aaa_base
- fix git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to actually apply

- replace git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  by git-47-056fc66c699a8544c7692a03c905fca568f5390b.patch
  * fix the issues from bsc#1107342 and bsc#1215434 and just
    use the settings from update-alternatives to set JAVA_HOME
antlr3
- Remove dependency on maven2

- Added patches:
  * reproducible-order.patch
    + ensure reproducible elements order by sorting
  * reproducible-timestamp.patch
    + support SOURCE_DATE_EPOCH for generatedTimestamp
- Modified patch:
  * antlr3-generated_sources.patch
    + regenerate in cycle with stringtemplate4 to correspond to
    the reproducible build changes

- Override build date (boo#1047218)"
apache-commons-codec
- Update to 1.16.1:
  * New features:
    + Add Maven property project.build.outputTimestamp for build
    reproducibility
  * Fixed Bugs:
    + CODEC-295: Test clean ups
    + CODEC-295: Correct error in Base64 Javadoc
    + CODEC-295: Add minimum Java version in changes.xml
    + CODEC-310: Documentation update for the
    org.apache.commons.codec.digest.* package
    + Precompile regular expression in UnixCrypt.crypt(byte[],
    String)
    + CODEC-315: Fix possible IndexOutOfBoundException in
    PhoneticEngine.encode method
    + CODEC-313: Fix possible ArrayIndexOutOfBoundsException in
    QuotedPrintableCodec.encodeQuotedPrintable() method
    + CODEC-312: Fix possible StringIndexOutOfBoundException in
    MatchRatingApproachEncoder.encode() method
    + CODEC-311: Fix possible ArrayIndexOutOfBoundException in
    RefinedSoundex.getMappingCode()
    + CODEC-314: Fix possible IndexOutOfBoundsException in
    PercentCodec.insertAlwaysEncodeChars() method
    + Deprecate UnixCrypt 0-argument constructor
    + Deprecate Md5Crypt 0-argument constructor
    + Deprecate Crypt 0-argument constructor
    + Deprecate StringUtils 0-argument constructor
    + Deprecate Resources 0-argument constructor
    + Deprecate Charsets 0-argument constructor
    + Deprecate CharEncoding 0-argument constructor

- Update to 1.16.0:
  * Minor improvements #67. Fixes CODEC-295.
  * Remove duplicated words from Javadocs.
  * Simplify assertion #84. Fixes CODEC-301.
  * Simplify assertion #84. Fixes CODEC-300.
  * Use Standard Charset object #82. Fixes CODEC-298.
  * Use String.contains() functions #125.
  * Avoid use toString() or substring() in favor of a simplified expression #126.
  * Fix byte-skipping in Base16 decoding #135. Fixes CODEC-305.
  * Fix several typos, improve writing in some javadocs #139.
  * BaseNCodecOutputStream.eof() should not throw IOException.
  * Javadoc improvements and cleanups.
  * Deprecate BaseNCodec.isWhiteSpace(byte) and use Character.isWhitespace(int).
  * Add support for Blake3 family of hashes. Fixes CODEC-296.
  * Add github/codeql-action.
  * Bump actions/cache from v2 to v3.0.10 #75, #99, #119, #138, #149, #152.
  * Bump actions/setup-java from v1.4.1 to 3.5.1 #60, #62, #121.
  * Bump actions/checkout from 2.3.2 to 3.1.0 #65, #98, #114, #153.
  * Bump commons-parent from 52 to 58, #147, #165, #170.
  * Bump junit from 4.13.1 to 5.9.1 #76, #39, #140, #148. Fixes CODEC-285.
  * Bump Java 7 to 8.
  * Bump japicmp-maven-plugin from 0.14.3 to 0.17.1.
  * Bump jacoco-maven-plugin from 0.8.5 to 0.8.8 (Fixes Java 15 builds).
  * Bump maven-surefire-plugin from 2.22.2 to 3.0.0-M7 #122, #134.
  * Bump maven-javadoc-plugin from 3.2.0 to 3.4.1.
  * Bump animal-sniffer-maven-plugin from 1.19 to 1.22.
  * Bump maven-pmd-plugin from 3.13.0 to 3.19.0, #133, #142, #145.
  * Bump pmd from 6.47.0 to 6.52.0.
  * Bump maven-checkstyle-plugin from 2.17 to 3.2.0 #143.
  * Bump checkstyle from 8.45.1 to 9.3 #97, #100, #101, #103.
  * Bump taglist-maven-plugin from 2.4 to 3.0.0 #102.
  * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
apache-commons-compress
- Use %patch -P N instead of deprecated %patchN.

- Upgrade to 1.26
  * Fixing several vulnerabilities
    + bsc#1220068, CVE-2024-26308
    + bsc#1220070, CVE-2024-25710
  * New Features
    + Add and use ZipFile.builder(), ZipFile.Builder, and deprecate
    constructors
    + Add and use SevenZFile.builder(), SevenZFile.Builder, and
    deprecate constructors
    + Add and use ArchiveInputStream.getCharset()
    + Add and use ArchiveEntry.resolveIn(Path)
    + Add Maven property project.build.outputTimestamp for build
    reproducibility
  * Fixed Bugs
    + COMPRESS-632: Check for invalid PAX values in TarArchiveEntry
    + COMPRESS-632: Fix for zero size headers in ArjInputStream
    + COMPRESS-632: Fixes and tests for ArInputStream
    + COMPRESS-632: Fixes for dump file parsing
    + COMPRESS-632: Improve CPIO exception detection and handling
    + Deprecate SkipShieldingInputStream without replacement (no
    longer used)
    + Reuse commons-codec, don't duplicate class PureJavaCrc32C
    (removed package-private class)
    + Reuse commons-codec, don't duplicate class XXHash32
    (deprecated class)
    + Reuse commons-io, don't duplicate class Charsets (deprecated
    class)
    + Reuse commons-io, don't duplicate class IOUtils (deprecated
    methods)
    + Reuse commons-io, don't duplicate class BoundedInputStream
    (deprecated class)
    + Reuse commons-io, don't duplicate class FileTimes (deprecated
    TimeUtils methods)
    + Reuse Arrays.equals(byte[], byte[]) and deprecate
    ArchiveUtils.isEqual(byte[], byte[])
    + Add a null-check for the class loader of OsgiUtils
    + Add a null-check in Pack200.newInstance(String, String)
    + Deprecate ChecksumCalculatingInputStream in favor of
    java.util.zip.CheckedInputStream
    + Deprecate CRC32VerifyingInputStream
    .CRC32VerifyingInputStream(InputStream, long, int)
    + COMPRESS-655: FramedSnappyCompressorOutputStream produces
    incorrect output when writing a large buffer
    + COMPRESS-657: Fix TAR directory entries being misinterpreted
    as files
    + Deprecate unused method FileNameUtils.getBaseName(String)
    + Deprecate unused method FileNameUtils.getExtension(String)
    + ArchiveInputStream.BoundedInputStream.read() incorrectly adds
    1 for EOF to the bytes read count
    + Deprecate IOUtils.read(File, byte[])
    + Deprecate IOUtils.copyRange(InputStream, long, OutputStream,
    int)
    + COMPRESS-653: ZipArchiveOutputStream multi archive updates
    metadata in incorrect file
    + Deprecate ByteUtils.InputStreamByteSupplier
    + Deprecate ByteUtils.fromLittleEndian(InputStream, int)
    + Deprecate ByteUtils.toLittleEndian(DataOutput, long, int)
    + Reduce duplication by having ArchiveInputStream extend
    FilterInputStream
    + Support preamble garbage in ZipArchiveInputStream
    + COMPRESS-658: Fix formatting the lowest expressable DOS time
    + Drop reflection from ExtraFieldUtils static initialization
    + Preserve exception causation in
    ExtraFieldUtils.register(Class)
- Upgrade to 1.25.0
  * New features:
    + Add GzipParameters.getFileName() and deprecate getFilename()
    + Add GzipParameters.setFileName(String) and deprecate
    setFilename(String)
    + Add FileNameUtil.getCompressedFileName(String) and deprecate
    getCompressedFilename(String)
    + Add FileNameUtil.getUncompressedFileName(String) and deprecate
    getUncompressedFilename(String)
    + Add FileNameUtil.isCompressedFileName(String) and deprecate
    isCompressedFilename(String)
    + Add BZip2Utils.getCompressedFileName(String) and deprecate
    getCompressedFilename(String)
    + Add BZip2Utils.getUncompressedFileName(String) and deprecate
    getUncompressedFilename(String)
    + Add BZip2Utils.isCompressedFileName(String) and deprecate
    isCompressedFilename(String)
    + Add LZMAUtils.getCompressedFileName(String) and deprecate
    getCompressedFilename(String)
    + Add LZMAUtils.getUncompressedFileName(String) and deprecate
    getUncompressedFilename(String)
    + Add LZMAUtils.isCompressedFileName(String) and deprecate
    isCompressedFilename(String)
    + Add XYUtils.getCompressedFileName(String) and deprecate
    getCompressedFilename(String)
    + Add XYUtils.getUncompressedFileName(String) and deprecate
    getUncompressedFilename(String)
    + Add XYUtils.isCompressedFileName(String) and deprecate
    isCompressedFilename(String)
    + Add GzipUtils.getCompressedFileName(String) and deprecate
    getCompressedFilename(String)
    + Add GzipUtils.getUncompressedFileName(String) and deprecate
    getUncompressedFilename(String)
    + Add GzipUtils.isCompressedFileName(String) and deprecate
    isCompressedFilename(String)
    + Add SevenZOutputFile.putArchiveEntry(SevenZArchiveEntry) and
    deprecate putArchiveEntry(ArchiveEntry)
    + Add generics to ChangeSet and ChangeSetPerformer
    + Add generics to ArchiveStreamProvider and friends
    + Add a generic type parameter to ArchiveOutputStream and avoid
    unchecked/unconfirmed type casts in subclasses
    + Add a generic type parameter to ArchiveInputStream and
    deprecate redundant get methods in subclasses
    + COMPRESS-648: Add ability to restrict autodetection in
    CompressorStreamFactory
  * Fixed Bugs:
    + Precompile regular expression in
    ArArchiveInputStream.isBSDLongName(String)
    + Precompile regular expression in
    ArArchiveInputStream.isGNULongName(String)
    + Precompile regular expression in
    TarArchiveEntry.parseInstantFromDecimalSeconds(String)
    + Precompile regular expression in
    ChangeSet.addDeletion(Change)
    + COMPRESS-649: Improve performance in
    BlockLZ4CompressorOutputStream
    + Null-guard Lister.main(String[]) for programmatic invocation
    + NPE in pack200.NewAttributeBands.Reference
    .addAttributeToBand(NewAttribute, InputStream)
    + Incorrect lazy initialization and update of static field in
    pack200.CodecEncoding.getSpecifier(Codec, Codec)
    + Incorrect string comparison in unpack200.AttributeLayout
    .numBackwardsCallables()
    + Inefficient use of keySet iterator instead of entrySet
    iterator in pack200.PackingOptions
    .addOrUpdateAttributeActions(List, Map, int)
    + Package private class pack200.IcBands.IcTuple should be a
    static inner class
    + Private class ZipFile.BoundedFileChannelInputStream should be
    a static inner class
    + Refactor internal SevenZ AES256SHA256Decoder InputStream into
    a named static inner class
    + Refactor internal SevenZ AES256SHA256Decoder OutputStream into
    a named static inner class
    + Use the root Locale for string conversion of command line
    options in org.apache.commons.compress.archivers.sevenz.CLI
    + Calling PackingUtils.config(PackingOptions) with null now
    closes the internal FileHandler
    + COMPRESS-650: LZ4 compressor throws IndexOutOfBoundsException
    + COMPRESS-632: LZWInputStream.initializeTables(int) should
    throw IllegalArgumentException instead of
    ArrayIndexOutOfBoundsException
    + COMPRESS-647: Throw IOException instead of
    ArrayIndexOutOfBoundsException when reading Zip with data
    descriptor entries
- Update to 1.24.0
  * New features:
    + Make ZipArchiveEntry.getLocalHeaderOffset() public
  * Fixed Bugs:
    + Use try-with-resources in ArchiveStreamFactory
    + Javadoc and code comments: Sanitize grammar issues and typos
    + Remove redundant (null) initializations
    + [StepSecurity] ci: Harden GitHub Actions
- Update to 1.23.0
  * New features:
    + COMPRESS-614: Use FileTime for time fields in
    SevenZipArchiveEntry
    + COMPRESS-621: Fix calculation the offset of the first ZIP
    central directory entry
    + COMPRESS-633:Add encryption support for SevenZ
    + COMPRESS-613: Support for extra time data in Zip archives
    + COMPRESS-621: Add org.apache.commons.compress.archivers.zip
    .DefaultBackingStoreSupplier to write to a custom folder
    instead of the default temporary folder.
    + COMPRESS-600: Add capability to configure Deflater strategy
    in GzipCompressorOutputStream:
    GzipParameters.setDeflateStrategy(int).
  * Fixed Bugs:
    + Implicit narrowing conversion in compound assignment
    + Avoid NPE in FileNameUtils.getBaseName(Path) for paths with
    zero elements like root paths
    + Avoid NPE in FileNameUtils.getExtension(Path) for paths with
    zero elements like root paths
    + LZMA2Decoder.decode() looses original exception
    + Extract conditions and avoid duplicate code.
    + Remove duplicate conditions. Use switch instead.
    + Replace JUnit 3 and 4 with JUnit 5
    + Make 'ZipFile.offsetComparator' static
    + COMPRESS-638: The GzipCompressorOutputStream#writeHeader()
    uses ISO_8859_1 to write the file name and comment. If the
    strings contains non-ISO_8859_1 characters, unknown characters
    are displayed after decompression. Use percent encoding for
    non ISO_8859_1 characters.
    + Port some code from IO to NIO APIs
    + pack200: Fix FileBands misusing InputStream#read(byte[])
    + COMPRESS-641: Add TarArchiveEntry.getLinkFlag()
    + COMPRESS-642: Integer overflow ArithmeticException in
    TarArchiveOutputStream
    + COMPRESS-642: org.apache.commons.compress.archivers.zip
    .ZipFile.finalize() should not write to std err.
  * Removed:
    + Remove BZip2CompressorOutputStream.finalize() which only wrote
    to std err
- Update to 1.22
  * New features:
    + COMPRESS-602: Migrate zip package to use NIO
    + Add APK file extension constants: ArchiveStreamFactory.APK,
    APKM, APKS, XAPK
    + ArchiveStreamFactory.createArchiveInputStream(String,
    InputStream, String) supports the "APK" format (it's a JAR)
    + Expander example now has NIO Path versions of IO File APIs
    + COMPRESS-612: Improve TAR support for file times
    + Add SevenZArchiveEntry.setContentMethods(SevenZMethodConfiguration...)
  * Fixed Bugs:
    + Fix some compiler warnings in pack200 packages
    + Close File input stream after unpacking in
    Pack200UnpackerAdapter.unpack(File, JarOutputStream)
    + Pack200UnpackerAdapter.unpack(InputStream, JarOutputStream)
    should not close its given input stream
    + COMPRESS-596: Fix minor problem in examples.
    + COMPRESS-584: Add a limit to the copy buffer in
    IOUtils.readRange() to avoid reading more from a channel than
    asked for
    + Documentation nits
    + Replace wrapper Collections.sort is with an instance method
    directly
    + Replace manual comparisons with Comparator.comparingInt()
    + Replace manual copy of array contents with System.arraycopy()
    + Fix thread safety issues when encoding 7z password
    + bzip2: calculate median-of-3 on unsigned values
    + Use Math.min and Math.max calculations.
    + COMPRESS-603: Expander should be able to work if an entry's
    name is "./".
    + COMPRESS-604: Ensure compatibility with Java 8
    + Use StringBuilder instead of StringBuffer.
    + Inline variable. Remove redundant local variable.
    + Use compare method
    + Remove Unnecessary interface modifiers
    + Avoid use C-style array declaration.
    + ChecksumVerifyingInputStream.read() does not always validate
    checksum at end-of-stream
    + Fix TarFileTest
    + COMPRESS-625: Update Wikipedia link in TarUtils.java:627.
    + COMPRESS-626: OutOfMemoryError on malformed pack200 input
    (attributes).
    + COMPRESS-628: OutOfMemoryError on malformed pack200 input
    (org.apache.commons.compress.harmony.pack200.NewAttributeBands
    .readNextUnionCase).
    + COMPRESS-628: OutOfMemoryError on malformed unpack200 input
    (org.apache.commons.compress.harmony.unpack200
    .NewAttributeBands.readNextUnionCase).
    + Some input streams are not closed in org.apache.commons
    .compress.harmony.pack200.PackingUtils
    + COMPRESS-627: Pack200 causes a 'archive.3E' error if it's not
    in the system class loader.
- Modified patches:
  * 0001-Remove-Brotli-compressor.patch
  * 0002-Remove-ZSTD-compressor.patch
  * 0003-Remove-Pack200-compressor.patch
    + rediff to changed context
- Removed patch:
  * fix_java_8_compatibility.patch
    + not needed, since we handle the compatibility differently
apache-commons-daemon
- Update to 1.3.4:
  * Procrun. Configured stack size now applies to the main thread
    when running in JVM mode. Fixes DAEMON-451.
  * Procrun. If the specified log directory does not exist, attempt
    to create any missing parent directories, as well as the
    specified directory, when the service starts. Fixes DAEMON-452.
  * Procrun. Allow Windows service dependencies to be managed by
    Procrun or by 'sc config ...'. Fixes DAEMON-458.
  * jsvc. Fix DaemonController.reload() only working the first time
    it is called. Fixes DAEMON-459. Thanks to Klaus Malorny.
  * jsvc. Remove incorrent definition 'supported_os' which defined
    in psupport.m4 file to fix jsvc build error on riscv64.
  * Bump commons-parent from 54 to 57 #71, #91.

- Update to 1.3.3:
  * Fixes:
  - Procrun. Follow-up to ensure all child processes are cleaned
    up if the service does not stop cleanly.
  - Procrun. Fix creation of duplicate ACL entries on some
    Windows platforms.
  * Updates:
  - Bump actions/cache from 3.0.8 to 3.0.11.
  - Bump actions/checkout from 3.0.2 to 3.1.0.
  - Bump actions/setup-java from 3.5.1 to 3.6.0.
  - Bump spotbugs-maven-plugin from 4.7.2.0 to 4.7.3.0.
apache-commons-io
- Upgrade to 2.15.1
  * Fixed Bugs:
    + Fix wrong issue id in change log
    + Add test for FileChannels.contentEquals()
    + Fix FileChannels.contentEquals()
    + Fix some Javadoc issues in LineIterator and IOUtils
    + Simplify FileAlterationObserver internal processing
    + Avoid NullPointerException in RegexFileFilter
    .RegexFileFilter(Pattern)
    + Avoid NullPointerException in RegexFileFilter
    .accept(Path, BasicFileAttributes)
    + Fix SpotBugs error: Class org.apache.commons.io.filefilter
    .RegexFileFilter defines non-transient non-serializable
    instance field pathToString [org.apache.commons.io.filefilter
    .RegexFileFilter] In RegexFileFilter.java SE_BAD_FIELD
    + Fix SpotBugs error: Class org.apache.commons.io.filefilter
    .DelegateFileFilter defines non-transient non-serializable
    instance field fileFilter [org.apache.commons.io.filefilter
    .DelegateFileFilter] In DelegateFileFilter.java SE_BAD_FIELD
    + Fix SpotBugs error: Class org.apache.commons.io.filefilter
    .DelegateFileFilter defines non-transient non-serializable
    instance field fileNameFilter [org.apache.commons.io
    .filefilter.DelegateFileFilter] In DelegateFileFilter.java
    SE_BAD_FIELD
    + Fix SpotBugs error: org.apache.commons.io.function.IOStream$1
    .next() cannot throw NoSuchElementException [org.apache
    .commons.io.function.IOStream$1] At IOStream.java:[line 98]
    IT_NO_SUCH_ELEMENT
    + Fix SpotBugs error: org.apache.commons.io.monitor
    .FileAlterationMonitor.getObservers() may expose internal
    representation by returning FileAlterationMonitor.observers
    [org.apache.commons.io.monitor.FileAlterationMonitor] At
    FileAlterationMonitor.java:[line 124] EI_EXPOSE_REP
    + Fix SpotBugs error: Class org.apache.commons.io.monitor
    .FileAlterationObserver defines non-transient non-serializable
    instance field fileFilter [org.apache.commons.io.monitor
    .FileAlterationObserver] In FileAlterationObserver.java
    SE_BAD_FIELD
    + Fix SpotBugs error: Class org.apache.commons.io.monitor
    .FileAlterationObserver defines non-transient non-serializable
    instance field listeners [org.apache.commons.io.monitor
    .FileAlterationObserver] In FileAlterationObserver.java
    SE_BAD_FIELD
    + Fix SpotBugs error: org.apache.commons.io.FileCleaningTracker
    .getDeleteFailures() may expose internal representation by
    returning FileCleaningTracker.deleteFailures [org.apache
    .commons.io.FileCleaningTracker] At
    FileCleaningTracker.java:[line 218] EI_EXPOSE_REP
    + Fix SpotBugs error: org.apache.commons.io.IOExceptionList
    .getCauseList() may expose internal representation by
    returning IOExceptionList.causeList [org.apache.commons.io
    .IOExceptionList] At IOExceptionList.java:[line 118]
    EI_EXPOSE_REP
    + Fix SpotBugs error: org.apache.commons.io.IOExceptionList
    .getCauseList(Class) may expose internal representation by
    returning IOExceptionList.causeList [org.apache.commons.io
    .IOExceptionList] At IOExceptionList.java:[line 129]
    EI_EXPOSE_REP
    + Fix SpotBugs error: org.apache.commons.io.file
    .AccumulatorPathVisitor.getDirList() may expose internal
    representation by returning AccumulatorPathVisitor.dirList
    [org.apache.commons.io.file.AccumulatorPathVisitor] At
    AccumulatorPathVisitor.java:[line 179] EI_EXPOSE_REP
    + Fix SpotBugs error: org.apache.commons.io.file
    .AccumulatorPathVisitor.getFileList() may expose internal
    representation by returning AccumulatorPathVisitor.fileList
    [org.apache.commons.io.file.AccumulatorPathVisitor] At
    AccumulatorPathVisitor.java:[line 188] EI_EXPOSE_REP
    + Fix SpotBugs error: org.apache.commons.io.input
    .ObservableInputStream.getObservers() may expose internal
    representation by returning ObservableInputStream.observers
    [org.apache.commons.io.input.ObservableInputStream] At
    ObservableInputStream.java:[line 187] EI_EXPOSE_REP
    + Fix SpotBugs error: Exception thrown in class org.apache
    .commons.io.input.UnsynchronizedByteArrayInputStream at new
    org.apache.commons.io.input
    .UnsynchronizedByteArrayInputStream(byte[], int) will leave
    the constructor. The object under construction remains
    partially initialized and may be vulnerable to Finalizer
    attacks. [org.apache.commons.io.input
    .UnsynchronizedByteArrayInputStream, org.apache.commons.io
    .input.UnsynchronizedByteArrayInputStream] At
    UnsynchronizedByteArrayInputStream.java:[line 202]
    CT_CONSTRUCTOR_THROW
    + Fix SpotBugs error: Exception thrown in class org.apache
    .commons.io.input.UnsynchronizedByteArrayInputStream at new
    org.apache.commons.io.input
    .UnsynchronizedByteArrayInputStream(byte[], int, int) will
    leave the constructor. The object under construction remains
    partially initialized and may be vulnerable to Finalizer
    attacks. [org.apache.commons.io.input
    .UnsynchronizedByteArrayInputStream, org.apache.commons.io
    .input.UnsynchronizedByteArrayInputStream] At
    UnsynchronizedByteArrayInputStream.java:[line 223]
    CT_CONSTRUCTOR_THROW
- Upgrade to 2.15.0
  * New features:
    + Add org.apache.commons.io.channels.FileChannels
    + Add RandomAccessFiles#contentEquals(RandomAccessFile,
    RandomAccessFile)
    + Add RandomAccessFiles#reset(RandomAccessFile)
    + Add PathUtilsContentEqualsBenchmark
    + Add org.apache.commons.io.StreamIterator
    + Add MessageDigestInputStream and deprecate
    MessageDigestCalculatingInputStream
  * Fixed Bugs:
    + IO-815: XmlStreamReader encoding match RE is too strict
    + IO-810: Javadoc in FileUtils does not reflect code for thrown
    exceptions
    + IO-812: Javadoc should mention closing Streams based on file
    resources
    + IO-811: In tests, Files.walk() direct and indirect callers
    fail to close the returned Stream
    + IO-811: FileUtils.listFiles(File, String[], boolean) fails to
    close its internal Stream
    + IO-811: FileUtils.iterateFiles(File, String[], boolean) fails
    to close its internal Stream
    + IO-811: StreamIterator fails to close its internal Stream
    + IO-814: Don't throw UncheckedIOException
    + IO-414: Don't write a BOM on every (or any) line
    + IO-814: RandomAccessFileMode.create(Path) provides a better
    NullPointerException message
    + Improve performance of PathUtils.fileContentEquals(Path, Path,
    LinkOption[], OpenOption[]) by about 60%, see
    PathUtilsContentEqualsBenchmark
    + Improve performance of PathUtils.fileContentEquals(Path, Path)
    by about 60%, see PathUtilsContentEqualsBenchmark
    + Improve performance of FileUtils.contentEquals(File, File) by
    about 60%, see PathUtilsContentEqualsBenchmark
    + Remove unused test code
    + [Javadoc] IOUtils#contentEquals does not throw
    NullPointerException
    + Fix CodeQL warnings in UnsynchronizedBufferedInputStream:
    Implicit narrowing conversion in compound assignment
    + MessageDigestCalculatingInputStream
    .MessageDigestMaintainingObserver
    .MessageDigestMaintainingObserver(MessageDigest) now throws a
    NullPointerException if the MessageDigest is null
    + MessageDigestCalculatingInputStream
    .MessageDigestCalculatingInputStream(InputStream,
    MessageDigest) now throws a NullPointerException if the
    MessageDigest is null
    + IO-816: UnsynchronizedBufferedInputStream.read(byte[], int,
    int) does not use buffer

- Build with source and target levels 8

- Update to 2.14.0:
  * Lots of new features, fixes and updates.
  * https://commons.apache.org/proper/commons-io/changes-report.html#a2.14.0
bind
- Update to release 9.16.48
  Feature Changes:
  * The IP addresses for B.ROOT-SERVERS.NET have been updated to
    170.247.170.2 and 2801:1b8:10::b.
  Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures
    could cause excessive CPU load, leading to a denial-of-service
    condition. This has been fixed. (CVE-2023-50387)
    [bsc#1219823]
  * Preparing an NSEC3 closest encloser proof could cause excessive
    CPU load, leading to a denial-of-service condition. This has
    been fixed. (CVE-2023-50868)
    [bsc#1219826]
  * Parsing DNS messages with many different names could cause
    excessive CPU load. This has been fixed. (CVE-2023-4408)
    [bsc#1219851]
  * Specific queries could cause named to crash with an assertion
    failure when nxdomain-redirect was enabled. This has been
    fixed. (CVE-2023-5517)
    [bsc#1219852]
  * A bad interaction between DNS64 and serve-stale could cause
    named to crash with an assertion failure, when both of these
    features were enabled. This has been fixed. (CVE-2023-5679)
    [bsc#1219853]
  * Query patterns that continuously triggered cache database
    maintenance could cause an excessive amount of memory to be
    allocated, exceeding max-cache-size and potentially leading to
    all available memory on the host running named being exhausted.
    This has been fixed. (CVE-2023-6516)
    [bsc#1219854]
  Removed Features:
  * Support for using AES as the DNS COOKIE algorithm
    (cookie-algorithm aes;) has been deprecated and will be removed
    in a future release. Please use the current default,
    SipHash-2-4, instead.
cloud-netconfig
- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
  on older distributions
- Add BuildReqires: NetworkManager to avoid owning dispatcher.d
  parent directory

- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort
    if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metdata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

- Update to version 1.10:
  + Drop cloud-netconfig-nm sub package and include NM dispatcher
    script in main packages (bsc#1219007)
  + Spec file cleanup

- Update to version 1.9:
  + Drop package dependency on sysconfig-netconfig
  + Improve log level handling
  + Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
cloud-regionsrv-client
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
  + Fix the failover path to a new target update server. At present a new
    server is not found since credential validation fails. We targeted
    the server detected in down condition to verify the credentials instead
    of the replacement server.

- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.

- Update to version 10.1.5 (bsc#1217583)
  + Fix fallback path when IPv6 network path is not usable
  + Enable an IPv6 fallback path in IMDS access if it cannot be accessed
    over IPv4
  + Enable IMDS access over IPv6
cobbler
- Build the appendline correctly for RHEL-family <= 9 (bsc#1216437)

- Notify to "systemd" when cobblerd startup is finished (bsc#1215982)

- Enable ppc64(le) buildiso support (bsc#1214077)
containerd
- Add patch for bsc#1217952:
  + 0002-shim-Create-pid-file-with-0644-permissions.patch

- Update to containerd v1.7.10. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.10>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
cpio
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
  * fix-bsc1219238.patch

- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch
gcc7
- Add gcc7-pr88345-min-func-alignment.diff to add support for
  - fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Add gcc7-pr87723.patch to avoid ICE when hitting a broken pattern
  in the s390 backend.

- Add gcc7-bsc1216488.patch to avoid creating recursive DIE references
  through DW_AT_abstract_origin when using LTO.  [bsc#1216488]
curl
- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
  * Add curl-libssh_Implement_SFTP_packet_size_limit.patch
lvm2
- Error creating linux volume on SAN device lvmlockd (bsc#1215229)
  + bug-1215229_lvmlockd-use-4K-sector-size-when-any-dev-is-4K.patch
docker
- Vendor latest buildkit v0.11:
  Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
  vendors in the latest v0.11 buildkit branch including bugfixes for the following:
  * bsc#1219438: CVE-2024-23653
  * bsc#1219268: CVE-2024-23652
  * bsc#1219267: CVE-2024-23651
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
  completion warnings

- Update to Docker 24.0.7-ce. See upstream changelong online at
  <https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
  * Deny containers access to /sys/devices/virtual/powercap by default.
  - CVE-2020-8694 bsc#1170415
  - CVE-2020-8695 bsc#1170446
  - CVE-2020-12912 bsc#1178760
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
  version-specific templating for the default apparmor profile. bsc#1213500
  + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

- Update to Docker 24.0.6-ce. See upstream changelong online at
  <https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Switch from disabledrun to manualrun in _service.
- Add a docker.socket unit file, but with socket activation effectively
  disabled to ensure that Docker will always run even if you start the socket
  individually. Users should probably just ignore this unit file. bsc#1210141
ecj
- Added patch:
  * ecj-java8compat.patch
    + Allow building ecj with language levels 8 (bsc#1219862)
- Distribute the bundled javax17api.jar under maven coordinate of
  org.eclipse:javax17api:17, so that it can be used if needed

- Upgrade to eclipse 4.23 ecj (jsc#PED-2979)
  * No changelog was made available.
- Use the bundled javax17api.jar stubs, but don't distribute
  them
- Removed patches:
  * encoding.patch
    + handled by a simple sed run
  * javaAPI.patch
    + not needed with this version
google-guest-agent
- Add explicit versioned dependency on google-guest-oslogin (bsc#1219642)

- Update to version 20231031.01 (bsc#1216547, bsc#1216751)
  * Add prefix to scheduler logs (#325)
- from version 20231030.00
  * Test configuration files are loaded in the documented
    order. Fix initial integration test. (#324)
  * Enable mTLS by default (#323)
- from version 20231026.00
  * Rotate MDS root certificate (#322)
- from version 20231020.00
  * Update response struct, add tests (#315)
  * Don't try to schedule mTLS job twice (#317)
- from version 20231019.00
  * snapshot: Add context cancellation handling (#318)

- Bump the golang compiler version to 1.21 (bsc#1216546)

- Update to version 20231016.00
  * instance setup: trust/rely on metadata package's retry (#316)
- from version 20231013.01
  * Update known cert dirs for updaters (#314)
- from version 20231011.00
  * Verify cert refresher is enabled before running (#312)
- from version 20231009.00
  * Add support for the SSH key options (#296)
- from version 20231006.01
  * Events interface improvement (#290)
- from version 20231006.00
  * Refactor script runner to use common metadata package (#311)
  * Schedule MTLS job before notifying systemd (#310)
  * Refactor authorized keys to use metadata package (#300)
- from version 20231005.00
  * docs update: add configuration and event manager's docs. (#309)
- from version 20231004.01
  * Fix license header (#301)
  * packaging(deb): add epoch to oslogin dep declaration (#308)
- from version 20231004.00
  * packaging(deb): ignore suffix of version (#306)
  * packaging: force epoch and ignore suffix of version (#305)
- from version 20231003.01
  * oslogin: declare explicitly dependency (#304)
  * oslogin: remove Unstable.pamless_auth_stack feature flag (#303)
- from version 20231003.00
  * oslogin: resort ssh configuration keys (#299)
- from version 20230925.00
  * oslogin: introduce a feature flag to cert auth (#298)
- from version 20230923.00
  * gitignore: unify ignore in the root dir (#297)
- from version 20230921.01
  * managers: we accidentally disabled addressMgr, bring it back (#295)
  * cfg: fix typos (#294)
  * cfg: config typos (#293)
  * cfg: introduce a configuration management package (#288)
- from version 20230921.00
  * mtls: bring it back (#292)
- from version 20230920.01
  * Fix permissions on file created by SaferWriteFile() (#291)
- from version 20230920.00
  * sshca: re-enable the event watcher & handler (#289)
- from version 20230919.01
  * oslogin: add PAMless Authorization Stack configuration (#285)
- from version 20230919.00
  * Preparing it for review (#287)
  * sshca: make sure to restore SELinux context of the pipe (#286)
  * remove deprecated usage, fix warnings (#282)
  * Update system store (#278)
  * Update workload certificate endpoints, use metadata package (#275)
  * metadata: use url package to form metadata URLs (#284)
- from version 20230913.00
  * release prep: disable ssh trusted ca module (#281)
- from version 20230912.00
  * New Guest Agent Release (#280)
- from version 20230909.00
  * Revert "service: remove the use of the service library (#273)" (#276)
  * service: remove the use of the service library (#273)
- from version 20230906.01
  * Store keys to machine keyset (#272)
- from version 20230905.00
  * restorecon: first try to determine if it's installed (#271)
  * run: change all commands to use CommandContext (#268)
  * Notify systemd after scheduling required jobs (#270)
  * Store certs in ProgramData instead of Program Files (#269)
  * metadata watcher: remove local retry & implement unit tests (#267)
  * run: split command running utilities into its own package (#265)

- Update to version 20230828.00
  * snapshot: Use main context rather than create its own (#266)
- from version 20230825.01
  * Verify if cert was successfully added to certpool (#264)
- from version 20230825.00
  * Find previous cert for cleanup using one stored on disk (#263)
- from version 20230823.00
  * Revert "sshtrustedca: configure selinux context
    for sshtrustedca pipe (#256)" (#262)
  * Update credentials directory on Linux (#260)
- from version 20230821.00
  * Update owners (#261)
- from version 20230819.00
  * Revert "guest-agent: prepare for public release (#258)" (#259)
- from version 20230817.00
  * guest-agent: prepare for public release (#258)
- from version 20230816.01
  * Enable telemetry collection by default (#253)
- from version 20230816.00
  * Add pkcs12 license and update retry logic (#257)
  * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256)
  * Store windows certs in certstore (#255)
  * events: Multiplex event watchers (#250)
  * Scheduler fixes (#254)
  * Update license files (#251)
  * Run telemetry every 24 hours, record pretty name on linux (#248)

- Update to version 20230811.00
  * sshca: move the event handler to its own package (#247)
- from version 20230809.02
  * Move scheduler package to google_guest_agent (#249)
- from version 20230809.01
  * Add scheduler utility to run jobs at interval (#244)
- from version 20230809.00
  * sshca: transform the format from json to openssh (#246)
- from version 20230803.00
  * Add support for reading UEFI variables on windows (#243)
- from version 20230801.03
  * sshtrustedca watcher: fix concurrency error (#242)
- from version 20230801.02
  * metadata: add a delta between http client timeout and hang (#241)
- from version 20230801.00
  * metadata: properly set request config (#240)
  * main: bring back the mds client initialization (#239)
  * metadata: don't try to use metadata before agentInit() is done (#238)
  * Add (disabled) telemetry logic to GuestAgent (#219)
  * metadata event handler: updates and bug fixes (#235)
  * Verify client credentials are signed by root CA before writing on disk (#236)
  * metadata: properly handle context cancelation (#234)
  * metadata: fix context cancelation error check (#233)
  * metadata: remove the sleep around metadata in instance setup (#232)
  * metadata: implement backoff strategy (#231)
  * Decrypt and store client credentials on disk (#230)
  * Upgrade Go version 1.20 (#228)
  * Fetch guest credentials and add MDS response proto (#226)
  * metadata: pass main context to WriteGuestAttributes() (#227)
  * Support for reading & writing Root CA cert from UEFI variable (#225)
  * ssh_trusted_ca: enable the feature (#224)
  * sshTrustedCA: add pipe event handler (#222)
  * events: start using events layer (#223)
- from version 20230726.00
  * events: introducing a events handling subsystem (#221)
- from version 20230725.00
  * metadata: add metadata client interface (#220)
- from version 20230711.00
  * metadata: moving to its own package (#218)
- from version 20230707.00
  * snapshot: fix request handling error (#217)
- Bump Go API version to 1.20
google-guest-oslogin
- Add explicit versioned dependency on google-guest-agent (bsc#1219642)

- Update to version 20231101.00 (bsc#1216548, bsc#1216750)
  * Fix HTTP calls retry logic (#117)

- Update to version 20231004
  * packaging: Make the dependency explicit (#120)

- update to 20230926.00:
  * fix suse build
  * selinux: fix selinux build (#114)
  * test: align CXX Flags
  * sshca: Make the implementation more C++ like
  * sshca: Add a SysLog wrapper
  * oslogin_utils: introduce AuthorizeUser() API
  * sshca: move it out of pam dir
  * pam: start disabling the use of oslogin_sshca
  * sshca: consider sshca API to assume a cert only
  * authorized principals: introduce the new command
  * authorize keys: update to use new APIs
  * pam modules: remove pam_*_admin and update pam_*_login
  * cache_refresh: should be catching by reference.

- Update to version 20230823.00
  * selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
- from version 20230822.00
  * sshca: Add tests with fingerprint and multiple extensions (#111)
- from version 20230821.01
  * sshca: Support method token and handle multi line (#109)
- from version 20230821.00
  * Update owners (#110)

- Update to version 20230808.00
  * byoid: extract and apply the ca fingerprint to policy call (#106)

- Update to version 20230502.00
  * Improve the URL in 2fa prompt (#104)
- from version 20230406.02
  * Check open files (#101)
- from version 20230406.01
  * Initialize variables (#100)
  * Fix formatting (#102)
- from version 20230406.00
  * PAM cleanup: remove duplicates (#97)
- from version 20230405.00
  * NSS cleanup (#98)
- from version 20230403.01
  * Cleanup Makefiles (#95)
- from version 20230403.00
  * Add anandadalton to the owners list (#96)

- Update to version 20230217.00
  * Update OWNERS (#91)
- from version 20230202.00
  * Update owners file (#89)
hwdata
- update to 0.378:
  * Update pci, usb and vendor ids

- update to 0.377:
  * Fixed trailing spaces in pnp.ids

- update to 0.376:
  * Update pci, usb and vendor ids

- update to 0.373:
  * Update pci, usb and vendor ids

- update to 0.372:
  * Update pci, usb and vendor ids
jackson-annotations
- Update to 2.15.2
  * no subsantial changes from 2.15.0
  * 2.15.0 (23-Apr-2023)
    + #211: Add 'JsonFormat.Feature's:
    READ_UNKNOWN_ENUM_VALUES_AS_NULL,
    READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE
    + #214: Add NOTICE file with copyright information
    + #221: Add
    'JsonFormat.Feature.READ_DATE_TIMESTAMPS_AS_NANOSECONDS'
  * 2.14.0 (05-Nov-2022)
    + #204: Allow explicit 'JsonSubTypes' repeated names check

- Update to 2.13.3
  * no substantial changes, just version allignment to other
    jackson packages
jackson-core
- Update to 2.15.2
  * 2.15.2 (30-May-2023)
    + #1019: Allow override of 'StreamReadContraints' default with
    'overrideDefaultStreamReadConstraints()'
    + #1027: Extra module-info.class in 2.15.1
    + #1028: Wrong checksums in 'module.json' (2.15.0, 2.15.1)
    + #1032: 'LICENSE' missing from 2.15.1 jar
  * 2.15.1 (16-May-2023))
    + #999: Gradle metadata for 'jackson-core' '2.15.0' adds
    dependency on 'ch.randelshofer:fastdoubleparser'
    + #1003: Add FastDoubleParser section to 'NOTICE'
    + #1014: Increase default max allowed String value length from
    5 megs to 20 megs
    + #1023: Problem with 'FilteringGeneratorDelegate' wrt
    'TokenFilter.Inclusion.INCLUDE_NON_NULL'
  * 2.15.0 (23-Apr-2023)
    + #827: Add numeric value size limits via
    'StreamReadConstraints' (fixes 'sonatype-2022-6438')
    + #844: Add SLSA provenance via build script
    + #851: Add 'StreamReadFeature.USE_FAST_BIG_DECIMAL_PARSER' to
    enable faster 'BigDecimal', 'BigInteger' parsing
    + #863: Add 'StreamReadConstraints' limit for longest textual
    value to allow (default: 5M)
    + #865: Optimize parsing 19 digit longs
    + #898: Possible flaw in 'TokenFilterContext#skipParentChecks()'
    + #902: Add 'Object JsonParser.getNumberValueDeferred()' method
    to allow for deferred decoding in some cases
    + #921: Add 'JsonFactory.Feature.CHARSET_DETECTION' to disable
    charset detection
    + #948: Use 'StreamConstraintsException' in name canonicalizers
    + #962: Offer a way to directly set 'StreamReadConstraints' via
    'JsonFactory' (not just Builder)
    + #965: 2.15.0-rc1 missing Gradle module metadata marker in
    pom.xml
    + #968: Prevent inefficient internal conversion from
    'BigDecimal' to 'BigInteger' wrt ultra-large scale
    + #984: Add 'JsonGenerator.copyCurrentEventExact' as alternative
    to 'copyCurrentEvent()'
  * 2.14.3 (05-May-2023)
    + #909: Revert schubfach changes in #854
    + #912: Optional padding Base64Variant still throws exception on
    missing padding character
    + #967: Address performance issue with 'BigDecimalParser'
    + #990: Backport removal of BigDecimal to BigInt conversion
    (#987)
    + #1004: FastDoubleParser license
    + #1012: Got 'NegativeArraySizeException' when calling
    'writeValueAsString()'
  * 2.14.2 (28-Jan-2023)
    + #854: Backport schubfach changes from v2.15#8
    + #882: Allow TokenFIlter to skip last elements in arrays
    + #886: Avoid instance creations in fast parser code
    + #890: 'FilteringGeneratorDelegate' does not create new
    'filterContext' if 'tokenFilter' is null
  * 2.14.0 (05-Nov-2022)
    + #478: Provide implementation of async JSON parser fed by
    'ByteBufferFeeder'
    + #577: Allow use of faster floating-point number parsing with
    'StreamReadFeature.USE_FAST_DOUBLE_PARSER'
    + #684: Add "JsonPointer#appendProperty" and
    "JsonPointer#appendIndex"
    + #715: Allow TokenFilters to keep empty arrays and objects
    + #717: Hex capitalization for JsonWriter should be configurable
    (add 'JsonWriteFeature.WRITE_HEX_UPPER_CASE')
    + #733: Add 'StreamReadCapability.EXACT_FLOATS' to indicate
    whether parser reports exact floating-point values or not
    + #736: 'JsonPointer' quadratic memory use: OOME on deep inputs
    + #745: Change minimum Java version to 8
    + #749: Allow use of faster floating-point number serialization
    ('StreamWriteFeature.USE_FAST_DOUBLE_WRITER')
    + #751: Remove workaround for old issue with a particular double
    + #753: Add 'NumberInput.parseFloat()'
    + #757: Update ParserBase to support floats directly
    + #759: JsonGenerator to provide current value to the context
    before starting objects
    + #762: Make 'JsonPointer' 'java.io.Serializable'
    + #763: 'JsonFactory.createParser()' with 'File' may leak
    'InputStream's
    + #764: 'JsonFactory.createGenerator()' with 'File' may leak
    'OutputStream's
    + #773: Add option to accept non-standard trailing decimal point
    ('JsonReadFeature.ALLOW_TRAILING_DECIMAL_POINT_FOR_NUMBERS')
    + #774: Add a feature to allow leading plus sign
    ('JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS')
    + #788: 'JsonPointer.empty()' should NOT indicate match of a
    property with key of ""
    + #798: Avoid copy when parsing 'BigDecimal'
    + #811: Add explicit bounds checks for 'JsonGenerator' methods
    that take 'byte[]'/'char[]'/String-with-offsets input
    + #812: Add explicit bounds checks for
    'JsonFactory.createParser()' methods that take
    'byte[]'/'char[]'-with-offsets input
    + #814: Use 'BigDecimalParser' for BigInteger parsing very long
    numbers
    + #818: Calling 'JsonPointer.compile(...)' on very deeply nested
    expression throws 'StackOverflowError'
    + #828: Make 'BigInteger' parsing lazy
    + #830: Make 'BigDecimal' parsing lazy
    + #834: ReaderBaseJsonParser._verifyRootSpace() can cause buffer
    boundary failure
- Added patch:
  * 0001-Remove-ch.randelshofer.fastdoubleparser.patch
    + we don't have 'ch.randelshofer:fastdoubleparser'

- Update to 2.13.3
  * 2.13.3 (14-May-2022)
    + #744: Limit size of exception message in BigDecimalParser
  * 2.13.2 (06-Mar-2022)
    + #732: Update Maven wrapper
    + #739: 'JsonLocation' in 2.13 only uses identity comparison
    for "content reference"
  * 2.13.1 (19-Dec-2021)
    + #713: Incorrect parsing of single-quoted surrounded String
    values containing double quotes
jackson-databind
- Update to 2.15.2
  * 2.15.2 (30-May-2023)
    + #3938: Record setter not included from interface
    (2.15 regression)
  * 2.15.1 (16-May-2023)
    + #3882: Error in creating nested 'ArrayNode's with
    'JsonNode.withArray()'
    + #3894: Only avoid Records fields detection for deserialization
    + #3895: 2.15.0 breaking behaviour change for records and Getter
    Visibility
    + #3897: 2.15.0 breaks deserialization when POJO/Record only has
    a single field and is marked 'Access.WRITE_ONLY'
    + #3913: Issue with deserialization when there are unexpected
    properties (due to null 'StreamReadConstraints')
    + #3914: Fix TypeId serialization for
    'JsonTypeInfo.Id.DEDUCTION', native type ids
  * 2.15.0 (23-Apr-2023)
    + #2536: Add 'EnumFeature.READ_ENUM_KEYS_USING_INDEX' to work
    with existing "WRITE_ENUM_KEYS_USING_INDEX"#
    + #2667: Add '@EnumNaming', 'EnumNamingStrategy' to allow use of
    naming strategies for Enums
    + #2968: Deserialization of '@JsonTypeInfo' annotated type fails
    with missing type id even for explicit concrete subtypes
    + #2974: Null coercion with '@JsonSetter' does not work with
    'java.lang.Record'
    + #2992: Properties naming strategy do not work with Record
    + #3053: Allow serializing enums to lowercase
    ('EnumFeature.WRITE_ENUMS_TO_LOWERCASE')
    + #3180: Support '@JsonCreator' annotation on record classes
    + #3262: InvalidDefinitionException when calling
    mapper.createObjectNode().putPOJO
    + #3297: '@JsonDeserialize(converter = ...)' does not work with
    Records
    + #3342: 'JsonTypeInfo.As.EXTERNAL_PROPERTY' does not work with
    record wrappers
    + #3352: Do not require the usage of opens in a modular app when
    using records
    + #3566: Cannot use both 'JsonCreator.Mode.DELEGATING' and
    'JsonCreator.Mode.PROPERTIES' static creator factory methods
    for Enums
    + #3637: Add enum features into '@JsonFormat.Feature'
    + #3638: Case-insensitive and number-based enum deserialization
    are (unnecessarily) mutually exclusive
    + #3651: Deprecate "exact values" setting from 'JsonNodeFactory',
    replace with
    'JsonNodeFeature.STRIP_TRAILING_BIGDECIMAL_ZEROES'
    + #3654: Infer '@JsonCreator(mode = Mode.DELEGATING)' from use
    of '@JsonValue')
    + #3676: Allow use of '@JsonCreator(mode = Mode.PROPERTIES)'
    creator for POJOs with"empty String" coercion
    + #3680: Timestamp in classes inside jar showing 02/01/1980
    + #3682: Transient 'Field's are not ignored as Mutators if there
    is visible Getter
    + #3690: Incorrect target type for arrays when disabling
    coercion
    + #3708: Seems like 'java.nio.file.Path' is safe for Android API
    level 26
    + #3730: Add support in 'TokenBuffer' for lazily decoded (big)
    numbers
    + #3736: Try to avoid auto-detecting Fields for Record types
    + #3742: schemaType of 'LongSerializer' is wrong
    + #3745: Deprecate classes in package
    'com.fasterxml.jackson.databind.jsonschema'
    + #3748: 'DelegatingDeserializer' missing override of
    'getAbsentValue()' (and couple of other methods)
    + #3771: Classloader leak: DEFAULT_ANNOTATION_INTROSPECTOR holds
    annotation reference
    + #3791: Flush readonly map together with shared on
    'SerializerCache.flush()'
    + #3796: Enum Deserialisation Failing with Polymorphic type
    validator
    + #3809: Add Stream-friendly alternative to
    'ObjectNode.fields()': 'Set<Map.Entry<String, JsonNode>>
    properties()'
    + #3814: Enhance 'StdNodeBasedDeserializer' to support
    'readerForUpdating'
    + #3816: TokenBuffer does not implement writeString(Reader
    reader, int len)
    + #3819: Add convenience method
    'SimpleBeanPropertyFilter.filterOutAll()' as counterpart of
    'serializeAll()'
    + #3836: 'Optional<Boolean>' is not recognized as boolean field
    + #3853: Add 'MapperFeature.REQUIRE_TYPE_ID_FOR_SUBTYPES' to
    enable/disable strict subtype Type Id handling
    + #3876: 'TypeFactory' cache performance degradation with
    'constructSpecializedType()'
  * 2.14.3 (05-May-2023)
    + #3784: 'PrimitiveArrayDeserializers$ByteDeser.deserialize'
    ignores 'DeserializationProblemHandler' for invalid Base64
    content
    + #3837: Set transformer factory attributes to improve
    protection against XXE
  * 2.14.2 (28-Jan-2023)
    + #1751: '@JsonTypeInfo' does not work if the Type Id is an
    Integer value
    + #3063: '@JsonValue' fails for Java Record
    + #3699: Allow custom 'JsonNode' implementations
    + #3711: Enum polymorphism not working correctly with DEDUCTION
    + #3741: 'StdDelegatingDeserializer' ignores 'nullValue' of
    '_delegateDeserializer'.
  * 2.14.1 (21-Nov-2022)
    + #3655: 'Enum' values can not be read from single-element array
    even with 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS'
    + #3665: 'ObjectMapper' default heap consumption increased
    significantly from 2.13.x to 2.14.0
  * 2.14.0 (05-Nov-2022)
    + #1980: Add method(s) in 'JsonNode' that works like combination
    of 'at()' and 'with()': 'withObject(...)' and 'withArray(...)'
    + #2541: Cannot merge polymorphic objects
    + #3013: Allow disabling Integer to String coercion via
    'CoercionConfig'
    + #3212: Add method 'ObjectMapper.copyWith(JsonFactory)'
    + #3311: Add serializer-cache size limit to avoid Metaspace
    issues from caching Serializers
    + #3338: 'configOverride.setMergeable(false)' not supported by
    'ArrayNode'
    + #3357: '@JsonIgnore' does not if together with '@JsonProperty'
    or '@JsonFormat'
    + #3373: Change 'TypeSerializerBase' to skip
    'generator.writeTypePrefix()' for 'null' typeId
    + #3394: Allow use of 'JsonNode' field for '@JsonAnySetter'
    + #3405: Create DataTypeFeature abstraction (for JSTEP-7) with
    placeholder features
    + #3417: Allow (de)serializing records using
    Bean(De)SerializerModifier even when reflection is unavailable
    + #3419: Improve performance of 'UnresolvedForwardReference' for
    forward reference resolution
    + #3421: Implement 'JsonNodeFeature.READ_NULL_PROPERTIES' to
    allow skipping of JSON 'null' values on reading
    + #3443: Do not strip generic type from 'Class<C>' when
    resolving 'JavaType'
    + #3447: Deeply nested JsonNode throws StackOverflowError for
    toString()
    + #3475: Support use of fast double parse
    + #3476: Implement 'JsonNodeFeature.WRITE_NULL_PROPERTIES' to
    allow skipping JSON 'null' values on writing
    + #3481: Filter method only got called once if the field is null
    when using '@JsonInclude(value = JsonInclude.Include.CUSTOM,
    valueFilter = SomeFieldFilter.class)'
    + #3484: Update 'MapDeserializer' to support
    'StreamReadCapability.DUPLICATE_PROPERTIES'
    + #3497: Deserialization of Throwables with
    PropertyNamingStrategy does not work
    + #3500: Add optional explicit 'JsonSubTypes' repeated names
    check
    + #3503: 'StdDeserializer' coerces ints to floats even if
    configured to fail
    + #3505: Fix deduction deserializer with
    DefaultTypeResolverBuilder
    + #3528: 'TokenBuffer' defaults for parser/stream-read features
    neither passed from parser nor use real defaults
    + #3530: Change LRUMap to just evict one entry when maxEntries
    reached
    + #3533: Deserialize missing value of 'EXTERNAL_PROPERTY' type
    using custom 'NullValueProvider'
    + #3535: Replace 'JsonNode.with()' with 'JsonNode.withObject()'
    + #3559: Support 'null'-valued 'Map' fields with "any setter"
    + #3568: Change 'JsonNode.with(String)' and 'withArray(String)'
    to consider argument as 'JsonPointer' if valid expression
    + #3590: Add check in primitive value deserializers to avoid
    deep wrapper array nesting wrt 'UNWRAP_SINGLE_VALUE_ARRAYS'
    [CVE-2022-42003, bsc#1204370]
    + #3609: Allow non-boolean return type for "is-getters" with
    'MapperFeature.ALLOW_IS_GETTERS_FOR_NON_BOOLEAN'
    + #3613: Implement 'float' and 'boolean' to 'String' coercion
    config
    + #3624: Legacy 'ALLOW_COERCION_OF_SCALARS' interacts poorly
    with Integer to Float coercion
    + #3633: Expose 'translate()' method of standard
    'PropertyNamingStrategy' implementations
  * 2.13.5 (23-Jan-2023)
    + #3659: Improve testing (likely via CI) to try to ensure
    compatibility with specific Android SDKs
    + #3661: Jackson 2.13 uses Class.getTypeName() that is only
    available on Android SDK 26 (with fix works on ASDK 24)
java-11-openjdk
- Upgrade to upstream tag jdk-11.0.22+7 (January 2024 CPU)
  * Security fixes
    + JDK-8308204: Enhanced certificate processing
    + JDK-8314295, CVE-2024-20919, bsc#1218903: Enhance
    verification of verifier
    + JDK-8314284, CVE-2024-20926, bsc#1218906: Enhance Nashorn
    performance
    + JDK-8314307, CVE-2024-20921, bsc#1218905: Improve loop
    handling
    + JDK-8314468, CVE-2024-20918, bsc#1218907: Improve Compiler
    loops
    + JDK-8316976, CVE-2024-20945, bsc#1218909: Improve signature
    handling
    + JDK-8317547, CVE-2024-20952, bsc#1218911: Enhance TLS
    connection support
  * Other fixes
    + JDK-6381945: (cal) Japanese calendar unit test system should
    avoid multiple static imports
    + JDK-6445283: ProgressMonitorInputStream not large file aware
    (>2GB)
    + JDK-8026393: jarsigner never shows a warning in badKeyUsage
    case
    + JDK-8041447: Test javax/swing/dnd/7171812/bug7171812.java
    fails with java.lang.RuntimeException: Test failed, scroll on
    drag doesn't work
    + JDK-8053479: (dc) DatagramChannel.read() throws exception
    instead of discarding data when buffer too small
    + JDK-8067250: [mlvm] vm/mlvm/mixed/stress/regression/b6969574
    fails and perf regression
    + JDK-8153090: TAB key cannot change input focus after the
    radio button in the Color Selection dialog
    + JDK-8168408: Test java/awt/Focus/ActualFocusedWindowTest/
    /ActualFocusedWindowBlockingTest.java fails intermittentently
    on windows
    + JDK-8183374: Refactor java/lang/Runtime shell tests to java
    + JDK-8185531: [TESTBUG] Improve test configuration for shared
    strings
    + JDK-8195589: T6587786.java failed after JDK-8189997
    + JDK-8197825: [Test] Intermittent timeout with javax/swing
    JColorChooser Test
    + JDK-8205467: javax/management/remote/mandatory/connection/
    /MultiThreadDeadLockTest.java possible deadlock
    + JDK-8207166: jdk/jshell/
    /JdiHangingLaunchExecutionControlTest.java - launch timeout
    + JDK-8210168: JCK test .vm.classfmt.ins.code__002.code__00201m1
    .code__00201m1 hangs with -noverify
    + JDK-8210265: Crash in HSpaceCounters::update_used()
    + JDK-8211045: [Testbug] Fix for 8144279 didn't define a test
    case!
    + JDK-8212997: [TESTBUG] Remove defmeth tests for class file
    versions 50 and 51
    + JDK-8213898: CDS dumping of springboot asserts in
    G1ArchiveAllocator::alloc_new_region
    + JDK-8214694: cleanup rawtypes warnings in open jndi tests
    + JDK-8217329: JTREG: Clean up, remove unused imports in gc
    folder
    + JDK-8218178: vmTestbase/vm/mlvm/mixed/stress/regression/
    /b6969574/INDIFY_Test.java fails with -Xcomp
    + JDK-8220083: Remove hard-coded 127.0.0.1 loopback address in
    JDK networking tests
    + JDK-8221396: Clean up serviceability/sa/TestUniverse.java
    + JDK-8223145: Replace wildcard address with loopback or local
    host in tests - part 1
    + JDK-8223788: [macos] JSpinner buttons in JColorChooser dialog
    may capture focus using TAB Key.
    + JDK-8224035: Replace wildcard address with loopback or local
    host in tests - part 9
    + JDK-8224204: Replace wildcard address with loopback or local
    host in tests - part 10
    + JDK-8226825: Replace wildcard address with loopback or local
    host in tests - part 19
    + JDK-8230435: Replace wildcard address with loopback or local
    host in tests - part 22
    + JDK-8230858: Replace wildcard address with loopback or local
    host in tests - part 23
    + JDK-8231556: Wrong font ligatures used when 2 versions of
    same font used
    + JDK-8231931: [TESTBUG] serviceability/sa/TestUniverse.java
    looks for wrong string with Shenandoah
    + JDK-8232135: Add diagnostic output to test
    java/util/ProcessBuilder/Basic.java
    + JDK-8232513: java/net/DatagramSocket/PortUnreachable.java
    still fails intermittently with BindException
    + JDK-8232933: Javac inferred type does not conform to equality
    constraint
    + JDK-8233000: Mark vmTestbase/vm/mlvm/meth/stress/compiler/
    /deoptimize test as stress test
    + JDK-8233847: (sctp) Flx link-local IPv6 scope handling and
    test cleanup.
    + JDK-8237858: PlainSocketImpl.socketAccept() handles EINTR
    incorrectly
    + JDK-8238740: java/net/httpclient/whitebox/FlowTestDriver.java
    should not specify a TLS protocol
    + JDK-8240235: jdk.test.lib.util.JarUtils updates jar files
    incorrectly
    + JDK-8240604: Rewrite sun/management/jmxremote/bootstrap/
    /CustomLauncherTest.java test to make binaries from source
    file
    + JDK-8240754: Instrument FlowTest.java to provide more debug
    traces.
    + JDK-8242330: Arrays should be cloned in several JAAS Callback
    classes
    + JDK-8244508: JFR: FlightRecorderOptions reset date format
    + JDK-8249812: java/net/DatagramSocket/PortUnreachable.java
    still fails intermittently with SocketTimeoutException
    + JDK-8251177: [macosx] The text "big" is truncated in
    JTabbedPane
    + JDK-8252713: jtreg time out of CtrlASCII.java seems to hang
    the Xserver.
    + JDK-8254711: Add java.security.Provider.getService JFR Event
    + JDK-8255548: Missing coverage for
    javax.xml.crypto.dom.DOMCryptoContext
    + JDK-8258914: javax/net/ssl/DTLS/RespondToRetransmit.java
    timed out
    + JDK-8259266: com/sun/jdi/JdbOptions.java failed with
    "RuntimeException: 'prop[boo] = >foo 2<' missing from
    stdout/stderr"
    + JDK-8260035: Deproblemlist few problemlisted test
    + JDK-8260431: com/sun/jdi/JdbOptions.java failed with
    "RuntimeException: 'prop[boo] = >foo<' missing from
    stdout/stderr"
    + JDK-8263530: sun.awt.X11.ListHelper.removeAll() should use
    clear()
    + JDK-8265586: [windows] last button is not shown in AWT Frame
    with BorderLayout and MenuBar set.
    + JDK-8265678: Test java/awt/Focus/ActualFocusedWindowTest/
    /ActualFocusedWindowBlockingTest.java fails intermittentently
    on windows
    + JDK-8266249: javax/swing/JPopupMenu/7156657/bug7156657.java
    fails on macOS
    + JDK-8267860: Off-by-one bug when searching arrays in
    AlpnGreaseTest
    + JDK-8268916: Tests for AffirmTrust roots
    + JDK-8271519: java/awt/event/SequencedEvent/
    /MultipleContextsFunctionalTest.java failed with
    "Total [200] - Expected [400]"
    + JDK-8273804: Platform.isTieredSupported should handle the
    no-compiler case
    + JDK-8275329: ZGC: vmTestbase/gc/gctests/SoftReference/soft004/
    /soft004.java fails with assert(_phases->length() <= 1000)
    failed: Too many recored phases?
    + JDK-8275333: Print count in "Too many recored phases?" assert
    + JDK-8278456: Define jtreg jdk_desktop test group time-based
    sub-tasks for use by headful testing.
    + JDK-8280004: DCmdArgument<jlong>::parse_value() should handle
    NULL input
    + JDK-8282143: Objects.requireNonNull should be ForceInline
    + JDK-8282404: DrawStringWithInfiniteXform.java failed with
    "RuntimeException: drawString with InfiniteXform transform
    takes long time"
    + JDK-8284331: Add sanity check for signal handler modification
    warning.
    + JDK-8285612: Remove jtreg tag manual=yesno for
    java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
    + JDK-8285687: Remove jtreg tag manual=yesno for
    java/awt/print/PrinterJob/PageRangesDlgTest.java
    + JDK-8286707: JFR: Don't commit JFR internal
    jdk.JavaMonitorWait events
    + JDK-8288325: [windows] Actual and Preferred Size of AWT
    Non-resizable frame are different
    + JDK-8288415: java/awt/PopupMenu/PopupMenuLocation.java is
    unstable in MacOS machines
    + JDK-8288993: Make AwtFramePackTest generic by removing
    @requires tag
    + JDK-8289077: Add manual tests to open
    + JDK-8289238: Refactoring changes to PassFailJFrame Test
    Framework
    + JDK-8289547: Update javax/swing/Popup/TaskbarPositionTest.java
    + JDK-8289584: (fs) Print size values in
    java/nio/file/FileStore/Basic.java when they differ by > 1GiB
    + JDK-8289745: JfrStructCopyFailed uses heap words instead of
    bytes for object sizes
    + JDK-8289917: Metadata for regionsRefilled of
    G1EvacuationStatistics event is wrong
    + JDK-8290067: Show stack dimensions in UL logging when
    attaching threads
    + JDK-8290469: Add new positioning options to PassFailJFrame
    test framework
    + JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests
    resilience under spurious failures
    + JDK-8292683: Remove BadKeyUsageTest.java from Problem List
    + JDK-8292713: Unsafe.allocateInstance should be intrinsified
    without UseUnalignedAccesses
    + JDK-8293098: GHA: Harmonize GCC version handling for host and
    cross builds
    + JDK-8293107: GHA: Bump to Ubuntu 22.04
    + JDK-8293166: jdk/jfr/jvm/TestDumpOnCrash.java fails on Linux
    ppc64le and Linux aarch64
    + JDK-8293361: GHA: dump config.log in case of configure failure
    + JDK-8293466: libjsig should ignore non-modifying sigaction
    calls
    + JDK-8293811: Provide a reason for PassFailJFrame.forceFail
    + JDK-8294281: Allow warnings to be disabled on a per-file basis
    + JDK-8294427: Check boxes and radio buttons have rendering
    issues on Windows in High DPI env
    + JDK-8294673: JFR: Add SecurityProviderService#threshold to
    TestActiveSettingEvent.java
    + JDK-8294941: GHA: Cut down cross-compilation sysroots
    + JDK-8294956: GHA: qemu-debootstrap is deprecated, use the
    regular one
    + JDK-8295213: Run GHA manually with user-specified make and
    configure arguments
    + JDK-8295885: GHA: Bump gcc versions 8313428: GHA: Bump GCC
    versions for July 2023 updates
    + JDK-8296275: Write a test to verify setAccelerator  method of
    JMenuItem
    + JDK-8297296: java/awt/Mouse/EnterExitEvents/
    /DragWindowTest.java fails with "No MouseReleased event on
    label!"
    + JDK-8297640: Increase buffer size for buf
    (insert_features_names) in
    Abstract_VM_Version::insert_features_names
    + JDK-8298905: Test "java/awt/print/PrinterJob/ImagePrinting/
    /PrintARGBImage.java" fails because the frames of instruction
    does not display
    + JDK-8299255: Unexpected round errors in FreetypeFontScaler
    + JDK-8299330: Minor improvements in MSYS2 Workflow handling
    + JDK-8300259: Add test coverage for processing of pending
    block files in signed JARs
    + JDK-8300272: Improve readability of the test
    JarWithOneNonDisabledDigestAlg
    + JDK-8300405: Screen capture for test
    JFileChooserSetLocationTest.java, failure case
    + JDK-8301065: Handle control characters in
    java_lang_String::print
    + JDK-8301167: Update VerifySignedJar to actually exercise and
    test verification
    + JDK-8301570: Test  runtime/jni/nativeStack/ needs to detach
    the native thread
    + JDK-8302017: Allocate BadPaddingException only if it will be
    thrown
    + JDK-8302525: Write a test to check various components send
    Events while mouse and key are used simultaneously
    + JDK-8303607: SunMSCAPI provider leaks memory and keys
    + JDK-8306134: Open source some AWT tests relating to Button
    and a few other classes
    + JDK-8306135: Clean up and open source some AWT tests
    + JDK-8306280: Open source several choice AWT tests
    + JDK-8306372: Open source AWT CardLayout and Checkbox tests
    + JDK-8306430: Open source some AWT tests related to
    TextComponent and Toolkit
    + JDK-8306575: Clean up and open source four Dialog related
    tests
    + JDK-8306765: Some client related jtreg problem list entries
    are malformed
    + JDK-8306883: Thread stacksize is reported with wrong units in
    os::create_thread logging
    + JDK-8307079: Update test java/awt/Choice/DragOffNoSelect.java
    + JDK-8307165: java/awt/dnd/NoFormatsDropTest/
    /NoFormatsDropTest.java timed out
    + JDK-8308592: Framework for CA interoperability testing
    + JDK-8308910: Allow executeAndLog to accept running process
    + JDK-8309095: Remove UTF-8 character from
    TaskbarPositionTest.java
    + JDK-8310265: (process) jspawnhelper should not use argv[0]
    + JDK-8310549: avoid potential leaks in KeystoreImpl.m related
    to JNU_CHECK_EXCEPTION early returns
    + JDK-8311285: report some fontconfig related environment
    variables in hs_err file
    + JDK-8311813: C1: Uninitialized PhiResolver::_loop field
    + JDK-8312065: Socket.connect does not timeout when profiling
    + JDK-8312126: NullPointerException in CertStore.getCRLs after
    8297955
    + JDK-8312489: Increase jdk.jar.maxSignatureFileSize default
    which is too low for JARs such as WhiteSource/Mend unified
    agent jar
    + JDK-8312535: MidiSystem.getSoundbank() throws unexpected
    SecurityException
    + JDK-8312573: Failure during CompileOnly parsing leads to
    ShouldNotReachHere
    + JDK-8312972: Bump update version for OpenJDK: jdk-11.0.22
    + JDK-8313576: GCC 7 reports compiler warning in bundled
    freetype 2.13.0
    + JDK-8313626: C2 crash due to unexpected exception control flow
    + JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not
    close connections on SocketTimeoutErrors
    + JDK-8313691: use close after failing os::fdopen in vmError
    and ciEnv
    + JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase
    + JDK-8313792: Verify 4th party information in
    src/jdk.internal.le/share/legal/jline.md
    + JDK-8313815: The exception messages printed by jcmd
    ManagementAgent.start are corrupted on Japanese Windows
    + JDK-8314063: The socket is not closed in
    Connection::createSocket when the handshake failed for LDAP
    connection
    + JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on
    Windows when run as user with Administrator privileges
    + JDK-8314242: Update applications/scimark/Scimark.java to
    accept VM flags
    + JDK-8314262: GHA: Cut down cross-compilation sysroots deeper
    + JDK-8314263: Signed jars triggering Logger finder recursion
    and StackOverflowError
    + JDK-8314730: GHA: Drop libfreetype6-dev transitional package
    in favor of libfreetype-dev
    + JDK-8315020: The macro definition for LoongArch64 zero build
    is not accurate.
    + JDK-8315062: [GHA] get-bootjdk action should return the
    abolute path
    + JDK-8315135: Memory leak in the native implementation of
    Pack200.Unpacker.unpack()
    + JDK-8315214: Do not run sun/tools/jhsdb tests concurrently
    + JDK-8315480: [11u] Harmonize GHA cross-compilation block with
    mainline
    + JDK-8315683: Parallelize java/util/concurrent/tck/
    /JSR166TestCase.java
    + JDK-8315692: Parallelize
    gc/stress/TestStressRSetCoarsening.java test
    + JDK-8315696: SignedLoggerFinderTest.java test failed
    + JDK-8315766: Parallelize gc/stress/
    /TestStressIHOPMultiThread.java test
    + JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java
    should run with -XX:-VerifyDependencies
    + JDK-8315862: [11u] Backport 8227337: javax/management/remote/
    /mandatory/connection/ReconnectTest.java NoSuchObjectException
    no such object in table
    + JDK-8315863: [GHA] Update checkout action to use v4
    + JDK-8315937: Enable parallelism in
    vmTestbase/nsk/stress/numeric tests
    + JDK-8316087: Test SignedLoggerFinderTest.java is still failing
    + JDK-8316178: Better diagnostic header for CodeBlobs
    + JDK-8316206: Test StretchedFontTest.java fails for Baekmuk
    font
    + JDK-8316380: [11u] Backport 8170089:
    nsk/jdi/EventSet/resume/resume008: ERROR: suspendCounts don't
    match for : Common-Cleaner
    + JDK-8316514: Better diagnostic header for VtableStub
    + JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java
    + JDK-8316746: Top of lock-stack does not match the unlocked
    object
    + JDK-8316906: Clarify TLABWasteTargetPercent flag
    + JDK-8317373: Add Telia Root CA v2
    + JDK-8317374: Add Let's Encrypt ISRG Root X2
    + JDK-8317920: JDWP-agent sends broken exception event with
    onthrow option
    + JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/
    /SSLEngineTestCase.java to handle default cases
    + JDK-8318669: Target OS detection in 'test-prebuilt' makefile
    target is incorrect when running on MSYS2
    + JDK-8318705: [macos] ProblemList
    java/rmi/registry/multipleRegistries/MultipleRegistries.java
    + JDK-8318759: Add four DigiCert root certificates
    + JDK-8319187: Add three eMudhra emSign roots
    + JDK-8320597: RSA signature verification fails on signed data
    that does not encode params correctly
    + JDK-8323423: [11u] Remove designator
    DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.22
jose4j
- Check iteration of Pbes2HmacShaWithAesKey algorithm
  CVE-2023-31582 (bsc#1216609)
  Added: PBES2-check-iteration-count.patch
kernel-default
- vhost: use kzalloc() instead of kmalloc() followed by memset()
  (CVE-2024-0340, bsc#1218689).
- commit 4c5a740

- README.BRANCH: Update cve/linux-5.14 maintainers
  Add myself to match SLE15-SP5 consumer + fix typo in branch name.
- commit da26653

- Refresh patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch.
  Accidentally removed nfs4_get_stateowner
- commit d77a474

- Bluetooth: Fix atomicity violation in {min,max}_key_size_set
  (git-fixes bsc#1219608 CVE-2024-24860).
- commit a1186fd

- README.BRANCH: update branch name to cve/linux-5.14, update maintainers
  as requested
- commit 8e34879

- netfilter: nf_tables: check if catch-all set element is active
  in next generation (CVE-2024-1085 bsc#1219429).
- commit 7b3f4c4

- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
  (CVE-2024-1086 bsc#1219434).
- commit 5f917ff

- Update
  patches.suse/drm-amdgpu-Fix-potential-fence-use-after-free-v2.patch
  (bsc#1219128 CVE-2023-51042 git-fixes).
- commit 4b937fc

- rpm/mkspec: sort entries in _multibuild
  Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
  due to readdir() using "random" order as served by the underlying
  filesystem.
  See for example:
  https://build.opensuse.org/request/show/1144457/changes
- commit d1155de

- Revert "tracing: Increase trace array ref count on enable and
  filter files" (bsc#1219490).
  Deleted:
  patches.suse/tracing-Increase-trace-array-ref-count-on-enable-and-filter-files.patch
  patches.suse/tracing-Have-event-inject-files-inc-the-trace-array-ref-count.patch
  Backported commit f5ca233e2e66 ("tracing: Increase trace array ref count
  on enable and filter files") causes a kernel panic and its upstream
  fix-up bb32500fb9b7 ("tracing: Have trace_event_file have ref counters")
  cannot be easily backported because it affects kABI. Revert the commit
  and its one related + dependent patch, at least for now.
- commit 90d885a

- README.BRANCH: SLE15-SP4 became LTSS, update maintainers
- commit 94325df

- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
  bsc#1218730).
- commit 658d424

- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
  XSA-448, bsc#1218836).
- commit 9a897ff

- Update
  patches.suse/ext4-fix-kernel-BUG-in-ext4_write_inline_data_end.patch
  (CVE-2021-33631 bsc#1219412 bsc#1206894).
- commit 96c942c

- kabi, vmstat: skip periodic vmstat update for isolated CPUs
  (bsc#1217895).
- commit 8cb5798

- sched/isolation: add cpu_is_isolated() API (bsc#1217895).
- trace,smp: Add tracepoints around remotelly called functions
  (bsc#1217895).
- vmstat: skip periodic vmstat update for isolated CPUs
  (bsc#1217895).
- Refresh
  patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch.
- commit 668c0e0

- kernel-source: Fix description typo
- commit 8abff35

- nvmet-tcp: Fix the H2C expected PDU len calculation
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
  bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987
  bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
  PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
  CVE-2023-6536 CVE-2023-6356).
- commit d968940

- clocksource: Skip watchdog check for large watchdog intervals
  (bsc#1217217).
- commit 63b1d6d

- clocksource: disable watchdog checks on TSC when TSC is watchdog
  (bsc#1215885).
- commit 2f92dd8

- nfsd4: add refcount for nfsd4_blocked_lock (bsc#1218968
  bsc#1219349).
- commit d38f35d

- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
  (CVE-2023-47233 bsc#1216702).
- commit 433859d

- rpm/constraints.in: set jobs for riscv to 8
  The same workers are used for x86 and riscv and the riscv builds take
  ages. So align the riscv jobs count to x86.
- commit b2c82b9

- net: sched: sch_qfq: Use non-work-conserving warning handler
  (CVE-2023-4921 bsc#1215275).
- commit b50ba0e

- mkspec: Use variant in constraints template
  Constraints are not applied consistently with kernel package variants.
  Add variant to the constraints template as appropriate, and expand it
  in mkspec.
- commit cc68ab9

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681

- Update
  patches.suse/drm-atomic-Fix-potential-use-after-free-in-nonblocki.patch
  (bsc#1219120 CVE-2023-51043 git-fixes).
- commit d004027

- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a

- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09

- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b

- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33

- block: Fix kabi header include (bsc#1218929).
- commit 8f511ac

- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8

- Update
  patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
  (bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 97ea702

- block: free the extended dev_t minor later (bsc#1218930).
- commit 0972f94

- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3

- hv_netvsc: rndis_filter needs to select NLS (git-fixes).
- commit 6f3116b

- nfsd: fix RELEASE_LOCKOWNER (bsc#1218968).
- commit 605df5b

- netfilter: nf_tables: Reject tables of unsupported family
  (bsc#1218752 CVE-2023-6040).
- commit e03f1d3

- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR (git-fixes).
- bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in
  btree_gc_coalesce() (git-fixes).
- rbd: take header_rwsem in rbd_dev_refresh() only when updating
  (git-fixes).
- dm: don't lock fs when the map is NULL during suspend or resume
  (git-fixes).
- commit fe9ee72

- tipc: fix a potential deadlock on &tx->lock (bsc#1218916
  CVE-2024-0641).
- commit c872674

- Update metadata
- commit d121b79

- tipc: fix a potential deadlock on &tx->lock (bsc#1218916
  CVE-2024-0641).
- commit 7953be2

- Update metadata
- commit c015ae2

- smb: client: fix OOB in receive_encrypted_standard()
  (bsc#1218832 CVE-2024-0565).
- commit 3cac9c2

- ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804
  CVE-2023-6915).
- commit 7caa324

- dm-integrity: don't modify bio's immutable bio_vec in
  integrity_metadata() (git-fixes).
- dm-verity: align struct dm_verity_fec_io properly (git-fixes).
- dm verity: don't perform FEC for failed readahead IO
  (git-fixes).
- bcache: avoid NULL checking to c->root in run_cache_set()
  (git-fixes).
- bcache: add code comments for bch_btree_node_get() and
  __bch_btree_node_alloc() (git-fixes).
- bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up
  race (git-fixes).
- bcache: fixup lock c->root error (git-fixes).
- bcache: fixup init dirty data errors (git-fixes).
- bcache: prevent potential division by zero error (git-fixes).
- bcache: remove redundant assignment to variable cur_idx
  (git-fixes).
- bcache: check return value from btree_node_alloc_replacement()
  (git-fixes).
- bcache: avoid oversize memory allocation by small stripe_size
  (git-fixes).
- dm-delay: fix a race between delay_presuspend and delay_bio
  (git-fixes).
- dm zoned: free dmz->ddev array in dmz_put_zoned_devices
  (git-fixes).
- rbd: decouple parent info read-in from updating rbd_dev
  (git-fixes).
- rbd: decouple header read-in from updating rbd_dev->header
  (git-fixes).
- rbd: move rbd_dev_refresh() definition (git-fixes).
- rbd: prevent busy loop when requesting exclusive lock
  (git-fixes).
- rbd: retrieve and check lock owner twice before blocklisting
  (git-fixes).
- rbd: harden get_lock_owner_info() a bit (git-fixes).
- rbd: make get_lock_owner_info() return a single locker or NULL
  (git-fixes).
- dm cache policy smq: ensure IO doesn't prevent cleaner policy
  progress (git-fixes).
- dm raid: clean up four equivalent goto tags in raid_ctr()
  (git-fixes).
- dm raid: fix missing reconfig_mutex unlock in raid_ctr()
  error paths (git-fixes).
- dm integrity: reduce vmalloc space footprint on 32-bit
  architectures (git-fixes).
- dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client
  (git-fixes).
- bcache: fixup btree_cache_wait list damage (git-fixes).
- bcache: Fix __bch_btree_node_alloc to make the failure behavior
  consistent (git-fixes).
- bcache: Remove unnecessary NULL point check in node allocations
  (git-fixes).
- dm thin metadata: check fail_io before using data_sm
  (git-fixes).
- commit 7e800d7

- rbd: get snapshot context after exclusive lock is ensured to
  be held (git-fixes).
- Refresh for the above change,
  patches.suse/rbd-export-some-functions-used-by-lio-rbd-backend.patch.
  patches.suse/target_core_rbd-fix-rbd_img_request.snap_id-assignme.patch.
- commit dcd100d

- rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting (git-fixes).
- Rebased for the above change,
  patches.suse/rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch.
- commit b5f85f8

- nbd: Fix debugfs_create_dir error checking (git-fixes).
- dm: don't lock fs when the map is NULL in process of resume
  (git-fixes).
- dm flakey: fix a crash with invalid table line (git-fixes).
- dm integrity: call kmem_cache_destroy() in dm_integrity_init()
  error path (git-fixes).
- dm clone: call kmem_cache_destroy() in dm_clone_init() error
  path (git-fixes).
- dm verity: fix error handling for check_at_most_once on FEC
  (git-fixes).
- nbd: fix incomplete validation of ioctl arg (git-fixes).
- null_blk: Always check queue mode setting from configfs
  (git-fixes).
- dm stats: check for and propagate alloc_percpu failure
  (git-fixes).
- dm crypt: avoid accessing uninitialized tasklet (git-fixes).
- dm crypt: add cond_resched() to dmcrypt_write() (git-fixes).
- commit ad93a37

- dm thin: fix deadlock when swapping to thin device
  (bsc#1177529).
- Delete the in-house patch by the above upstream patch,
  patches.suse/Avoid-deadlock-for-recursive-I-O-on-dm-thin-when-used-as-swap-4905.patch.
- commit 13bcec1

- rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create()
  fails (git-fixes).
- dm cache: add cond_resched() to various workqueue loops
  (git-fixes).
- dm thin: add cond_resched() to various workqueue loops
  (git-fixes).
- dm: add cond_resched() to dm_wq_work() (git-fixes).
- dm: remove flush_scheduled_work() during local_exit()
  (git-fixes).
- dm: send just one event on resize, not two (git-fixes).
- dm flakey: fix logic when corrupting a bio (git-fixes).
- dm flakey: don't corrupt the zero page (git-fixes).
- dm init: add dm-mod.waitfor to wait for asynchronously probed
  block devices (git-fixes).
- loop: suppress uevents while reconfiguring the device
  (git-fixes).
- commit 2a9583d

- nbd: use the correct block_device in nbd_bdev_reset (git-fixes).
- Refresh for the above change,
  patches.suse/0019-nbd-fix-io-hung-while-disconnecting-device.patch.
  patches.suse/0031-nbd-Fix-hung-when-signal-interrupts-nbd_start_device_ioctl.patch.
- commit 2cb1a83

- blacklist.conf: add non-backport git-fixes commit
- commit ab480ce

- dm verity: skip redundant verity_handle_err() on I/O errors
  (git-fixes).
- commit 7d823a7

- Update
  patches.kabi/NFS-Fix-another-fsync-issue-after-a-server-reboot.patch
  (git-fixes, bsc#1217670).
- commit 69dfe32

- blacklist.conf: df1c357f25d8 netfs: Only call folio_start_fscache() one time for each folio
- commit 049ab09

- intel_idle: add Emerald Rapids Xeon support (bsc#1216016).
- commit 30bac4b

- Update patch reference for rose fix (CVE-2023-51782 bsc#1218757)
- commit da9f8e9

- blacklist.conf: c4d361f66ac9 fuse: share lookup state between submount and its parent
- commit 3180cfa

- powerpc/pseries/iommu: enable_ddw incorrectly returns direct
  mapping for SR-IOV device (bsc#1212091 ltc#199106 git-fixes).
- commit f20e9a0

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
  The old entries are found in kernel-docs/old_changelog.txt in docdir.
  rpm/old_changelog.txt can be an optional file that stores the similar
  info like rpm/kernel-sources.changes.old.  It can specify the commit
  range that have been truncated.  scripts/tar-up.sh expands from the
  git log accordingly.
- commit c9a2566

- x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285).
- commit 8afebed

- fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
  (bsc#1218659).
- commit 4ee6819

- swiotlb-xen: provide the "max_mapping_size" method (git-fixes).
- commit a036bcf

- xen/events: fix delayed eoi list handling (git-fixes).
- commit eb0149c

- xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled
  (git-fixes).
- commit f6ed3e4

- swiotlb: fix a braino in the alignment check fix (bsc#1216559).
- swiotlb: fix slot alignment checks (bsc#1216559).
- commit a41e3fe

- vsock/virtio: Fix unsigned integer wrap around in
  virtio_transport_has_space() (git-fixes).
- commit db5c328

- vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE
  (git-fixes).
- commit ad9e29a

- virtio_balloon: Fix endless deflation and inflation on arm64
  (git-fixes).
- commit 6583f74

- virtio-mmio: fix memory leak of vm_dev (git-fixes).
- commit d624528

- KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
  (git-fixes).
- commit 8696527

- KVM: x86: Mask LVTPC when handling a PMI (jsc#PED-7322).
- commit 146bca2

- io_uring/af_unix: disable sending io_uring over sockets
  (bsc#1218447, CVE-2023-6531).
- commit fdc256b

- smb: client: fix potential OOB in smb2_dump_detail()
  (bsc#1217946 CVE-2023-6610).
- commit cfca7f7

- x86/purgatory: Remove LTO flags (git-fixes).
- commit bbd4f84

- x86/fpu/xstate: Prevent false-positive warning in __copy_xstate_uabi_buf() (git-fixes).
- commit 46d60b3

- x86/fpu: Invalidate FPU state correctly on exec() (git-fixes).
- commit 7686df9

- x86/cpu: Fix amd_check_microcode() declaration (git-fixes).
- Refresh patches.suse/x86-srso-set-cpuid-feature-bits-independently-of-bug-or-mitigation-status.patch.
- commit c22f4b4

- x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 (git-fixes).
- commit d74349c

- vsprintf/kallsyms: Prevent invalid data when printing symbol
  (bsc#1217602).
- commit 8dab9cc

- Limit kernel-source build to architectures for which the kernel binary
  is built (bsc#1108281).
- commit 08a9e44

- x86/boot: Fix incorrect startup_gdt_descr.size (git-fixes).
- commit fdc98a7

- x86/boot/compressed: Reserve more memory for page tables  (git-fixes).
- commit 6bf16e1

- gfs2: Silence "suspicious RCU usage in gfs2_permission" warning
  (git-fixes).
- commit 3929c70

- x86/alternatives: Sync core before enabling interrupts (git-fixes).
- commit 4a0b72a

- x86/alternatives: Disable KASAN in apply_alternatives() (git-fixes).
- commit 7029135

- x86/smp: Use dedicated cache-line for mwait_play_dead() (git-fixes).
- commit 8087b92

- x86/srso: Add SRSO mitigation for Hygon processors (git-fixes).
- commit 7b8dfd1

- x86/srso: Fix SBPB enablement for (possible) future fixed HW   (git-fixes).
- Refresh
  patches.suse/x86-srso-fix-vulnerability-reporting-for-missing-microcode.patch.
- commit b121d1d

- x86/CPU/AMD: Check vendor in the AMD microcode callback (git-fixes).
- commit 43e31d9

- x86/srso: Fix vulnerability reporting for missing microcode (git-fixes).
- commit 98085ae

- x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry (git-fixes).
- commit 270b9c8

- x86/alternatives: Disable interrupts and sync when optimizing NOPs in  place (git-fixes).
- commit 1bd102b

- gfs2: fix an oops in gfs2_permission (git-fixes).
- commit 60a8e84

- iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user() (git-fixes).
- commit a2dd84b

- gfs2: ignore negated quota changes (git-fixes).
- commit c2a4d43

- x86/resctrl: Fix kernel-doc warnings (git-fixes).
- commit 50de71c

- gfs2: Fix possible data races in gfs2_show_options()
  (git-fixes).
- commit 7592b99

- gfs2: Fix inode height consistency check (git-fixes).
- commit 935054a

- gfs2: jdata writepage fix (git-fixes).
- commit e5f9516

- gfs2: Improve gfs2_make_fs_rw error handling (git-fixes).
- commit 86c44aa

- gfs2: Check sb_bsize_shift after reading superblock (git-fixes).
- commit 130df3d

- gfs2: Switch from strlcpy to strscpy (git-fixes).
- commit 3054547

- gfs2: use i_lock spin_lock for inode qadata (git-fixes).
- commit 4e4b75a

- gfs2: Fix filesystem block deallocation for short writes
  (git-fixes).
- commit 87cd867

- gfs2: Make sure FITRIM minlen is rounded up to fs block size
  (git-fixes).
- commit 62669a7

- gfs2: gfs2_setattr_size error path fix (git-fixes).
- commit d0e789c

- gfs2: Fix gfs2_release for non-writers regression (git-fixes).
- commit 1a34aa3

- gfs2: Fix length of holes reported at end-of-file (git-fixes).
- commit 09da26e

- gfs2: Clean up function may_grant (git-fixes).
- commit ce33b14

- gfs2: Add wrapper for iomap_file_buffered_write (git-fixes).
- commit e045f1b

- locks: fix KASAN: use-after-free in
  trace_event_raw_event_filelock_lock (git-fixes).
- commit 4758492

- fs: avoid empty option when generating legacy mount string
  (git-fixes).
- commit 00945db

- statfs: enforce statfs[64] structure initialization (git-fixes).
- commit d4a18c5

- orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
  (git-fixes).
- commit b9e9b76

- orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
  (git-fixes).
- commit 1d47e4a

- orangefs: Fix sysfs not cleanup when dev init failed
  (git-fixes).
- commit f7a82d1

- fs/remap: constrain dedupe of EOF blocks (git-fixes).
- commit e861bd6

- fs: fix an infinite loop in iomap_fiemap (git-fixes).
- commit 41989d9

- orangefs: Fix the size of a memory allocation in
  orangefs_bufmap_alloc() (git-fixes).
- commit 6623b23

- iomap: Fix iomap_dio_rw return value for user copies
  (git-fixes).
- commit 2b65ea1

- ubifs: Fix memory leak of bud->log_hash (git-fixes).
- commit dfe9a1f

- ubifs: fix possible dereference after free (git-fixes).
- commit 971dae9

- fs: ocfs2: namei: check return value of ocfs2_add_entry()
  (git-fixes).
- commit 63eae38

- jfs: fix array-index-out-of-bounds in diAlloc (git-fixes).
- commit 8906b9a

- jfs: fix array-index-out-of-bounds in dbFindLeaf (git-fixes).
- commit 28815ad

- fs/jfs: Add validity check for db_maxag and db_agpref
  (git-fixes).
- commit 39d5b5e

- fs/jfs: Add check for negative db_l2nbperpage (git-fixes).
- commit f831778

- jfs: validate max amount of blocks before allocation
  (git-fixes).
- commit 4be1419

- jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
  (git-fixes).
- commit 5b4b023

- fs/jfs: prevent double-free in dbUnmount() after failed
  jfs_remount() (git-fixes).
- commit 51a993a

- reiserfs: Replace 1-element array with C99 style flex-array
  (git-fixes).
- commit 6ad83f4

- reiserfs: Check the return value from __getblk() (git-fixes).
- commit 0e912c9

- afs: Fix use-after-free due to get/remove race in volume tree
  (git-fixes).
- commit f4a57bf

- afs: Fix overwriting of result of DNS query (git-fixes).
- commit fe0f4c6

- afs: Fix dynamic root lookup DNS check (git-fixes).
- commit 1e86064

- afs: Fix the dynamic root's d_delete to always delete unused
  dentries (git-fixes).
- commit 3d5b3d7

- afs: Fix refcount underflow from error handling race
  (git-fixes).
- commit 0a9c8bb

- afs: Fix file locking on R/O volumes to operate in local mode
  (git-fixes).
- commit 5431cb3

- afs: Return ENOENT if no cell DNS record can be found
  (git-fixes).
- commit 863355b

- afs: Make error on cell lookup failure consistent with OpenAFS
  (git-fixes).
- commit 5fcd2cf

- afs: Fix afs_server_list to be cleaned up with RCU (git-fixes).
- commit 8fc4f69

- remove unnecessary WARN_ON_ONCE() (bsc#1214823 bsc#1218569).
- commit 6bd8135

- Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
  (CVE-2023-51779 bsc#1218559).
- commit b8b3309

- Delete doc/config-options.changes (jsc#PED-5021)
  Following on adedbd2a5c6 ("kernel-source: Remove config-options.changes
  (jsc#PED-5021)"), remove the now unused file from the tree.
- commit d1b9e97

- tracing: Fix blocked reader of snapshot buffer (git-fixes).
- commit f6f3907

- ring-buffer: Fix wake ups when buffer_percent is set to 100
  (git-fixes).
- commit 21c1070

- tracing / synthetic: Disable events after testing in
  synth_event_gen_test_init() (git-fixes).
- commit e21c29f

- tracing/synthetic: fix kernel-doc warnings (git-fixes).
- commit 62cdcf8

- Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()"
  (git-fixes).
- commit 9be35d2

- mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184)
  When MULTIBUILD option in config.sh is enabled generate a _multibuild
  file listing all spec files.
- commit f734347

- Build in the correct KOTD repository with multibuild
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  With multibuild setting repository flags is no longer supported for
  individual spec files - see
  https://github.com/openSUSE/open-build-service/issues/3574
  Add ExclusiveArch conditional that depends on a macro set up by
  bs-upload-kernel instead. With that each package should build only in
  one repository - either standard or QA.
  Note: bs-upload-kernel does not interpret rpm conditionals, and only
  uses the first ExclusiveArch line to determine the architectures to
  enable.
- commit aa5424d

- blacklist.conf: Add c98c18270be1 sched, cgroup: Restore meaning to hierarchical_quota
- commit 6115840

- mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors
  (bsc#1218515).
- commit 00f113e

- blacklist.conf: e63a57303599 blk-cgroup: bypass blkcg_deactivate_policy after destroying
- commit 895355e

- ring-buffer: Fix slowpath of interrupted event (git-fixes).
- commit dbe7edd

- ring-buffer: Remove useless update to write_stamp in
  rb_try_to_discard() (git-fixes).
- commit 64ff947

- RDMA/hfi1: Workaround truncation compilation error (git-fixes)
- commit 2302fb3

- RDMA/hns: The UD mode can only be configured with DCQCN (git-fixes)
- commit ca9d38d

- RDMA/hns: Add check for SL (git-fixes)
- commit cf9e8e3

- RDMA/hns: Fix signed-unsigned mixed comparisons (git-fixes)
- commit 34178f4

- RDMA/hns: Fix uninitialized ucmd in hns_roce_create_qp_common() (git-fixes)
- commit 47c4074

- RDMA/hns: Fix printing level of asynchronous events (git-fixes)
- commit 892f8ec

- IB/mlx5: Fix rdma counter binding for RAW QP (git-fixes)
- commit ffaf04e

- RDMA/hfi1: Use FIELD_GET() to extract Link Width (git-fixes)
- commit 4b8aeed

- RDMA/core: Use size_{add,sub,mul}() in calls to struct_size() (git-fixes)
- commit 605983a

- uapi: propagate __struct_group() attributes to the container
  union (jsc#SLE-18978).
- commit 3b553e2

- Update References
  patches.suse/Bluetooth-Reject-connection-with-the-device-which-ha.patch
  (git-fixes bsc#1215237 CVE-2020-26555).
- commit 0b8be40

- Update References
  patches.suse/Bluetooth-hci_event-Ignore-NULL-link-key.patch
  (git-fixes bsc#1215237 CVE-2020-26555).
- commit 3386934

- iio: adc: ti_am335x_adc: Fix return value check of
  tiadc_request_dma() (git-fixes).
- iio: triggered-buffer: prevent possible freeing of wrong buffer
  (git-fixes).
- iio: imu: inv_mpu6050: fix an error code problem in
  inv_mpu6050_read_raw (git-fixes).
- iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion
  time table (git-fixes).
- interconnect: Treat xlate() returning NULL node as an error
  (git-fixes).
- Input: ipaq-micro-keys - add error handling for devm_kmemdup
  (git-fixes).
- lib/vsprintf: Fix %pfwf when current node refcount == 0
  (git-fixes).
- ASoC: hdmi-codec: fix missing report for jack initial status
  (git-fixes).
- i2c: aspeed: Handle the coalesced stop conditions with the
  start conditions (git-fixes).
- pinctrl: at91-pio4: use dedicated lock class for IRQ
  (git-fixes).
- wifi: mac80211: mesh_plink: fix matches_local logic (git-fixes).
- net: rfkill: gpio: set GPIO direction (git-fixes).
- wifi: iwlwifi: pcie: add another missing bh-disable for
  rxq->lock (git-fixes).
- ARM: OMAP2+: Fix null pointer dereference and memory leak in
  omap_soc_device_init (git-fixes).
- spi: atmel: Fix clock issue when using devices with different
  polarities (git-fixes).
- soundwire: stream: fix NULL pointer dereference for multi_link
  (git-fixes).
- Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
  (git-fixes).
- PCI: loongson: Limit MRRS to 256 (git-fixes).
- ALSA: hda/realtek: Apply mute LED quirk for HP15-db (git-fixes).
- ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170
  variants (git-fixes).
- ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
  (git-fixes).
- net/rose: Fix Use-After-Free in rose_ioctl (git-fixes).
- net: usb: qmi_wwan: claim interface 4 for ZTE MF290 (git-fixes).
- usb: aqc111: check packet for fixup for true limit (git-fixes).
- commit ed00079

- Drop PCI AER patch that has been reverted on stable trees
  Deleted:
  patches.suse/PCI-portdrv-Don-t-disable-AER-reporting-in-get_port_.patch
- commit 43c7676

- Drop drm/bridge lt9611uxc patches that have been reverted on stable trees
- commit b9351c7

- smb: client: fix OOB in smbCalcSize() (bsc#1217947
  CVE-2023-6606).
- commit 97b24d1

- Update References
  patches.suse/tty-n_gsm-fix-the-UAF-caused-by-race-condition-in-gs.patch
  (git-fixes bsc#1218335 CVE-2023-6546).
- commit ad12641

- perf: Fix perf_event_validate_size() lockdep splat
  (CVE-2023-6931 bsc#1218258).
- perf: Fix perf_event_validate_size() (CVE-2023-6931
  bsc#1218258).
- commit 00427a6

- nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
  (git-fixes).
- commit 6c500e1

- s390/vx: fix save/restore of fpu kernel context (git-fixes
  bsc#1218357).
- commit 4f47f85

- blacklist.conf: add nvme entries
- commit 9216151

- nvme-pci: Add sleep quirk for Kingston drives (git-fixes).
- nvmet-auth: complete a request only after freeing the dhchap
  pointers (git-fixes).
- nvme: sanitize metadata bounce buffer for reads (git-fixes).
- nvme-rdma: do not try to stop unallocated queues (git-fixes).
- nvme-pci: do not set the NUMA node of device if it has none
  (git-fixes).
- nvme-pci: factor out a nvme_pci_alloc_dev helper (git-fixes).
- nvme-pci: factor the iod mempool creation into a helper
  (git-fixes).
  Refresh:
  - patches.suse/nvme-pci-fix-page-size-checks.patch
- commit 19bc755

- Rename to
  patches.suse/nvme-auth-use-chap-s2-to-indicate-bidirectional-auth.patch.
  and move the patch into the sorted section
- commit 633cfe2

- net/smc: Fix pos miscalculation in statistics (bsc#1218139).
- commit 513a67c

- bus: ti-sysc: Flush posted write only after srst_udelay
  (git-fixes).
- commit c942b7c

- reset: Fix crash when freeing non-existent optional resets
  (git-fixes).
- commit 6de5ad5

- HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
  (git-fixes).
- commit 60dd723

- HID: hid-asus: reset the backlight brightness level on resume
  (git-fixes).
- commit 79eff80

- HID: hid-asus: add const to read-only outgoing usb buffer
  (git-fixes).
- commit 1c939ed

- HID: add ALWAYS_POLL quirk for Apple kb (git-fixes).
- commit d088123

- restore renamed device IDs for USB HID devices (git-fixes).
- commit 5519e39

- HID: glorious: fix Glorious Model I HID report (git-fixes).
- commit ad69d7e

- scsi: lpfc: use unsigned type for num_sge (bsc#1214747).
- commit 513fc35

- r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en() (git-fixes).
- commit 3ae518f

- r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
  (git-fixes).
- commit d714a95

- r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
  (git-fixes).
- commit ad9ad0d

- bpf: Adjust insufficient default bpf_jit_limit (bsc#1218234 git-fixes).
- commit 697b74c

- ipv4: igmp: fix refcnt uaf issue when receiving igmp query
  packet (bsc#1218253 CVE-2023-6932).
- commit 87dfb84

- Refresh patches.suse/gve-Tx-path-for-DQO-QPL.patch.
  Fix backport.
- commit f5531ee

- Input: xpad - add HyperX Clutch Gladiate Support (git-fixes).
- commit 6d0690b

- Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
  (git-fixes).
- commit 8fa7ef8

- ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
  (git-fixes).
- commit a4fe241

- ring-buffer: Do not try to put back write_stamp (git-fixes).
- commit df9fac1

- ring-buffer: Have saved event hold the entire event (git-fixes).
- commit 5347597

- ring-buffer: Do not update before stamp when switching
  sub-buffers (git-fixes).
- commit 9c594ba

- tracing: Update snapshot buffer on resize if it is allocated
  (git-fixes).
- commit d5996f1

- ring-buffer: Fix memory leak of free page (git-fixes).
- commit ee5f869

- ring-buffer: Fix writing to the buffer with max_data_size
  (git-fixes).
- commit bb90d48

- blacklist.conf: cleanup
- commit 16dcb62

- usb: hub: Guard against accesses to uninitialized BOS
  descriptors (git-fixes).
- commit 573da1a

- kABI: restore void return to typec_altmode_attention
  (git-fixes).
- commit 9821aa3

- usb: typec: bus: verify partner exists in
  typec_altmode_attention (git-fixes).
- commit 5fea3d2

- blacklist.conf: it changes only logging
- commit 3cbbd08

- r8152: Add RTL8152_INACCESSIBLE checks to more loops
  (git-fixes).
- commit f62163f

- r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
  (git-fixes).
- commit 064cc95

- Documentation: drop more IDE boot options and ide-cd.rst
  (git-fixes).
- commit 7993dcc

- Update patches.suse/spi-tegra210-quad-Fix-duplicate-resource-error.patch (git-fixes, jsc#PED-3459
  Add reference to PED-3459
- commit c4a5ea6

- Update patches.suse/spi-tegra210-quad-Multi-cs-support.patch (bsc#1212584, jsc#PED-3459
  Add reference to PED-3459.
- commit fc374a4

- Update patches.suse/spi-tegra210-quad-Fix-combined-sequence.patch (bsc#1212584, jsc#PED-3459)
  Add reference to PED-3459.
- commit bff7fca

- Drop Documentation/ide/ (git-fixes).
- commit d3eb72d

- padata: Fix refcnt handling in padata_free_shell() (git-fixes).
- commit 5219779

- tracing: Set actual size after ring buffer resize (git-fixes).
- commit b915dbf

- tracing/perf: Add interrupt_context_level() helper (git-fixes).
- commit 9da609b

- tracing: Reuse logic from perf's get_recursion_context()
  (git-fixes).
- commit adc2c65

- tracing: relax trace_event_eval_update() execution with
  cond_resched() (git-fixes).
- commit 017c09c

- ring-buffer: Force absolute timestamp on discard of event
  (git-fixes).
- commit 703d47b

- tracing: Disable snapshot buffer when stopping instance tracers
  (git-fixes).
- commit ea1804c

- tracing: Stop current tracer when resizing buffer (git-fixes).
- commit 416045c

- tracing: Always update snapshot buffer size (git-fixes).
- commit ab3ac02

- kprobes: consistent rcu api usage for kretprobe holder
  (git-fixes).
- commit bd133f6

- tracing/kprobes: Fix the order of argument descriptions
  (git-fixes).
- commit 4822ad0

- tracing: Have the user copy of synthetic event address use
  correct context (git-fixes).
- commit ee4a2b2

- KVM: s390/mm: Properly reset no-dat (git-fixes bsc#1218056).
- commit 5b3fa66

- kabi/severities: ignore kABI for asus-wmi drivers
  Tolerate the kABI changes, as used only locally for asus-wmi stuff
- commit 42dad1e

- platform/x86: asus-wmi: Add support for ROG X13 tablet mode
  (git-fixes).
- commit 1640ab2

- serial: sc16is7xx: address RX timeout interrupt errata
  (git-fixes).
- parport: Add support for Brainboxes IX/UC/PX parallel cards
  (git-fixes).
- hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe()
  (git-fixes).
- hwmon: (acpi_power_meter) Fix 4.29 MW bug (git-fixes).
- ALSA: pcm: fix out-of-bounds in snd_pcm_state_names (git-fixes).
- ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
  (git-fixes).
- ALSA: usb-audio: Add Pioneer DJM-450 mixer controls (git-fixes).
- nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
  (git-fixes).
- nilfs2: fix missing error check for sb_set_blocksize call
  (git-fixes).
- platform/x86: wmi: Skip blocks with zero instances (git-fixes).
- platform/x86: asus-wmi: Move i8042 filter install to shared
  asus-wmi code (git-fixes).
- drm/amdgpu: correct the amdgpu runtime dereference usage count
  (git-fixes).
- kconfig: fix memory leak from range properties (git-fixes).
- i2c: designware: Fix corrupted memory seen in the ISR
  (git-fixes).
- drm/amdgpu: correct chunk_ptr to a pointer to chunk (git-fixes).
- drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
  (git-fixes).
- platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch
  reporting (git-fixes).
- platform/x86: wmi: Allow duplicate GUIDs for drivers that use
  struct wmi_driver (git-fixes).
- platform/x86: asus-wmi: Simplify tablet-mode-switch handling
  (git-fixes).
- platform/x86: asus-wmi: Simplify tablet-mode-switch probing
  (git-fixes).
- platform/x86: asus-wmi: Adjust tablet/lidflip handling to use
  enum (git-fixes).
- commit e47d99c

- tracing/kprobes: Fix the description of variable length
  arguments (git-fixes).
- commit ee78d8b

- neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
  (git-fixes).
- commit 946e077

- netfilter: nf_tables: bail out on mismatching dynset and set
  expressions (bsc#1217938 CVE-2023-6622).
- commit de1dd10

- HID: lenovo: Restrict detection of patched firmware only to
  USB cptkbd (git-fixes).
- commit 1bd99d4

- ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
  (git-fixes).
- Bluetooth: hci_qca: Fix the teardown problem for real
  (git-fixes).
- Documentation: qat: Use code block for qat sysfs example
  (git-fixes).
- commit c75f6d8

- ALSA: hda/realtek: Add supported ALC257 for ChromeOS
  (git-fixes).
- ALSA: hda/realtek: Headset Mic VREF to 100% (git-fixes).
- ALSA: hda: intel-dsp-cfg: add LunarLake support (git-fixes).
- ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects
  (git-fixes).
- ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad
  Z470 (git-fixes).
- ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer (git-fixes).
- ALSA: seq: oss: Fix racy open/close of MIDI devices (git-fixes).
- commit 200c0a2

- blacklist.conf: add two ceph commits
- commit d8d4641

- ceph: fix type promotion bug on 32bit systems (bsc#1217982).
- libceph: use kernel_connect() (bsc#1217981).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
  (bsc#1217980).
- commit e3e482f

- arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y (git-fixes)
- commit 794f0e7

- arm64: dts: imx8mn: Add sound-dai-cells to micfil node (git-fixes)
- commit 4dcfded

- arm64: dts: imx8mm: Add sound-dai-cells to micfil node (git-fixes)
- commit 0fd1b8d

- arm64: dts: arm: add missing cache properties (git-fixes)
- commit 710ea40

- blacklist.conf: ("arm64: dts: broadcom: bcmbca: bcm4908: fix LED nodenames")
- commit 37fe1b1

- arm64: dts: imx8mq-librem5: Remove dis_u3_susphy_quirk from (git-fixes)
- commit 8cd5213

- net/tg3: fix race condition in tg3_reset_task() (bsc#1217801).
- commit 68db0d6

- tracing: Fix a possible race when disabling buffered events
  (bsc#1217036).
- commit 26540da

- tracing: Fix a warning when allocating buffered events fails
  (bsc#1217036).
- commit ec57b73

- tracing: Fix incomplete locking when disabling buffered events
  (bsc#1217036).
- commit 2d81a3a

- tracing: Disable preemption when using the filter buffer
  (bsc#1217036).
- commit 0ade134

- tracing: Use __this_cpu_read() in
  trace_event_buffer_lock_reserver() (bsc#1217036).
- commit 8aa5d9a

- tracing: Fix warning in trace_buffered_event_disable()
  (git-fixes, bsc#1217036).
- commit b71b6ff

- usb: typec: ucsi: acpi: add quirk for ASUS Zenbook UM325
  (git-fixes).
- commit 19f2446

- nvmet: nul-terminate the NQNs passed in the connect command
  (bsc#1217250 CVE-2023-6121).
- commit e359ed1

- KVM: s390: vsie: fix wrong VIR 37 when MSO is used (git-fixes
  bsc#1217933).
- commit e39e7a6

- gpiolib: sysfs: Fix error handling on failed export (git-fixes).
- Revert "xhci: Loosen RPM as default policy to cover for AMD
  xHC 1.1" (git-fixes).
- usb: typec: class: fix typec_altmode_put_partner to put plugs
  (git-fixes).
- ARM: PL011: Fix DMA support (git-fixes).
- serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
  (git-fixes).
- serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
  (git-fixes).
- misc: mei: client.c: fix problem of return '-EOVERFLOW' in
  mei_cl_write (git-fixes).
- misc: mei: client.c: return negative error code in mei_cl_write
  (git-fixes).
- commit 09a57bf

- md/raid1: fix error: ISO C90 forbids mixed declarations
  (git-fixes).
- md: raid0: account for split bio in iostat accounting
  (git-fixes).
- md/raid1: hold the barrier until handle_read_error() finishes
  (git-fixes).
- md/raid1: free the r1bio before waiting for blocked rdev
  (git-fixes).
- md: raid1: fix potential OOB in raid1_remove_disk() (git-fixes).
- md/md-bitmap: hold 'reconfig_mutex' in backlog_store()
  (git-fixes).
- md/md-bitmap: remove unnecessary local variable in
  backlog_store() (git-fixes).
- md/raid10: use dereference_rdev_and_rrdev() to get devices
  (git-fixes).
- md/raid10: factor out dereference_rdev_and_rrdev() (git-fixes).
- md: restore 'noio_flag' for the last mddev_resume() (git-fixes).
- Revert "md: unlock mddev before reap sync_thread in
  action_store" (git-fixes).
- md/raid0: add discard support for the 'original' layout
  (git-fixes).
- md/raid10: fix the condition to call bio_end_io_acct()
  (git-fixes).
- md/raid10: prevent soft lockup while flush writes (git-fixes).
- md/raid10: fix io loss while replacement replace rdev
  (git-fixes).
- md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
  (git-fixes).
- md/raid10: fix wrong setting of max_corr_read_errors
  (git-fixes).
- md/raid10: fix overflow of md/safe_mode_delay (git-fixes).
- md/raid5: fix miscalculation of 'end_sector' in
  raid5_read_one_chunk() (git-fixes).
- md/raid10: don't call bio_start_io_acct twice for bio which
  experienced read error (git-fixes).
- md/raid10: fix memleak of md thread (git-fixes).
- md/raid10: fix memleak for 'conf->bio_split' (git-fixes).
- md/raid10: fix leak of 'r10bio->remaining' for recovery
  (git-fixes).
- md/raid10: fix null-ptr-deref in raid10_sync_request
  (git-fixes).
- commit 75c9e76

- md/raid10: fix task hung in raid10d (git-fixes).
- Refresh patches.suse/md-display-timeout-error.patch for the above change.
- commit 90d12ef

- md: avoid signed overflow in slot_store() (git-fixes).
- md/raid10: factor out code from wait_barrier() to
  stop_waiting_barrier() (git-fixes).
- commit c35659b

- md: Set MD_BROKEN for RAID1 and RAID10 (git-fixes).
- Update patches.suse/md-display-timeout-error.patch for the above change.
- commit 77abf5c

- md: raid10 add nowait support (git-fixes).
- md: drop queue limitation for RAID1 and RAID10 (git-fixes).
- md/bitmap: don't set max_write_behind if there is no write
  mostly device (git-fixes).
- commit 44a1c08

- blacklist.conf: add non-backport commits
- commit 731fcaa

- kernel-source: Remove config-options.changes (jsc#PED-5021)
  The file doc/config-options.changes was used in the past to document
  kernel config changes. It was introduced in 2010 but haven't received
  any updates on any branch since 2015. The file is renamed by tar-up.sh
  to config-options.changes.txt and shipped in the kernel-source RPM
  package under /usr/share/doc. As its content now only contains outdated
  information, retaining it can lead to confusion for users encountering
  this file.
  Config changes are nowadays described in associated Git commit messages,
  which get automatically collected and are incorporated into changelogs
  of kernel RPM packages.
  Drop then this obsolete file, starting with its packaging logic.
  For branch maintainers: Upon merging this commit on your branch, please
  correspondingly delete the file doc/config-options.changes.
- commit adedbd2

- doc/README.SUSE: Simplify the list of references (jsc#PED-5021)
  Reduce indentation in the list of references, make the style consistent
  with README.md.
- commit 70e3c33

- regmap: fix bogus error on regcache_sync success (git-fixes).
- platform/surface: aggregator: fix recv_buf() return value
  (git-fixes).
- commit e5d6930

- doc/README.SUSE: Add how to update the config for module signing
  (jsc#PED-5021)
  Configuration files for SUSE kernels include settings to integrate with
  signing support provided by the Open Build Service. This creates
  problems if someone tries to use such a configuration file to build
  a "standalone" kernel as described in doc/README.SUSE:
  * Default configuration files available in the kernel-source repository
  unset CONFIG_MODULE_SIG_ALL to leave module signing to
  pesign-obs-integration. In case of a "standalone" build, this
  integration is not available and the modules don't get signed.
  * The kernel spec file overrides CONFIG_MODULE_SIG_KEY to
  ".kernel_signing_key.pem" which is a file populated by certificates
  provided by OBS but otherwise not available. The value ends up in
  /boot/config-$VERSION-$RELEASE-$FLAVOR and /proc/config.gz. If someone
  decides to use one of these files as their base configuration then the
  build fails with an error because the specified module signing key is
  missing.
  Add information on how to enable module signing and where to find the
  relevant upstream documentation.
- commit a699dc3

- doc/README.SUSE: Remove how to build modules using kernel-source
  (jsc#PED-5021)
  Remove the first method how to build kernel modules from the readme. It
  describes a process consisting of the kernel-source installation,
  configuring this kernel and then performing an ad-hoc module build.
  This method is not ideal as no modversion data is involved in the
  process. It results in a module with no symbol CRCs which can be wrongly
  loaded on an incompatible kernel.
  Removing the method also simplifies the readme because only two main
  methods how to build the modules are then described, either doing an
  ad-hoc build using kernel-devel, or creating a proper Kernel Module
  Package.
- commit 9285bb8

- blacklist.conf: just in case fix for a corner case
- commit a3fc582

- xhci: Clear EHB bit only at end of interrupt handler
  (git-fixes).
- commit d5adf2a

- usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
  (git-fixes).
- commit 5cdcb2d

- usb: host: xhci-plat: fix possible kernel oops while resuming
  (git-fixes).
- commit b0504f4

- NFS: More fixes for nfs_direct_write_reschedule_io()
  (bsc#1211162).
- NFS: Use the correct commit info in nfs_join_page_group()
  (bsc#1211162).
- NFS: More O_DIRECT accounting fixes for error paths
  (bsc#1211162).
- NFS: Fix O_DIRECT locking issues (bsc#1211162).
- NFS: Fix error handling for O_DIRECT write scheduling
  (bsc#1211162).
- NFS: Fix a potential data corruption (bsc#1211162).
- NFS: Fix a use after free in nfs_direct_join_group()
  (bsc#1211162).
- nfs: only issue commit in DIO codepath if we have uncommitted
  data (bsc#1211162).
- NFS: Fix a few more clear_bit() instances that need release
  semantics (bsc#1211162).
- commit e61bcf9

- xfs: make sure maxlen is still congruent with prod when rounding
  down (git-fixes).
- commit 2b9fc44

- xfs: fix units conversion error in xfs_bmap_del_extent_delay
  (git-fixes).
- commit 95e2620

- xfs: fix agf_fllast when repairing an empty AGFL (git-fixes).
- commit bfb62b0

- xfs: return EINTR when a fatal signal terminates scrub
  (git-fixes).
- commit e6f4fe7

- xfs: fix a bug in the online fsck directory leaf1 bestcount
  check (git-fixes).
- commit e328537

- xfs: fix incorrect unit conversion in scrub tracepoint
  (git-fixes).
- Refresh
  patches.suse/xfs-standardize-AG-block-number-formatting-in-ftrace-output.patch.
- Refresh
  patches.suse/xfs-standardize-AG-number-formatting-in-ftrace-output.patch.
- commit e256630

- xfs: decode scrub flags in ftrace output (git-fixes).
- commit d1fe7f7

- xfs: remove the xfs_dsb_t typedef (git-fixes).
- commit 4e9f379

- xfs: fix uninit warning in xfs_growfs_data (git-fixes).
- commit e9c4821

- xfs: convert flex-array declarations in struct xfs_attrlist*
  (git-fixes).
- commit e33e297

- xfs: remove the xfs_dinode_t typedef (git-fixes).
- commit c807e19

- xfs: convert flex-array declarations in xfs attr shortform
  objects (git-fixes).
- commit 757cbc7

- xfs: convert flex-array declarations in xfs attr leaf blocks
  (git-fixes).
- commit 1823624

- xfs: use swap() to make dabtree code cleaner (git-fixes).
- commit d160cc2

- xfs: fix silly whitespace problems with kernel libxfs
  (git-fixes).
- commit d822e52

- xfs: rename xfs_has_attr() (git-fixes).
- commit fe8702c

- xfs: Rename __xfs_attr_rmtval_remove (git-fixes).
- commit 6ea2cef

- xfs: sysfs: use default_groups in kobj_type (git-fixes).
- commit 74d9b5c

- xfs: replace snprintf in show functions with sysfs_emit
  (git-fixes).
- commit 84db35d

- xfs: simplify two-level sysctl registration for xfs_table
  (git-fixes).
- commit 0321d28

- xfs: add selinux labels to whiteout inodes (git-fixes).
- commit 8dc479c

- xfs: Use kvcalloc() instead of kvzalloc() (git-fixes).
- Refresh
  patches.suse/xfs-reject-crazy-array-sizes-being-fed-to-XFS_IOC_GE.patch.
- commit 89900e3

- xfs: clean up "%Ld/%Lu" which doesn't meet C standard
  (git-fixes).
- commit dbcc289

- xfs: aborting inodes on shutdown may need buffer lock
  (git-fixes).
- commit 8b202be

- xfs: remove the xfs_dqblk_t typedef (git-fixes).
- commit 4747a77

- xfs: dump log intent items that cannot be recovered due to
  corruption (git-fixes).
- commit 6f8c678

- xfs: sb verifier doesn't handle uncached sb buffer (git-fixes).
- commit c0c7079

- xfs: remove kmem_alloc_io() (git-fixes).
- commit 831b642

- x86/platform/uv: Use alternate source for socket to node data
  (bsc#1215696 bsc#1217790).
- commit ec7f699
avahi
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
  avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
util-linux
- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4
libxcrypt
- fix variable name for datamember in 'struct crypt_data' [bsc#1215496]
- added patches
  fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
  + libxcrypt-man-fix-variable-name.patch
mozilla-nss
- update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
    decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
    return values.

- update to NSS 3.90.1
  * bmo#1813401 - regenerate NameConstraints test certificates.
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
- Remove nss-fix-bmo1813401.patch which is now upstream.

- Add nss-fix-bmo1813401.patch to fix bsc#1214980
giflib
- Update to version 5.2.2
  * Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506
    (bsc#1198880)
  * Address SF issue #138 Documentation for obsolete utilities still
    installed
  * Address SF issue #139: Typo in "LZW image data" page
    ("110_2 = 4_10")
  * Address SF issue #140: Typo in "LZW image data" page ("LWZ")
  * Address SF issue #141: Typo in "Bits and bytes" page ("filed")
  * Note as already fixed SF issue #143: cannot compile under mingw
  * Address SF issue #144: giflib-5.2.1 cannot be build on windows
    and other platforms using c89
  * Address SF issue #145: Remove manual pages installation for
    binaries that are not installed too
  * Address SF issue #146: [PATCH] Limit installed man pages to
    binaries, move giflib to section 7
  * Address SF issue #147 [PATCH] Fixes to doc/whatsinagif/ content
  * Address SF issue #148: heap Out of Bound Read in gif2rgb.c:298
    DumpScreen2RGB
  * Declared no-info on SF issue #150: There is a denial of service
    vulnerability in GIFLIB 5.2.1
  * Declared Won't-fix on SF issue 149: Out of source builds no
    longer possible
  * Address SF issue #151: A heap-buffer-overflow in gif2rgb.c:294:45
  * Address SF issue #152: Fix some typos on the html documentation
    and man pages
  * Address SF issue #153: Fix segmentation faults due to non
    correct checking for args
  * Address SF issue #154: Recover the giffilter manual page
  * Address SF issue #155: Add gifsponge docs
  * Address SF issue #157: An OutofMemory-Exception or Memory Leak
    in gif2rgb
  * Address SF issue #158: There is a null pointer problem in
    gif2rgb
  * Address SF issue #159 A heap-buffer-overflow in GIFLIB5.2.1
    DumpScreen2RGB() in gif2rgb.c:298:45
  * Address SF issue #163: detected memory leaks in
    openbsd_reallocarray giflib/openbsd-reallocarray.c
  * Address SF issue #164: detected memory leaks in GifMakeMapObject
    giflib/gifalloc.c
  * Address SF issue #166: a read zero page leads segment fault in
    getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
  * Address SF issue #167: Heap-Buffer Overflow during Image Saving
    in DumpScreen2RGB Function at Line 321 of gif2rgb.c
- Added patch:
  * giflib-5.2.2-no-imagemagick.patch
    + do not use ImageMagick to resize one gif file. It creates a
    build cycle.
  * 0001-Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
    + upstream fix for CVE-2021-40633 (bsc#1200551)
- Modified patches:
  * PIE.patch
  * reproducible.patch
    + rediff to changed context

- Define make_build for distributions which do not define them in
  system macros

- add reproducible.patch to avoid timestamp patching in the build
  section and allowing it to build with -Werror=date-time
gnutls
- Security fix: [bsc#1218862, CVE-2024-0567]
  * gnutls: rejects certificate chain with distributed trust
  * Cockpit (which uses gnuTLS) rejects certificate chain with
    distributed trust.
  * Add gnutls-CVE-2024-0567.patch

- Security fix: [bsc#1218865, CVE-2024-0553]
  * Incomplete fix for CVE-2023-5981.
  * The response times to malformed ciphertexts in RSA-PSK
    ClientKeyExchange differ from response times of ciphertexts
    with correct PKCS#1 v1.5 padding.
  * Add gnutls-CVE-2024-0553.patch

- Security fix: [bsc#1217277, CVE-2023-5981]
  * Fix timing side-channel inside RSA-PSK key exchange.
  * auth/rsa_psk: side-step potential side-channel
  * Add curl-CVE-2023-5981.patch
ncurses
- Add patch bsc1218014-cve-2023-50495.patch
  * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()

- Add patch boo1201384.patch
  * Do not fully reset serial lines
nftables
- port python-single-spec logic from Factory package to allow shipment of
  python311 modules as well (bsc#1219253).
polkit
- Change permissions for rules folders (bsc#1209282)
postgresql16
- Upgrade to 16.2:
  * bsc#1219679, CVE-2024-0985: Tighten security restrictions
    within REFRESH MATERIALIZED VIEW CONCURRENTLY.
    One step of a concurrent refresh command was run under weak
    security restrictions. If a materialized view's owner could
    persuade a superuser or other high-privileged user to perform a
    concurrent refresh on that view, the view's owner could control
    code executed with the privileges of the user running REFRESH.
    Fix things so that all user-determined code is run as the
    view's owner, as expected
  * If you use GIN indexes, you may need to reindex after updating
    to this release.
  * LLVM 18 is now supported.
  * https://www.postgresql.org/docs/release/16.2/
procps
- Submit latest procps 3.3.17 to SLE-15 tree for jira#PED-3244
  and jira#PED-6369
- The patches now upstream had been dropped meanwhile
  * procps-vmstat-1b9ea611.patch (bsc#1185417)
  - For support up to 2048 CPU as well
  * bsc1209122-a6c0795d.patch (bnc#1209122)
  - allow `-ยด as leading character to ignore possible errors
    on systctl entries
  * patch procps-ng-3.3.9-bsc1121753-Cpus.patch (bsc#1121753)
  - was a backport of an upstream fix to get the first CPU
    summary correct
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
  the pwait tool and its manual page will be build

- Modify patches
  * procps-ng-3.3.9-w-notruncate.diff
  * procps-ng-3.3.17-logind.patch
  to real to not truncate output of w with option -n

- procps-ng-3.3.17-logind.patch: Backport from 4.x git, prefer
  logind over utmp (jsc#PED-3144)
python3
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
sg3_utils
- Make sure initrd is rebuilt when sg3_utils is updated
  (bsc#1215772)

- Update to version 1.47+15.b6898b8:
  * rescan-scsi-bus.sh: remove /tmp/rescan-scsi-mpath-info.txt
  (gh#doug-gilbert/sg3_utils#44)
  * rescan_scsi_bus.sh: fix multipath issue when called with -s and
  without -u (bsc#1215720, bsc#1216355)
net-snmp
- Update to net-snmp-5.9.4 (bsc#1214364).
  add (rename):
  * net-snmp-5.9.4-add-lustre-fs-support.patch
  * net-snmp-5.9.4-add-netgroups-functionality.patch
  * net-snmp-5.9.4-fix-create-v3-user-outfile.patch
  * net-snmp-5.9.4-fixed-python2-bindings.patch
  * net-snmp-5.9.4-fix-Makefile.PL.patch
  * net-snmp-5.9.4-modern-rpm-api.patch
  * net-snmp-5.9.4-net-snmp-config-headercheck.patch
  * net-snmp-5.9.4-perl-tk-warning.patch
  * net-snmp-5.9.4-pie.patch
  * net-snmp-5.9.4-snmpstatus-suppress-output.patch
  * net-snmp-5.9.4-socket-path.patch
  * net-snmp-5.9.4-subagent-set-response.patch
  * net-snmp-5.9.4-suse-systemd-service-files.patch
  * net-snmp-5.9.4-testing-empty-arptable.patch
  delete (now part of v5.9.4):
  * net-snmp-5.9.3-disallow_SET_requests_with_NULL_varbind.patch
  delete (rename):
  * net-snmp-5.9.1-add-lustre-fs-support.patch
  * net-snmp-5.9.1-fix-Makefile.PL.patch
  * net-snmp-5.9.1-modern-rpm-api.patch
  * net-snmp-5.9.1-net-snmp-config-headercheck.patch
  * net-snmp-5.9.1-perl-tk-warning.patch
  * net-snmp-5.9.1-snmpstatus-suppress-output.patch
  * net-snmp-5.9.1-socket-path.patch
  * net-snmp-5.9.1-subagent-set-response.patch
  * net-snmp-5.9.1-suse-systemd-service-files.patch
  * net-snmp-5.9.1-testing-empty-arptable.patch
  * net-snmp-5.9.1-velocity-mib.patch
  * net-snmp-5.9.3-fix-create-v3-user-outfile.patch
  * net-snmp-5.9.3-pie.patch
  * net-snmp-5.9.3-fixed-python2-bindings.patch
- Removing legacy MIBs used by Velocity Software (jira#PED-6416).
- Re-add support for hostname netgroups that was removed accidentally and
  previously added with FATE#316305 (bsc#1207697).
  '@hostgroup' can be specified for multiple hosts
- Hardening systemd services setting "ProtectHome=true" caused home directory
  size and allocation to be listed incorrectly (bsc#1206044).
  add (rename):
  * net-snmp-5.9.4-harden_snmpd.service.patch
  * net-snmp-5.9.4-harden_snmptrapd.service.patch
  delete (rename):
  * net-snmp-5.9.3-harden_snmpd.service.patch
  * net-snmp-5.9.3-harden_snmptrapd.service.patch
libsolv
- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28

- add zstd support for the installcheck tool
- add putinowndirpool cache to make file list handling in
  repo_write much faster
- bump version to 0.7.27

- fix evr roundtrip in testcases
- do not use deprecated headerUnload with newer rpm versions
- bump version to 0.7.26

- support complex deps in SOLVABLE_PREREQ_IGNOREINST
- fix minimization not prefering installed packages in some cases
- reduce memory usage in repo_updateinfoxml
- fix lock-step interfering with architecture selection
- fix choice rule handing for package downgrades
- fix complex dependencies with an "else" part sometimes leading
  to unsolved dependencies
- bump version to 0.7.25
libssh
- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)
  * Added libssh-fix-ipv6-hostname-regression.patch

- Update to version 0.9.8
  * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
  * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
  * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
  * Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
  * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
    guessing (bsc#1211188)
  * Fix CVE-2023-2283: a possible authorization bypass in
    pki_verify_data_signature under low-memory conditions (bsc#1211190)
  * Fix several memory leaks in GSSAPI handling code
suseconnect-ng
- Update to version 1.7.0~git0.5338270
  * Allow SUSEConnect on read write transactional systems (bsc#1219425)

- Update to version 1.6.0
  * Disable EULA display for addons (bsc#1218649 and bsc#1217961)

- Update to version 1.5.0
  * Configure docker credentials for registry authentication
  * Feature: Support usage from Agama + Cockpit for ALP Micro system registration (bsc#1218364)
  * Add --json output option
systemd
- Import commit 2cb4d40f1c6a388706af8a83d5344fc0de3c6f4d (merge of v249.17)
  c8578cef7f resolved: actually check authenticated flag of SOA transaction

- Import commit 86f0670d3a01c1a2d4df17f1c68d03f1586195e3
  ba7f1df7a5 vconsole-setup: simplify error handling
  94f4eaea77 Introduce RET_GATHER and use it in src/shared/
  e02406fcc1 mount: replace UNIT_DEPENDENCY_MOUNTINFO_OR_FILE with UNIT_DEPENDENCY_MOUNTINFO/UNIT_DEPENDENCY_MOUNT_FILE
  0b8db54511 mount: drop UNIT_DEPENDENCY_MOUNTINFO_IMPLICIT and UNIT_DEPENDENCY_MOUNTINFO_DEFAULT
  98ba536bd1 mount: always use UNIT_DEPENDENCY_FILE in mount_add_quota_dependencies()
  73c7b2bb48 core/mount: make device deps from /proc/self/mountinfo and .mount unit file exclusive
  ba585a28d7 core: Add trace logging to mount_add_device_dependencies()
  36e0a4f80f core/mount: also remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
  bc107c86c3 core/mount: set Mount.from_proc_self_mountinfo flag before adding default dependencies
  ce4907c7c3 core: wrap some long comment

- Import commit e677079182c975ecdad88a76f657fecb4de523d9
  7692c5bda8 utmp-wtmp: handle EINTR gracefully when waiting to write to tty
  29c3eb4681 utmp-wtmp: fix error in case isatty() fails
  98970eb90b homed: handle EINTR gracefully when waiting for device node
  0305809edd resolved: handle -EINTR returned from fd_wait_for_event() better
  40db4d6abe sd-netlink: handle EINTR from poll() gracefully, as success
  5e681711c6 varlink: also handle EINTR gracefully when waiting for EIO via ppoll()
  6bbd70f092 stdio-bridge: don't be bothered with EINTR
  f978feb591 sd-bus: handle -EINTR return from bus_poll() (bsc#1215241)
  746962ff40 core: replace slice dependencies as they get added (bsc#1214668)

- systemd.spec: add missing `%tmpfiles_create systemd-resolve.conf`

- Rename 0001-restore-var-run-and-var-lock-bind-mount-if-they-aren.patch into
  1013-strip-the-domain-part-from-etc-hostname-when-setting.patch
- Rename 0003-strip-the-domain-part-from-etc-hostname-when-setting.patch into
  1014-udev-create-default-symlinks-for-primary-cd_dvd-driv.patch
- Rename 0005-udev-create-default-symlinks-for-primary-cd_dvd-driv.patch into
  1015-networkd-make-network.service-an-alias-of-systemd-ne.patch
- Rename 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch into
  1016-core-disable-session-keyring-per-system-sevice-entir.patch
- Rename 0011-core-disable-session-keyring-per-system-sevice-entir.patch into
  1017-restore-var-run-and-var-lock-bind-mount-if-they-aren.patch
  Hence these patch files can be easily identified as SLE specific ones.
libtcnative-1-0
- Version update to version 1.2.38:
  * Align default pass phrase prompt with HTTPd.
  * #66669: Fix memory leak in SNI processing.
  * Update the recommended minimum version of OpenSSL to 1.1.1v.
  * Update the recommended minimum version of APR to 1.7.4.
  * Document the TLS rengotiation behaviour.
  * Add HOWTO-RELEASE.txt that describes the release process.
  * Refactor library initialization so it is compatible with Tomcat
    10.1.x onwards where a number of Java classes have been removed.
  * Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to
    allow clients to determine if the FIPS provider is being used
    when Tomcat Native is compiled against OpenSSL 3.x.
  * #66035: Fix crash when attempting to read TLS session ID after
    a handshake failure.
  * Enable download_deps.sh to be called from any directory.
  * Fix release script so it works with the current git layout.
  * #65441: Correct previous fix that enabled building to continue
    with OpenSSL 3.x.
  * #65659: Remove remaining reference to pkg-config which is no
    longer included in the Tomcat Native distribution.
  * #65181: Additional changes required to provided support for
    using OpenSSL Engines that use proprietary key formats.
  * #65329: Correct handling of WINVER in make file to use correct
    constant for Windows 7. Add constants for Windows 8, Windows 8.1
    and Windows 10. Rename WINNT to WIN2k as it is used for Windows
    2000 upwards, not Windows NT upwards.
  * Add a patch for APR that fixes an issue where some Windows
    systems in some configurations would only listen on IPv6
    addresses on dual stack systems even though configured to listen
    on both IPv6 and IPv4 addresses.
  * Correct a regression in the fix for 65181 that prevented an
    error message from being displayed if an invalid key file was
    provided and no OpenSSL Engine was configured.
  * #65181: Improve support for using OpenSSL Engines that use
    proprietary key formats.
  * Enable building to continue against OpenSSL 3.x and 1.1.1.
  * Incomplete name mangling fix for C++ compilers in tcn_api.h.
  * Improve OS-specific header include for native thread id.
  * Disable keylog callback support for LibreSSL.
  * Add support for SSLContext.addChainCertificateRaw() with
    LibreSSL 2.9.1 and up.
  * Add support for HP-UX's _lwp_self() in our ssl_thread_id(void).
  * Remove default option passed for rpath to linker on HP-UX.
  * Add an option to allow the OCSP responder check to be bypassed.
    Note that if OCSP is enabled, a missing responder is now treated
    as an error.
  * #64429: Fix compilation with LibreSSL.
  * #63671: libtcnative does not compile with OpenSSL < 1.1.0 and
    APR w/o threading support.
  * Correct configure message for OpenSSL libdir.
  * #64260: Clean up install target.
  * #64315: configure output for OpenSSL wrong/incomplete sometimes.
  * Drop obsolete build time workarounds for HP-UX.
  * Add support for FreeBSD's pthread_getthreadid_np() in our
    ssl_thread_id(void).
  * #64316: Introduce tcn_get_thread_id(void) to reduce code
    duplication.
  * Fix linking against OpenSSL in non-standard locations on FreeBSD.
- Removed patch:
  * libtcnative-1-0-bsc1199170.patch
    + fix integrated
libxml2
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
  * Added libxml2-CVE-2024-25062.patch
libzypp
- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
  output.
- version 17.31.31 (22)

- applydeltaprm: Create target directory if it does not exist
  (bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
  bsc#1215698)
- version 17.31.30 (22)

- CheckAccessDeleted: fix running_in_container detection
  (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
  (bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
  (openSUSE/zypper#522)
  This patch adds a mechanism to signal libzypp that a shutdown was
  requested, usually when CTRL+C was pressed by the user. Currently
  only the media backend will utilize this, but can be extended to
  all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
  Using curl_easy_perform does not give us the required control on
  when we want to cancel a download. Switching to the MultiCurl
  implementation with a external poll() event loop will give us
  much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)

- Fix to build with libxml 2.12.x (fixes #505)
- version 17.31.28 (22)

- CheckAccessDeleted: fix 'running in container' filter
  (bsc#1218291)
- version 17.31.27 (22)

- Call zypp commit plugins during transactional update (fixes #506)
- Add support for loongarch64 (fixes #504)
- Teach MediaMultiCurl to download HTTP Multibyte ranges.
- Teach zsync downloads to MultiCurl.
- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
  Convenient and helps documentation as it may refer to a single
  command for a bunch of distributions. Like e.g. "zypper ar
  'https://server.my/$releasever/my.repo'".
- version 17.31.26 (22)

- Fix build issue with zchunk build flags (fixes #500)
- version 17.31.25 (22)

- Open rpmdb just once during execution of %posttrans scripts
  (bsc#1216412)
- Avoid using select() since it does not support fd numbers >
  1024 (fixes #447)
- tools/DownloadFiles: use standard zypp progress bar (fixes #489)
- Revert "Color download progress bar" (fixes #475)
  Cyan is already used for the output of RPM scriptlets. Avoid this
  colorific collision between download progress bar and scriptlet
  output.
- Fix ProgressBar's calculation of the printed tag position (fixes #494)
- Switch zypp::Digest to Openssl 3.0 Provider API (fixes #144)
- Fix usage of deprecated CURL features (fixes #486)
- version 17.31.24 (22)

- Stop using boost version 1 timer library (fixes #489,
  bsc#1215294)
- version 17.31.23 (22)
netcfg
- Add krb-prop entry, fix for bsc#1211886.
objectweb-asm
- Upgrade to version 9.6
  * new Opcodes.V22 constant for Java 22
  * bug fixes
    + 317991: Analyzer produces frames that have different locals
    than those detected by JRE bytecode verifier
    + 317995: Invalid stackmap generated when the instruction
    stream has new instruction after invokespecial to <init>
    + 317998: Analyzer can fail to catch thrown exceptions
    + 318002: asm-analysis Frame allocates an array unnecessarily
    inside executeInvokeInsn
    + bug in CheckFrameAnalyzer with static methods

- Upgrade to version 9.5
  * new Opcodes.V21 constant for Java 21
  * new readBytecodeInstructionOffset hook in ClassReader
  * more detailed exception messages
  * Javadoc improvements and fixes
  * bug fixes
    + 317989: Silent removal of zero-valued entries from the
    line-number table

- Upgrade to version 9.4
  * new Opcodes.V20 constant for Java 20
  * more checks in CheckClassAdapter
  * Javadoc improvements and fixes
  * module-info classes can be built without Gradle and Bnd
  * parent POM updated to org.ow2:ow2:1.5.1
  * bug fixes
    + 317977: CheckClassAdapter is no longer transparent for MAXLOCALS
    + 317981: Add public getDelegate method to all visitor classes
    + Analyzer does not compute optimal maxLocals for static methods
    + Fix SignatureWriter when a generic type has a depth over 30
    + Skip remap inner class name if not changed in Remapper
openssh
- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
  This limits the use of shell metacharacters in host- and
  user names.

- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
  This mitigates a prefix truncation attack that could be used to
  undermine channel security.

- Enhanced SELinux functionality. Added
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrival of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon
  needs to act on behalf of a user and needs a proper context for this
pam
- Add missing O_DIRECTORY flag in `protect_dir()` for pam_namespace module.
  [bsc#1218475, pam-bsc1218475-pam_namespace-O_DIRECTORY-flag.patch]

- pam_lastlog: check localtime_r() return value (bsc#1217000)
  * Added: pam-bsc1217000-pam_lastlog-check-localtime_r-return-value.patch
patterns-suse-manager
- Add liberate-formula to the required packages for the server
  to get it installed by default
postfix
- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack
  (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide
  Apply patch containing the feature smtpd_forbid_unauth_pipelining
  as default yes.
  add patch:
    postfix-3.7-patch06
- Security: the Postfix SMTP server optionally disconnects remote
  SMTP clients that violate RFC 2920 (or 5321) command pipelining
  constraints. The server replies with "554 5.5.0 Error: SMTP protocol
  synchronization" and logs the unexpected remote SMTP client input.
  Specify "smtpd_forbid_unauth_pipelining = yes" to enable.
- Workaround to limit collateral damage from OS distributions that
  crank up security to 11, increasing the number of plaintext email
  deliveries. This introduces basic OpenSSL configuration file support,
  with two new parameters "tls_config_file" and "tls_config_name".
  Details are in the postconf(5) manpage under "tls_config_file" and
  "tls_config_name".
postgresql
- bsc#1219340: Require fillup.
postgresql-jdbc
- fix postgresql vulnerable to SQL Injection via line comment
  generation CVE-2024-1597 (bsc#1220644)
  Added: CVE-2024-1597.patch
- change patching commands:
  Modified: fix-createTempFile-vulnerability-CVE-2022-41946.patch
postgresql14
- Upgrade to 14.11:
  * bsc#1219679, CVE-2024-0985: Tighten security restrictions
    within REFRESH MATERIALIZED VIEW CONCURRENTLY.
    One step of a concurrent refresh command was run under weak
    security restrictions. If a materialized view's owner could
    persuade a superuser or other high-privileged user to perform a
    concurrent refresh on that view, the view's owner could control
    code executed with the privileges of the user running REFRESH.
    Fix things so that all user-determined code is run as the
    view's owner, as expected
  * If you use GIN indexes, you may need to reindex after updating
    to this release.
  * LLVM 18 is now supported.
  * https://www.postgresql.org/docs/release/14.11/
python-instance-billing-flavor-check
- Version 0.0.6 (bsc#1218561)
  Support proxy setup on the client to access the update infrastructure
  API

- Version 0.0.5
  Add IPv6 support (bsc#1218739)
python3-M2Crypto
- Disable broken tests with openssl 3.2, bsc#1217782

- add timeout_300hz.patch to accept a small deviation from time
  in the testsuite (bsc#1212757)

- Adapt tests for OpenSSL v3.1.0
  * Add openssl-adapt-tests-for-3.1.0.patch

- add openssl-stop-parsing-header.patch (bsc#1205042)
- add m2crypto-0.38-ossl3-tests.patch
python-chardet
- Fix update-alternative in %postun, bsc#1218765
python3-cryptography
- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
  segfault could occur when loading certificates from a PKCS#7 bundle.
  bsc#1217592
salt
- Prevent directory traversal when creating syndic cache directory
  on the master (CVE-2024-22231, bsc#1219430)
- Prevent directory traversal attacks in the master's serve_file
  method (CVE-2024-22232, bsc#1219431)
- Added:
  * fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch

- Ensure that pillar refresh loads beacons from pillar without restart
- Fix the aptpkg.py unit test failure
- Prefer unittest.mock to python-mock in test suite
- Enable "KeepAlive" probes for Salt SSH executions (bsc#1211649)
- Revert changes to set Salt configured user early in the stack (bsc#1216284)
- Align behavior of some modules when using salt-call via symlink (bsc#1215963)
- Fix gitfs "__env__" and improve cache cleaning (bsc#1193948)
- Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed
- Added:
  * fix-the-aptpkg.py-unit-test-failure.patch
  * enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch
  * prefer-unittest.mock-for-python-versions-that-are-su.patch
  * update-__pillar__-during-pillar_refresh.patch
  * revert-make-sure-configured-user-is-properly-set-by-.patch
  * fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch
  * dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch
spacewalk-certs-tools
- version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)

- version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)

- version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588)
spacewalk-client-tools
- version 4.3.18-1
  * Update translation strings
release-notes-susemanager
- Update to SUSE Manager 4.3.11
  * Migrate from RHEL and its clones to SUSE Liberty Linux
  * Reboot required indication for non-SUSE distributions
  * SSH key rotation for enhanced security
  * Configure remote command execution
  * End of Debian 10 support
  * CVEs fixed:
    CVE-2023-32189, CVE-2024-22231, CVE-2024-22232
  * Bugs mentioned:
    bsc#1170848, bsc#1210911, bsc#1211254, bsc#1211560, bsc#1211912
    bsc#1213079, bsc#1213507, bsc#1213738, bsc#1213981, bsc#1214077
    bsc#1214791, bsc#1215166, bsc#1215514, bsc#1215769, bsc#1215810
    bsc#1215813, bsc#1215982, bsc#1216114, bsc#1216394, bsc#1216437
    bsc#1216550, bsc#1216657, bsc#1216753, bsc#1216781, bsc#1216988
    bsc#1217069, bsc#1217209, bsc#1217588, bsc#1217784, bsc#1217869
    bsc#1218019, bsc#1218074, bsc#1218075, bsc#1218089, bsc#1218094
    bsc#1218490, bsc#1218615, bsc#1218669, bsc#1218849, bsc#1219577
    bsc#1219850, bsc#1218146
rpm
- backport lua support for rpm.execute to ease migrating [bnc#1216752]
  * new patch: luaexecute.diff
rsyslog
- suppress installation errors when systemd is not running
  (bsc#1218799)

- restart daemon after modules packages have been updated
  (bsc#1217292)
runc
- Update to runc v1.1.12. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
    more details, see the upstream security advisory:
    <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  * Remove upstreamed patches:
  - CVE-2024-21626.patch
  * Update runc.keyring to match upstream changes.

[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
  <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  + CVE-2024-21626.patch

- Update to runc v1.1.11. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
samba
- Add "net offlinejoin composeodj" command; (bsc#1214076);
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
spacecmd
- version 4.3.26-1
  * Update translation strings
spacewalk-backend
- version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contains files with
    size greater than 4GB (bsc#1219151)

- version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings
spacewalk-web
- version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11
spacewalk-java
- version 4.3.71-1
  * Generate server SSH key also when bootstrapping regular Minions (bsc#1219449)

- version 4.3.70-1
  * Fix the use of page size preference in systems and packages lists (bsc#1217209)
  * Fix issue with disabling token check not working (bsc#1218669)
  * Enforce snakeyaml version requirement (bsc#1215166)
  * Improve the performance of paginated queries when syncing the
    reporting database (bsc#1211912, bsc#1213079)
  * Do not require entitlement for PAYG SLES for SAP (bsc#1217069)
  * Use the base product file to show the correct SUSE Manager
    product in the subscription matching results page
  * Do not require entitlements if SUSE Manager is PAYG
  * Exclude SUSE Manager from subscription matching if it's PAYG
  * Refactor Credentials to a proper class hierarchy
  * Fix unit test about duplicated packages
  * Prevent installation of packages with same name
    in a single action (bsc#1214791)
  * When canceling an action which has prerequisites, return hints to
    get the first action id which can be canceled (bsc#1216988)
  * Fix exception when removing a Debian package (bsc#1216781)
  * Fix XSS in taskomatic XML RPC handler (bsc#1210911)
  * Improve logging for Product Migration (bsc#1218490)
  * Add only 1 IP for Cloud RMT Host in /etc/hosts
  * Change org for orphan vendor packages that an admin can delete (bsc#1216781)
  * Expose the monitoring data for the Salt queue handling the Salt results
  * Provide total number of CPUs for SLE Micro systems to subscription matcher
    when it is not used as hypervisor to match vCore subscriptions correctly
    (bsc#1218074)
  * Try to download compressed Ubuntu USN database
  * Add user information to system organization transfer message (bsc#1216753)
  * Fix issue with Salt ssh keys for Salt ssh minions CVE-2023-32189 (bsc#1170848)
  * Add notification in daily email in addition to in SUSE Manager home page when
    SUSE Manager PAYG is not compliant
  * Fix apidoc link from #top to $call.name (bsc#1213507)
  * Add config option to disable remote commands from web UI (bsc#1217869)
  * Address high rating Sonar issues
  * Refactor SCC registration flow
  * Avoid blocking Taskomatic thread when waiting for queued action (bsc#1211560)
  * Fix modify kickstart profile when using "Always newest tree" option (bsc#1215813)
  * Configure reboot method for SLE Micro when applying bootstrap state (bsc#1213981)
  * Handle not existing known_host file in permission check
  * Fix handling of proxy ssh public keys
  * Include reboot required indication for non-Suse distros
spacewalk-setup
- version 4.3.19-1
  * Update query to the new credentials structure
  * Fix setting SCC password during setup
spacewalk-utils
- version 4.3.19-1
  * Add SLE Micro 5.4 and 5.5 to spacewalk-commons-channels
subscription-matcher
- Version 0.35
  * Added missing part number

- Version 0.34
  * Enabled support for LTSS subscriptions (bsc#1218075)
  * Added SLE Micro vCore handling (bsc#1218074)
  * Added new SKUs and new bundles
supportutils-plugin-suse-public-cloud
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
  + Remove duplicate data collection for the plugin itself
  + Collect archive metering data when available
  + Query billing flavor status
supportutils-plugin-susemanager
- version 4.3.10-1
  * Update query to the new credentials structure
supportutils
- Additional changes in version 3.1.28
  + ipset - List entries for all sets
  + ipvsadm - Inspect the virtual server table (pr#185)
  + Correctly detects Xen Dom0 (bsc#1218201)
  + Fixed smart disk error (bsc#1218282)

- Changes in version 3.1.28
  + Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250)
  + powerpc: collect rtas_errd.log and lp_diag.log files (pr#175)
  + Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2)
  + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
  + Added missing klp information to kernel-livepatch.txt (bsc#1216390)
  + Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
  + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
  + Optimize lsof usage (bsc#1183663)
  + Added mokutil commands for secureboot (pr#179)
  + Collects chrony or ntp as needed (bsc#1196293)

- Changes in version 3.1.27
  + Fixed podman display issue (bsc#1217287)
  + Added nvme-stas configuration to nvme.txt (bsc#1216049)
  + Added timed command to fs-files.txt (bsc#1216827)
  + Collects zypp history file issue#166 (bsc#1216522)
  + Changed -x OPTION to really be exclude only (issue#146)
  + Collect HA related rpm package versions in ha.txt (pr#169)
suse-build-key
- Switch container key to be default RSA 4096bit. (jsc#PED-2777)

- run rpm commands in import script only when libzypp is not
  active. bsc#1219189 bsc#1219123

- run import script also in %posttrans section, but only when
  libzypp is not active. bsc#1219189 bsc#1219123
suse-module-tools
- Update to version 15.4.19:
  * rpm-script: add symlink /boot/.vmlinuz.hmac (bsc#1217775)
susemanager-build-keys
- Version 15.4.10
  * Add new Almalinux 8 GPG Key (bsc#1218849)
- Added:
  * RPM-GPG-KEY-AlmaLinux-8

- Refresh extended Uyuni GPG public key
  * Modified: gpg-pubkey-0d20833e.asc
susemanager-docs_en
- Removed obsolete traditional to Salt migration documentation from
  the System Types section of the Client Configuration Guide and
  updated the Migrate traditional clients to Salt clients section
- Fixed navigation bar of Client Configuration Guide (bsc#1218089)
- Added openSUSE Leap to Supported Features navigation list in Client
  Configuration Guide (bsc#1218094)
- Described new monitoring metrics for Salt queue in Administration
  Guide
- Fixed xrefs for internal book references
- Removed mentioning that CVE number for CVE auditing is optional
  (bsc#1218019)
- Corrected channel names for CentOS 7 Updates and Extras in CentOS
  Client Configuration Guide
- Documented bootstrap settings for SUSE Linux Enterprise Micro in
  Client Configuration Guide (bsc#1216394)
- Corrected command mgr-push to mgrpush in Administration Guide
  (bsc#1215810)
- Updated Red Hat OVAL data URL and file in CentOS Clients Registration
  in Client Configution Guide
- Added Pay-as-you-go for Azure documentation to the Specialized Guides
  book
- Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
- Removed Ubuntu 18.04 from the list of supported clients
- Fixed file location in Custom Salt Formulas section of Salt Guide
- Documented using Virtualization Host formula in Client Configuration
  Guide
susemanager-schema
- version 4.3.24-1
  * Refactor susecredentials to support the new hierarchy
  * Improve performance of System (bsc#1211254)
  * Change schedule of system-profile-refresh to run on the 2nd Saturday
    of a month to not collide with normal working times (bsc#1215769)

- version 4.3.23-1
  * Revert adding unique index for rhnpackagechangelogdata table
    (bsc#1218027)
susemanager-sls
- version 4.3.40-1
  * Remove automatic reboot from transactional systems bootstrap (bsc#1218146)

- version 4.3.39-1
  * Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file
    (bsc#1219577)

- version 4.3.38-1
  * Improve PAYG instance detection (bsc#1217784)
  * Fix issue with Salt ssh keys for Salt ssh minions CVE-2023-32189 (bsc#1170848)
  * Configure reboot method for SLE Micro when applying bootstrap state (bsc#1213981)
  * Include reboot required indication for non-Suse distros
susemanager-sync-data
- version 4.3.16-1
  * Fix OES 23.4 internal name (bsc#1218837)

- version 4.3.15-1
  * Update release status and repository description of OES 23.4 (bsc#1215514)
  * Add new SUSE Liberty Linux 7 LTSS channel families
  * Rename RHEL and Liberty 8 Base product to remove EOL CentOS 8 from the name
susemanager
- version 4.3.34-1
  * Rename OES label to OES23.4 (bsc#1215514)
  * Verify in Yast FQDN with name returned via DNS reverse lookup
  * Fix issue with Salt ssh keys for Salt ssh minions CVE-2023-32189 (bsc#1170848)
tar
- Fix CVE-2023-39804, Incorrectly handled extension attributes in
  PAX archives can lead to a crash, bsc#1217969
  * fix-CVE-2023-39804.patch
tomcat
- Fixed CVEs:
  * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)

- Update to Tomcat 9.0.85
  * Fixed CVEs:
    + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
    incorrect headers parsing (bsc#1217649)
  * Catalina
    + Update:  68378: Align extension to MIME type mappings in the
    global web.xml with those in httpd by adding
    application/vnd.geogebra.slides for ggs, text/javascript for mjs
    and audio/ogg for opus. (markt)
    + Fix:  Background processes should not be run concurrently with
    lifecycle operations of a container. (remm)
    + Fix:  Correct unintended escaping of XML in some WebDAV
    responses. The XML list of support locks when provided in
    response to a PROPFIND request was incorrectly XML escaped.
    (markt)
    + Fix:  68227: Ensure that AsyncListener.onComplete() is called
    if AsyncListener.onError() calls AsyncContext.dispatch().
    (markt)
    + Fix:  68228: Use a 408 status code if a read timeout occurs
    during HTTP request processing. Includes a test case based on
    code provided by adwsingh. (markt)
    + Fix:  67667: TLSCertificateReloadListener prints unreadable
    rendering of X509Certificate#getNotAfter(). (michaelo)
    + Update:  The status servlet included in the manager webapp
    can now output statistics as JSON, using the JSON=true URL
    parameter. (remm)
    + Update:  Optionally allow ServiceBindingPropertySource to
    trim a trailing newline from a file containing a
    property-value. (schultz)
    + Fix:  67793: Ensure the original session timeout is restored
    after FORM authentication if the user refreshes a page during
    the FORM authentication process. Based on a suggestion by
    Mircea Butmalai. (markt)
    + Update:  67926: PEMFile prints unidentifiable string
    representation of ASN.1 OIDs. (michaelo)
    + Fix:  66875: Ensure that setting the request attribute
    jakarta.servlet.error.exception is not sufficient to trigger
    error handling for the current request and response. (markt)
    + Fix:  68054: Avoid some file canonicalization calls
    introduced by the fix for 65433. (remm)
    + Fix:  68089: Improve performance of request attribute access
    for ApplicationHttpRequest and ApplicationRequest. (markt)
    + Fix:  Use a 400 status code to report an error due to a bad
    request (e.g. an invalid trailer header) rather than a 500
    status code. (markt)
    + Fix:  Ensure that an IOException during the reading of the
    request triggers always error handling, regardless of whether
    the application swallows the exception. (markt)
  * Coyote
    + Fix:  Refactor the VirtualThreadExecutor so that it can be
    used by the NIO2 connector which was using platform threads
    even when configured to use virtual threads. (markt)
    + Fix:  Correct a regression in the fix for 67675 that broke
    TLS key file parsing for PKCS#8 format keys that do not specify
    an explicit pseudo-random function and rely on the default.
    This typically affects keys generated by OpenSSL 1.0.2.
    (markt)
    + Fix:  Allow multiple operations with the same name on
    introspected mbeans, fixing a regression caused by the
    introduction of a second addSslHostConfig method. (remm)
    + Fix:  Relax the check that the HTTP Host header is consistent
    with the host used in the request line, if any, to make the
    check case insensitive since host names are case insensitive.
    (markt)
    + Add:  68348: Add support for the partitioned attribute for
    cookies. (markt)
    + Add:  66670: Add SSLHostConfig#certificateKeyPasswordFile and
    SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
    + Add:  When calling
    SSLHostConfigCertificate.setCertificateKeystore(ks),
    automatically call setCertificateKeystoreType(ks.getType()).
    (markt)
    + Fix:  67628: Clarify how the ciphers attribute of the
    SSLHostConfig is used. (markt)
    + Fix:  67666: Ensure TLS connectors using PEM files either
    work with the TLSCertificateReloadListener or, in the rare case
    that they do not, log a warning on Connector start. (markt)
    + Fix:  67675: Support a wider range of KDF and ciphers for PEM
    files than the combinations supported by the JVM by default.
    Specifically, support the OpenSSL default of HmacSHA256 and
    DES-EDE3-CBC. (markt)
    + Fix:  67927: Reloading TLS configuration can cause the
    Connector to refuse new connections or the JVM to crash.
    (markt)
    + Fix:  67934: If both Tomcat Native 1.2.x and 2.0.x are
    available, prefer 1.2.x since it supports the APR/Native
    connector whereas 2.0.x does not. (markt)
    + Fix:  67938: Correct handling of large TLS client hello
    messages that were causing the TLS handshake to fail. (markt)
    + Fix:  68026: Convert selected MessageByte values to String
    when first accessed to speed up subsequent accesses and reduce
    garbage collection. (markt)
  * Jasper
    + Code:  68119: Refactor the CompositeELResolver to improve
    performance during type conversion operations. (markt)
    + Fix:  68068: Performance improvement for EL. Based on a
    suggestion by John Engebretson. (markt)
  * Web Applications
    + Fix:  68035: Additional fix to the Manager application to
    enable the deployment of a web application located in a Host's
    appBase where the web application is specified by a bare (no
    path) WAR or directory name as shown in the documentation.
    (markt)
    + Fix:  Examples. Improve the error handling so snakes
    associated with a user that drops from the network are removed
    from the game. (markt)
    + Fix:  68035: Correct a regression in the fix for 56248 that
    prevented deployment via the Manager of a WAR or directory that
    was already present in the appBase or a context file that was
    already present in the xmlBase. (markt)
  * Other
    + Update:  Update Checkstyle to 10.12.7. (markt)
    + Update:  Update SpotBugs to 4.8.3. (markt)
    + Add:  Improvements to French translations. (remm)
    + Add:  Improvements to Japanese translations by tak7iji.
    (markt)
    + Update:  Update UnboundID to 6.0.11. (markt)
    + Update:  Update Checkstyle to 10.12.5. (markt)
    + Update:  Update SpotBugs to 4.8.2. (markt)
    + Update:  Update Derby to 10.17.1. (markt)
    + Add:  Improvements to French translations. (remm)
    + Add:  Improvements to Japanese translations by tak7iji.
    (markt)
    + Add:  Improvements to Brazilian Portuguese translations by
    John William Vicente. (markt)
    + Add:  Improvements to Russian translations by usmazat and
    remm. (markt)
    + Add:  67538: Make use of Ant's <javaversion /> task to enfore
    the mininum Java build version. (michaelo)
    + Update:  Update Checkstyle to 10.12.4. (markt)
    + Update:  Update JaCoCo to 0.8.11. (markt)
    + Update:  Update SpotBugs to 4.8.0. (markt)
    + Update:  Update BND to 7.0.0. (markt)
    + Update:  The minimum Java version required to build Tomcat
    has been raised to Java 17. (markt)
- Added patches:
  * tomcat-9.0-build-with-java-11.patch

- change server.xml during %post instead of %posttrans

- Fix server.xml permission (bsc#1217768, bsc#1217402)
- remove serverxmltool and use xsltproc

- replace prep setup and patches macro with autosetup
uyuni-reportdb-schema
- version 4.3.9-1
  * Provide reportdb upgrade schema path structure
xen
- bsc#1218851 - VUL-0: CVE-2023-46839: xen: phantom functions
  assigned to incorrect contexts (XSA-449)
  xsa449.patch

- Upstream bug fixes (bsc#1027519)
  62ab2ed9-x86-more-MSR_ARCH_CAPS.patch
  64763137-x86-AutoIBRS-definitions.patch
  652fef4f-x86-AMD-erratum-1485.patch
  6532858d-x86-DOITM.patch
  65437103-x86-i8259-dont-assume-IRQs-always-target-CPU0.patch
  65536847-AMD-IOMMU-correct-level-for-quarantine-pt.patch
  65536848-x86-spec-ctrl-remove-conditional-IRQs-on-ness.patch
  655b2ba9-fix-sched_move_domain.patch
  6566fef3-x86-vLAPIC-x2APIC-derive-LDR-from-APIC-ID.patch
  6569ad03-libxg-mem-leak-in-cpu-policy-get-set.patch
  656ee5e1-x86emul-avoid-triggering-event-assertions.patch
  656ee602-cpupool-adding-offline-CPU.patch
  656ee6c3-domain_create-error-path.patch
- Patches dropped / replaced by newer upstream versions
  xsa445.patch
  xsa446.patch
yast2-http-server
- bsc#1218943
  - followup of previous fix - fixed internal issue which caused
    Server modules not to be displayed at all.
  - 4.4.3
yast2-pkg-bindings
- Fixed repository and service probing with libzypp 7.31.26
  and newer, fixes broken repository handling (bsc#1218977,
  bsc#1218399)
- 4.4.7
yast2-samba-client
- Use translation macro for range settings expert details text;
  (bsc#1197936).
- 4.4.4
zypper
- Fix search/info commands ignoring --ignore-unknown (bsc#1217593)
  The switch makes search commands return 0 rather than 104 for
  empty search results.
- version 1.14.68

- patch: Make sure reboot-needed is remembered until next boot
  (bsc#1217873)
- version 1.14.67