- cloud-netconfig
-
- Update to version 1.19
+ Make sure IPADDR variable is stripped of netmask
- Update to version 1.18
+ Fix issue with link-local address routing (bsc#1258730)
- Update to version 1.17
+ Do not set broadcast address explicitly (bsc#1258406)
- Update to version 1.16
+ Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223
+ Fix variable names in the README
- kernel-default
-
- kabi assert ptrace: slightly saner 'get_dumpable()' logic
(bsc#1265308).
- kabi ptrace: slightly saner 'get_dumpable()' logic
(bsc#1265308).
- commit 51e3e5d
- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit a7685e1
- io-wq: check that the predecessor is hashed in
io_wq_remove_pending() (git-fixes).
- commit 447a089
- net: skbuff: propagate shared-frag marker through pskb_copy()
(CVE-2026-46300 bsc#1265209).
- commit 4c684ee
- xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1264449 bsc#1264450).
- commit f187bc6
- supported.conf: drop rxrpc and afs_fs (bsc#1264450)
- commit c00b898
- x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache (bsc#1264013 CVE-2025-54518).
- commit 5f11806
- python3
-
- Add CVE-2026-6019-Morsel-js_output.patch protects against HTML
injection by Base64-encoding cookie values embedded in JS
(bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
CR/LF in HTTP tunnel request headers (bsc#1261969,
CVE-2026-1502, gh#python/cpython#146211).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
webbrowser %action substitution bypass of dash-prefix check
(bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch preventing
dangling pointer which can end in the use-after-free error
(CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).
- Fix calling of sphinx build with non-standard Python
interpreter (including new patch sphinx-set-PYTHON.patch).
- Add CVE-2026-3446-base64-padding.patch preventing ignoring
excess Base64 data after the first padded quad (bsc#1261970,
CVE-2026-3446, gh#python/cpython#145264).
- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
the same security model as open(). The documented limitations
ensure compatibility with non-filesystem loaders; Python
doesn't check that. (bsc#1259989, CVE-2026-3479,
gh#python/cpython#146121).
- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
gh#python/cpython#143930).
- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
TarInfo DIRTYPE normalization during GNU long name handling
(bsc#1259611, CVE-2025-13462).
- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
unbound C recursion in conv_content_model in pyexpat.c
(bsc#1259735, CVE-2026-4224).
- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
control characters in http.cookies.Morsel.update() and
http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
- openssh
-
- Added openssh-cve-2026-35385-scp-setuid-modes.patch (bsc#1261427),
ensuring setuid bits default to being masked out by scp.
- Added openssh-cve-2026-35414-mishandled-ca-commas.patch
(bsc#1261430), fixing mishandling of comma characters in CA in
certain situations.
- sed
-
- Add CVE-2026-5958.patch
* Fix CVE-2026-5958 (bsc#1262144):
A TOCTOU race can allow to read attacker-controlled content and write
it to an unintended file
- suse-build-key
-
- import all keys if they are not yet in the RPM db.
- Added post quantum cryptographic keys for SLES 15 and SLES 16.
- build-pqc-15.pem
- build-pqc-16.pem
- xen
-
- bsc#1264066 - VUL-0: CVE-2025-54518: xen: AMD-SN-7052: CPU OP
Cache Corruption
6a034fca-x86-mitigate-AMD-SN-7052.patch
- Upstream security patches
69f0ab8b-gnttab-split-gnttab_map_frame.patch (bsc#1262180)
69f0ab8b-xenstored-make-conn_delete_all_transactions-idempotent.patch (bsc#1262178)
- Drop old security patches in favor of upstream versions.
xsa484.patch
xsa486.patch
- Upstream bug fixes (bsc#1027519)
69d4ab43-EFI-avoid-OOB-config-file-reads.patch
69d8ed8e-x86-time-dont-kill-calibration-timer-on-S3.patch
69e0e400-x86-use-native-TSC-scaling-factors-when-.patch
69e0e401-CPU-round-cpu_khz-calculations.patch
69e26ac9-x86-mkelf32-actually-pad-segment-to-2Mb.patch
- bsc#1262428 - VUL-0: CVE-2025-54505: xen: Floating Point Divider
State Sampling on AMD CPUs AMD-SN-7053 (XSA-488)
69e26aca-x86-mitigate-AMD-SN-7053-FP-DSS.patch
- bsc#1262178 - VUL-0: CVE-2026-23557: xen: Xenstored DoS via
XS_RESET_WATCHES command (XSA-484)
xsa484.patch
- bsc#1262180 - VUL-0: CVE-2026-23558: xen: grant table v2 race in
status page mapping (XSA-486)
xsa486.patch
- Update to Xen 4.20.3 bug fix release (bsc#1027519) (jsc#PED-8907)
* No upstream changelog found in sources or webpage
- Drop patches contained in new tarball
691b3550-x86-ucode-add-rows-to-entrysign-table.patch
69247713-x86-ucode-error-handling-parallel.patch
6926be59-x86-vMSI-X-refcount.patch
6926e01d-x86-vHPET-IRQ-route-sanitization.patch
692896dc-x86-AMD-Zenbleed-mitigation-static.patch
692dc059-x86-AMD-DE_CFG-editing.patch
693a85c2-x86-PoD-decrease_reservation-clearing-M2P.patch
693a85d6-x86-update-log-dirty-bitmap-when-.patch
695f816a-x86-HVM-more-strict-XENMAPSPACE_gmfn-source-types.patch
6964e408-x86-retval-of-has_if_pschange_mc.patch
6978b5a5-x86-shadow-dont-overrun-trace_emul_write_val.patch
6978b5bf-x86-spec-ctrl-incomplete-IBPB-at-cswitch.patch
6978c4b0-x86-AMD-fold-another-DE_CFG-edit.patch
xsa480.patch
xsa481.patch