sles-15-sp7-v20260520-arm64 Package Source Changes

cloud-netconfig

- Update to version 1.19
  + Make sure IPADDR variable is stripped of netmask

- Update to version 1.18
  +  Fix issue with link-local address routing (bsc#1258730)

- Update to version 1.17
  + Do not set broadcast address explicitly (bsc#1258406)

- Update to version 1.16
  + Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223
  + Fix variable names in the README

kernel-default

- kabi assert ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- kabi ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- commit 51e3e5d

- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit a7685e1

- io-wq: check that the predecessor is hashed in
  io_wq_remove_pending() (git-fixes).
- commit 447a089

- net: skbuff: propagate shared-frag marker through pskb_copy()
  (CVE-2026-46300 bsc#1265209).
- commit 4c684ee

- xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1264449 bsc#1264450).
- commit f187bc6

- supported.conf: drop rxrpc and afs_fs (bsc#1264450)
- commit c00b898

- x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's  op cache (bsc#1264013 CVE-2025-54518).
- commit 5f11806

python3

- Add CVE-2026-6019-Morsel-js_output.patch protects against HTML
  injection by Base64-encoding cookie values embedded in JS
  (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).

- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
  CR/LF in HTTP tunnel request headers (bsc#1261969,
  CVE-2026-1502, gh#python/cpython#146211).

- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
  webbrowser %action substitution bypass of dash-prefix check
  (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).

- Add CVE-2026-6100-use-after-free-decompression.patch preventing
  dangling pointer which can end in the use-after-free error
  (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).

- Fix calling of sphinx build with non-standard Python
  interpreter (including new patch sphinx-set-PYTHON.patch).

- Add CVE-2026-3446-base64-padding.patch preventing ignoring
  excess Base64 data after the first padded quad (bsc#1261970,
  CVE-2026-3446, gh#python/cpython#145264).

- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
  the same security model as open(). The documented limitations
  ensure compatibility with non-filesystem loaders; Python
  doesn't check that. (bsc#1259989, CVE-2026-3479,
  gh#python/cpython#146121).

- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
  leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
  gh#python/cpython#143930).

- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
  TarInfo DIRTYPE normalization during GNU long name handling
  (bsc#1259611, CVE-2025-13462).

- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
  unbound C recursion in conv_content_model in pyexpat.c
  (bsc#1259735, CVE-2026-4224).

- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
  control characters in http.cookies.Morsel.update() and
  http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).

openssh

- Added openssh-cve-2026-35385-scp-setuid-modes.patch (bsc#1261427),
  ensuring setuid bits default to being masked out by scp.
- Added openssh-cve-2026-35414-mishandled-ca-commas.patch
  (bsc#1261430), fixing mishandling of comma characters in CA in
  certain situations.

sed

- Add CVE-2026-5958.patch
  * Fix CVE-2026-5958 (bsc#1262144):
    A TOCTOU race can allow to read attacker-controlled content and write
    it to an unintended file

suse-build-key

- import all keys if they are not yet in the RPM db.

- Added post quantum cryptographic keys for SLES 15 and SLES 16.
  - build-pqc-15.pem
  - build-pqc-16.pem