- 000release-packages:SLES_SAP-release
-
n/a
- aaa_base
-
- Add patch git-51-fbf7ee9dc9cd970532a54eed6472d7f3b0e7f431.patch
* If a user switches the login shell respect the already set
PATH environment (bsc#1235481)
- add patch aaa_base-rc.status.patch (bsc#1236033)
(no git, file is gone in factory/tumbleweed)
update detection for systemd in rc.status, mountpoint for
cgroup changed with cgroup2, so just check if pid 1 is systemd
- apparmor
-
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
file even if it has 000 permissions. This is needed after the CVE-2024-10041
fix in PAM.
* unix-chkpwd-add-read-capability.path, bsc#1241678
- Allow pam_unix to execute unix_chkpwd with abi/3.0
- remove dovecot-unix_chkpwd.diff
- Add allow-pam_unix-to-execute-unix_chkpwd.patch
- Add revert-abi-change-for-unix_chkpwd.patch
(bsc#1234452, bsc#1232234)
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
unix_chkpwd, and add a profile for unix_chkpwd. This is needed
for PAM with CVE-2024-10041 (bsc#1234452)
- augeas
-
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
* CVE-2025-2588.patch
- ca-certificates-mozilla
-
- revert the distrusted certs for now. originally these only
distrust "new issued" certs starting after a certain date,
while old certs should still work. (bsc#1240343)
- remove-distrusted.patch: removed
- cifs-utils
-
- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
namespace in containerized environments while trying to get Kerberos
credentials (bsc#1239680)
* add New-mount-option-for-cifs.upcall-namespace-reso.patch
- cloud-netconfig
-
- Update to version 1.15
+ Add support for creating IPv6 default route in GCE (bsc#1240869)
+ Minor fix when looking up IPv6 default route
- cloud-regionsrv-client
-
- Update version to 10.4.0
+ Remove repositories when the package is being removed
We do not want to leave repositories behind refering to the plugin that
is being removed when the package gets removed (bsc#1240310, bsc#1240311)
+ Turn docker into an optional setup (jsc#PCT-560)
Change the Requires into a Recommends and adapt the code accordingly
+ Support flexible licenses in GCE (jsc#PCT-531)
+ Drop the azure-addon package it is geting replaced by the
license-watcher package which has a generic implementation of the
same functionality.
+ Handle cache inconsistencies (bsc#1218345)
+ Properly handle the zypper root target argument (bsc#1240997)
- kernel-default
-
- Update
patches.suse/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch
(git-fixes stable-5.14.19 CVE-2021-47671 bsc#1241421).
- commit 855e2af
- Update
patches.suse/net-mana-Fix-error-handling-in-mana_create_txq-rxq-s.patch
(bsc#1240195 CVE-2024-46784 bsc#1230771).
- commit b86bfe4
- Revert "exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029"
This reverts commit b68bd5953c15c3c2b21e60fbd6d8a52b0bbb030c.
This turned out to be not an issue. See https://bugzilla.suse.com/show_bug.cgi?id=1241378#c4
- commit d9d19c1
- exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029
bsc#1241378).
- commit b68bd59
- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
(CVE-2025-22045 bsc#1241433).
- commit c4ca325
- memstick: rtsx_usb_ms: Fix slab-use-after-free in
rtsx_usb_ms_drv_remove (bsc#1241280 CVE-2025-22020).
- commit 0f74fae
- drm/vkms: Fix use after free and double free on init error
(CVE-2025-22097 bsc#1241541).
- commit 02fe040
- net: fix geneve_opt length integer overflow (CVE-2025-22055
bsc#1241371).
- commit 15ff527
- net: atm: fix use after free in lec_send() (CVE-2025-22004
bsc#1240835).
- commit 889e26f
- kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812
bsc#1238471).
- commit 1d6ea68
- ax25: rcu protect dev->ax25_ptr (CVE-2025-21812 bsc#1238471).
- Refresh patches.kabi/net-ax25_dev-kabi-workaround.patch.
- commit 88b5c8e
- Update
patches.suse/fbdev-smscufx-fix-error-handling-code-in-ufx_usb_pro.patch
(git-fixes CVE-2022-49741 bsc#1240747).
- commit 0c9a431
- Update
patches.suse/RDMA-mlx5-Fix-implicit-ODP-hang-on-parent-deregistra.patch
(git-fixes CVE-2025-21886 bsc#1240188).
- commit 6a0c1b0
- arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785 bsc#1238747)
- commit 2c96a9a
- vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791
bsc#1238512).
- commit 50bbf71
- Delete
patches.suse/btrfs-defrag-don-t-use-merged-extent-map-for-their-generat.patch.
- Delete
patches.suse/btrfs-fix-defrag-not-merging-contiguous-extents-due-to-mer.patch.
- Delete
patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch.
Reverting ineffective changes for bsc#1239968 and closing it as WONTFIX.
- commit a1bc1ab
- padata: avoid UAF for reorder_work (CVE-2025-21726 bsc#1238865).
- commit bfab8c2
- kABI: Fix kABI after backport od CVE-2025-21839 (bsc#1239061 CVE-2025-21839).
- commit 38fa6d3
- KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061 CVE-2025-21839).
- commit 325b428
- KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT (bsc#1239061 CVE-2025-21839).
- commit 8727046
- KVM: X86: Remove unneeded KVM_DEBUGREG_RELOAD (bsc#1239061 CVE-2025-21839).
- commit bbb1715
- gfs2: Fix inode height consistency check (git-fixes).
- gfs2: Always check inode size of inline inodes (bsc#1240207
CVE-2022-49739).
- gfs2: Cosmetic gfs2_dinode_{in,out} cleanup (bsc#1240207
CVE-2022-49739).
- commit a949c3f
- Revert "gfs2: Fix inode height consistency check (git-fixes)."
This reverts commit 935054ab3fe2351d6b7c7a49e49bc57d5ae66ce2.
The revert commit will re-add by bsc#1240207 bug fix
- commit f6fc2e8
- Refresh
patches.suse/blk-throttle-Set-BIO_THROTTLED-when-bio-has-been-throttled.patch.
The original version had a back-port mistake that cause aregression.
- commit fb94b71
- mm/khugepaged: fix ->anon_vma race (CVE-2023-52935 bsc#1240276).
- commit 6257477
- net: mana: Fix error handling in mana_create_txq/rxq's NAPI
cleanup (bsc#1240195).
- Refresh
patches.suse/net-mana-Enable-debugfs-files-for-MANA-device.patch.
- commit 15a2f6b
- net: mana: Support holes in device list reply msg (bsc#1240133).
- commit 1dee3f4
- Update
patches.suse/media-cx24116-prevent-overflows-on-SNR-calculus.patch
(CVE-2024-50290 bsc#1233479 bsc#1225742).
- Update
patches.suse/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch
(CVE-2024-53063 bsc#1233557 bsc#1225742).
- commit 4c491c6
- Update
patches.suse/ALSA-hda-via-Avoid-potential-array-out-of-bound-in-a.patch
(git-fixes CVE-2023-52988 bsc#1240293).
- Update
patches.suse/Bluetooth-Fix-possible-deadlock-in-rfcomm_sk_state_c.patch
(git-fixes CVE-2023-53016 bsc#1240281).
- Update
patches.suse/HID-betop-check-shape-of-output-reports.patch
(git-fixes bsc#1207186 CVE-2023-53015 bsc#1240288).
- Update
patches.suse/NFSD-fix-use-after-free-in-nfsd4_ssc_setup_dul.patch
(git-fixes bsc#1209788 CVE-2023-1652 CVE-2023-53025
bsc#1240264).
- Update
patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch
(bsc#1207878 CVE-2023-53026 bsc#1240308).
- Update
patches.suse/Revert-wifi-mac80211-fix-memory-leak-in-ieee80211_if.patch
(git-fixes CVE-2023-53028 bsc#1240212).
- Update
patches.suse/Squashfs-fix-handling-and-sanity-checking-of-xattr_i.patch
(git-fixes CVE-2023-52933 bsc#1240275).
- Update
patches.suse/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq-b600.patch
(git-fixes CVE-2023-52983 bsc#1240284).
- Update
patches.suse/bnxt-Do-not-read-past-the-end-of-test-names.patch
(jsc#SLE-18978 CVE-2023-53010 bsc#1240290).
- Update
patches.suse/bpf-Fix-pointer-leak-due-to-insufficient-speculative.patch
(bsc#1231375 CVE-2023-53024 bsc#1240272).
- Update
patches.suse/bpf-Skip-task-with-pid-1-in-send_signal_common.patch
(git-fixes CVE-2023-52992 bsc#1240317).
- Update
patches.suse/can-isotp-split-tx-timer-into-transmission-and-timeo.patch
(git-fixes CVE-2023-52941 bsc#1240280).
- Update
patches.suse/cifs-Fix-oops-due-to-uncleared-server-smbd_conn-in-reconnect.patch
(git-fixes CVE-2023-53006 bsc#1240208).
- Update
patches.suse/cifs-fix-potential-memory-leaks-in-session-setup.patch
(bsc#1193629 CVE-2023-53008 bsc#1240318).
- Update
patches.suse/drm-i915-Fix-potential-bit_17-double-free.patch
(git-fixes CVE-2023-52930 bsc#1240304).
- Update
patches.suse/efi-fix-potential-NULL-deref-in-efi_mem_reserve_pers.patch
(git-fixes CVE-2023-52976 bsc#1240283).
- Update
patches.suse/firewire-fix-memory-leak-for-payload-of-request-suba.patch
(git-fixes CVE-2023-52989 bsc#1240266).
- Update
patches.suse/mm-memcg-fix-NULL-pointer-in-mem_cgroup_track_foreign_dirty_slowpath.patch
(bsc#1209262 CVE-2023-52939 bsc#1240231).
- Update
patches.suse/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch
(git-fixes CVE-2023-53019 bsc#1240286).
- Update
patches.suse/net-nfc-Fix-use-after-free-in-local_cleanup.patch
(git-fixes CVE-2023-53023 bsc#1240309).
- Update
patches.suse/net-phy-dp83822-Fix-null-pointer-access-on-DP83825-D.patch
(git-fixes CVE-2023-52984 bsc#1240279).
- Update
patches.suse/netfilter-nft_payload-incorrect-arithmetics-when-fet.patch
(CVE-2023-0179 bsc#1207034 CVE-2023-53033 bsc#1240210).
- Update
patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch
(bsc#1209547 CVE-2017-5753 CVE-2023-53000 bsc#1240227).
- Update
patches.suse/octeontx2-pf-Avoid-use-of-GFP_KERNEL-in-atomic-conte.patch
(git-fixes CVE-2023-53030 bsc#1240292).
- Update
patches.suse/octeontx2-pf-Fix-the-use-of-GFP_KERNEL-in-atomic-con.patch
(git-fixes CVE-2023-53029 bsc#1240220).
- Update
patches.suse/scsi-iscsi_tcp-Fix-UAF-during-login-when-accessing-the-shost-ipaddress.patch
(git-fixes CVE-2023-2162 bsc#1210647 CVE-2023-52974
bsc#1240213).
- Update
patches.suse/scsi-iscsi_tcp-Fix-UAF-during-logout-when-accessing-the-shost-ipaddress.patch
(git-fixes CVE-2023-52975 bsc#1240322).
- Update
patches.suse/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
(git-fixes CVE-2023-52979 bsc#1240282).
- Update
patches.suse/trace_events_hist-add-check-for-return-value-of-create_hist_field.patch
(git-fixes CVE-2023-53005 bsc#1240278).
- Update
patches.suse/tracing-Make-sure-trace_printk-can-output-as-soon-as-it-can-be-used.patch
(git-fixes CVE-2023-53007 bsc#1240229).
- Update
patches.suse/vc_screen-move-load-of-struct-vc_data-pointer-in-vcs.patch
(git-fixes bsc#1213167 CVE-2023-3567 CVE-2023-52973
bsc#1240218).
- Update
patches.suse/x86-i8259-Mark-legacy-PIC-interrupts-with-IRQ_LEVEL.patch
(git-fixes CVE-2023-52993 bsc#1240297).
- commit f69d55e
- Update
patches.suse/VMCI-Use-threaded-irqs-instead-of-tasklets.patch
(git-fixes CVE-2022-49759 bsc#1240245).
- Update
patches.suse/dmaengine-Fix-double-increment-of-client_count-in-dm.patch
(git-fixes CVE-2022-49753 bsc#1240250).
- Update
patches.suse/dmaengine-imx-sdma-Fix-a-possible-memory-leak-in-sdm.patch
(git-fixes CVE-2022-49746 bsc#1240242).
- Update
patches.suse/perf-x86-amd-fix-potential-integer-overflow-on-shift-of-a-int.patch
(git fixes CVE-2022-49748 bsc#1240256).
- Update
patches.suse/usb-gadget-f_fs-Prevent-race-during-ffs_ep0_queue_wa.patch
(git-fixes CVE-2022-49755 bsc#1240247).
- Update
patches.suse/w1-fix-WARNING-after-calling-w1_process.patch
(git-fixes CVE-2022-49751 bsc#1240254).
- commit 67615b0
- Update
patches.suse/can-j1939-fix-errant-WARN_ON_ONCE-in-j1939_session_d.patch
(git-fixes CVE-2021-4454 bsc#1240205).
- commit 3ad7432
- RDMA/mlx5: Fix implicit ODP hang on parent deregistration (git-fixes)
- commit fb96cb5
- RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error (CVE-2025-21732 bsc#1237877)
- commit 4fd8031
- RDMA/mlx5: Fix implicit ODP use after free (CVE-2025-21714 bsc#1237890)
- commit b066549
- can: hi311x: hi3110_can_ist(): fix potential use-after-free
(CVE-2024-56651 bsc#1235528).
- commit c9a4975
- btrfs: fix use-after-free when attempting to join an aborted transaction (CVE-2025-21753 bsc#1237875)
- commit 4b7aa14
- idpf: fix idpf_vc_core_init error path (CVE-2024-53064
bsc#1233558).
- commit f7c6f3c
- btrfs: send: fix invalid clone operation for file that got
its size decreased (bsc#1239969).
- btrfs: send: allow cloning non-aligned extent if it ends at
i_size (bsc#1239969).
- commit 6046fcc
- net: mana: Allow variable size indirection table (bsc#1239016).
- Refresh
patches.suse/net-mana-Enable-debugfs-files-for-MANA-device.patch.
- commit ab31abc
- net: mana: Avoid open coded arithmetic (bsc#1239016).
- RDMA/mana_ib: Prefer struct_size over open coded arithmetic
(bsc#1239016).
- net: mana: Add flex array to struct mana_cfg_rx_steer_req_v2
(bsc#1239016).
- RDMA/mana_ib: Use v2 version of cfg_rx_steer_req to enable RX
coalescing (bsc#1239016).
- commit 3e2838d
- btrfs: fix defrag not merging contiguous extents due to merged
extent maps (bsc#1239968).
- btrfs: fix extent map merging not happening for adjacent extents
(bsc#1239968).
- btrfs: defrag: don't use merged extent map for their generation
check (bsc#1239968).
- commit 7ca0c8b
- scsi: target: tcmu: Fix possible page UAF (CVE-2022-49053
bsc#1237918).
- commit 31de519
- KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
(CVE-2024-58083 bsc#1239036).
- commit c06a95f
- ACPI: processor: idle: Return an error if both P_LVL{2,3}
idle states are invalid (bsc#1237530).
- commit bc72fe5
- mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove()
(bsc#1239126).
- commit 9ba4a9a
- mm: zswap: move allocations during CPU init outside the lock
(git-fixes).
- commit 2ba6fb9
- mm: zswap: properly synchronize freeing resources during CPU
hotunplug (bsc#1237029 CVE-2025-21693).
- commit a35b49f
- mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx
(bsc#1237029 CVE-2025-21693).
- commit 2a858ad
- partitions: mac: fix handling of bogus partition table
(CVE-2025-21772 bsc#1238911).
- blk-throttle: Set BIO_THROTTLED when bio has been throttled
(CVE-2022-49465 bsc#1238919).
- commit 0fbb2d1
- containerd
-
- Update to containerd v1.7.27. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.27>
bsc#1239749 CVE-2024-40635
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.26. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.25. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.25>
<https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- expat
-
- version update to 2.7.1
Bug fixes:
[#980] #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
[#976] #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
[#983] #984 Fix printf format specifiers for 32bit Emscripten
[#992] docs: Promote OpenSSF Best Practices self-certification
[#978] tests/benchmark: Resolve mistaken double close
[#986] Address compiler warnings
[#990] #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
[#982] CI: Start running Perl XML::Parser integration tests
[#987] CI: Enforce Clang Static Analyzer clean code
[#991] CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
[#981] CI: Cover compilation with musl
[#983] #984 CI: Cover compilation with 32bit Emscripten
[#976] #977 CI: Protect against fuzzer files missing from future
release archives
- version update to 2.7.0 for SLE-15-SP4
- deleted patches
- expat-CVE-2022-25235.patch (upstreamed)
- expat-CVE-2022-25236-relax-fix.patch (upstreamed)
- expat-CVE-2022-25236.patch (upstreamed)
- expat-CVE-2022-25313-fix-regression.patch (upstreamed)
- expat-CVE-2022-25313.patch (upstreamed)
- expat-CVE-2022-25314.patch (upstreamed)
- expat-CVE-2022-25315.patch (upstreamed)
- expat-CVE-2022-40674.patch (upstreamed)
- expat-CVE-2022-43680.patch (upstreamed)
- expat-CVE-2023-52425-1.patch (upstreamed)
- expat-CVE-2023-52425-2.patch (upstreamed)
- expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed)
- expat-CVE-2023-52425-fix-tests.patch (upstreamed)
- expat-CVE-2024-28757.patch (upstreamed)
- expat-CVE-2024-45490.patch (upstreamed)
- expat-CVE-2024-45491.patch (upstreamed)
- expat-CVE-2024-45492.patch (upstreamed)
- expat-CVE-2024-50602.patch (upstreamed)
- version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
* Security fixes:
[#893] #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
* Other changes:
[#935] #937 Autotools: Make generated CMake files look for
libexpat.@SO_MAJOR@.dylib on macOS
[#925] Autotools: Sync CMake templates with CMake 3.29
[#945] #962 #966 CMake: Drop support for CMake <3.13
[#942] CMake: Small fuzzing related improvements
[#921] docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
[#941] docs: Document need for C++11 compiler for use from C++
[#959] tests/benchmark: Fix a (harmless) TOCTTOU
[#944] Windows: Fix installer target location of file xmlwf.xml
for CMake
[#953] Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
[#971] Address Cppcheck warnings
[#969] #970 Mass-migrate links from http:// to https://
[#947] #958 ..
[#974] #975 Document changes since the previous release
[#974] #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
- no source changes, just adding jira reference: jsc#SLE-21253
- glib2
-
- Add glib2-CVE-2025-3360.patch:
Backport 8d60d7dc from upstream, Fix integer overflow when
parsing very long ISO8601 inputs. This will only happen with
invalid (or maliciously invalid) potential ISO8601 strings,
but `g_date_time_new_from_iso8601()` needs to be robust against
that.
(CVE-2025-3360, bsc#1240897)
- glibc
-
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
debug env var for setuid for static (CVE-2025-4802, bsc#1243317)
- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
[#25847])
- google-cloud-sap-agent
-
- Update to version v3.7: (bsc#1238831, bsc#1238833)
* No public description
* Moving CG disk validation to CheckPreConditions
* Fix issue with filling in ha_hosts in HANA systems
* Use updated UAP method for Guest Actions
* Fix grep command used for landscape ID discovery
* Correct arguments used by HANA disk discovery.
* Add tagged disks to discovery data sent to Data Warehouse
* Identify disks by mount point in SAP System data.
* Auto updated compiled protocol buffers
* Add collection for WLM Pacemaker alias IP setting.
* Add the Maintenance Events Sample Dashboard
* Auto updated compiled protocol buffers
* Remove obsolete events proto from sapagent
* Auto updated compiled protocol buffers
* Add collection for WLM Pacemaker health check and internal load balancer metrics.
* Auto updated compiled protocol buffers
* Add collection for WLM Pacemaker SAPInstance automatic recover and monitor settings.
* Remove restart logic used in configure OTE. Rely on config poller.
* fixing TypedValue
* migrating from the platform integration/common/shared to sharedlibraries
* Default topology to SCALE_UP for non-HANA DBs.
* Remove restarting from guestactions
- google-guest-agent
-
- Update to version 20250506.01 (bsc#1243254, bsc#1243505)
* Make sure agent added connections are activated by NM (#534)
- from version 20250506.00
* wrap NSS cache refresh in a goroutine (#533)
- from version 20250502.01
* Wicked: Only reload interfaces for which configurations are written or changed. (#524)
- from version 20250502.00
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- from version 20250418.00
* Re-enable disabled services if the core plugin was enabled (#521)
- from version 20250414.00
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- hwinfo
-
- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88
- merge gh#openSUSE/hwinfo#152
- avoid reporting of spurious usb storage devices (bsc#1223330)
- 21.87
- merge gh#openSUSE/hwinfo#151
- do not overdo usb device de-duplication (bsc#1239663)
- 21.86
- icewm
-
- Add icewm-translation-update.patch: Update the latest translation
from https://l10n.opensuse.org/projects/icewm/icewm-1-4-branch/.
- iproute2
-
- avoid spurious cgroup warning (bsc#1234383):
- ss-Tone-down-cgroup-path-resolution.patch
- iputils
-
- Fix bsc#1243284 - ping on s390x prints invalid ttl
* Add iputils-invalid-ttl-s390x.patch
* Fix ipv4 ttl value when using SOCK_DGRAM on big endian systems
- Security fix [bsc#1242300, CVE-2025-47268]
* integer overflow in RTT calculation can lead to undefined behavior
* Add iputils-CVE-2025-47268.patch
- kbd
-
- Don't search for resources in the current directory. It can cause
unwanted side effects or even infinite loop (bsc#1237230,
kbd-ignore-working-directory-1.patch,
kbd-ignore-working-directory-2.patch,
kbd-ignore-working-directory-3.patch).
- resource-agents
-
- L3: fuser returning unexpected list of PIDs to Filesystem RA
(bsc#1241867) Apply upstream patch:
0001-Filesystem-fix-getting-the-wrong-block-device-when-d.patch
- L3: DB2 resource agent forcefully shuts down database, risking data loss — ref:_00D1igLOd._500TrYJM7l:ref
(bsc#1241692)
Add patch:
bsc-1241692.patch
- libapparmor
-
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
file even if it has 000 permissions. This is needed after the CVE-2024-10041
fix in PAM.
* unix-chkpwd-add-read-capability.path, bsc#1241678
- Allow pam_unix to execute unix_chkpwd with abi/3.0
- remove dovecot-unix_chkpwd.diff
- Add allow-pam_unix-to-execute-unix_chkpwd.patch
- Add revert-abi-change-for-unix_chkpwd.patch
(bsc#1234452, bsc#1232234)
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
unix_chkpwd, and add a profile for unix_chkpwd. This is needed
for PAM with CVE-2024-10041 (bsc#1234452)
- freetype2
-
- enable brotli support (jsc#PED-12258)
- mozjs60
-
- Add libtheora-avoid-negative-shift.patch: avoid negative shift in
huffdec.c (bsc#1234837 CVE-2024-56431).
- Explicitly require libicu-devel, rather than using pkgconfig, to
avoid unintentionally building against icu 73.
- ncurses
-
- Modify patch ncurses-5.9-ibm327x.dif
* Backport sclp terminfo description entry if for s390 sclp terminal lines
* Add a further sclp entry for qemu s390 based systems
* Make use of dumb
- pacemaker
-
- pacemaker-attrd: use %PRIu32 format specifier instead of %u for node id (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
* bsc#1239629-0004-Log-pacemaker-attrd-use-PRIu32-format-specifier-inst.patch
- libcrmcluster: correctly log node id (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
* bsc#1239629-0003-Log-libcrmcluster-correctly-log-node-id.patch
- pacemaker-attrd: log the cluster layer id of the changed peer (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
* bsc#1239629-0002-Log-pacemaker-attrd-log-the-cluster-layer-id-of-the-.patch
- pacemaker-attrd: prevent segfault if a peer leaves when its name is unknown yet (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
* bsc#1239629-0001-Fix-pacemaker-attrd-prevent-segfault-if-a-peer-leave.patch
- spec: create a temporary file in /run directory (bsc#1239770)
- libcrmservices: Unref the dbus connection... (gh#ClusterLabs/pacemaker#3841)
* pacemaker#3841-0002-Refactor-libcrmservices-Unref-the-dbus-connection.patch
- libcrmservices: Don't leak msg if systemd_proxy is NULL. (gh#ClusterLabs/pacemaker#3841)
* pacemaker#3841-0001-Low-libcrmservices-Don-t-leak-msg-if-systemd_proxy-i.patch
- cts-scheduler: update tests for considering parents of an unmanaged resource active on the node (gh#ClusterLabs/pacemaker#3842, bsc#1238519)
* bsc#1238519-0002-Test-cts-scheduler-update-tests-for-considering-pare.patch
- libpe_status: consider parents of an unmanaged resource active on the node (gh#ClusterLabs/pacemaker#3842, bsc#1238519)
* bsc#1238519-0001-Fix-libpe_status-consider-parents-of-an-unmanaged-re.patch
- various: address format-overflow warnings (gh#ClusterLabs/pacemaker#3795)
* pacemaker#3795-0001-Low-various-address-format-overflow-warnings.patch
- libpacemaker: set fail-count to INFINITY for fatal failures (gh#ClusterLabs/pacemaker#3772)
* pacemaker#3772-0002-Fix-libpacemaker-set-fail-count-to-INFINITY-for-fata.patch
- libpacemaker: add PCMK__XA_FAILED_START_OFFSET and PCMK__XA_FAILED_STOP_OFFSET (gh#ClusterLabs/pacemaker#3772)
* pacemaker#3772-0001-Refactor-libpacemaker-add-PCMK__XA_FAILED_START_OFFS.patch
- librdkafka
-
- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
avoid endless loops (bsc#1242842)
- ruby2.5
-
- update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6
- fix ReDoS in CGI::Util#escapeElement
bsc#1237806 CVE-2025-27220
- fix denial of service in CGI::Cookie.parse
bsc#1237804 CVE-2025-27219
- update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41
- move the request smuggling patch to the correct place
actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773
- libsolv
-
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32
- Provide a symbol specific for the ruby-version
so yast does not break across updates (boo#1235598)
- sqlite3
-
- Sync version 3.49.1 from Factory (jsc#SLE-16032):
* CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
function, introduced in version 3.44.0, that could lead to a
memory error if the separator string is very large (hundreds
of megabytes).
* CVE-2025-29088, bsc#1241078: Enhanced the
SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
against misuse.
* Obsoletes sqlite3-rtree-i686.patch
- libxml2
-
- security update
- added patches
CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
+ libxml2-CVE-2025-32414.patch
CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
+ libxml2-CVE-2025-32415.patch
- libzypp
-
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
default (false).
The default was true in Code12 (libzypp-16.x) and changed to
false with Code15 (libzypp-17.x). Unfortunately this was done by
shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
(bsc#1238315)
Ftp actually differs between absolute and relative URL paths.
Absolute path names begin with a double slash encoded as '/%2F'.
This must be preserved when manipulating the path.
- version 17.36.5 (35)
- Add a transaction package preloader (fixes openSUSE/zypper#104)
This patch adds a preloader that concurrently downloads files
during a transaction commit. It's not yet enabled per default.
To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
(fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
- openssh
-
- Added openssh-bsc1241045-kexalgo-gt-256bits.patch (bsc#1241045)
from upstream, which allows KEX hashes greater than 256 bits.
Thanks to Ali Abdallah <ali.abdallah@suse.com>.
- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
This fixes an upstream logic error handling the DisableForwarding
option.
- Update openssh-7.6p1-audit_race_condition.patch (bsc#1232533),
fixing failures with very large MOTDs. Thanks to Ali Abdallah
<ali.abdallah@suse.com>.
- Updated openssh-8.1p1-audit.patch (bsc#1228634) with modification
from Jaroslav Jindrak (jjindrak@suse.com) to fix the hostname
being left out of the audit output.
- pam
-
- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
entry.
[passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
[pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]
- patterns-base
-
- add bpftool to patterns enhanced base. jsc#PED-8375
- python-pyzmq
-
- Prevent open files leak by closing sockets on timeout (bsc#1241624)
- Added:
* close-socket-on-timeout.patch
- salt
-
- Fix aptpkg 'NoneType object has no attribute split' error
- Detect openEuler as RedHat family OS
- Ensure the correct crypt module is loaded
- Implement multiple inventory for ansible.targets
- Make x509 module compatible with M2Crypto 0.44.0
- Remove deprecated code from x509.certificate_managed test mode
- Move logrotate config to /usr/etc/logrotate.d where possible
- Add DEB822 apt repository format support
- Make Salt-SSH work with all SSH passwords (bsc#1215484)
- Fix issue of using update-alternatives with alts (#105)
- Added:
* fix-deb822-nonetype-object-has-no-attribute-split-71.patch
* detect-openeuler-as-redhat-family-os.patch
* ensure-the-correct-crypt-module-is-loaded.patch
* implement-multiple-inventory-for-ansible.targets.patch
* make-x509-module-compatible-with-m2crypto-0.44.0.patch
* remove-deprecated-code-from-x509.certificate_managed.patch
* add-deb822-apt-source-format-support-692.patch
* remove-password-from-shell-after-functional-text-mat.patch
- Fix virt_query outputter and add support for block devices
- Make _auth calls visible with master stats
- Repair mount.fstab_present always returning pending changes
- Set virtual grain in Podman systemd container
- Fix crash due wrong client reference on `SaltMakoTemplateLookup`
- Enhace batch async and fix some detected issues
- Added:
* repair-virt_query-outputter-655.patch
* make-_auth-calls-visible-with-master-stats-696.patch
* repair-fstab_present-test-mode-702.patch
* set-virtual-grain-in-podman-systemd-container-703.patch
* fixed-file-client-private-attribute-reference-on-sal.patch
* backport-batch-async-fixes-and-improvements-701.patch
- Enhacement of Salt packaging
* Use update-alternatives for all salt scripts
* Use flexible dependencies for the subpackages
* Make salt-minion to require flavored zypp-plugin
* Make zyppnotify to use update-alternatives
* Drop unused yumnotify plugin
* Add dependency to python3-dnf-plugins-core for RHEL based
- Fix tests failures after "repo.saltproject.io" deprecation
- Fix error to stat '/root/.gitconfig' on gitfs
(bsc#1230944) (bsc#1234881) (bsc#1220905)
- Adapt to removal of hex attribute in pygit2 v1.15.0 (bsc#1230642)
- Enhance smart JSON parsing when garbage is present (bsc#1231605)
- Fix virtual grains for VMs running on Nutanix AHV (bsc#1234022)
- Fix issues running on Python 3.12 and 3.13
- Added:
* fix-tests-failures-after-repo.saltproject.io-depreca.patch
* fix-failed-to-stat-root-.gitconfig-issue-on-gitfs-bs.patch
* update-for-deprecation-of-hex-in-pygit2-1.15.0-and-a.patch
* enhance-find_json-garbage-filtering-bsc-1231605-688.patch
* fix-virtual-grains-for-vms-running-on-nutanix-ahv-bs.patch
* fix-issues-that-break-salt-in-python-3.12-and-3.13-6.patch
- python3-setuptools
-
- Add patch CVE-2025-47273.patch to fix A path traversal
vulnerability.
(bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
- rubygem-bundler
-
- also includes
VUL-0: CVE-2020-36327: Bundler chooses a dependency source based
on the highest gem version number, which means that a rogue gem
found at a public source may be chosen (bsc#1185842)
- updated to version 2.2.34
VUL-0: CVE-2021-43809: rubygem-bundler: remote execution via Gemfile argument injection (bsc#1193578)
- removed 7416.patch and CVE-2021-43809.patch which are included
in suse.patch now
- removed series as it is unused
- rubygem-rack
-
- security update
- added patches
fix CVE-2025-32441 [bsc#1242899], Rack Session Reuse Vulnerability
+ rubygem-rack-CVE-2025-32441.patch
- security update
- added patches
fix CVE-2025-46727 [bsc#1242894], Unbounded-Parameter DoS in Rack:QueryParser
+ rubygem-rack-CVE-2025-46727.patch
- scap-security-guide
-
- creation of a new request
- removed tables reference related to almalinux9 builds
- fix a bug in redhad package description for almalinux9 builds
- updates redhat package to include almalinux9 builds
- added build support for almalinux9
- removed ssg-reproducable.patch: upstream
- updated to 0.1.76 (jsc#ECO-3319)
- Add new product for Ubuntu 24.04 and draft CIS profiles
- Add pyproject.toml for the ssg package
- AlmaLinux OS 9 as a new product
- Documentation for ssg library
- Extend SSG library to more easily collect profile selections
- Extend SSG with functions to manage variables
- 000release-packages:sle-ha-release
-
n/a
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-sap-applications-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- supportutils
-
- Changes to version 3.2.10
+ network.txt collect all firewalld zones (pr#233)
+ Collects gfs2 info (PED-11853, pr#235, pr#236)
+ Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237)
+ Added openldap2_5 support for SLES (pr#238)
+ Collects additional hawk details (pr#239)
+ Optimized filtering D/Z processes (pr#241)
+ Collect firewalld permanent configuration (pr#243)
+ ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247)
+ Added dbus_info for dbus.txt (bsc#1222650, pr#248)
- Changes to version 3.2.9
+ Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221)
+ Supportconfig available in current distro (PED-7131)
+ Corrected display issues (bsc#1231396)
+ NFS takes too long, showmount times out (bsc#1231423)
+ Merged sle15 and master branches (bsc#1233726, PED-11669)
- sysstat
-
- Remove cron dependency (bsc#1239297).
- Introduce systemd timers.
- Delete sysstat.cron.suse.
- timezone
-
- Update to 2025b:
* New zone for Aysén Region in Chile (America/Coyhaique) which
moves from -04/-03 to -03
- Refresh patches
* revert-philippines-historical-data.patch
* tzdata-china.diff
- zypper
-
- Updated translations (bsc#1230267)
- version 1.14.89
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88
- Package preloader that concurrently downloads files. It's not yet
enabled per default. To enable the preview set ZYPP_CURL2=1 and
ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires: libzypp-devel >= 17.36.4.
- version 1.14.87
- refresh: add --include-all-archs (fixes #598)
Future multi-arch repos may allow to download only those metadata
which refer to packages actually compatible with the systems
architecture. Some tools however want zypp to provide the full
metadata of a repository without filtering incompatible
architectures.
- info,search: add option to search and list Enhances
(bsc#1237949)
- version 1.14.86