sles-15-sp6-chost-byos-v20250514-arm64 Package Source Changes

apparmor

- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
  file even if it has 000 permissions. This is needed after the CVE-2024-10041
  fix in PAM.
  * unix-chkpwd-add-read-capability.path, bsc#1241678

- Allow pam_unix to execute unix_chkpwd with abi/3.0
  - remove dovecot-unix_chkpwd.diff
  - Add allow-pam_unix-to-execute-unix_chkpwd.patch
  - Add revert-abi-change-for-unix_chkpwd.patch
  (bsc#1234452, bsc#1232234)

cifs-utils

- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
  namespace in containerized environments while trying to get Kerberos
  credentials (bsc#1239680)
  * add New-mount-option-for-cifs.upcall-namespace-reso.patch

containerd

- Update to containerd v1.7.27. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.27>
  bsc#1239749 CVE-2024-40635
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.26. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.25. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.25>
  <https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

glib2

- Add glib2-CVE-2025-3360.patch:
  Backport 8d60d7dc from upstream, Fix integer overflow when
  parsing very long ISO8601 inputs. This will only happen with
  invalid (or maliciously invalid) potential ISO8601 strings,
  but `g_date_time_new_from_iso8601()` needs to be robust against
  that.
  (CVE-2025-3360, bsc#1240897)

glibc

- Add support for userspace livepatching for ppc64le (jsc#PED-11850)

iproute2

- avoid spurious cgroup warning (bsc#1234383):
  - ss-Tone-down-cgroup-path-resolution.patch

augeas

- Add patch, fix for bsc#1239909 / CVE-2025-2588:
  * CVE-2025-2588.patch

lvm2

- LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938)
  * set lvm.conf devices.multipath_wwids_file=""

freetype2

- enable brotli support (jsc#PED-12258)

libgcrypt

- FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605]
  * Add libgcrypt-FIPS-sha3-asn.patch

openssl-3

- Security fix: [bsc#1240366]
  * Minerva side channel vulnerability in P-384 on PPC arch
  * Add openssl-3-p384-minerva-ppc.patch
  * Add openssl-3-p384-minerva-ppc-p9.patch

- Security fix: [bsc#1240607]
  * Check ssl/ssl3_read_internal null pointer [from commit 38b051a]
  * Add openssl-check-ssl_read_internal-nullptr.patch

- FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS
  * [bsc#1230959, bsc#1232326, bsc#1231748]
  * Add patch openssl-FIPS-fix-EMS-support.patch

libsolv

- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32

- Provide a symbol specific for the ruby-version
  so yast does not break across updates (boo#1235598)

sqlite3

- Sync version 3.49.1 from Factory (jsc#SLE-16032):
  * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
    function, introduced in version 3.44.0, that could lead to a
    memory error if the separator string is very large (hundreds
    of megabytes).
  * CVE-2025-29088, bsc#1241078: Enhanced the
    SQLITE_DBCONFIG_LOOKASIDE interface to make it  more robust
    against misuse.
  * Obsoletes sqlite3-rtree-i686.patch

libxml2

- security update
- added patches
  CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
  + libxml2-CVE-2025-32414.patch
  CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
  + libxml2-CVE-2025-32415.patch

libzypp

- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
  libxml2 2.14 potentially reads the complete stream, so it may
  have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
  service may set.
  Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
  keeppackages, gpgkey, mirrorlist, and metalink with the same
  semantic as in a .repo file.
- version 17.36.7 (35)

- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires:  %{libsolv_devel_package} >= 0.7.32.
  Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
  unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
  default (false).
  The default was true in Code12 (libzypp-16.x) and changed to
  false with Code15 (libzypp-17.x). Unfortunately this was done by
  shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)

- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
  (bsc#1238315)
  Ftp actually differs between absolute and relative URL paths.
  Absolute path names begin with a double slash encoded as '/%2F'.
  This must be preserved when manipulating the path.
- version 17.36.5 (35)

- Add a transaction package preloader (fixes openSUSE/zypper#104)
  This patch adds a preloader that concurrently downloads files
  during a transaction commit. It's not yet enabled per default.
  To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
  in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
  (fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)

nvme-cli

- Update to version 2.8+88.g21612f53:
  * sed: perform a tper revert after lsp revert (bsc#1240656)

pam

- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
  PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
  entry.
  [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
  CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
  [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]

samba

- Fix Samba printers reporting invalid sid during print jobs;
  (bsc#1234210); (bso#15792).

timezone

- Update to 2025b:
  * New zone for Aysén Region in Chile (America/Coyhaique) which
    moves from -04/-03 to -03
- Refresh patches
  * revert-philippines-historical-data.patch
  * tzdata-china.diff

zypper

- Updated translations (bsc#1230267)
- version 1.14.89

- Do not double encode URL strings passed on the commandline
  (bsc#1237587)
  URLs passed on the commandline must have their special chars
  encoded already. We just want to check and encode forgotten
  unsafe chars like a blank. A '%' however must not be encoded
  again.
- version 1.14.88

- Package preloader that concurrently downloads files. It's not yet
  enabled per default. To enable the preview set ZYPP_CURL2=1 and
  ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires:  libzypp-devel >= 17.36.4.
- version 1.14.87

- refresh: add --include-all-archs (fixes #598)
  Future multi-arch repos may allow to download only those metadata
  which refer to packages actually compatible with the systems
  architecture. Some tools however want zypp to provide the full
  metadata of a repository without filtering incompatible
  architectures.
- info,search: add option to search and list Enhances
  (bsc#1237949)
- version 1.14.86