785 bsc#1238747)
- commit 2c96a9a

- netfilter: nf_tables: must hold rcu read lock while iterating
  object type list (CVE-2022-48933 bsc#1229621).
- netfilter: nf_tables: skip transaction if update object is
  not implemented (CVE-2022-48933 bsc#1229621).
- netfilter: nf_tables: NULL pointer dereference in
  nf_tables_updobj() (CVE-2022-48933 bsc#1229621).
- commit 176015d

- netfilter: nf_tables: fix memory leak during stateful obj update
  (CVE-2022-48933 bsc#1229621).
- commit e34cbe9

- netfilter: xtables: fix typo causing some targets not to load
  on IPv6 (CVE-2024-50038 bsc#1231910).
- netfilter: xtables: avoid NFPROTO_UNSPEC where needed
  (CVE-2024-50038 bsc#1231910).
- commit 9a939db

- vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791
  bsc#1238512).
- commit 50bbf71

- CIFS: New mount option for cifs.upcall namespace resolution
  (CVE-2025-2312 bsc#1239684).
- commit 8fc41d8

- Delete
  patches.suse/btrfs-defrag-don-t-use-merged-extent-map-for-their-generat.patch.
- Delete
  patches.suse/btrfs-fix-defrag-not-merging-contiguous-extents-due-to-mer.patch.
- Delete
  patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch.
  Reverting ineffective changes for bsc#1239968 and closing it as WONTFIX.
- commit d7eeedb

- padata: avoid UAF for reorder_work (CVE-2025-21726 bsc#1238865).
- commit bfab8c2

- kABI: Fix kABI after backport of CVE-2025-21839 (bsc#1239061 CVE-2025-21839).
- commit 38fa6d3

- KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061 CVE-2025-21839).
- commit 325b428

- KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT (bsc#1239061 CVE-2025-21839).
- commit 8727046

- KVM: X86: Remove unneeded KVM_DEBUGREG_RELOAD (bsc#1239061 CVE-2025-21839).
- commit bbb1715
kexec-tools
- add support for lockless ringbuffer (bsc#1241249)
  - kexec-tools-Cleanup-remove-the-read_elf_kcore.patch
  - kexec-tools-Fix-an-error-definition-about-the-variable-fname.patch
  - kexec-tools-Cleanup-move-it-back-from-util_lib-elf_info.c.patch
  - kexec-tools-printk-add-support-for-lockless-ringbuffer.patch
libapparmor
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
  file even if it has 000 permissions. This is needed after the CVE-2024-10041
  fix in PAM.
  * unix-chkpwd-add-read-capability.path, bsc#1241678

- Allow pam_unix to execute unix_chkpwd with abi/3.0
  - remove dovecot-unix_chkpwd.diff
  - Add allow-pam_unix-to-execute-unix_chkpwd.patch
  - Add revert-abi-change-for-unix_chkpwd.patch
  (bsc#1234452, bsc#1232234)
freetype2
- enable brotli support (jsc#PED-12258)
ncurses
- Modify patch ncurses-5.9-ibm327x.dif
  * Backport sclp terminfo description entry if for s390 sclp terminal lines
  * Add a further sclp entry for qemu s390 based systems
  * Make use of dumb
librdkafka
- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
  avoid endless loops (bsc#1242842)
ruby2.5
- update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6
  - fix ReDoS in CGI::Util#escapeElement
    bsc#1237806 CVE-2025-27220
  - fix denial of service in CGI::Cookie.parse
    bsc#1237804 CVE-2025-27219

- update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41
  - move the request smuggling patch to the correct place
    actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773
libsolv
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32

- Provide a symbol specific for the ruby-version
  so yast does not break across updates (boo#1235598)
sqlite3
- Sync version 3.49.1 from Factory (jsc#SLE-16032):
  * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
    function, introduced in version 3.44.0, that could lead to a
    memory error if the separator string is very large (hundreds
    of megabytes).
  * CVE-2025-29088, bsc#1241078: Enhanced the
    SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
    against misuse.
  * Obsoletes sqlite3-rtree-i686.patch
libxml2
- security update
- added patches
  CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
  + libxml2-CVE-2025-32414.patch
  CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
  + libxml2-CVE-2025-32415.patch
libzypp
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
  libxml2 2.14 potentially reads the complete stream, so it may
  have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
  service may set.
  Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
  keeppackages, gpgkey, mirrorlist, and metalink with the same
  semantic as in a .repo file.
- version 17.36.7 (35)

- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires:  %{libsolv_devel_package} >= 0.7.32.
  Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
  unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
  default (false).
  The default was true in Code12 (libzypp-16.x) and changed to
  false with Code15 (libzypp-17.x). Unfortunately this was done by
  shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)

- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
  (bsc#1238315)
  Ftp actually differs between absolute and relative URL paths.
  Absolute path names begin with a double slash encoded as '/%2F'.
  This must be preserved when manipulating the path.
- version 17.36.5 (35)

- Add a transaction package preloader (fixes openSUSE/zypper#104)
  This patch adds a preloader that concurrently downloads files
  during a transaction commit. It's not yet enabled per default.
  To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
  in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
  (fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
openssh
- Added openssh-bsc1241045-kexalgo-gt-256bits.patch (bsc#1241045)
  from upstream, which allows KEX hashes greater than 256 bits.
  Thanks to Ali Abdallah <ali.abdallah@suse.com>.

- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
  This fixes an upstream logic error handling the DisableForwarding
  option.

- Update openssh-7.6p1-audit_race_condition.patch (bsc#1232533),
  fixing failures with very large MOTDs. Thanks to Ali Abdallah
  <ali.abdallah@suse.com>.

- Updated openssh-8.1p1-audit.patch (bsc#1228634) with modification
  from Jaroslav Jindrak (jjindrak@suse.com) to fix the hostname
  being left out of the audit output.
pam
- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
  PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
  entry.
  [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
  CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
  [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]
patterns-base
- add bpftool to patterns enhanced base. jsc#PED-8375
python3-setuptools
- Add patch CVE-2025-47273.patch to fix a path traversal
  vulnerability.
  (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-python3-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
timezone
- Update to 2025b:
  * New zone for Aysén Region in Chile (America/Coyhaique) which
    moves from -04/-03 to -03
- Refresh patches
  * revert-philippines-historical-data.patch
  * tzdata-china.diff
zypper
- Updated translations (bsc#1230267)
- version 1.14.89

- Do not double encode URL strings passed on the commandline
  (bsc#1237587)
  URLs passed on the commandline must have their special chars
  encoded already. We just want to check and encode forgotten
  unsafe chars like a blank. A '%' however must not be encoded
  again.
- version 1.14.88

- Package preloader that concurrently downloads files. It's not yet
  enabled per default. To enable the preview set ZYPP_CURL2=1 and
  ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires:  libzypp-devel >= 17.36.4.
- version 1.14.87

- refresh: add --include-all-archs (fixes #598)
  Future multi-arch repos may allow to download only those metadata
  which refer to packages actually compatible with the system's
  architecture. Some tools however want zypp to provide the full
  metadata of a repository without filtering incompatible
  architectures.
- info,search: add option to search and list Enhances
  (bsc#1237949)
- version 1.14.86