boost
- CVE-2016-9840: fixed out-of-bounds pointer arithmetic in zlib in beast
  (bsc#1245936)
  - adds patch boost-zlib.patch
crypto-policies
- Update the BSI policy [jsc#PED-12880]
  * BSI: switch to 3072 minimum RSA key size [322f0ba4]
  * BSI: Update BSI policy for new 2024 minimum [64b9dddd]
  * Add patches:
  - crypto-policies-BSI-Update-BSI-policy-for-new-2024-minimum-recommend.patch
  - crypto-policies-BSI-switch-to-3072-minimum-RSA-key-size.patch
docker
- Update to Docker 28.3.3-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2833>
  CVE-2025-54388 bsc#1247367

- Update to docker-buildx v0.26.1. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.26.1>

- Update to docker-buildx v0.26.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.26.0>

- Update to Go 1.24 for builds, to match upstream.

- Update to Docker 28.3.2-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2832>

- Update to Docker 28.3.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2831>

- Update to Docker 28.3.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2830>
  bsc#1246556
- Rebase patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
dracut
- Update to version 059+suse.564.g984c275a:
  * fix(rngd): adjust license to match the license of the whole project
  * fix(dracut): kernel module name normalization in drivers lists (bsc#1241680)
glibc
- regcomp-double-free.patch: posix: Fix double-free after allocation
  failure in regcomp (CVE-2025-8058, bsc#1246965, BZ #33185)

- nscd-gethst-race.patch: Reduce chance of crash when using nscd GETFDHST
  (bsc#1240058)
google-dracut-config
- Add sed and find to requirements bsc#1245352
google-guest-oslogin
- Cherry-pick dont-retry-bad-requests.patch to stop retrying bad
  requests causing timeouts during container startup (bsc#1243992)
grub2
- Skip mount point in grub_find_device function (bsc#1246231)
  * 0001-getroot-Skip-mount-points-in-grub_find_device.patch

- Fix CVE-2024-56738: side-channel attack due to not constant-time
  algorithm in grub_crypto_memcmp (bsc#1234959)
  * grub2-constant-time-grub_crypto_memcmp.patch

- Fix test -f and -s do not work properly over the network files served via
  tftp and http (bsc#1246157) (bsc#1246237)
  * 0001-test-Fix-f-test-on-files-over-network.patch
  * 0002-http-Return-HTTP-status-code-in-http_establish.patch
  * 0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch
  * 0004-tftp-Fix-hang-when-file-is-a-directory.patch
hwinfo
- merge gh#openSUSE/hwinfo#168
- fix usb network card detection (bsc#1245950)
- 21.89
jq
- Add patches CVE-2025-48060-1.patch and CVE-2025-48060-2.patch
  (CVE-2025-48060, bsc#1244116)
gcc14
- Exclude shared objects present for link editing in the GCC specific
  subdirectory from provides processing via __provides_exclude_from.
  [bsc#1244050][bsc#1243991]

- Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap
  variant conflict with the unversioned cross-*-gcc package.

- Disable build of glibc cross to loongarch64 and hppa in SLFO
  and SLE15.

- Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799
- Remove gcc14-pr120061.patch which is now included upstream.

- Add gcc14-pr120061.patch to fix the PR108900 fix instead of
  reverting it.
- Remove gcc14-pr108900.patch

- Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build.

- Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702
  * Remove gcc14-pr118780.patch now on the upstream branch
- Fix build on s390x [bsc#1241549]

- Make sure link editing is done against our own shared library
  copy rather than the installed system runtime.  [bsc#1240788]
- Add gcc14-pr119680.patch to fix cross-compiler builds with
  - -enable-host-pie.
libgcrypt
- Security fix [bsc#1221107, CVE-2024-2236]
  * Add --enable-marvin-workaround to spec to enable workaround
  * Fix  timing based side-channel in RSA implementation ( Marvin attack )
  * Add libgcrypt-CVE-2024-2236.patch
- Fix kdf test and fail accordingly if tests fail under FIPS mode [bsc#1246934]
  * Rebased patches: libgcrypt-FIPS-SLI-kdf-leylength.patch
gnutls
- Fix heap buffer overread when handling the CT SCT extension during X.509
  certificate parsing [bsc#1246233, CVE-2025-32989]
  * Add patch gnutls-CVE-2025-32989.patch
- Fix double-free due to incorrect ownership handling in the export logic of
  SAN entries containing an otherName [bsc#1246232, CVE-2025-32988]
  * Add patch gnutls-CVE-2025-32988.patch
- Fix 1-byte heap buffer overflow when parsing templates with certtool
  [bsc#1246267, CVE-2025-32990]
  * Add patch gnutls-CVE-2025-32990.patch
- Fix NULL pointer dereference when 2nd Client Hello omits PSK
  [bsc#1246299, CVE-2025-6395]
  * Add patch gnutls-CVE-2025-6395.patch
libnvme
- Update to version 1.11+6.g0d17be77:
  * tree: free ctrl attributes when (re)configure ctrl (bsc#1243716)
  * tree: filter tree after scan has completed (bsc#1243716)
open-iscsi
- Update to version 2.1.11.suse+73.1723affc61eb:
  * README for rpm build directory
  * Fix issue with IPv6 adapter interfaces (#508, bsc#1240969)
  * fwparam_ppc.c: Fix the calloc-transposed-args issue (#504)
  * Makefile: fix "No rule to make target 'iscsiuio/Makefile.in" issue (#506)
  * Fix typo in initiator.c (#507)
- Fixed some issues in this changes file
  * One date had incorrect format from 2014
  * Two separator lines were formatted incrrectly
openssl-1_1
- FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test
  instead of NID_secp256k1. [bsc#1246697]
  * Add openssl-fips-ECDSA-KAT.patch
openssl-3
- Increase limit for CRL download [bsc#1247148, bsc#1247144]
  * Add openssl-3-large-CRLs.patch

- FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS
  * [bsc#1230959, bsc#1232326, bsc#1231748, bsc#1246428]
  * Add patch openssl-FIPS-fix-EMS-support.patch
python3
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
  validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

- Add CVE-2025-4435-normalize-lnk-trgts-tarfile.patch
  Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138,
  CVE-2024-12718, CVE-2025-4435 on tarfile (bsc#1244032,
  bsc#1244061, bsc#1244059, bsc#1244060, bsc#1244056).
  The backported fixes do not contain changes for ntpath.py and
  related tests, because the support for symlinks and junctions
  were added later in Python 3.9, and it does not make sense to
  backport them to 3.6 here.
  The patch is contains the following changes:
  - python@42deeab fixes symlink handling for tarfile.data_filter
  - python@9d2c2a8 fixes handling of existing files/symlinks in tarfile
  - python@00af979 adds a new "strict" argument to realpath()
  - python@dd8f187 fixes mulriple CVE fixes in the tarfile module
  - downstream only fixes that makes the changes work and
    compatible with Python 3.6
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
  case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

- Add python36-* provides/obsoletes to enable SLE-12 -> SLE-15
  migration, bsc#1233012

- Add ipaddress-update-pr60.patch from gh#phihag/ipaddress!60 to
  update vendored ipaddress module to 3.8 equivalent
- Add gh-128840_parse-IPv6-with-emb-IPv4.patch to limit buffer
  size for IPv6 address parsing (gh#python/cpython#128840,
  bsc#1244401).
- Update CVE-2025-4516-DecodeError-handler.patch not to break
  _PyBytes_DecodeEscape signature.

- Add CVE-2025-4516-DecodeError-handler.patch fixing
  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.
libsolv
- add support for product-obsoletes() provides in the product
  autopackage generation code
- bump version to 0.7.34

- improve transaction ordering by allowing more uninst->uninst
  edges [bsc#1243457]
- implement color filtering when adding update targets
- support orderwithrequires dependencies in susedata.xml
- bump version to 0.7.33
sqlite3
- Backpatch the URLs in sqlite3.n from https to http to avoid a
  file conflict with the tcl package on SLE-15-GA up to SP2. In
  SP3 and onwards the Tcl package does not contain the sqlite
  extension anymore.

- Sync version 3.50.2 from Factory:
  * CVE-2025-6965, bsc#1246597:
    Raise an error early if the number of aggregate terms in a
    query exceeds the maximum number of columns, to avoid
    downstream assertion faults.
  * Add subpackage for the lemon parser generator.
    + sqlite-3.49.0-fix-lemon-missing-cflags.patch
    + sqlite-3.6.23-lemon-system-template.patch
systemd
- triggers.systemd: skip update of hwdb, journal-catalog if executed during
  an offline update.

- systemd-repart is no more considered as experimental (jsc#PED-13213)

- Import commit 130293e510ceb4d121d11823e6ebd4b1e8332ea0 (merge of v254.27)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/278fb676146e35a7b4057f52f34a7bbaf1b82369...130293e510ceb4d121d11823e6ebd4b1e8332ea0
libxml2
- security update
- added patches
  CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
  + libxml2-CVE-2025-7425.patch
libzypp
- Fix evaluation of libproxy results (bsc#1247690)
- Replace URL variables inside mirrorlist/metalink files
  (fixes #667)
- version 17.37.16 (35)

- Append RepoInfo::path() to the mirror URLs in Preloader
  (bsc#1247054)
- version 17.37.15 (35)

- During installation indicate the backend being used (bsc#1246038)
  If some package actually needs to know, it should test for
  ZYPP_CLASSIC_RPMTRANS being set in the environment.
  Otherwise the transaction is driven by librpm.
- version 17.37.14 (35)

- Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459)
- Verbose log libproxy results if PX_DEBUG=1 is set.
- BuildRequires:  cmake >= 3.17.
- version 17.37.13 (35)

- Allow explicit request to probe an added repo's URL
  (bsc#1246466)
- Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661)
- version 17.37.12 (35)

- Add runtime check for a broken rpm-4.18.0 --runpostrans
  (bsc#1246149)
- Add regression test for bsc#1245220 and some other filesize
  related tests.
- version 17.37.11 (35)

- BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486)
  Newer rpm versions no longer allow a ':' in rpm package names or
  obsoletes. So injecting an
    Obsoletes: product:oldproductname < oldproductversion
  into the -release package to indicate a product rename is no longer
  possible.
  Since libsolv-0.7.34 you can and should use:
    Provides: product-obsoletes(oldproductname) < oldproductversion
  in the -release package. libsolv will then inject the appropriate
  Obsoletes into the Product.
- version 17.37.10 (35)

- Ignore DeltaRpm download errors (bsc#1245672)
  DeltaRpms are in fact optional resources. In case of a failure
  the full rpm is downloaded.
- Improve fix for incorrect filesize handling (bsc#1245220)
- version 17.37.9 (35)

- Do not trigger download data exceeded errors on HTTP non data
  responses (bsc#1245220)
  In some cases a HTTP 401 or 407 did trigger a "filesize exceeded"
  error, because the response payload size was compared against the
  expected filesize. This patch adds some checks if the response
  code is in the success range and only then takes expected
  filesize into account. Otherwise the response content-length is
  used or a fallback of 2Mb if no content-length is known.
- version 17.37.8 (35)

- Fix SEGV in MediaDISK handler (bsc#1245452)
- Explicitly selecting DownloadAsNeeded also selects the
  classic_rpmtrans backend.
  DownloadAsNeeded can not be combined with the rpm singletrans
  installer backend because a rpm transaction requires all package
  headers to be available the the beginning of the transaction. So
  explicitly selecting this mode also turns on the classic_rpmtrans
  backend.
- Fix evaluation of libproxy results (bsc#1244710)
- version 17.37.7 (35)

- Enhancements regarding mirror handling during repo refresh.
  Added  means to disable the use of mirrors when downloading
  security relevant files. Requires updaing zypper to 1.14.91.
- Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042)
  If ZYPP_FULLLOG=1 a solver testcase to
  "/var/log/YaST2/autoTestcase" should be written for each solver
  run. There was no testcase written for the very first solver run.
  This is now fixed.
- Pass $1==2 to %posttrans script if it's an update (bsc#1243279)
- version 17.37.6 (35)
nvme-cli
- Update to version 2.11+26.gfbd2b4f4:
  * nvme: fix mem leak in nvme copy (bsc#1243716)
  * nvme-print: suppress output when no ctrl is present for list-subsys (bsc#1243716)
  * nvme: extend filter to match device name (bsc#1243716)
  * udev-rules-ontap: switch to queue-depth iopolicy (bsc#1246599)
pam
- Make sure that the buffer containing encrypted passwords get's erased
  bedore free.
- Replace to previous CVE fix which led to CPU performance issues.
  [bsc#1246221, CVE-2024-10041,
  + libpam-introduce-secure-memory-erasure-helpers.patch
  + pam_modutil_get-overwrite-password-at-free.patch
  - passverify-always-run-the-helper-to-obtain-shadow_pwd.patch]
perl-Bootloader
- merge gh#openSUSE/perl-bootloader#191
- avoid spurious warning messages when parsing /etc/default/grub
  (bsc#1246373, bsc#1245323)
- 1.25
suse-build-key
- adjust UID (name + email) of SLES16 signing key with official
  names. (bsc#1245223)
suse-module-tools
- Update to version 15.7.6:
  * spec file: add missing util-linux requirement (bsc#1241038)
systemd-rpm-macros
- Bump version to 16

- Introduce %udev_trigger_with_reload() for packages that need to trigger events
  in theirs scriplets. The new macro automatically triggers a reload of the udev
  rule files as this step is often overlooked by packages (bsc#1237143).
zypper
- Fix addrepo to handle explicit --check and --no-check requests
  (bsc#1246466)
- Accept "show" as alias for "info" (bsc#1245985)
- version 1.14.93

- sh: Reset solver options after command (bsc#1245496)
- Explicitly selecting DownloadAsNeeded also selects the
  classic_rpmtrans backend.
- version 1.14.92

- BuildRequires:  libzypp-devel >= 17.37.6.
  Enhancements regarding mirror handling during repo refresh. Adapt
  to libzypp API changes. (bsc#1230267)
- version 1.14.91