- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
  Fix off-by-one error in recursive map handling. (bsc#1209653)
- Add avahi-CVE-2023-1981.patch: emit error if requested service
  is not found (boo#1210328 CVE-2023-1981).
- Security Fix:
  * The overmem cleaning process has been improved, to prevent the
    cache from significantly exceeding the configured
    max-cache-size limit.
  [bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch]
- Sensitive data exposure (bsc#1210277, CVE-2023-1786)
  + Add hidesensitivedata
  + Add cloud-init-cve-2023-1786-redact-inst-data.patch
  + Do not expose sensitive data gathered from the CSP
- Add cloud-init-log-file-mode.patch (bsc#1183939)
  + Change log file creation mode to 640
- Add cloud-init-no-pwd-in-log.patch (bsc#1184758, CVE-2021-3429)
  + Do not write the generated password to the log file
- Add cloud-init-purge-cache-py-ver-change.patch
- Add cloud-init-bonding-opts.patch (bsc#1184085)
  + Write proper bonding option configuration for SLE/openSUSE
- Fix application and inclusion of
  use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
- Add use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
  - Do not including sudoers.d directory twice
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
  - Removes a warning about system_token entry present in the credentials
  - Adds logrotate configuration for log rotation.
- Let systemd finish jobs executed by cron after it gets killed, bsc#1211066
  * cron.service
- cups-1.7.5-CVE-2023-32324.patch fixes CVE-2023-32324
  "/Heap buffer overflow in cupsd"/
  * [bsc#1211230, CVE-2023-28319] use-after-free in SSH sha256
    fingerprint check.
  - Add curl-CVE-2023-28319.patch
  * [bsc#1211231, CVE-2023-28320] siglongjmp race condition
  - Add curl-CVE-2023-28320.patch
  * [bsc#1211232, CVE-2023-28321] IDN wildcard matching
  - Add curl-CVE-2023-28321.patch
  * [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
  - Add curl-CVE-2023-28322.patch
- Update to 8.0.1: [jsc#PED-2580]
  * Remove the curl-mini package and associated files:
  - curl-mini.changes curl-mini.spec
  * Rebase curl-use_DEFAULT_SUSE_cipher.patch
  * Remove patches fixed in the update:
  - curl-check-content-type.patch
  - curl-fix-O_APPEND.patch
  - curl-libssh-socket.patch
  - curl-X509_V_FLAG_PARTIAL_CHAIN.patch
  - curl-CVE-2018-0500.patch curl-CVE-2018-14618.patch
  - curl-CVE-2018-16839.patch curl-CVE-2018-16840.patch
  - curl-CVE-2018-16842.patch curl-CVE-2018-16890.patch
  - curl-CVE-2019-3822.patch curl-CVE-2019-3823.patch
  - curl-CVE-2019-5436.patch curl-CVE-2019-5481.patch
  - curl-CVE-2019-5482.patch curl-CVE-2020-8177.patch
  - curl-CVE-2020-8231.patch curl-CVE-2020-8284.patch
  - curl-CVE-2020-8285.patch curl-CVE-2020-8286.patch
  - curl-CVE-2021-22876.patch curl-CVE-2021-22876-URL-API.patch
  - curl-CVE-2021-22898.patch curl-CVE-2021-22924.patch
  - curl-CVE-2021-22925.patch curl-CVE-2021-22946.patch
  - curl-CVE-2021-22947.patch curl-CVE-2023-27534-dynbuf.patch
  - curl-CVE-2022-22576.patch curl-CVE-2022-27776.patch
  - curl-CVE-2022-27781.patch curl-CVE-2022-27782.patch
  - curl-CVE-2022-32206.patch curl-CVE-2022-32208.patch
  - curl-CVE-2022-32221.patch curl-CVE-2022-35252.patch
  - curl-CVE-2022-43552.patch curl-CVE-2023-23916.patch
  - curl-CVE-2023-27533.patch curl-CVE-2023-27533-no-sscanf.patch
  - curl-CVE-2023-27534.patch curl-CVE-2023-27535.patch
  - curl-CVE-2023-27536.patch curl-CVE-2023-27538.patch
- Update to 8.0.1:
  * Bugfixes:
  - fix crash in curl_easy_cleanup
- Update to 8.0.0:
  * Security fixes:
  - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
  - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
  - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
  - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
  - HSTS double-free [bsc#1209213, CVE-2023-27537]
  - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
  * Changes:
  - build: remove support for curl_off_t < 8 bytes
  * Bugfixes:
  - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
  - BINDINGS: add Fortran binding
  - cf-socket: use port 80 when resolving name for local bind
  - cookie: don't load cookies again when flushing
  - curl_path: create the new path with dynbuf
  - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
  - note Curl_dyn_add* calls Curl_dyn_free on failure
  - ftp: active mode with SSL, add the filter
  - hostip: avoid sscanf and extra buffer copies
  - http2: fix for http2-prior-knowledge when reusing connections
  - http2: fix handling of RST and GOAWAY to recognize partial transfers
  - http: don't send 100-continue for short PUT requests
  - http: fix unix domain socket use in https connects
  - libssh: use dynbuf instead of realloc
  - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
  - sectransp: make read_cert() use a dynbuf when loading
  - telnet: only accept option arguments in ascii
  - telnet: parse telnet options without sscanf
  - url: fix the SSH connection reuse check
  - url: only reuse connections with same GSS delegation
  - urlapi: '%' is illegal in host names
  - ws: keep the socket non-blocking
  * Rebase libcurl-ocloexec.patch
- Security fixes:
- Update to 7.88.1:
  * Bugfix release
- Drop upstreamed patch:
  * curl-fix-uninitialized-value-in-tests.patch
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
  * Security fixes:
  - CVE-2023-23914: HSTS ignored on multiple requests
  - CVE-2023-23915: HSTS amnesia with --parallel
  - CVE-2023-23916: HTTP multi-header compression denial of service
  * Changes:
  - curl.h: add CURL_HTTP_VERSION_3ONLY
  - share: add sharing of HSTS cache among handles
  - src: add --http3-only
  - tool_operate: share HSTS between handles
  - urlapi: add CURLU_PUNYCODE
  - writeout: add %{certs} and %{num_certs}
  * Bugfixes:
  - cf-socket: keep sockaddr local in the socket filters
  - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
  - curl.h: allow up to 10M buffer size
  - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
  - curl/websockets.h: extend the websocket frame struct
  - curl: output warning at --verbose output for debug-enabled version
  - curl_free.3: fix return type of `curl_free`
  - curl_log: for failf/infof and debug logging implementations
  - dict: URL decode the entire path always
  - docs/ deprecate gskit
  - easyoptions: fix header printing in generation script
  - haxproxy: send before TLS handhshake
  - hsts.d: explain hsts more
  - hsts: handle adding the same host name again
  - HTTP/[23]: continue upload when state.drain is set
  - http: decode transfer encoding first
  - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
  - http_proxy: do not assign data->req.p.http use local copy
  - lib: connect/h2/h3 refactor
  - libssh2: try sha2 algos for hostkey methods
  - md4: fix build with GnuTLS + OpenSSL v1
  - ngtcp2: replace removed define and stop using removed function
  - noproxy: support for space-separated names is deprecated
  - nss: implement data_pending method
  - openldap: fix missing sasl symbols at build in specific configs
  - openssl: adapt to boringssl's error code type
  - openssl: don't ignore CA paths when using Windows CA store (redux)
  - openssl: don't log raw record headers
  - openssl: make the BIO_METHOD a local variable in the connection filter
  - openssl: only use CA_BLOB if verifying peer
  - openssl: remove attached easy handles from SSL instances
  - openssl: store the CA after first send (ClientHello)
  - setopt: use >, not >=, when checking if uarg is larger than uint-max
  - smb: return error on upload without size
  - socketpair: allow localhost MITM sniffers
  - strdup: name it Curl_strdup
  - tool_getparam: fix hiding of command line secrets
  - tool_operate: fix error codes on bad URL & OOM
  - tool_operate: repair --rate
  - transfer: break the read loop when RECV is cleared
  - typecheck: accept expressions for option/info parameters
  - urlapi: avoid Curl_dyn_addf() for hex outputs
  - urlapi: skip path checks if path is just "//"/
  - urlapi: skip the extra dedotdot alloc if no dot in path
  - urldata: cease storing TLS auth type
  - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
  - urldata: make set.http200aliases conditional on HTTP being present
  - urldata: move the cookefilelist to the 'set' struct
  - urldata: remove unused struct fields, made more conditional
  - vquic: stabilization and improvements
  - vtls: fix hostname handling in filters
  - vtls: manage current easy handle in nested cfilter calls
  - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
  * Rebase libcurl-ocloexec.patch
  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
  - runtests: fix "/uninitialized value $port"/
  - Add curl-fix-uninitialized-value-in-tests.patch
- Update to 7.87.0:
  * Security fixes:
  - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
  - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
  * Changes
  - curl: add --url-query
  - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
  - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
  - openssl: reduce CA certificate bundle reparsing by caching
  - version: add a feature names array to curl_version_info_data
  * Bugfixes
  - altsvc: fix rejection of negative port numbers
  - aws_sigv4: consult x-%s-content-sha256 for payload hash
  - aws_sigv4: fix typos in aws_sigv4.c
  - base64: better alloc size
  - base64: encode without using snprintf
  - base64: faster base64 decoding
  - build: assume assert.h is always available
  - build: assume errno.h is always available
  - c-hyper: CONNECT respones are not server responses
  - c-hyper: fix multi-request mechanism
  - CI: Change FreeBSD image from 12.3 to 12.4
  - CI: will be shut down in December 2022
  - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
  - cmake: check for cross-compile, not for toolchain
  - CMake: fix build with `CURL_USE_GSSAPI`
  - cmake: really enable warnings with clang
  - cmake: set the soname on the shared library
  - cmdline-opts/ fix the linkifier
  - cmdline-opts/page-footer: remove long option nroff formatting
  - config-mac: define HAVE_SYS_IOCTL_H
  - config-mac: fix typo: size_T -> size_t
  - config-mac: remove HAVE_SYS_SELECT_H
  - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
  - configure: require fork for NTLM-WB
  - actually use $CURLWWW instead of just setting it
  - cookie: compare cookie prefixes case insensitively
  - cookie: expire cookies at once when max-age is negative
  - cookie: open cookie jar as a binary file
  - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
  - curl-rustls.m4: on macOS, rustls also needs the Security framework
  - curl.h: include <sys/select.h> on SerenityOS
  - curl.h: name all public function parameters
  - curl.h: reword comment to not use deprecated option
  - curl: override the numeric locale and set "/C"/ by force
  - curl: timeout in the read callback
  - curl_endian: remove Curl_write64_le from header
  - curl_get_line: allow last line without newline char
  - curl_path: do not add '/' if homedir ends with one
  - curl_url_get.3: remove spurious backtick
  - curl_url_set.3: document CURLU_DISALLOW_USER
  - curl_url_set.3: fix typo
  - CURLOPT_COOKIEFILE.3: advice => advise
  - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
  - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "/raw"/
  - CURLOPT_POST.3: Explain setting to 0 changes request type
  - docs/curl_ws_send: Fixed typo in websocket docs
  - docs/ how to determine an early release
  - docs/examples: spell correction ('Retrieve')
  - docs/ expand on static builds
  - docs/ explain the URL use
  - docs: add missing parameters for --retry flag
  - docs: add more "/SEE ALSO"/ links to CA related pages
  - docs: explain the noproxy CIDR notation support
  - docs: extend the dump-header documentation
  - docs: remove performance note in CURLOPT_SSL_VERIFYPEER
  - examples/10-at-a-time: fix possible skipped final transfers
  - examples: update descriptions
  - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
  - do not generate CURLHELP bitmask lines > 79 characters
  - GHA: clarify workflows permissions, set least possible privilege
  - GHA: NSS use clang instead of clang-9
  - gnutls: use common gnutls init and verify code for ngtcp2
  - headers: add endif comments
  - mention that http://localhost is a secure context
  - update the 6265bis link to draft-11
  - http: do not send PROXY more than once
  - http: fix the ::1 comparison for IPv6 localhost for cookies
  - http: set 'this_is_a_follow' in the Location: logic
  - http: use the IDN decoded name in HSTS checks
  - hyper: classify headers as CONNECT and 1XX
  - hyper: fix handling of hyper_task's when reusing the same address
  - idn: remove Curl_win32_ascii_to_idn
  - INSTALL: update operating systems and CPU archs
  - KNOWN_BUGS: remove eight entries
  - lib1560: add some basic IDN host name tests
  - lib: connection filters (cfilter) addition to curl:
  - lib: feature deprecation warnings in gcc >= 4.3
  - lib: fix some type mismatches and remove unneeded typecasts
  - lib: parse numbers with fixed known base 10
  - lib: remove bad set.opt_no_body assignments
  - lib: rewind BEFORE request instead of AFTER previous
  - lib: sync guard for Curl_getaddrinfo_ex() definition and use
  - lib: use size_t or int etc instead of longs
  - libcurl-errors.3: remove duplicate word
  - libssh2: return error when ssh_hostkeyfunc returns error
  - limit-rate.d: see also --rate
  - wrap long lines at 80 columns
  - address minor issues
  - improve a GNU Make hack
  - portable Makefile.m32
  - maketgz: set the right version in lib/libcurl.plist
  - mime: relax easy/mime structures binding
  - misc: Fix incorrect spelling
  - misc: remove duplicated include files
  - misc: typo and grammar fixes
  - have it call its close() method
  - netrc.d: provide mutext info
  - netware: remove leftover traces
  - noproxy: also match with adjacent comma
  - noproxy: guard against empty hostnames in noproxy check
  - noproxy: tailmatch like in 7.85.0 and earlier
  - detect double highlights
  - ntlm: improve comment for encrypt_des
  - ntlm: silence ubsan warning about copying from null target_info pointer
  - openssl/mbedtls: use %d for outputing port with failf (int)
  - openssl: prefix errors with '[lib]/[version]: '
  - os400: use platform socklen_t in Curl_getnameinfo_a
  - page-header: grammar improvement (display transfer rate)
  - proxy: refactor haproxy protocol handling as connection filter
  - remove badges and xmas-tree garnish
  - rtsp: fix RTSP auth
  - runtests: --no-debuginfod now disables DEBUGINFOD_URLS
  - runtests: do CRLF replacements per section only
  - scripts/ detect duplicated include files
  - sendf: change Curl_read_plain to wrap Curl_recv_plain
  - sendf: remove unnecessary if condition
  - setup: do not require __MRC__ defined for Mac OS 9 builds
  - smb/telnet: do not free the protocol struct in *_done()
  - socks: fix username max size is 255 (0xFF)
  - spellcheck.words: remove 'github' as an accepted word
  - ssl-reqd.d: clarify that this is for upgrading connections only
  - strcase: use curl_str(n)equal for case insensitive matches
  - styled-output.d: this option does not work on Windows
  - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
  - system.h: support 64-bit curl_off_t for NonStop 32-bit
  - test1421: fix typo
  - test3026: reduce runtime in legacy mingw builds
  - tests/ re-enable ssh-rsa while using openssh 8.8+
  - tests: add authorityInfoAccess to generated certs
  - tests: add HTTP/3 test case, custom location for proper nghttpx
  - tls: backends use connection filters for IO, enabling HTTPS-proxy
  - tool: determine the correct fopen option for -D
  - tool_cfgable: free the ssl_ec_curves on exit
  - tool_cfgable: make socks5_gssapi_nec a boolean
  - tool_formparse: avoid clobbering on function params
  - tool_getparam: make --no-get work as the opposite of --get
  - tool_operate: provide better errmsg for -G with bad URL
  - tool_operate: when aborting, make sure there is a non-NULL error buffer
  - tool_paramhlp: free the proto strings on exit
  - url: move back the IDN conversion of proxy names
  - urlapi: reject more bad letters from the host name: &+()
  - urldata: change port num storage to int and unsigned short
  - vms: remove SIZEOF_SHORT
  - vtls: fix build without proxy support
  - vtls: localization of state data in filters
  - fix broken link
  - Websocket: fixes for partial frames and buffer updates
  - websockets: fix handling of partial frames
  - windows: fail early with a missing windres in autotools
  - windows: fix linking .rc to shared curl with autotools
  - winidn: drop WANT_IDN_PROTOTYPES
  - ws: if no connection is around, return error
  - ws: return CURLE_NOT_BUILT_IN when websockets not built in
  - x509asn1: avoid freeing unallocated pointers
- Add 1.50.0 as the minimum libnghttp2 build requirement version as
  a bandaid. Curl's 7.86.0 release introduces the use of
  introduced by nghttp2 1.50.0 release, without introducing a check
  for the function/right version in their build scripts. This will
  make Zypper/cURL unusable in some corner cases where users
  installing something that requires libcurl4 before doing full
  system upgrade, thus updating the cURL stack, but not
  libnghttp2's. Background: boo#1204983, Factory mailing list
  "/? broken dependency in curl and/or *zyp* ?"/, and forums thread:
- Update to 7.86.0:
  * Security fixes:
  - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
  - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
  - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
  - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
  * Changes:
  - NPN: remove support for and use of
  - Websockets: initial support
  * Bugfixes:
  - altsvc: reject bad port numbers
  - autotools: reduce brute-force when detecting recv/send arg list
  - aws_sigv4: fix header computation
  - cli tool: do not use disabled protocols
  - connect: change verbose IPv6 address:port to [address]:port
  - connect: fix builds without AF_INET6
  - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
  - connect: fix the wrong error message on connect failures
  - content_encoding: use writer struct subclasses for different encodings
  - content_encoding: use writer struct subclasses for different encodings
  - cookie: reject cookie names or content with TAB characters
  - curl/add_file_name_to_url: use the libcurl URL parser
  - curl/get_url_file_name: use libcurl URL parser
  - curl: warn for --ssl use, considered insecure
  - docs/libcurl/symbols-in-versions: add several missing symbols
  - ftp: ignore a 550 response to MDTM
  - functypes: provide the recv and send arg and return types
  - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
  - header: define public API functions as extern c
  - headers: reset the requests counter at transfer start
  - hostip: guard PF_INET6 use
  - hostip: lazily wait to figure out if IPv6 works until needed
  - http, vauth: always provide Curl_allow_auth_to_host() functionality
  - http2: make nghttp2 less picky about field whitespace
  - http: try parsing Retry-After: as a number first
  - http_proxy: restore the protocol pointer on error
  - lib: add missing limits.h includes
  - lib: prepare the incoming of additional protocols
  - lib: sanitize conditional exclusion around MIME
  - libssh: if sftp_init fails, don't get the sftp error code
  - mprintf: reject two kinds of precision for the same argument
  - mqtt: return error for too long topic
  - netrc: compare user name case sensitively
  - netrc: replace fgets with Curl_get_line
  - netrc: use the URL-decoded user
  - ngtcp2: fix build errors due to changes in ngtcp2 library
  - noproxy: support proxies specified using cidr notation
  - openssl: make certinfo available for QUIC
  - resolve: make forced IPv4 resolve only use A queries
  - schannel: ban server ALPN change during recv renegotiation
  - schannel: don't reset recv/send function pointers on renegotiation
  - schannel: when importing PFX, disable key persistence
  - setopt: use the handler table for protocol name to number conversions
  - setopt: when POST is set, reset the 'upload' field
  - single_transfer: use the libcurl URL parser when appending query parts
  - smb: replace CURL_WIN32 with WIN32
  - tool: avoid generating ambiguous escaped characters in --libcurl
  - tool_main: exit at once if out of file descriptors
  - tool_operate: more transfer cleanup after parallel transfer fail
  - tool_operate: prevent over-queuing in parallel mode
  - tool_paramhelp: asserts verify maximum sizes for string loading
  - tool_xattr: save the original URL, not the final redirected one
  - url: a zero-length userinfo part in the URL is still a (blank) user
  - url: allow non-HTTPS HSTS-matching for debug builds
  - url: rename function due to name-clash in Watt-32
  - url: use IDN decoded names for HSTS checks
  - urlapi: detect scheme better when not guessing
  - urlapi: fix parsing URL without slash with CURLU_URLENCODE
  - urlapi: reject more bad characters from the host name field
  * Remove patch upstream:
  - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Update connection info when using UNIX socket as endpoint
- Change the deprecated configure option --enable-hidden-symbols
  to the new --enable-symbol-hiding.
- Update to 7.85.0:
  * Security fixes: [bsc#1202593, CVE-2022-35252]
  - control code in cookie denial of service
  * Changes:
  - quic: add support via wolfSSL
  - schannel: Add TLS 1.3 support
  * Bugfixes:
  - asyn-thread: fix socket leak on OOM
  - asyn-thread: make getaddrinfo_complete return CURLcode
  - base64: base64url encoding has no padding
  - configure: fix broken m4 syntax in TLS options
  - configure: if asked to use TLS, fail if no TLS lib was detected
  - connect: add quic connection information
  - connect: set socktype/protocol correctly
  - cookie: reject cookies with "/control bytes"/
  - cookie: treat a blank domain in Set-Cookie: as non-existing
  - curl: output warning when a cookie is dropped due to size
  - Curl_close: call Curl_resolver_cancel to avoid memory-leak
  - digest: fix memory leak, fix not quoted 'opaque'
  - digest: fix missing increment of 'nc' value for auth-int
  - digest: pass over leading spaces in qop values
  - digest: reject broken header with session protocol but without qop
  - doh: use https protocol by default
  - easy_lock.h: include sched.h if available to fix build
  - easy_lock.h: use __asm__ instead of asm to fix build
  - easy_lock: switch to using atomic_int instead of bool
  - ftp: use a correct expire ID for timer expiry
  - h2h3: fix overriding the 'TE: Trailers' header
  - hostip: resolve *.localhost to
  - update to msh3 v0.4.0
  - hyper: use wakers for curl pause/resume
  - lib3026: reduce the number of threads to 100
  - libssh2: make atime/mtime date overflow return error
  - libssh2: provide symlink name in SFTP dir listing
  - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
  - multi: use larger dns hash table for multi interface
  - multi_wait: fix skipping to populate revents for extra_fds
  - netrc: Use the password from lines without login
  - ngtcp2: Fix build error due to change in nghttp3 prototypes
  - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
  - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
  - openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
  - openssl: add cert path in error message
  - openssl: add details to "/unable to set client certificate"/ error
  - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
  - select: do not return fatal error on EINTR from poll()
  - sendf: fix paused header writes since after the header API
  - sendf: skip storing HTTP headers if HTTP disabled
  - url: really use the user provided in the url when netrc entry exists
  - url: reject URLs with hostnames longer than 65535 bytes
  - url: treat missing usernames in netrc as empty
  - urldata: reduce size of several struct fields
  - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
  * Remove tests-for-32bit.patch fixed in the update
  * Rebase libcurl-ocloexec.patch
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- Update to 7.84.0:
  * Security fixes:
  - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
  - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
  - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
  - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
  * Changes:
  - curl: add --rate to set max request rate per time unit
  - curl: deprecate --random-file and --egd-file
  - curl_version_info: add CURL_VERSION_THREADSAFE
  - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
  - lib: make curl_global_init() threadsafe when possible
  - opts: deprecate RANDOM_FILE and EGDSOCKET
  - socks: support unix sockets for socks proxy
  * Bugfixes:
  - aws-sigv4: fix potentional NULL pointer arithmetic
  - bindlocal: don't use a random port if port number would wrap
  - c-hyper: mark status line as status for Curl_client_write()
  - ci: avoid `cmake -Hpath`
  - CI: bump FreeBSD 13.0 to 13.1
  - ci: update github actions
  - cmake: add libpsl support
  - cmake: do not add libcurl.rc to the static libcurl library
  - cmake: enable curl.rc for all Windows targets
  - cmake: fix detecting libidn2
  - cmake: support adding a suffix to the OS value
  - configure: skip libidn2 detection when winidn is used
  - configure: use the SED value to invoke sed
  - configure: warn about rustls being experimental
  - content_encoding: return error on too many compression steps
  - cookie: address secure domain overlay
  - cookie: apply limits
  - parse and use .reuse/dep5 for skips
  - copyright: make repository REUSE compliant
  - curl.1: add a few see also --tls-max
  - curl.1: mention exit code zero too
  - curl: re-enable --no-remote-name
  - curl_easy_pause.3: remove explanation of progress function
  - curl_getdate.3: document that some illegal dates pass through
  - Curl_parsenetrc: don't access local pwbuf outside of scope
  - curl_url_set.3: clarify by default using known schemes only
  - CURLOPT_ALTSVC.3: document the file format
  - CURLOPT_FILETIME.3: fix the protocols this works with
  - CURLOPT_HTTPHEADER.3: improve comment in example
  - CURLOPT_NETRC.3: document the .netrc file format
  - CURLOPT_PORT.3: We discourage using this option
  - CURLOPT_RANGE.3: remove ranged upload advice
  - digest: added detection of more syntax error in server headers
  - digest: tolerate missing "/realm"/
  - digest: unquote realm and nonce before processing
  - DISABLED: disable 1021 for hyper again
  - docs/cmdline-opts: add copyright and license identifier to each file
  - docs/ document the 'needs-votes' concept
  - docs: clarify data replacement policy for MIME API
  - doh: remove UNITTEST macro definition
  - examples/crawler.c: use the curl license
  - examples: remove fopen.c and rtsp.c
  - FAQ: Clarify Windows double quote usage
  - fopen: add Curl_fopen() for better overwriting of files
  - ftp: restore protocol state after http proxy CONNECT
  - ftp: when failing to do a secure GSSAPI login, fail hard
  - GHA/hyper: enable debug in the build
  - gssapi: improve handling of errors from gss_display_status
  - gssapi: initialize gss_buffer_desc strings
  - headers api: remove EXPERIMENTAL tag
  - http2: always debug print stream id in decimal with %u
  - http2: reject overly many push-promise headers
  - http: restore header folding behavior
  - hyper: use 'alt-used'
  - krb5: return error properly on decode errors
  - lib: make more protocol specific struct fields #ifdefed
  - libcurl-security.3: add "/Secrets in memory"/
  - libcurl-security.3: document CRLF header injection
  - libssh: skip the fake-close when libssh does the right thing
  - links: update dead links to the curl-wiki
  - log2changes: do not indent empty lines [ci skip]
  - macos9: remove partial support
  - fix portability issues
  - Makefile.m32: delete obsolete options, improve -On [ci skip]
  - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
  - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
  - max-time.d: clarify max-time sets max transfer time
  - mprintf: ignore clang non-literal format string
  - netrc: check %USERPROFILE% as well on Windows
  - netrc: support quoted strings
  - ngtcp2: allow curl to send larger UDP datagrams
  - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
  - ngtcp2: enable Linux GSO
  - ngtcp2: extend QUIC transport parameters buffer
  - ngtcp2: fix alert_read_func return value
  - ngtcp2: fix typo in preprocessor condition
  - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
  - ngtcp2: send appropriate connection close error code
  - ngtcp2: support boringssl crypto backend
  - ngtcp2: use helper funcs to simplify TLS handshake integration
  - ntlm: provide a fixed fake host name
  - projects: fix third-party SSL library build paths for Visual Studio
  - quic: add Curl_quic_idle
  - quiche: support ca-fallback
  - rand: stop detecting /dev/urandom in cross-builds
  - remote-name.d: mention --output-dir
  - add the --repeat parameter to the --help output
  - runtests: fix skipping tests not done event-based
  - runtests: skip starting the ssh server if user name is lacking
  - scripts/ fix the exclusion to not ignore man pages
  - sectransp: check for a function defined when __BLOCKS__ is undefined
  - select: return error from "/lethal"/ poll/select errors
  - server/sws: support spaces in the HTTP request path
  - speed-limit/time.d: mention these affect transfers in either direction
  - strcase: some optimisations
  - test 2081: add a valid reply for the second request
  - test 675: add missing CR so the test passes when run through Privoxy
  - test414: add the '--resolve' keyword
  - test681: verify --no-remote-name
  - tests 266, 116 and 1540: add a small write delay
  - tests/data/test1501: kill ftp server after slow LIST response
  - tests/getpart: fix getpartattr to work with "/data"/ and "/data2"/
  - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
  - test{440,441,493,977}: add "/HTTP proxy"/ keywords
  - tool_getparam: fix --parallel-max maximum value constraint
  - tool_operate: make sure --fail-with-body works with --retry
  - transfer: fix potential NULL pointer dereference
  - transfer: maintain --path-as-is after redirects
  - transfer: upload performance; avoid tiny send
  - url: free old conn better on reuse
  - url: remove redundant #ifdefs in allocate_conn()
  - url: URL encode the path when extracted, if spaces were set
  - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
  - urlapi: support CURLU_URLENCODE for curl_url_get()
  - urldata: reduce size of a few struct fields
  - urldata: remove three unused booleans from struct UserDefined
  - urldata: store tcp_keepidle and tcp_keepintvl as ints
  - version: allow stricmp() for sorting the feature list
  - vtls: make curl_global_sslset thread-safe
  - wolfssh.h: removed
  - wolfssl: correct the failf() message when a handle can't be made
  - wolfSSL: explicitly use compatibility layer
  - x509asn1: mark msnprintf return as unchecked
- Update to 7.83.1:
  * Security fixes:
  - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
  - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
  - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
  - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
  - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
  - (bsc#1199220, CVE-2022-27778) removes wrong file on error
  * Bugfixes:
  - altsvc: fix host name matching for trailing dots
  - cirrus: Update to FreeBSD 12.3
  - cirrus: Use pip for Python packages on FreeBSD
  - conn: fix typo 'connnection' -> 'connection' in two function names
  - cookies: make bad_domain() not consider a trailing dot fine
  - curl: free resource in error path
  - curl: guard against size_t wraparound in no-clobber code
  - CURLOPT_DOH_URL.3: mention the known bug
  - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
  - CURLOPT_SSH_AUTH_TYPES.3: fix the default
  - data/test376: set a proper name
  - GHA/mbedtls: enabled nghttp2 in the build
  - gha: build msh3
  - gskit: fixed bogus setsockopt calls
  - gskit: remove unused function set_callback
  - hsts: ignore trailing dots when comparing hosts names
  - http: move Curl_allow_auth_to_host()
  - http_proxy/hyper: handle closed connections
  - hyper: fix test 357
  - Makefile: fix "/make ca-firefox"/
  - mbedtls: bail out if rng init fails
  - mbedtls: fix compile when h2-enabled
  - mbedtls: fix some error messages
  - misc: use "/autoreconf -fi"/ instead buildconf
  - msh3: get msh3 version from MsH3Version
  - msh3: print boolean value as text representation
  - msh3: psss remote_port to MsH3ConnectionOpen
  - ngtcp2: add ca-fallback support for OpenSSL backend
  - nss: return error if seemingly stuck in a cert loop
  - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
  - post_per_transfer: remove the updated file name
  - sectransp: bail out if SSLSetPeerDomainName fails
  - tests/server: declare variable 'reqlogfile' static
  - tests: fix markdown formatting in README
  - test{898,974,976}: add 'HTTP proxy' keywords
  - tls: check more TLS details for connection reuse
  - url: check SSH config match on connection reuse
  - urlapi: address (harmless) UndefinedBehavior sanitizer warning
  - urlapi: reject percent-decoding host name into separator bytes
  - x509asn1: make do_pubkey handle EC public keys
- Patches rework:
  * Refreshed all patches as -p1.
  * Use autopatch macro.
  * Renamed:
  - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
  * Removed (already upstream):
  - curl-fix-verifyhost.patch
- Update to 7.83.0:
  * Security fixes:
  - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
  - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
  - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
  - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
  * Changes:
  - curl: add %header{name} experimental support in -w handling
  - curl: add %{header_json} experimental support in -w handling
  - curl: add --no-clobber
  - curl: add --remove-on-error
  - header api: add curl_easy_header and curl_easy_nextheader
  - msh3: add support for QUIC and HTTP/3 using msh3
  * Bugfixes:
  - appveyor: add Cygwin build
  - appveyor: only add MSYS2 to PATH where required
  - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
  - add Hollywood binding
  - CI: Do not use buildconf. Instead, just use: autoreconf -fi
  - CI: install Python package impacket to run SMB test 1451
  - move -pthread CFLAGS setting back where it used to be
  - configure: bump the copyright year range int the generated output
  - conncache: include the zone id in the "/bundle"/ hashkey
  - connecache: remove duplicate connc->closure_handle check
  - connect: make Curl_getconnectinfo work with conn cache from share handle
  - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
  - cookie.d: clarify when cookies are sent
  - cookies: improve errorhandling for reading cookiefile
  - curl/system.h: update ifdef condition for MCST-LCC compiler
  - curl: error out if -T and -d are used for the same URL
  - curl: error out when options need features not present in libcurl
  - curl: escape '?' in generated --libcurl code
  - curl: fix segmentation fault for empty output file names.
  - curl_easy_header: fix typos in documentation
  - CURLINFO_PRIMARY_PORT.3: clarify which port this is
  - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
  - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
  - CURLOPT_PROGRESSFUNCTION.3: fix typo in example
  - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
  - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
  - docs/ updated to reflect current hyper build needs
  - docs/opts: Mention Schannel client cert type is P12
  - docs: Fix missing semicolon in example code
  - docs: lots of minor language polish
  - English: use American spelling consistently
  - fail.d: tweak the description
  - make the shell script safer
  - ftp: fix error message for partial file upload
  - change wording for mutexed options
  - GHA: add openssl3 jobs moved over from zuul
  - GHA: build hyper with nightly rustc
  - GHA: move bearssl jobs over from zuul
  - gha: move the event-based test over from Zuul
  - gtls: fix build for disabled TLS-SRP
  - http2: handle DONE called for the paused stream
  - http2: RST the stream if we stop it on our own will
  - http: avoid auth/cookie on redirects same host diff port
  - http: close the stream (not connection) on time condition abort
  - http: reject header contents with nul bytes
  - http: return error on colon-less HTTP headers
  - http: streamclose "/already downloaded"/
  - hyper: fix status_line() return code
  - hyper: fix tests 580 and 581 for hyper
  - hyper: no h2c support
  - infof: consistent capitalization of warning messages
  - ipv4/6.d: clarify that they are about using IP addresses
  - json.d: fix typo (overriden -> overridden)
  - keepalive-time.d: It takes many probes to detect brokenness
  - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
  - lib670: avoid double check result
  - lib: #ifdef on USE_HTTP2 better
  - lib: fix some misuse of curlx_convert_wchar_to_UTF8
  - lib: remove exclamation marks
  - libssh2: compare sha256 strings case sensitively
  - libssh2: make the md5 comparison fail if wrong length
  - libssh: fix build with old libssh versions
  - libssh: fix double close
  - libssh: Improve fix for missing SSH_S_ stat macros
  - libssh: unstick SFTP transfers when done event-based
  - macos: set .plist version in autoconf
  - mbedtls: remove 'protocols' array from backend when ALPN is not used
  - mbedtls: remove server_fd from backend
  - Use stricter logic to process the certificates
  - mk-ca-bundle.vbs: delete this script in favor of
  - mlc_config.json: add file to ignore known troublesome URLs
  - mqtt: better handling of TCP disconnect mid-message
  - ngtcp2: add client certificate authentication for OpenSSL
  - ngtcp2: avoid busy loop in low CWND situation
  - ngtcp2: deal with sub-millisecond timeout
  - ngtcp2: disconnect the QUIC connection proper
  - ngtcp2: enlarge H3_SEND_SIZE
  - ngtcp2: fix HTTP/3 upload stall and avoid busy loop
  - ngtcp2: fix memory leak
  - ngtcp2: fix QUIC_IDLE_TIMEOUT
  - ngtcp2: make curl 1ms faster
  - ngtcp2: remove remote_addr which is not used in a meaningful way
  - ngtcp2: update to work after recent ngtcp2 updates
  - ngtcp2: use token when detecting :status header field
  - nonblock: restore setsockopt method to curlx_nonblock
  - openssl: check SSL_get_peer_cert_chain return value
  - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
  - openssl: fix CN check error code
  - options: remove mistaken space before paren in prototype
  - perl: removed a double semicolon at end of line
  - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
  - projects/README: converted to markdown
  - projects: Update VC version names for VS2017, VS2022
  - rtsp: don't let CSeq error override earlier errors
  - runtests: add 'bearssl' as testable feature
  - runtests: make 'oldlibssh' be before 0.9.4
  - schannel: remove dead code that will never run
  - scripts/ ignore the new mlc_config.json file
  - scripts: move three scripts from lib/ to scripts/
  - test1135: sync with recent API updates
  - test1459: disable for oldlibssh
  - test375: fix line endings on Windows
  - test386: Fix an incorrect test markup tag
  - test718: edited slightly to return better HTTP
  - tests/server/util.h: align WIN32 condition with util.c
  - tests: refactor server/socksd.c to support --unix-socket
  - timediff.[ch]: add curlx helper functions for timeval conversions
  - tls: make mbedtls and NSS check for h2, not nghttp2
  - tool and tests: force flush of all buffers at end of program
  - tool_cb_hdr: Turn the Location: into a terminal hyperlink
  - tool_getparam: error out on missing -K file
  - tool_listhelp.c: uppercase URL
  - tool_operate: fix a scan-build warning
  - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
  - transfer: redirects to other protocols or ports clear auth
  - unit1620: call global_init before calling Curl_open
  - url: check sasl additional parameters for connection reuse.
  - vtls: provide a unified APLN-disagree string for all backends
  - vtls: use a backend standard message for "/ALPN: offers %s"/
  - vtls: use a generic "/ALPN, server accepted"/ message
  - winbuild/ fixup dead link
  - winbuild: Add a Visual Studio example to the README
  - wolfssl: fix compiler error without IPv6
- Fix: openssl: fix CN check error code
  * Add curl-fix-verifyhost.patch
- Update to 7.82.0:
  * curl: add --json command line option
  * curl: make it so that sensitive command line arguments do not
    show as easily in the output of ps(1)
  * curl_multi_socket.3: remove callback and typical usage descriptions
  * ftp: provide error message for control bytes in path
  * ldap: return CURLE_URL_MALFORMAT for bad URL
  * lib: remove support for CURL_DOES_CONVERSIONS
  * mqtt: plug some memory leaks
  * multi: allow user callbacks to call curl_multi_assign
  * multi: remember connection_id before returning connection to pool
  * multi: set in_callback for multi interface callbacks
  * netware: remove support
  * ngtcp2: adapt to changed end of headers callback proto
  * openldap: implement SASL authentication
  * openssl: return error if TLS 1.3 is requested when not supported
  * sectransp: mark a 3DES cipher as weak
  * smb: pass socket for writing and reading data instead of FIRSTSOCKET
  * tool_getparam: DNS options that need c-ares now fail without it
  * TPF: drop support
  * url: given a user in the URL, find pwd for that user in netrc
  * url: keep trailing dot in host name
  * urlapi: handle "/redirects"/ smarter
  * urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
  * urldata: remove conn->bits.user_passwd
- update to 7.81.0:
  * mime: use percent-escaping for multipart form field and file names
  * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
  * azure: make the "/w/o HTTP/SMTP/IMAP"/ build disable SSL proper
  * BINDINGS: add cURL client for PostgreSQL
  * BINDINGS: add one from Everything curl and update a link
  * checksrc: detect more kinds of NULL comparisons we avoid
  * CI: build examples for additional code verification
  * CI: bump job to use mbedtls 3.1.0
  * cmake: don't set _USRDLL on a static Windows build
  * cmake: prevent dev warning due to mismatched arg
  * cmake: private identifiers use CURL_ instead of CMAKE_ prefix
  * config.d: update documentation to match the path search
  * configure: add -lm to configure for rustls build.
  * configure: better diagnostics if hyper is built wrong
  * configure: don't enable TLS when --without-* flags are used
  * configure: fix runtime-lib detection on macOS
  * curl.1: require "/see also"/ for every documented option
  * curl: improve error message for --head with -J
  * curl_easy_cleanup.3: remove from multi handle first
  * curl_easy_escape.3: call curl_easy_cleanup in example
  * curl_easy_unescape.3: call curl_easy_cleanup in example
  * curl_multi_init.3: fix EXAMPLE formatting
  * curl_multi_perform/socket_action.3: clarify what errors mean
  * curl_share_setopt.3: split out options into their own manpages
  * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
  * digest: compute user:realm:pass digest w/o userhash
  * docs/checksrc: Add documentation for STRERROR
  * docs/cmdline-opts: do not say "/protocols: all"/
  * docs/examples: workaround broken -Wno-pedantic-ms-format
  * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
  * docs/ typo fix : added missing "/get"/ verb
  * docs/ space is not fine in a given URL
  * docs: add known bugs list to
  * docs: address proselint nits
  * docs: consistent manpage SYNOPSIS
  * docs: fix dead links, remove
  * docs: fix typo in OpenSSL 3 build instructions
  * docs: Update the Reducing Size section
  * example/progressfunc: remove code for old libcurls
  * examples/multi-single.c: remove WAITMS()
  * FAQ: typo fix : "/yout"/ ➤ "/your"/
  * ftp: disable warning 4706 in MSVC
  * improve example output format
  * github workflow: add wolfssl (removed from zuul)
  * github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
  * gtls: check return code for gnutls_alpn_set_protocols
  * hash: lazy-alloc the table in Curl_hash_add()
  * http2:set_transfer_url() return early on OOM
  * HTTP3: update quiche build instructions
  * http: enable haproxy support for hyper backend
  * http_proxy: don't close the socket (too early)
  * insecure.d: detail its use for SFTP and SCP as well
  * insecure.d: expand and clarify
  * libcurl-multi.3: "/SOCKS proxy handshakes"/ are not blocking
  * libcurl-security.3: mention address and URL mitigations
  * libssh2: fix error message for sha256 mismatch
  * libtest: avoid "/assignment within conditional expression"/
  * lift: ignore is a deprecated config option, use ignoreRules
  * linkcheck.yml: add CI job that checks markdown links
  * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
  * Makefile.m32: rename -winssl option to -schannel and tidy up
  * mbedTLS: add support for CURLOPT_CAINFO_BLOB
  * mbedtls: fix CURLOPT_SSLCERT_BLOB
  * mbedtls: fix private member designations for v3.1.0
  * misc: remove unused doh flags when CURL_DISABLE_DOH is defined
  * misc: s/e-mail/email
  * multi: cleanup the socket hash when destroying it
  * multi: handle errors returned from socket/timer callbacks
  * multi: shut down CONNECT in Curl_detach_connnection
  * netrc.d: edit the .netrc example to look nicer
  * ngtcp2: verify the server cert on connect (quictls)
  * ngtcp2: verify the server certificate for the gnutls case
  * nss:set_cipher don't clobber the cipher list
  * openldap: implement STARTTLS
  * openldap: process search query response messages one by one
  * openldap: several minor improvements
  * openldap: simplify ldif generation code
  * openssl: check the return value of BIO_new()
  * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
  * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
  * openssl: remove usage of deprecated `SSL_get_peer_certificate`
  * openssl: use non-deprecated API to read key parameters
  * page-footer: add a mention of how to report bugs to the man page
  * page-footer: document more environment variables
  * request.d: refer to 'method' rather than 'command'
  * retry-all-errors.d: make the example complete
  * runtests: make the SSH library a testable feature
  * rustls: read of zero bytes might be okay
  * rustls: remove comment about checking handshaking
  * rustls: remove incorrect EOF check
  * sha256/md5: return errors when init fails
  * socks5: use appropriate ATYP for numerical IP address host names
  * test1156: enable for hyper
  * test1156: fixup the stdout check for Windows
  * test1525: tweaked for hyper
  * test1526: enable for hyper
  * test1527: enable for hyper
  * test1528: enable for hyper
  * test1554: adjust for hyper
  * test1556: adjust for hyper
  * test302[12]: run only with the libssh2 backend
  * test661: enable for hyper
  * tests/ add more information on CI environments
  * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
  * tftp: mark protocol as not possible to do over CONNECT
  * tool_findfile: updated search for a file in the homedir
  * tool_operate: only set SSH related libcurl options for SSH URLs
  * tool_operate: warn if too many output arguments were found
  * url.c: fix the SIGPIPE comment for Curl_close
  * url: check ssl_config when re-use proxy connection
  * url: reduce ssl backend count for CURL_DISABLE_PROXY builds
  * urlapi: accept port number zero
  * urlapi: if possible, shorten given numerical IPv6 addresses
  * urlapi: provide more detailed return codes
  * urlapi: reject short file URLs
  * version_win32: Check build number and platform id
  * vtls/rustls: adapt to the updated rustls_version proto
  * writeout: fix %{http_version} for HTTP/3
  * x509asn1: return early on errors
  * zuul.d: update rustls-ffi to version 0.8.2
  * zuul: fix quiche build pointing to wrong Cargo
- Update to 7.80.0:
  * Changes:
  - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
  - CURLOPT_PREREQFUNCTION: add new callback
  - libssh2: add SHA256 fingerprint support
  - urlapi: add curl_url_strerror()
  * Bugfixes:
  - aws-sigv4: make signature work when post data is binary
  - c-hyper: don't abort CONNECT responses early when auth-in-progress
  - cmake: add CURL_ENABLE_SSL option
  - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
  - replace krb5-config with pkg-config
  - configure: when hyper is selected, deselect nghttp2
  - curl-confopts.m4: remove --enable/disable-hidden-symbols
  - curl-openssl.m4: modify library order for openssl linking
  - curl_ntlm_core: use OpenSSL only if DES is available
  - Curl_updateconninfo: store addresses for QUIC connections too
  - ftp: make the MKD retry to retry once per directory
  - http: fix Basic auth with empty name field in URL
  - http: reject HTTP response codes < 100
  - http: remove assert that breaks hyper
  - http: set content length earlier
  - imap: display quota information
  - libssh2: Get the version at runtime if possible
  - md5: fix compilation with OpenSSL 3.0 API
  - ngtcp2: advertise h3 as well as h3-29
  - ngtcp2: compile with the latest nghttp3
  - ngtcp2: use latest QUIC TLS RFC9001
  - NTLM: use DES_set_key_unchecked with OpenSSL
  - openssl: if verifypeer is not requested, skip the CA loading
  - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
  - schannel: fix memory leak due to failed SSL connection
  - sendf: accept zero-length data in Curl_client_write()
  - sha256: use high-level EVP interface for OpenSSL
  - sws: fix memory leak on exit
  - tool_operate: a failed etag save now only fails that transfer
  - url: check the return value of curl_url()
  - url: set "/k->size"/ -1 at start of request
  - urlapi: skip a strlen(), pass in zero
  - urlapi: URL decode percent-encoded host names
  - vtls: Fix a memory leak if an SSL session cannot be added to the cache
  - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
  * Use --with-openssl configure option, --with-ssl is now deprecated
- Update to 7.79.1:
  * Bugfixes:
  - Curl_http2_setup: don't change connection data on repeat invokes
  - curl_multi_fdset: make FD_SET() not operate on sockets out of range
  - dist: provide lib/.checksrc in the tarball
  - FAQ: add GOPHERS + curl works on data, not files
  - hsts: CURLSTS_FAIL from hsts read callback should fail transfer
  - hsts: handle unlimited expiry
  - http: fix the broken >3 digit response code detection
  - strerror: use sys_errlist instead of strerror on Windows
  - test1184: disable:
  - tests/ make it work with openssh-8.7p1
- Temporarily disable flaky test 1184
  * See
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
  [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
  * Changes:
  - bearssl: support CURLOPT_CAINFO_BLOB
  - http: consider cookies over localhost to be secure
  - secure transport: support CURLINFO_CERTINFO
  * Bugfixes:
  - CVE-2021-22945: clear the leftovers pointer when sending succeeds
  - CVE-2021-22946: do not ignore --ssl-reqd
  - CVE-2021-22947: reject STARTTLS server response pipelining
  - auth: do not append zero-terminator to authorisation id in kerberos
  - auth: properly handle byte order in kerberos security message
  - auth: use sasl authzid option in kerberos
  - auth: we do not support a security layer after kerberos authentication
  - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
  - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
  - c-hyper: initial step for 100-continue support
  - c-hyper: initial support for "/dumping"/ 1xx HTTP responses
  - curl-openssl.m4: show correct output for OpenSSL v3
  - docs/MQTT: update state of username/password support
  - docs: the security list is reached at security at now
  - getparameter: fix the --local-port number parser
  - hostip: Make Curl_ipv6works function independent of getaddrinfo
  - http_proxy: fix the User-Agent inclusion in CONNECT
  - http_proxy: fix user-agent and custom headers for CONNECT with hyper
  - http_proxy: only wait for writable socket while sending request
  - mailing lists: move from to
  - mbedtls: avoid using a large buffer on the stack
  - mbedTLS: initial 3.0.0 support
  - ngtcp2: remove the acked_crypto_offset struct field init
  - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
  - ngtcp2: reset the oustanding send buffer again when drained
  - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
  - ngtcp2: stop buffering crypto data
  - ngtcp2: utilize crypto API functions to simplify
  - openssl: when creating a new context, there cannot be an old one
  - scripts: invoke interpreters through /usr/bin/env
  - tests/ cleanup copy&paste mistakes and unused code
  - tests: be explicit about using 'python3' instead of 'python'
  - tool/tests: fix potential year 2038 issues
  - tool_operate: Fix --fail-early with parallel transfers
  - x509asn1: fix heap over-read when parsing x509 certificates
  * Rebase libcurl-ocloexec.patch
- Update to 7.78.0:
  [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
  [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
  * Changes:
  - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
  - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
  - hostip: make 'localhost' return fixed values
  - mbedtls: add support for cert and key blob options
  - metalink: remove all support for it
  - mqtt: add support for username and password
  * Bugfixes:
  - ares: always store IPv6 addresses first
  - c-hyper: abort CONNECT response reading early on non 2xx responses
  - c-hyper: add support for transfer-encoding in the request
  - c-hyper: bail on too long response headers
  - c-hyper: clear NTLM auth buffer when request is issued
  - c-hyper: fix NTLM on closed connection tested with test159
  - conncache: lowercase the hash key for better match
  - curl_multibyte: Remove local encoding fallbacks
  - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
  - Curl_ssl_getsessionid: fail if no session cache exists
  - easy: during upkeep, attach Curl_easy to connections in the cache
  - gnutls: set the preferred TLS versions in correct order
  - hsts: ignore numberical IP address hosts
  - HSTS: not experimental anymore
  - http2: init recvbuf struct for pushed streams
  - http: fix crash in rate-limited upload
  - http: make the haproxy support work with unix domain sockets
  - http_proxy: deal with non-200 CONNECT response with Hyper
  - lib: don't compare fd to FD_SETSIZE when using poll
  - lib: fix compiler warnings with CURL_DISABLE_NETRC
  - lib: fix type of len passed to *printf's %*s
  - lib: more %u for port and int for %*s fixes
  - lib: use %u instead of %ld for port number printf
  - libssh2: limit time a disconnect can take to 1 second
  - mqtt: detect illegal and too large file size
  - msnprintf: return number of printed characters excluding null byte
  - multi: add scan-build-6 work-around in curl_multi_fdset
  - multi: alter transfer timeout ordering
  - multi: do not switch off connect_only flag when closing
  - multi: fix crash in curl_multi_wait / curl_multi_poll
  - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
  - openssl: avoid static variable for seed flag
  - openssl: don't remove session id entry in disassociate
  - socketpair: fix potential hangs
  - socks4: scan for the IPv4 address in resolve results
  - ssl: read pending close notify alert before closing the connection
  - telnet: fix option parser to not send uninitialized contents
  - TLS: prevent shutdown loops to get stuck
  - vtls: exit addsessionid if no cache is inited
  - vtls: fix connection reuse checks for issuer cert and case sensitivity
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
  [bsc#1186115, bsc#1185579, CVE-2021-22901]
  * Security fixes:
  - CVE-2021-22297: schannel cipher selection surprise
  - CVE-2021-22298: TELNET stack contents disclosure
  - CVE-2021-22901: TLS session caching disaster
  * Changes:
  - configure: make the TLS library choice(s) explicit
  - curl: ignore options asking for SSLv2 or SSLv3
  - hsts: enable by default
  - SSL: support in-memory CA certs for some backends
  - vtls: refuse setting any SSL version
  * Bugfixes:
  - configure: provide --with-openssl, deprecate --with-ssl
  - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
  - curl: include libmetalink version in --version output
  - data_pending: check only SECONDARY socket for FTP(S) transfers
  - gnutls: don't allow TLS 1.3 for versions that don't support it
  - gnutls: make setting only the MAX TLS allowed version work
  - http2: fix resource leaks in set_transfer_url() and push_promise()
  - http: limit the initial send amount to used upload buffer size
  - rustls: only return CURLE_AGAIN when TLS session is fully drained
  - rustls: use ALPN
  - schannel: Disable auto credentials; add an option to enable it
  - schannel: Support strong crypto option
  - sectransp: allow cipher name to be specified
  - sockfilt: avoid getting stuck waiting for writable socket
- update to 7.76.1:
  - ngtcp2: Use ALPN h3-29 for now
  - TODO: remove 18.22 --fail-with-body
- Update to 7.76.0
  * Security fixes:
  - [bsc#1183933, CVE-2021-22876]: strip credentials from the
    auto-referer header field
  - [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
  * Changes:
  - cookies: Support multiple -b parameters
  - curl: add --fail-with-body
  - doh: add options to disable ssl verification
  - http: add support to read and store the referrer header
  - sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
  - vtls: initial implementation of rustls backend
  * Bugfixes:
  - CVE-2021-22876: strip credentials from the auto-referer header field
  - CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
  - c-hyper: support automatic content-encoding
  - configure: only add OpenSSL paths if they are defined
  - configure: provide Largefile feature for curl-config
  - curl: set CURLOPT_NEW_FILE_PERMS if requested
  - doh: Fix sharing user's resolve list with DOH handles
  - doh: Inherit CURLOPT_STDERR from user's easy handle
  - dynbuf: bump the max HTTP request to 1MB
  - ftp: add 'list_only' to the transfer state struct
  - ftp: add 'prefer_ascii' to the transfer state struct
  - ftp: allow SIZE to fail when doing (resumed) upload
  - ftp: avoid SIZE when asking for a TYPE A file
  - ftp: fix memory leak in ftp_done
  - ftp: never set data->set.ftp_append outside setopt
  - gnutls: assume nettle crypto support
  - http2: don't set KEEP_SEND when there's no more data to be sent
  - http2: fail if connection terminated without END_STREAM
  - http: do not add a referrer header with empty value
  - http: strip default port from URL sent to proxy
  - http: use credentials from transfer, not connection
  - lib: remove 'conn->data' completely
  - multi: close the connection when h2=>h1 downgrading
  - multi: do once-per-transfer inits in before_perform in DID state
  - multi: rename the multi transfer states
  - multi: update pending list when removing handle
  - ngtcp2: adapt to the new recv_datagram callback
  - ngtcp2: clarify calculation precedence
  - ngtcp2: sync with recent API updates
  - openssl: adapt to v3's new const for a few API calls
  - openssl: ensure to check SSL_CTX_set_alpn_protos return values
  - openssl: remove get_ssl_version_txt in favor of SSL_get_version
  - parse_proxy: fix a memory leak in the OOM path
  - url: fix memory leak if OOM in the HSTS handling
  - url: fix possible use-after-free in default protocol
  - urldata: don't touch data->set.httpversion at run-time
  - urldata: merge "/struct DynamicStatic"/ into "/struct UrlState"/
  - urldata: remove the 'rtspversion' field
  - urldata: remove the _ORIG suffix from string names
  - wolfssl: don't store a NULL sessionid
- Harden build, enable full RELRO
- Never allow undefined symbols anywhere.
- Update to 7.75.0
  * Changes:
  - curl: add --create-file-mode [mode]
  - curl: add new variables to --write-out
  - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
  - gopher: implement secure gopher protocol
  - http: add Hyper as new optional HTTP backend
  - http: introduce AWS HTTP v4 Signature support
  * Bugfixes:
  - cmake: Add an option to disable libidn2
  - cmake: enable gophers correctly in curl-config
  - digest_sspi: Show InitializeSecurityContext errors in verbose mode
  - getinfo: build with disabled HTTP support
  - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
  - http_proxy: Fix CONNECT chunked encoding race condition
  - httpauth: make multi-request auth work with custom port
  - lib: pass in 'struct Curl_easy *' to most functions
  - lib: remove Curl_ prefix from many static functions
  - lib: save a bit of space with some structure packing
  - libssh: avoid plain free() of libssh-memory
  - mime: make sure setting MIMEPOST to NULL resets properly
  - multi_runsingle: bail out early on data->conn == NULL
  - ngtcp2: Fix http3 upload stall
  - ngtcp2: Fix stack buffer overflow
  - openssl: lowercase the hostname before using it for SNI
  - socks: use the download buffer instead
  - speedcheck: exclude paused transfers
  - tooĺ_writeout: fix the -w time output units
  - url: if IDNA conversion fails, fallback to Transitional
- Refresh libcurl-ocloexec.patch
- Enable zstd and brotli support
- Update to 7.74.0
  * Changes:
    hsts: add experimental support for Strict-Transport-Security
  * Bugfixes:
  - Inferior OCSP verification  [bsc#1179593, CVE-2020-8286]
  - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285]
  - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284]
  - Revert "/multi: implement wait using winsock events"/
  - openssl: free mem_buf in error path
  - ntlm: avoid malloc(0) on zero length user and domain
  - ngtcp2: use the minimal version of QUIC supported by ngtcp2
  - ngtcp2: advertise h3 ALPN unconditionally
  - file: avoid duplicated code sequence
  - openssl: guard against OOM on context creation
  - docs: document the 8MB input string limit for curl_easy_escape
    and curl_easy_setopt()
  - hsts: add read/write callbacks
  - hsts: add support for Strict-Transport-Security
  - alt-svc: enable by default
  - checksrc: warn on empty line before open brace
  - connect: repair build without ipv6 availability
  - new home
  - ftp: retry getpeername for FTP with TCP_FASTOPEN
  - gnutls: fix memory leaks (certfields memory wasn't released)
  - http: pass correct header size to debug callback for chunked post
  - libssh2: fix transport over HTTPS proxy
  - openssl: guard against OOM on context creation
  - openssl: use OPENSSL_init_ssl() with >= 1.1.0
  - Revert "/multi: implement wait using winsock events"/
  - socks: check for DNS entries with the right port number
  - tool_operate: --retry for HTTP 408 responses too
  - tool_operate: bail out proper on errors during parallel transfers
  - urlapi: don't accept blank port number field without scheme
  - urlapi: URL encode a '+' in the query part
  - vquic/ngtcp2.h: define local_addr as sockaddr_storage
- Update check section:
  * runtests now supports dynamically base64 encoded sections in tests
  * Replace env interpreter for perl and python3
- Remove curl-use_OPENSSL_config.patch since the OpenSSL initialization
  has been updated to use OPENSSL_init_ssl() with >= 1.1.0
- Update patches to fix compiling warnings:
  * curl-disabled-redirect-protocol-message.patch
  * libcurl-ocloexec.patch
- Enable test 1165
- Update to 7.73.0
  * Changes:
  - curl: add --output-dir
  - curl: support XDG_CONFIG_HOME to find .curlrc
  - curl: update --help with categories
  - curl_easy_option_*: new API for meta-data about easy options
  - CURLE_PROXY: new error code
  - mqtt: enable by default
  - sftp: add new quote commands 'atime' and 'mtime'
  - ssh: add the option CURLKHSTAT_FINE_REPLACE
  - tls: add CURLOPT_SSL_EC_CURVES and --curves
  * Bugfixes:
  - base64: also build for smtp, pop3 and imap
  - cleanups: avoid curl_ on local variables
  - configure: let --enable-debug set -Wenum-conversion with gcc >= 10
  - conn: check for connection being dead before reuse
  - curl: in retry output don't call all problems "/transient"/
  - curl: make checkpasswd, file2memory, file2string and
    glob_match_url use dynbuf
  - curl: retry delays in parallel mode no longer sleeps blocking
  - curl: use curlx_dynbuf for realloc when loading config files
  - curl:parallel_transfers: make sure retry readds the transfer
  - curl_get_line: build only if cookies or alt-svc are enabled
  - Curl_pgrsTime - return new time to avoid timeout integer overflow
  - Curl_send: return error when pre_receive_plain can't malloc
  - dynbuf: make sure Curl_dyn_tail() zero terminates
  - etag: save and use the full received contents
  - ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
  - ftp: avoid risk of reading uninitialized integers
  - ftp: get rid of the PPSENDF macro
  - ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
  - ftp: separate FTPS from FTP over "/HTTPS proxy"/
  - HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
  - http: consolidate nghttp2_session_mem_recv() call paths
  - http_proxy: do not count proxy headers in the header bytecount
  - http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
  - imap: make imap_send use dynbuf for the send buffer management
  - imap: set cselect_bits to CURL_CSELECT_IN initially
  - lib1560: verify "/redirect"/ to double-slash leading URL
  - lib: make Curl_gethostname accept a const pointer
  - libssh2: handle the SSH protocols done over HTTPS proxy
  - libssh2: pass on the error from ssh_force_knownhost_key_type
  - memdebug: remove 9 year old unused debug function
  - multi: expand pre-check for socket readiness
  - ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
  - ngtcp2: adapt to the new pkt_info arguments
  - openssl: avoid error conditions when importing native CA
  - openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
  - parsedate: tune the date to epoch conversion
  - pause: only trigger a reread if the unpause sticks
  - pingpong: use a dynbuf for the *_pp_sendf() function
  - runtests: allow creating files without newlines
  - runtests: allow generating a binary sequence from hex
  - runtests: clear pid variables when failing to start a server
  - schannel: fix memory leak when using get_cert_location
  - schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
  - sectransp: make it build with --disable-proxy
  - select.h: make socket validation macros test for INVALID_SOCKET
  - select: align poll emulation to return all relevant events
  - select: fix poll-based check not detecting connect failure
  - select: simplify return code handling for poll and select
  - setopt: if the buffer exists, refuse the new BUFFERSIZE
  - setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
  - socketpair: allow CURL_DISABLE_SOCKETPAIR
  - sockfilt: handle FD_CLOSE winsock event on write socket
  - symbian: drop support
  - tests: remove pipelining tests
  - tls: fix SRP detection by using the proper #ifdefs
  - tls: provide the CApath verbose log on its own line
  - tool_setopt: escape binary data to hex, not octal
  - url: use blank credentials when using proxy w/o username and password
  - urlapi: use more Curl_safefree
  - vtls: deduplicate client certificates in ssl_config_data
- Update to 7.72.0 [bsc#1175109, CVE-2020-8231]
  * Changes:
  - content_encoding: add zstd decoding support
  - CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
  * Bugfixes:
  - CVE-2020-8231: libcurl: wrong connect-only connection
  - curl-config: ignore REQUIRE_LIB_DEPS in --libs output
  - curl: improve the existing file check with -J
  - curl_multi_setopt: fix compiler warning "/result is always false"/
  - curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
  - docs: Add video link to docs/
  - docs: clarify MAX_SEND/RECV_SPEED functionality
  - ftp: don't do ssl_shutdown instead of ssl_close
  - ftpserver: don't verify SMTP MAIL FROM names
  - getinfo: reset retry-after value in initinfo
  - gnutls: repair the build with 'CURL_DISABLE_PROXY'
  - gtls: survive not being able to get name/issuer
  - h2: repair trailer handling
  - http2: close the http2 connection when no more requests may be sent
  - http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
  - libssh2: s/ssherr/sftperr/
  - mprintf: Fix dollar string handling
  - mprintf: Fix stack overflows
  - multi_remove_handle: close unused connect-only connections
  - ngtcp2: adapt to error code rename
  - ngtcp2: adjust to recent sockaddr updates
  - ngtcp2: update to modified qlog callback prototype
  - ntlm: free target_info before (re-)malloc
  - page-header: provide protocol details in the curl.1 man page
  - quiche: handle calling disconnect twice
  - setopt: unset NOBODY switches to GET if still HEAD
  - smtp_parse_address: handle blank input string properly
  - socks: use size_t for size variable
  - tls-max.d: this option is only for TLS-using connections
  - tlsv1.3.d. only for TLS-using connections
  - tool_getparam: make --krb option work again
  - transfer: fix data_pending for builds with both h2 and h3 enabled
  - transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
  - transfer: move retrycount from connect struct to easy handle
  - url: fix CURLU and location following
- Update to 7.71.1
  * Bugfixes:
  - Curl_inet_ntop: always check the return code
  - CURLOPT_READFUNCTION.3: provide the upload data size up front
  - escape: make the URL decode able to reject only %00-bytes
  - escape: zero length input should return a zero length output
  - examples/multithread.c: call curl_global_cleanup()
  - http2: set the correct URL in pushed transfers
  - http: fix proxy auth with blank password
  - mbedtls: fix build with disabled proxy support
  - ngtcp2: sync with current master
  - Revert "/multi: implement wait using winsock events"/
  - sendf: improve the message on client write errors
  - terminology: call them null-terminated strings
  - tool_cb_hdr: Fix etag warning output and return code
  - url: allow user + password to contain "/control codes"/ for HTTP(S)
  - vtls: compare cert blob when finding a connection to reuse
- Update to 7.71.0 [bsc#1173026, CVE-2020-8169][bsc#1173027, CVE-2020-8177]
  * Changes:
  - CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
  - setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
  - setopt: support certificate options in memory with struct curl_blob
  - tool: Add option --retry-all-errors to retry on any error
  * Bugfixes:
  - *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
  - altsvc: bump to h3-29
  - altsvc: fix 'dsthost' may be used uninitialized in this function
  - altsvc: fix parser for lines ending with CRLF
  - altsvc: remove the num field from the altsvc struct
  - asyn-*: remove support for never-used NULL entry pointers
  - azure: use matrix strategy to avoid configuration redundancy
  - build: disable more code/data when built without proxy support
  - buildconf: remove -print from the find command that removes files
  - checksrc: enhance the ASTERISKSPACE and update code accordingly
  - cirrus: disable SFTP and SCP tests
  - CMake: add ENABLE_ALT_SVC option
  - CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
  - CMake: add libssh build support
  - configure: fix pthread check with static boringssl
  - configure: for wolfSSL, check for the DES func needed for NTLM
  - configure: only strip first -L from LDFLAGS
  - configure: repair the check if argv can be written to
  - configure: the wolfssh backend does not provide SCP
  - connect: improve happy eyeballs handling
  - connect: make happy eyeballs work for QUIC (again)
  - curl: remove -J "/informational"/ written on stdout
  - Curl_addrinfo: use one malloc instead of three
  - dynbuf: introduce internal generic dynamic buffer functions
  - easy: fix dangling pointer on easy_perform fail
  - examples/ephiperfifo: turn off interval when setting timerfd
  - examples/http2-down/upload: add error checks
  - FILEFORMAT: add more features that tests can depend on
  - FILEFORMAT: describe verify/stderr
  - ftp: make domore_getsock() return the secondary socket properly
  - ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
  - ftp: shut down the secondary connection properly when SSL is used
  - GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
  - hostip: make Curl_printable_address not return anything
  - http2: keep trying to send pending frames after req.upload_done
  - http2: simplify and clean up trailer handling
  - http: move header storage to Curl_easy from connectdata
  - libssh2: improved error output for wrong quote syntax
  - libssh2: keep sftp errors as 'unsigned long'
  - libssh2: set the expected total size in SCP upload init
  - multi: add defensive check on data->multi->num_alive
  - multi: implement wait using winsock events
  - ngtcp2: cleanup memory when failing to connect
  - ngtcp2: fix build with current ngtcp2 master implementing draft 28
  - ngtcp2: fix happy eyeballs quic connect crash
  - ngtcp2: introduce qlog support
  - ngtcp2: never call fprintf() in lib code in release version
  - ngtcp2: update with recent API changes
  - ntlm: enable NTLM support with wolfSSL
  - openssl: set FLAG_TRUSTED_FIRST unconditionally
  - projects: Add crypt32.lib to dependencies for all OpenSSL configs
  - quiche: clean up memory properly when failing to connect
  - quiche: enable qlog output
  - quiche: update SSLKEYLOGFILE support
  - Revert "/ssh: ignore timeouts during disconnect"/
  - select: fix overflow protection in Curl_socket_check
  - sendf: make failf() use the mvsnprintf() return code
  - server/sws: fix asan warning on use of uninitialized variable
  - server/util: fix logmsg format using curl_off_t argument
  - sha256: fixed potentially uninitialized variable
  - share: don not set the share flag it something fails
  - sockfilt: make select_ws stop waiting on exit signal event
  - socks: detect connection close during handshake
  - socks: fix expected length of SOCKS5 reply
  - socks: remove unreachable breaks in socks.c and mime.c
  - source cleanup: remove all custom typedef structs
  - timeouts: change millisecond timeouts to timediff_t from time_t
  - timeouts: move ms timeouts to timediff_t from int and long
  - tool_cfgable: free login_options at exit
  - tool_getparam: -i is not OK if -J is used
  - tool_getparam: fix memory leak in parse_args
  - tool_operate: fixed potentially uninitialized variables
  - tool_paramhlp: fixed potentially uninitialized strtol() variable
  - transfer: close connection after excess data has been read
  - typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
  - unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
  - url: accept "/any length"/ credentials for proxy auth
  - url: alloc the download buffer at transfer start
  - url: make the updated credentials URL-encoded in the URL
  - url: reject too long input when parsing credentials
  - url: sort the protocol schemes in rough popularity order
  - urlapi: accept :: as a valid IPv6 address
  - urldata: leave the HTTP method untouched in the set.* struct
  - urlglob: treat literal IPv6 addresses with zone IDs as a host name
  - user-agent.d: spell out what happens given a blank argument
  - vauth/cleartext: fix theoretical integer overflow
  - version.d: expanded and alpha-sorted
  - vtls: Extract and simplify key log file handling from OpenSSL
  - wolfssl: add SSLKEYLOGFILE support
  - wording: avoid blacklist/whitelist stereotypes
  - write-out.d: added "/response_code"/
- Change with-gssapi configure parameter: krb5 is changing location
  in the future: ask krb5-config about the correct prefix values.
- Update to 7.70.0
  * Changes:
  - curl: add --ssl-revoke-best-effort to allow a "/best effort"/ revocation check
  - mqtt: add new experimental protocol
  - schannel: add "/best effort"/ revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT
  - writeout: support to generate JSON output with '%{json}'
  * Bugfixes:
  - gnutls: Don't skip really long certificate fields
  - gnutls: ensure TLS 1.3 when SRP isn't requested
  - lib: never define CURL_CA_BUNDLE with a getenv
  - libcurl-multi.3: added missing full stop
  - libssh: avoid options override by configuration files
  - libssh: Use new ECDSA key types to check known hosts
  - tons of other fixes
- Update to 7.69.1
  * Bugfixes:
  - ares: store dns parameters for duphandle
  - cirrus-ci: disable the FreeBSD 13 builds
  - curl_share_setopt.3: Note sharing cookies doesn't enable the engine
  - lib1564: reduce number of mid-wait wakeup calls
  - libssh: Fix matching user-specified MD5 hex key
  - MANUAL: update a dict-using command line
  - mime: do not perform more than one read in a row
  - mime: fix the binary encoder to handle large data properly
  - mime: latch last read callback status
  - multi: skip EINTR check on wakeup socket if it was closed
  - pause: bail out on bad input
  - pause: force a connection recheck after unpausing (take 2)
  - pause: return early for calls that don't change pause state
  - runtests.1: rephrase how to specify what tests to run
  - runtests: fix missing use of exe_ext helper function
  - seek: fix fall back for missing ftruncate on Windows
  - sftp: fix segfault regression introduced by #4747 in 7.69.0
  - sha256: Added SecureTransport implementation
  - sha256: Added WinCrypt implementation
  - socks4: fix host resolve regression
  - socks5: host name resolv regression fix
  - tests/server: fix missing use of exe_ext helper function
  - tests: fix static ip:port instead of dynamic values being used
  - tests: make sleeping portable by avoiding select
  - unit1612: fix the inclusion and compilation of the HMAC unit test
  - urldata: remove the 'stream_was_rewound' connectdata struct member
  - version: make curl_version* thread-safe without using global context
- ignore_runtests_failure.patch: remove, no longer needed
- Update to 7.69.0
  * Changes:
  - polarssl: removed
  - smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
  - wolfSSH: new SSH backend
  * Bugfixes:
  - altsvc: improved header parser
  - altsvc: keep a copy of the file name to survive handle reset
  - altsvc: make saving the cache an atomic operation
  - altsvc: use h3-27
  - azure: disable brotli on the macos debug-builds
  - build: remove all HAVE_OPENSSL_ENGINE_H defines
  - cleanup: fix several comment typos
  - cleanup: fix typos and wording in docs and comments
  - cmake: add support for CMAKE_LTO option
  - cmake: clean up and improve build procedures
  - cmake: Show HTTPS-proxy in the features output
  - cmake: use check_symbol_exists also for inet_pton
  - fix comments about --with-quiche
  - configure: disable metalink if mbedTLS is specified
  - configure: disable metalink support for incompatible SSL/TLS
  - conn: do not reuse connection if SOCKS proxy credentials differ
  - conncache: removed unused Curl_conncache_bundle_size()
  - connect: remove some spurious infof() calls
  - connection reuse: respect the max_concurrent_streams limits
  - cookie: check __Secure- and __Host- case sensitively
  - cookies: make saving atomic with a rename
  - create-dirs.d: mention the mode
  - curl: avoid using strlen for testing if a string is empty
  - curl: error on --alt-svc use w/o support
  - curl: let -D merge headers in one file again
  - curl: make #0 not output the full URL
  - curl: make the -# spaceship bar not wrap the line
  - curl: remove 'config' field from OutStruct
  - curl:progressbarinit: ignore column width from terminals < 20
  - curl_escape.3: add a link to curl_free
  - curl_getenv.3: fix the memory handling description
  - curl_global_init: assume the EINTR bit by default
  - curl_global_init: move the IPv6 works status bool to multi handle
  - CURLINFO_COOKIELIST.3: Fix example
  - CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
  - CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
  - data.d: remove "/Multiple files can also be specified"/
  - digest: do not quote algorithm in HTTP authorisation
  - docs/HTTP3: add --enable-alt-svc to curl's configure
  - docs/HTTP3: update the OpenSSL branch to use for ngtcp2
  - docs: fix typo on CURLINFO_RETRY_AFTER
  - easy: remove dead code
  - form.d: fix two minor typos
  - ftp: convert 'sock_accepted' to a plain boolean
  - ftp: remove superfluous checking for crlf in user or pwd
  - ftp: shrink temp buffers used for PORT
  - github: Instructions to post "/uname -a"/ on Unix systems in issues
  - GnuTLS: always send client cert
  - gtls: fixed compilation when using GnuTLS < 3.5.0
  - hostip: move code to resolve IP address literals to 'Curl_resolv'
  - HTTP-COOKIES: describe the cookie file format
  - HTTP-COOKIES: mention that a trailing newline is required
  - http2: make pausing/unpausing set/clear local stream window
  - http2: now requires nghttp2 >= 1.12.0
  - http: added 417 response treatment
  - http: increase EXPECT_100_THRESHOLD to 1Mb
  - http: mark POSTs with no body as "/upload done"/ from the start
  - http: move "/oauth_bearer"/ from connectdata to Curl_easy
  - include: remove non-curl prefixed defines
  - KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
  - libssh2: add support for forcing a hostkey type
  - libssh2: fix variable type
  - libssh: improve known hosts handling
  - llist: removed unused Curl_llist_move()
  - location.d: the method change is from POST to GET only
  - md4: fixed compilation issues when using GNU TLS gcrypt
  - md4: use init/update/final functions in Secure Transport
  - md5: added implementation for mbedTLS
  - mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
  - multi: change curl_multi_wait/poll to error on negative timeout
  - multi: fix outdated comment
  - multi: if Curl_readwrite sets 'comeback' use expire, not loop
  - multi_done: if multiplexed, make conn->data point to another transfer
  - multi_wait: stop loop when sread() returns zero
  - ngtcp2: add error code for QUIC connection errors
  - ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
  - ngtcp2: update to git master and its draft-25 support
  - ntlm: removed the dependency on the TLS libaries when using MD5
  - ntlm_wb: use Curl_socketpair() for greater portability
  - oauth2-bearer.d: works for HTTP too
  - openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
  - openssl: remove redundant assignment
  - os400: fixed the build
  - pause: force-drain the transfer on unpause
  - quiche: update to draft-25
  - README: mention that the docs is in docs/
  - runtests: make random seed fixed for a month
  - runtests: restore the command log
  - schannel_verify: Fix alt names manual verify for UNICODE builds
  - sha256: use crypto implementations when available
  - support new API functions, fix curl_dbg_ handling
  - smtp: support the SMTPUTF8 extension
  - smtp: support UTF-8 based host names in MAIL FROM
  - SOCKS: make the connect phase non-blocking
  - strcase: turn Curl_raw_tolower into static
  - strerror: increase STRERROR_LEN 128 -> 256
  - test1323: added missing 'unit test' feature requirement
  - tests: add a unit test for MD4 digest generation
  - tests: add a unit test for SHA256 digest generation
  - tests: add a unit test for the HMAC hash generation
  - tests: deduce the tool name from the test case for unit tests
  - tests: fix Python 3 compatibility of
  - tool_dirhie: allow directory traversal during creation
  - tool_homedir: change GetEnv() to use libcurl's curl_getenv()
  - url: include the failure reason when curl_win32_idn_to_ascii() fails
  - urlapi: guess scheme properly with credentials given
  - urldata: do string enums without #ifdefs for build scripts
  - vtls: refactor Curl_multissl_version to make the code clearer
- Refresh patches:
  * curl-secure-getenv.patch
  * libcurl-ocloexec.patch
- Eliminate curl-mini: The reason for this to exist was that cmake
  pulled in curl into too many places, causing build cycles. A new
  cmake-mini was generated, eliminating that need.
- Update to 7.68.0
  * Changes:
  - TLS: add BearSSL vtls implementation
  - curl: add --etag-compare and --etag-save
  - curl: add --parallel-immediate
  - multi: add curl_multi_wakeup()
  - openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
  * Bugfixes:
  - CVE-2019-15601: file: on Windows, refuse paths that start with /
  - Azure Pipelines: add several builds
  - CMake: add support for building with the NSS vtls backend
  - CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
  - CURLOPT_HEADERFUNCTION.3: Document that size is always 1
  - CURLOPT_QUOTE.3: fix typos
  - CURLOPT_READFUNCTION.3: fix the example
  - CURLOPT_URL.3: "/curl supports SMB version 1 (only)"/
  - HISTORY: added cmake, HTTP/3 and parallel downloads with curl
  - HISTORY: the SMB(S) support landed in 2014
  - provide Android build instructions
  - KNOWN_BUGS: Connection information when using TCP Fast Open
  - KNOWN_BUGS: LDAP on Windows doesn't work correctly
  - KNOWN_BUGS: TLS session cache doesn't work with TFO
  - OPENSOCKETFUNCTION.3: correct the purpose description
  - TrackMemory tests: always remove CR before LF
  - altsvc: bump to h3-24
  - altsvc: make the save function ignore NULL filenames
  - build: Disable Visual Studio warning "/conditional expression is constant"/
  - build: fix for CURL_DISABLE_DOH
  - checksrc.bat: Add a check for vquic and vssh directories
  - checksrc: repair the copyrightyear check
  - cirrus-ci: enable clang sanitizers on freebsd 13
  - cirrus: Drop the FreeBSD 10.4 build
  - config-win32: cpu-machine-OS for Windows on ARM
  - configure: avoid unportable `==' test(1) operator
  - configure: enable IPv6 support without `getaddrinfo`
  - configure: fix typo in help text
  - conncache: CONNECT_ONLY connections assumed always in-use
  - conncache: fix multi-thread use of shared connection cache
  - copyrights: fix copyright year range
  - create_conn: prefer multiplexing to using new connections
  - curl -w: handle a blank input file correctly
  - curl.h: add two missing defines for "/pre ISO C"/ compilers
  - curl/parseconfig: fix mem-leak
  - curl/parseconfig: use curl_free() to free memory allocated by libcurl
  - curl: cleanup multi handle on failure
  - curl: fix --upload-file . hangs if delay in STDIN
  - curl: fix -T globbing
  - curl: improved cleanup in upload error path
  - curl: make a few char pointers point to const char instead
  - curl: properly free mimepost data
  - curl: show better error message when no homedir is found
  - curl: show error for --http3 if libcurl lacks support
  - curl_setup_once: consistently use WHILE_FALSE in macros
  - define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
  - docs: Change 'experiemental' to 'experimental'
  - docs: TLS SRP doesn't work with TLS 1.3
  - docs: fix several typos
  - docs: mention CURL_MAX_INPUT_LENGTH restrictions
  - doh: improved both encoding and decoding
  - doh: make it behave when built without proxy support
  - examples/postinmemory.c: Call curl_global_cleanup always
  - examples/url2file.c: corrected erroneous comment
  - examples: add multi-poll.c
  - global_init: undo the "/intialized"/ bump in case of failure
  - hostip: suppress compiler warning
  - http_ntlm: Remove duplicate NSS initialisation
  - lib: Move lib/ssh.h -> lib/vssh/ssh.h
  - lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
  - lib: fix warnings found when porting to NuttX
  - lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
  - lib: remove erroneous +x file permission on some c files
  - libssh2: add support for ECDSA and ed25519 knownhost keys
  - multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
  - multi: free sockhash on OOM
  - multi_poll: avoid busy-loop when called without easy handles attached
  - ngtcp2: Support the latest update key callback type
  - ngtcp2: fix thread-safety bug in error-handling
  - ngtcp2: free used resources on disconnect
  - ngtcp2: handle key updates as ngtcp2 master branch tells us
  - ngtcp2: increase QUIC window size when data is consumed
  - ngtcp2: use overflow buffer for extra HTTP/3 data
  - ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
  - ntlm_wb: fix double-free in OOM
  - openssl: Revert to less sensitivity for SYSCALL errors
  - openssl: improve error message for SYSCALL during connect
  - openssl: prevent recursive function calls from ctx callbacks
  - openssl: retrieve reported LibreSSL version at runtime
  - openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
  - parsedate: offer a getdate_capped() alternative
  - pause: avoid updating socket if done was already called
  - projects: Fix Visual Studio projects SSH builds
  - projects: Fix Visual Studio wolfSSL configurations
  - quiche: reject HTTP/3 headers in the wrong order
  - remove_handle: clear expire timers after multi_done()
  - runtests: --repeat=[num] to repeat tests
  - runtests: introduce --shallow to reduce huge torture tests
  - schannel: fix --tls-max for when min is --tlsv1 or default
  - setopt: Fix ALPN / NPN user option when built without HTTP2
  - strerror: Add Curl_winapi_strerror for Win API specific errors
  - strerror: Fix an error looking up some Windows error strings
  - strerror: Fix compiler warning "/empty expression"/
  - system.h: fix for MCST lcc compiler
  - test/sws: search for "/Testno:"/ header unconditionally if no testno
  - test1175: verify symbols-in-versions and libcurl-errors.3 in sync
  - test1270: a basic -w redirect_url test
  - test1456: remove the use of a fixed local port number
  - test1558: use double slash after file:
  - test1560: require IPv6 for IPv6 aware URL parsing
  - tests/lib1557: fix mem-leak in OOM
  - tests/lib1559: fix mem-leak in OOM
  - tests/lib1591: free memory properly on OOM, in the trailers callback
  - tests/unit1607: fix mem-leak in OOM
  - tests/unit1609: fix mem-leak in OOM
  - tests/unit1620: fix bad free in OOM
  - tests: Change NTLM tests to require SSL
  - tests: Fix bounce requests with truncated writes
  - tests: fix build with `CURL_DISABLE_DOH`
  - tests: fix permissions of ssh keys in WSL
  - tests: make it possible to set executable extensions
  - tests: make sure checksrc runs on header files too
  - tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
  - tests: use DoH feature for DoH tests
  - tests: use rn for log messages in WSL
  - tool_operate: fix mem leak when failed config parse
  - travis: Fix error detection
  - travis: abandon coveralls, it is not reliable
  - travis: build ngtcp2 with --enable-lib-only
  - travis: export the CC/CXX variables when set
  - vtls: make BearSSL possible to set with CURL_SSL_BACKEND
  - winbuild: Define CARES_STATICLIB when WITH_CARES=static
  - winbuild: Document CURL_STATICLIB requirement for static libcurl
- Remove curl-expire-clear.patch
- Fix segfault in zypper ref: [bsc#1156481]
  * remove_handle: clear expire timers after multi_done()
  * Add patch curl-expire-clear.patch
- Update spec file with spec-cleaner
- Update to 7.67.0
  * Changes:
  - curl: added --no-progress-meter
  - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
  * Bugfixes:
  - BINDINGS: five new bindings addded
  - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
  - CURLOPT_TIMEOUT.3: remove the mention of "/minutes"/
  - ESNI: initial build/setup support
  - FTP: FTPFILE_NOCWD: avoid redundant CWDs
  - FTP: allow "/rubbish"/ prepended to the SIZE response
  - FTP: remove trailing slash from path for LIST/MLSD
  - FTP: skip CWD to entry dir when target is absolute
  - FTP: url-decode path before evaluation
  - move -p for mkdir, remove -j for make
  - HTTP3: fix invalid use of sendto for connected UDP socket
  - HTTP3: fix prefix parameter for ngtcp2 build
  - HTTP3: show an --alt-svc using example too
  - INSTALL: add missing space for configure commands
  - INSTALL: add vcpkg installation instructions
  - altsvc: accept quoted ma and persist values
  - altsvc: both backends run h3-23 now
  - appveyor: Add MSVC ARM64 build
  - appveyor: Use two parallel compilation on appveyor with CMake
  - appveyor: add --disable-proxy autotools build
  - appveyor: publish artifacts on appveyor
  - appveyor: upgrade VS2017 to VS2019
  - asyn-thread: make use of Curl_socketpair() where available
  - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
  - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
  - checksrc: fix uninitialized variable warning
  - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
  - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
  - cirrus: switch off blackhole status on the freebsd CI machines
  - cleanups: 21 various PVS-Studio warnings
  - configure: only say ipv6 enabled when the variable is set
  - configure: remove all cyassl references
  - conn-reuse: requests wanting NTLM can reuse non-NTLM connections
  - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
  - connect: silence sign-compare warning
  - cookie: avoid harmless use after free
  - cookie: pass in the correct cookie amount to qsort()
  - cookies: change argument type for Curl_flush_cookies
  - cookies: using a share with cookies shouldn't enable the cookie engine
  - copyrights: update copyright notices to 2019
  - curl: create easy handles on-demand and not ahead of time
  - curl: ensure HTTP 429 triggers --retry
  - curl: exit the create_transfers loop on errors
  - curl: fix memory leaked by parse_metalink()
  - curl: load large files with -d @ much faster
  - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
  - docs: added multi-event.c example
  - docs: disambiguate CURLUPART_HOST is for host name (ie no port)
  - docs: note on failed handles not being counted by curl_multi_perform
  - doh: allow only http and https in debug mode
  - doh: avoid truncating DNS QTYPE to lower octet
  - doh: clean up dangling DOH memory on easy close
  - doh: fix (harmless) buffer overrun
  - doh: fix undefined behaviour and open up for gcc and clang optimization
  - doh: return early if there is no time left
  - examples/sslbackend: fix -Wchar-subscripts warning
  - gnutls: make gnutls_bye() not wait for response on shutdown
  - http2: expire a timeout at end of stream
  - http2: prevent dup'ed handles to send dummy PRIORITY frames
  - http2: relax verification of :authority in push promise requests
  - http2_recv: a closed stream trumps pause state
  - http: lowercase headernames for HTTP/2 and HTTP/3
  - ldap: Stop using wide char version of ldapp_err2string
  - ldap: fix OOM error on missing query string
  - mbedtls: add error message for cert validity starting in the future
  - mime: when disabled, avoid C99 macro
  - ngtcp2: adapt to API change
  - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
  - ngtcp2: remove fprintf() calls
  - openssl: close_notify on the FTP data connection doesn't mean closure
  - openssl: use strerror on SSL_ERROR_SYSCALL
  - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
  - parsedate: fix date parsing disabled builds
  - quiche: don't close connection at end of stream
  - quiche: persist connection details (fixes -I with --http3)
  - quiche: set 'drain' when returning without having drained the queues
  - quiche: update HTTP/3 config creation to new API
  - redirect: handle redirects to absolute URLs containing spaces
  - runtests: get textaware info from curl instead of perl
  - schannel: reverse the order of certinfo insertions
  - schannel_verify: Fix concurrent openings of CA file
  - security: silence conversion warning
  - setopt: handle ALTSVC set to NULL
  - setopt: make it easier to add new enum values
  - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
  - smb: check for full size message before reading message details
  - smbserver: fix Python 3 compatibility
  - socks: Fix destination host shown on SOCKS5 error
  - test1162: disable MSYS2's POSIX path conversion
  - test1591: fix spelling of http feature
  - tests: add 'connect to non-listen' keywords
  - tests: fix narrowing conversion warnings
  - tests: fix the test 3001 cert failures
  - tests: makes tests succeed when using --disable-proxy
  - tests: use %FILE_PWD for file:// URLs
  - tests: use port 2 instead of 60000 for a safer non-listening port
  - tool_operate: Fix retry sleep time shown to user when Retry-After
  - url: Curl_free_request_state() should also free doh handles
  - url: don't set appconnect time for non-ssl/non-ssh connections
  - url: fix the NULL hostname compiler warning
  - url: normalize CURLINFO_EFFECTIVE_URL
  - url: only reuse TLS connections with matching pinning
  - urlapi: avoid index underflow for short ipv6 hostnames
  - urlapi: fix URL encoding when setting a full URL
  - urlapi: question mark within fragment is still fragment
  - urldata: use 'bool' for the bit type on MSVC compilers
  - vtls: fix narrowing conversion warnings
- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
  * Changes:
  - CURLINFO_RETRY_AFTER: parse the Retry-After header value
  - HTTP3: initial (experimental still not working) support
  - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
  - curl: support parallel transfers with -Z
  - curl_multi_poll: a sister to curl_multi_wait() that waits more
  - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  * Bugfixes:
  - CVE-2019-5481: FTP-KRB double-free
  - CVE-2019-5482: TFTP small blocksize heap buffer overflow
  - CMake: remove needless newlines at end of gss variables
  - CMake: use platform dependent name for dlopen() library
  - CURLINFO docs: mention that in redirects times are added
  - CURLOPT_ALTSVC.3: use a "/"/ file name to not load from a file
  - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
  - CURLOPT_READFUNCTION.3: provide inline example
  - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
  - Curl_addr2string: take an addrlen argument too
  - Curl_fillreadbuffer: avoid double-free trailer buf on error
  - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
  - alt-svc: add protocol version selection masking
  - alt-svc: fix removal of expired cache entry
  - alt-svc: make it use h3-22 with ngtcp2 as well
  - alt-svc: more liberal ALPN name parsing
  - alt-svc: send Alt-Used: in redirected requests
  - alt-svc: with quiche, use the quiche h3 alpn string
  - asyn-thread: create a socketpair to wait on
  - cleanup: move functions out of url.c and make them static
  - cleanup: remove the 'numsocks' argument used in many places
  - configure: avoid undefined check_for_ca_bundle
  - curl.h: add CURL_HTTP_VERSION_3 to the version enum
  - curl: cap the maximum allowed values for retry time arguments
  - curl: handle a libcurl build without netrc support
  - curl: make use of CURLINFO_RETRY_AFTER when retrying
  - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
  - curl_global_init_mem.3: mention it was added in 7.12.0
  - curl_version: bump string buffer size to 250
  - curl_version_info.3: mentioned ALTSVC and HTTP3
  - curl_version_info: offer quic (and h3) library info
  - curl_version_info: provide nghttp2 details
  - defines: avoid underscore-prefixed defines
  - docs/ALTSVC: remove what works and the experimental explanation
  - docs/EXPERIMENTAL: explain what it means and what's experimental now
  - docs/ converted to markdown from plain text
  - docs/examples/curlx: fix errors
  - docs: s/curl_debug/curl_dbg_debug in comments and docs
  - easy: resize receive buffer on easy handle reset
  - examples: Avoid reserved names in hiperfifo examples
  - examples: add http3.c, altsvc.c and http3-present.c
  - http09: disable HTTP/0.9 by default in both tool and library
  - http2: when marked for closure and wanted to close == OK
  - http2_recv: trigger another read when the last data is returned
  - http: fix use of credentials from URL when using HTTP proxy
  - http_negotiate: improve handling of gss_init_sec_context() failures
  - md4: Use our own MD4 when no crypto libraries are available
  - multi: call detach_connection before Curl_disconnect
  - nss: use TLSv1.3 as default if supported
  - openssl: build warning free with boringssl
  - openssl: use SSL_CTX_set__proto_version() when available
  - plan9: add support for running on Plan 9
  - progress: reset download/uploaded counter between transfers
  - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
  - scp: fix directory name length used in memcpy
  - smb: init *msg to NULL in smb_send_and_recv()
  - smtp: check for and bail out on too short EHLO response
  - source: remove names from source comments
  - spnego_sspi: add typecast to fix build warning
  - src/makefile: fix uncompressed hugehelp.c generation
  - ssh-libssh: do not specify O_APPEND when not in append mode
  - ssh: move code into vssh for SSH backends
  - sspi: fix memory leaks
  - tests: Replace outdated test case numbering documentation
  - tftp: return error when packet is too small for options
  - timediff: make it 64 bit (if possible) even with 32 bit time_t
  - travis: reduce number of torture tests in 'coverage'
  - url: make use of new HTTP version if alt-svc has one
  - urlapi: verify the IPv6 numerical address
  - urldata: avoid 'generic', use dedicated pointers
  - vauth: Use CURLE_AUTH_ERROR for auth function errors
- Update to 7.65.3
  * progress: make the progress meter appear again
- Update to 7.65.2
  * Bugfixes:
  - Explain Schannel error SEC_E_ALGORITHM_MISMATCH
  - CMake: Fix finding Brotli on case-sensitive file systems
  - CURLOPT_RANGE.3: Caution against using it for HTTP PUT
  - CURLOPT_SEEKDATA.3: fix variable name
  - bindlocal: detect and avoid IP version mismatches in bind()
  - build: fix Codacy warnings
  - c-ares: honor port numbers in CURLOPT_DNS_SERVERS
  - config-os400: add getpeername and getsockname defines
  - configure: --disable-progress-meter
  - configure: fix --disable-code-coverage
  - configure: more --disable switches to toggle off individual features
  - configure: remove CURL_DISABLE_TLS_SRP
  - conn_maxage: move the check to prune_dead_connections()
  - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
  - docs: Explain behavior change in --tlsv1. options since 7.54
  - docs: Fix links to OpenSSL docs
  - docs: fix string suggesting HTTP/2 is not the default
  - headers: Remove no longer exported functions
  - http2: call done_sending on end of upload
  - http2: don't call stream-close on already closed streams
  - http2: remove CURL_DISABLE_TYPECHECK define
  - http: allow overriding timecond with custom header
  - http: clarify header buffer size calculation
  - krb5: fix compiler warning
  - lib: Use UTF-8 encoding in comments
  - libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
  - multi: enable multiplexing by default (again)
  - multi: fix the transfer hashes in the socket hash entries
  - multi: make sure 'data' can present in several sockhash entries
  - netrc: Return the correct error code when out of memory
  - nss: don't set unused parameter
  - nss: inspect returnvalue of token check
  - nss: only cache valid CRL entries
  - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
  - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
  - openssl: fix pubkey/signature algorithm detection in certinfo
  - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
  - quote.d: asterisk prefix works for SFTP as well
  - runtests: keep logfiles around by default
  - runtests: report single test time + total duration
  - test1165: verify that CURL_DISABLE_ symbols are in sync
  - test1521: adapt to SLISTPOINT
  - test1523: test CURLOPT_LOW_SPEED_LIMIT
  - test153: fix content-length to avoid occasional hang
  - test188/189: fix Content-Length
  - tests: have runtests figure out disabled features
  - tests: support non-localhost HOSTIP for dict/smb servers
  - tests: update fixed IP for hostip/clientip split
  - tool_cb_prg: Fix integer overflow in progress bar
  - typecheck: CURLOPT_CONNECT_TO takes an slist too
  - typecheck: add 3 missing strings and a callback data pointer
  - unit1654: cleanup on memory failure
  - unpause: trigger a timeout for event-based transfers
  - url: Fix CURLOPT_MAXAGE_CONN time comparison
- Rebased patch curl-use_OPENSSL_config.patch
- Disable new added failing test1165
- Update to 7.65.1
  * Bugfixes:
  - CURLOPT_LOW_SPEED_* repaired
  - NTLM: reset proxy "/multipass"/ state when CONNECT request is done
  - PolarSSL: deprecate support step 1. Removed from configure
  - cmake: check for if_nametoindex()
  - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
  - conncache: Remove the DEBUGASSERT on length check
  - conncache: make "/bundles"/ per host name when doing proxy tunnels
  - curl_share_setopt.3: improve wording
  - dump-header.d: spell out that no headers == empty file
  - example/http2-download: fix format specifier
  - examples: cleanups and compiler warning fixes
  - http2: Stop drain from being permanently set
  - http: don't parse body-related headers in bodyless responses
  - md4: build correctly with openssl without MD4
  - md4: include the mbedtls config.h to get the MD4 info
  - multi: track users of a socket better
  - nss: allow to specify TLS 1.3 ciphers if supported by NSS
  - parse_proxy: make sure portptr is initialized
  - parse_proxy: use the IPv6 zone id if given
  - sectransp: handle errSSLPeerAuthCompleted from SSLRead()
  - singlesocket: use separate variable for inner loop
  - ssl: Update outdated "/openssl-only"/ comments for supported backends
  - tests: add HAProxy keywords
  - tests: make test 1420 and 1406 work with rtsp-disabled libcurl
  - tls13-docs: mention it is only for OpenSSL >= 1.1.1
  - tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
  - url: fix bad feature-disable #ifdef
  - url: use correct port in ConnectionExists()
- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
  * Changes:
  - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
  - pipelining: removed
  * Bugfixes:
  - CVE-2019-5435: Integer overflows in curl_url_set
  - CVE-2019-5436: tftp: use the current blksize for recvfrom()
  - --config: clarify that initial : and = might need quoting
  - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
  - CURLOPT_ADDRESS_SCOPE: fix range check and more
  - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
  - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
  - Curl_disconnect: treat all CONNECT_ONLY connections as "/dead"/
  - OS400/ccsidcurl: replace use of Curl_vsetopt
  - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
  - WRITEFUNCTION: add missing set_in_callback around callback
  - altsvc: Fix building with cookies disabled
  - auth: Rename the various authentication clean up functions
  - base64: build conditionally if there are users
  - cmake: avoid linking executable for some tests with cmake 3.6+
  - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
  - cmake: set SSL_BACKENDS
  - configure: avoid unportable '==' test(1) operator
  - configure: error out if OpenSSL wasn't detected when asked for
  - configure: fix default location for fish completions
  - cookie: Guard against possible NULL ptr deref
  - curl: make code work with protocol-disabled libcurl
  - curl: report error for "/--no-"/ on non-boolean options
  - curlver.h: use parenthesis in CURL_VERSION_BITS macro
  - docs/INSTALL: fix broken link
  - doh: acknowledge CURL_DISABLE_DOH
  - doh: disable DOH for the cases it doesn't work
  - examples: remove unused variables
  - ftplistparser: fix LGTM alert "/Empty block without comment"/
  - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
  - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
  - http: acknowledge CURL_DISABLE_HTTP_AUTH
  - http: mark bundle as not for multiuse on < HTTP/2 response
  - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
  - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
  - http_ntlm: Corrected the name of the include guard
  - http_ntlm_wb: Handle auth for only a single request
  - http_ntlm_wb: Return the correct error on receiving an empty auth message
  - lib509: add missing include for strdup
  - lib557: initialize variables
  - mbedtls: enable use of EC keys
  - mime: acknowledge CURL_DISABLE_MIME
  - multi: improved HTTP_1_1_REQUIRED handling
  - netrc: acknowledge CURL_DISABLE_NETRC
  - nss: allow fifos and character devices for certificates
  - nss: provide more specific error messages on failed init
  - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
  - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
  - openssl: mark connection for close on TLS close_notify
  - openvms: Remove pre-processor for SecureTransport
  - parse_proxy: use the URL parser API
  - parsedate: disabled on CURL_DISABLE_PARSEDATE
  - pingpong: disable more when no pingpong protocols are enabled
  - polarssl_threadlock: remove conditionally unused code
  - progress: acknowledge CURL_DISABLE_PROGRESS_METER
  - proxy: acknowledge DISABLE_PROXY more
  - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
  - revert "/multi: support verbose conncache closure handle"/
  - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
  - sasl: only enable if there's a protocol enabled using it
  - singleipconnect: show port in the verbose "/Trying ..."/ message
  - socks5: user name and passwords must be shorter than 256
  - socks: fix error message
  - socksd: new SOCKS 4+5 server for tests
  - spnego_gssapi: fix return code on gss_init_sec_context() failure
  - ssh-libssh: remove unused variable
  - ssh: define USE_SSH if SSH is enabled (any backend)
  - ssh: move variable declaration to where it's used
  - test1002: correct the name
  - test2100: Fix typos in test description
  - tests: Run global cleanup at end of tests
  - tests: make Impacket (SMB server) Python 3 compatible
  - tool_cb_wrt: fix bad-function-cast warning
  - tool_formparse: remove redundant assignment
  - tool_help: Warn if curl and libcurl versions do not match
  - tool_help: include for strcasecmp
  - url: always clone the CUROPT_CURLU handle
  - url: convert the zone id from a IPv6 URL to correct scope id
  - urlapi: add CURLUPART_ZONEID to set and get
  - urlapi: increase supported scheme length to 40 bytes
  - urlapi: require a non-zero host name length when parsing URL
  - urlapi: stricter CURLUPART_PORT parsing
  - urlapi: strip off zone id from numerical IPv6 addresses
  - urlapi: urlencode characters above 0x7f correctly
  - vauth/cleartext: update the PLAIN login to match RFC 4616
  - vauth/oauth2: Fix OAUTHBEARER token generation
  - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
  - vtls: fix potential ssl_buffer stack overflow
  - wildcard: disable from build when FTP isn't present
  - xattr: skip unittest on unsupported platforms
- Install completions file from curl rather than from the fish package
- update to version 7.64.1
  * Changes:
  - alt-svc: experiemental support added
  - configure: add --with-amissl
  * Bugfixes:
  - AppVeyor: switch VS 2015 builds to VS 2017 image
  - CURLU: fix NULL dereference when used over proxy
  - Curl_easy: remove req.maxfd - never used!
  - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
  - DoH: inherit some SSL options from user's easy handle
  - Secure Transport: no more "/darwinssl"/
  - Secure Transport: tvOS 11 is required for ALPN support
  - cirrus: Added FreeBSD builds using Cirrus CI
  - cleanup: make local functions static
  - cli tool: do not use mime.h private structures
  - cmdline-opts/proxytunnel.d: the option tunnnels all protocols
  - configure: add additional libraries to check for LDAP support
  - configure: remove the unused fdopen macro
  - configure: show features as well in the final summary
  - conncache: use conn->data to know if a transfer owns it
  - connection: never reuse CONNECT_ONLY connections
  - connection_check: restore original conn->data after the check
  - connection_check: set ->data to the transfer doing the check
  - cookie: Add support for cookie prefixes
  - cookies: dotless names can set cookies again
  - cookies: fix NULL dereference if flushing cookies with no CookieInfo set
  - curl.1: --user and --proxy-user are hidden from ps output
  - curl.1: mark the argument to --cookie as
  - curl.h: use __has_declspec_attribute for shared builds
  - curl: display --version features sorted alphabetically
  - curl: fix FreeBSD compiler warning in the --xattr code
  - curl: remove MANUAL from -M output
  - curl_easy_duphandle.3: clarify that a duped handle has no shares
  - curl_multi_remove_handle.3: use at any time, just not from within callbacks
  - curl_url.3: this API is not experimental anymore
  - dns: release sharelock as soon as possible
  - docs: update max-redirs.d phrasing
  - examples/10-at-a-time.c: improve readability and simplify
  - examples/cacertinmem.c: use multiple certificates for loading CA-chain
  - examples/crawler: Fix the Accept-Encoding setting
  - examples/ephiperfifo.c: various fixes
  - examples/externalsocket: add missing close socket calls
  - examples/http2-download: cleaned up
  - examples/http2-serverpush: add some sensible error checks
  - examples/http2-upload: cleaned up
  - examples/httpcustomheader: Value stored to 'res' is never read
  - examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
  - examples/sftpuploadresume: Value stored to 'result' is never read
  - examples: only include
  - examples: remove recursive calls to curl_multi_socket_action
  - examples: remove superfluous null-pointer checks
  - file: fix "/Checking if unsigned variable 'readcount' is less than zero."/
  - fnmatch: disable if FTP is disabled
  - gnutls: remove call to deprecated gnutls_compression_get_name
  - gopher: remove check for path == NULL
  - gssapi: fix deprecated header warnings
  - hostip: make create_hostcache_id avoid alloc + free
  - http2: multi_connchanged() moved from multi.c, only used for h2
  - http2: verify :athority in push promise requests
  - http: make adding a blank header thread-safe
  - http: send payload when (proxy) authentication is done
  - http: set state.infilesize when sending multipart formposts
  - makefile: make checksrc and hugefile commands "/silent"/
  - mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
  - mbedtls: release sessionid resources on error
  - memdebug: log pointer before freeing its data
  - memdebug: make debug-specific functions use curl_dbg_ prefix
  - mime: put the boundary buffer into the curl_mime struct
  - multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME
  - multi: remove verbose "/Expire in"/ ... messages
  - multi: removed unused code for request retries
  - multi: support verbose conncache closure handle
  - negotiate: fix for HTTP POST with Negotiate
  - openssl: add support for TLS ASYNC state
  - openssl: if cert type is ENG and no key specified, key is ENG too
  - pretransfer: don't strlen() POSTFIELDS set for GET requests
  - rand: Fix a mismatch between comments in source and header
  - runtests: detect "/schannel"/ as an alias for "/winssl"/
  - schannel: be quiet - remove verbose output
  - schannel: close TLS before removing conn from cache
  - schannel: support CALG_ECDH_EPHEM algorithm
  - scripts/ also generate fish completion file
  - singlesocket: fix the 'sincebefore' placement
  - source: fix two 'nread' may be used uninitialized warnings
  - ssh: fix Condition '!status' is always true
  - ssh: loop the state machine if not done and not blocking
  - strerror: make the strerror function use local buffers
  - test578: make it read data from the correct test
  - tests: Fixed XML validation errors in some test files
  - tests: add stderr comparison to the test suite
  - tests: fix multiple may be used uninitialized warnings
  - threaded-resolver: shutdown the resolver thread without error message
  - tool_cb_wrt: fix writing to Windows null device NUL
  - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
  - tool_operate: build on AmigaOS
  - tool_operate: fix typecheck warning
  - transfer.c: do not compute length of undefined hex buffer
  - travis: add build using gnutls
  - travis: add scan-build
  - travis: bump the used wolfSSL version to 4.0.0
  - travis: enable valgrind for the iconv tests
  - travis: use updated compiler versions: clang 7 and gcc 8
  - unit1307: require FTP support
  - unit1651: survive curl_easy_init() fails
  - url/idnconvert: remove scan for <= 32 ascii values
  - url: change conn shutdown order to ensure SOCKETFUNCTION callbacks
  - urlapi: reduce variable scope, remove unreachable 'break'
  - urldata: convert bools to bitfields and move to end
  - urldata: simplify bytecounters
  - urlglob: Argument with 'nonnull' attribute passed null
  - version.c: silent scan-build even when librtmp is not enabled
  - vtls: rename some of the SSL functions
  - wolfssl: stop custom-adding curves
  - x509asn1: "/Dereference of null pointer"/
  - x509asn1: cleanup and unify code layout
  - escape ':' character
  - update regex to better match curl -h output
- Dropped patches fixed upstream:
  * 0001-connection_check-set-data-to-the-transfer-doing-the-.patch
  * 0002-connection_check-restore-original-conn-data-after-th.patch
  * curl-singlesocket-sincebefore-placement.patch
- Fix variable placement that wasn't properly reset within a loop
  missing to notify sockets. [bsc#1129083, bsc#1129470]
  * Added curl-singlesocket-sincebefore-placement.patch
- Add patches to fix use-after-free (boo#1127849):
  * 0001-connection_check-set-data-to-the-transfer-doing-the-.patch
  * 0002-connection_check-restore-original-conn-data-after-th.patch
- BuildRequire libcurl4-mini for !bootstrap to avoid build cycles
  due to cmake pulling libcurl4
- update to version 7.64.0
  [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822]
  [bcs#1123378, CVE-2019-3823]
  * Changes:
  - cookies: leave secure cookies alone
  - hostip: support wildcard hosts
  - http: Implement trailing headers for chunked transfers
  - http: added options for allowing HTTP/0.9 responses
  - timeval: Use high resolution timestamps on Windows
  * Bugfixes:
  - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
  - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
  - CVE-2019-3823: SMTP end-of-response out-of-bounds read
  - FAQ: remove mention of sourceforge for github
  - OS400: handle memory error in list conversion
  - OS400: upgrade ILE/RPG binding.
  - README: add codacy code quality badge
  - Revert http_negotiate: do not close connection
  - THANKS: added several missing names from year <= 2000
  - build: make 'tidy' target work for metalink builds
  - cmake: added checks for variadic macros
  - cmake: updated check for HAVE_POLL_FINE to match autotools
  - cmake: use lowercase for function name like the rest of the code
  - configure: detect xlclang separately from clang
  - configure: fix recv/send/select detection on Android
  - configure: rewrite --enable-code-coverage
  - conncache_unlock: avoid indirection by changing input argument type
  - cookie: fix comment typo
  - cookies: allow secure override when done over HTTPS
  - cookies: extend domain checks to non psl builds
  - cookies: skip custom cookies when redirecting cross-site
  - curl --xattr: strip credentials from any URL that is stored
  - curl -J: refuse to append to the destination file
  - curl/urlapi.h: include "/curl.h"/ first
  - curl_multi_remove_handle() don't block terminating c-ares requests
  - darwinssl: accept setting max-tls with default min-tls
  - disconnect: separate connections and easy handles better
  - disconnect: set conn->data for protocol disconnect
  - docs/version.d: mention MultiSSL
  - docs: fix the --tls-max description
  - docs: use $(INSTALL_DATA) to install man page
  - docs: use meaningless port number in CURLOPT_LOCALPORT example
  - gopher: always include the entire gopher-path in request
  - http2: clear pause stream id if it gets closed
  - if2ip: remove unused function Curl_if_is_interface_name
  - libssh: do not let libssh create socket
  - libssh: free sftp_canonicalize_path() data correctly
  - libtest/stub_gssapi: use "/real"/ snprintf
  - mbedtls: use VERIFYHOST
  - multi: multiplexing improvements
  - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
  - ntlm: fix NTMLv2 compliance
  - ntlm_sspi: add support for channel binding
  - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
  - openssl: fix the SSL_get_tlsext_status_ocsp_resp call
  - openvms: fix OpenSSL discovery on VAX
  - openvms: fix typos in documentation
  - os400: add a missing closing bracket
  - os400: fix extra parameter syntax error
  - pingpong: change default response timeout to 120 seconds
  - pingpong: ignore regular timeout in disconnect phase
  - printf: fix format specifiers
  - Fix perl call to include srcdir
  - schannel: fix compiler warning
  - schannel: preserve original certificate path parameter
  - schannel: stop calling it "/winssl"/
  - sigpipe: if mbedTLS is used, ignore SIGPIPE
  - smb: fix incorrect path in request if connection reused
  - ssh: log the libssh2 error message when ssh session startup fails
  - test1558: verify CURLINFO_PROTOCOL on file:// transfer
  - test1561: improve test name
  - test1653: make it survive torture tests
  - tests: allow tests to pass by 2037-02-12
  - tests: move objnames-* from lib into tests
  - timediff: fix math for unsigned time_t
  - timeval: Disable MSVC Analyzer GetTickCount warning
  - tool_cb_prg: avoid integer overflow
  - travis: added cmake build for osx
  - urlapi: Fix port parsing of eol colon
  - urlapi: distinguish possibly empty query
  - urlapi: fix parsing ipv6 with zone index
  - urldata: rename easy_conn to just conn
  - winbuild: conditionally use /DZLIB_WINAPI
  - wolfssl: fix memory-leak in threaded use
  - spnego_sspi: add support for channel binding
- Fix wrong summary, curl is at version 7, not 4.
- Provide libcurl4 = %version in the mini library package
- Update to version 7.63.0
  * curl: add %{stderr} and %{stdout} for --write-out
  * curl: add undocumented option --dump-module-paths for w32
  * setopt: add CURLOPT_CURLU
  * (lib)curl.rc: fixup for minor bugs
  * CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
  * CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis/desc
  * CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
  * Curl_follow: accept non-supported schemes for "/fake"/ redirects
  * KNOWN_BUGS: add --proxy-any connection issue
  * NTLM: Remove redundant ifdef USE_OPENSSL
  * NTLM: force the connection to HTTP/1.1
  * OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
  * SECURITY-PROCESS: bountygraph shuts down again
  * TODO: Have the URL API offer IDN decoding
  * ares: remove fd from multi fd set when ares is about to close the fd
  * axtls: removed
  * checksrc: add COPYRIGHTYEAR check
  * cmake: fix MIT/Heimdal Kerberos detection
  * configure: include all libraries in ssl-libs fetch
  * configure: show CFLAGS, LDFLAGS etc in summary
  * connect: fix building for recent versions of Minix
  * cookies: create the cookiejar even if no cookies to save
  * cookies: expire "/Max-Age=0"/ immediately
  * curl: --local-port range was not "/including"/
  * curl: fix --local-port integer overflow
  * curl: fix memory leak reading --writeout from file
  * curl: fixed UTF-8 in current console code page (Win)
  * curl_easy_perform: fix timeout handling
  * curl_global_sslset(): id == -1 is not necessarily an error
  * curl_multibyte: fix a malloc overcalculation
  * curle: move deprecated error code to ifndef block
  * docs: curl_formadd field and file names are now escaped
  * docs: escape "/n"/ codes
  * doh: fix memory leak in OOM situation
  * doh: make it work for h2-disabled builds too
  * examples/ephiperfifo: report error when epoll_ctl fails
  * ftp: avoid unsigned int overflows in FTP listing parser
  * host names: allow trailing dot in name resolve, then strip it
  * http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
  * http: don't set CURLINFO_CONDIITON_UNMET for http status code 204
  * http: fix HTTP DIgest auth to include query in URI
  * http_negotiate: do not close connection until negotiation is completed
  * impacket: add LICENSE
  * infof: clearly indicate truncation
  * ldap: fix LDAP URL parsing regressions
  * libcurl: stop reading from paused transfers
  * mprintf: avoid unsigned integer overflow warning
  * netrc: don't ignore the login name specified with "/--user"/
  * nss: Fall back to latest supported SSL version
  * nss: Fix compatibility with nss versions 3.14 to 3.15
  * nss: fix fallthrough comment to fix picky compiler warning
  * nss: remove version selecting dead code
  * nss: set default max-tls to 1.3/1.2
  * openssl: Remove SSLEAY leftovers
  * openssl: do not log excess "/TLS app data"/ lines for TLS 1.3
  * openssl: do not use file BIOs if not requested
  * openssl: fix unused variable compiler warning with old openssl
  * openssl: support session resume with TLS 1.3
  * openvms: fix example name
  * os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
  * os400: add CURLOPT_CURLU to ILE/RPG binding
  * os400: fix return type of curl_easy_pause() in ILE/RPG binding
  * packages: remove old leftover files and dirs
  * pop3: only do APOP with a valid timestamp
  * runtests: use the local curl for verifying
  * schannel: be consistent in Schannel capitalization
  * schannel: better CURLOPT_CERTINFO support
  * schannel: use Curl_prefix for global private symbols
  * snprintf: renamed and now we only use msnprintf()
  * ssl: fix compilation with OpenSSL 0.9.7
  * ssl: replace all internal uses of CURLE_SSL_CACERT
  * symbols-in-versions: add missing CURLU_symbols
  * test328: verify Content-Encoding: none
  * tests: disable SO_EXCLUSIVEADDRUSE for stunnel/Win
  * tests: drop script no longer used
  * tests: drop script no longer used
  * tool_cb_wrt: Silence function cast compiler warning
  * tool_doswin: Fix uninitialized field warning
  * travis: build with clang sanitizers
  * travis: remove curl before a normal build
  * url: a short host name + port is not a scheme
  * url: fix IPv6 numeral address parser
  * urlapi: only skip encoding the first '=' with APPENDQUERY set
- refreshed curl-disabled-redirect-protocol-message.patch
- Update to version 7.62.0
  * multiplex: enable by default
  * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
  * setopt: add CURLOPT_DOH_URL
  * curl: --doh-url added
  * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
  * imap: change from "/FETCH"/ to "/UID FETCH"/
  * configure: add option to disable automatic OpenSSL config loading
  * upkeep: add a connection upkeep API: curl_easy_upkeep()
  * URL-API: added five new functions
  * vtls: MesaLink is a new TLS backend
  * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758]
  * CVE-2018-16840: use-after-free in handle close [bsc#1113029]
  * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660]
  * Curl_dedotdotify(): always nul terminate returned string
  * Curl_follow: Always free the passed new URL
  * Curl_http2_done: fix memleak in error path
  * Curl_retry_request: fix memory leak
  * Curl_saferealloc: Fixed typo in docblock
  * GnutTLS: TLS 1.3 support
  * SECURITY-PROCESS: mention the bountygraph program
  * VS projects: add USE_IPV6:
  * certs: generate tests certs with sha256 digest algorithm
  * checksrc: enable strict mode and warnings
  * checksrc: handle zero scoped ignore commands
  * cmake: Backport to work with CMake 3.0 again
  * cmake: Improve config installation
  * cmake: add support for transitive ZLIB target
  * cmake: disable -Wpedantic-ms-format
  * cmake: don't require OpenSSL if USE_OPENSSL=OFF
  * cmake: fixed path used in generation of docs/tests
  * cmake: remove unused *SOCKLEN_T variables
  * cmake: suppress MSVC warning C4127 for libtest
  * cmake: test and set missed defines during configuration
  * config: Remove unused SIZEOF_VOIDP
  * configure: force-use -lpthreads on HPUX
  * configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
  * cookies: Remove redundant expired check
  * cookies: fix leak when writing cookies to file
  * remove dependency on bc
  * curl.1: --ipv6 mutexes ipv4 (fixed typo)
  * curl: update the documentation of --tlsv1.0
  * curl_multi_wait: call getsock before figuring out timeout
  * curl_ntlm_wb: check aprintf() return codes
  * data-binary.d: clarify default content-type is x-www-form-urlencoded
  * docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
  * docs/CIPHERS: fix the TLS 1.3 cipher names
  * docs/CIPHERS: mention the colon separation for OpenSSL
  * docs/examples: URL updates
  * docs: add "/see also"/ links for SSL options
  * example/asiohiper: insert warning comment about its status
  * example/htmltidy: fix include paths of tidy libraries
  * examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
  * examples/parseurl.c: show off the URL API
  * examples: Fix memory leaks from realloc errors
  * examples: do not wait when no transfers are running
  * ftp: include command in Curl_ftpsend sendbuffer
  * gskit: make sure to terminate version string
  * gtls: Values stored to but never read
  * hostip: fix check on Curl_shuffle_addr return value
  * http2: fix memory leaks on error-path
  * http: fix memleak in rewind error path
  * krb5: fix memory leak in krb_auth
  * memory: add missing curl_printf header
  * memory: ensure to check allocation results
  * multi: Fix error handling in the SENDPROTOCONNECT state
  * multi: fix memory leak in content encoding related error path
  * multi: make the closure handle "/inherit"/ CURLOPT_NOSIGNAL
  * netrc: free temporary strings if memory allocation fails
  * nss: try to connect even if fails to load
  * ntlm_wb: Fix memory leaks in ntlm_wb_response
  * ntlm_wb: bail out if the response gets overly large
  * openssl: assume engine support in 0.9.8 or later
  * openssl: enable TLS 1.3 post-handshake auth
  * openssl: fix gcc8 warning
  * openssl: load built-in engines too
  * openssl: make 'done' a proper boolean
  * openssl: output the correct cipher list on TLS 1.3 error
  * openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
  * openssl: show "/proper"/ version number for libressl builds
  * pipelining: deprecated
  * rand: add comment to skip a clang-tidy false positive
  * rtmp: fix for compiling with lwIP
  * runtests: ignore disabled even when ranges are given
  * schannel: unified error code handling
  * sendf: Fix whitespace in infof/failf concatenation
  * ssh: free the session on init failures
  * ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
  * system.h: use proper setting with Sun C++ as well
  * test1299: use single quotes around asterisk
  * test1452: mark as flaky
  * test1651: unit test Curl_extract_certinfo()
  * test320: strip out more HTML when comparing
  * tests/ fix Python2-ism in neg TELNET server
  * tests: add unit tests for url.c
  * tool_cb_hdr: handle failure of rename()
  * travis: add a "/make tidy"/ build that runs clang-tidy
  * travis: add build for "/configure --disable-verbose"/
  * travis: bump the Secure Transport build to use xcode
  * travis: make distcheck scan for BOM markers
  * unit1300: fix stack-use-after-scope AddressSanitizer warning
  * urldata: Fix "/connecting"/ comment
  * urlglob: improve error message on bad globs
  * vtls: fix ssl version "/or later"/ behavior change for many backends
  * x509asn1: Fix SAN IP address verification
  * x509asn1: always check return code from getASN1Element()
  * x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
  * x509asn1: suppress left shift on signed value
- Rebased patches after update:
  * curl-disabled-redirect-protocol-message.patch
  * curl-use_OPENSSL_config.patch
- Update to version 7.61.1
  * CVE-2018-14618: NTLM password overflow via integer overflow (bsc#1106019)
  * CURLINFO_SIZE_UPLOAD: fix missing counter update
  * CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
  * CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
  * Curl_getoff_all_pipelines: improved for multiplexed
  * DEPRECATE: remove release date from 7.62.0
  * HTTP: Don't attempt to needlessly decompress redirect body
  * INTERNALS: require GnuTLS >= 2.11.3
  * add code quality grade for C/C++
  * SSLCERTS: improve the openssl command line
  * Silence GCC 8 cast-function-type warnings
  * ares: check for NULL in completed-callback
  * asyn-thread: Remove unused macro
  * auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
  * auth: pick Bearer authentication whenever a token is available
  * cmake: CMake config files are defining CURL_STATICLIB for static builds
  * cmake: Respect BUILD_SHARED_LIBS
  * cmake: Update scripts to use consistent style
  * cmake: bumped minimum version to 3.4
  * cmake: link curl to the OpenSSL targets instead of lib absolute paths
  * configure: conditionally enable pedantic-errors
  * configure: fix for -lpthread detection with OpenSSL and pkg-config
  * conn: remove the boolean 'inuse' field
  * content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
  * cookie tests: treat files as text
  * cookies: support creation-time attribute for cookies
  * curl: Fix segfault when -H @headerfile is empty
  * curl: add http code 408 to transient list for --retry
  * curl: fix time-of-check, time-of-use race in dir creation
  * curl: use Content-Disposition before the "/URL end"/ for -OJ
  * curl: warn the user if a given file name looks like an option
  * curl_threads: silence bad-function-cast warning
  * darwinssl: add support for ALPN negotiation
  * docs/CURLOPT_URL: fix indentation
  * docs/CURLOPT_WRITEFUNCTION: size is always 1
  * docs/SECURITY-PROCESS: mention bounty, drop pre-notify
  * docs/examples: add hiperfifo example using linux epoll/timerfd
  * docs: add disallow-username-in-url.d and haproxy-protocol.d to dist
  * docs: clarify NO_PROXY env variable functionality
  * docs: improved the manual pages of some callbacks
  * docs: mention NULL is fine input to several functions
  * formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
  * gopher: Do not translate `?' to `%09'
  * header output: switch off all styles, not just unbold
  * hostip: fix unused variable warning
  * http2: Use correct format identifier for stream_id
  * http2: abort the send_callback if not setup yet
  * http2: avoid set_stream_user_data() before stream is assigned
  * http2: check nghttp2_session_set_stream_user_data return code
  * http2: clear the drain counter in Curl_http2_done
  * http2: make sure to send after RST_STREAM
  * http2: separate easy handle from connections better
  * http: fix for tiny "/HTTP/0.9"/ response
  * http_proxy: Remove unused macro SELECT_TIMEOUT
  * lib/Makefile: only do symbol hiding if told to
  * lib1502: fix memory leak in torture test
  * lib1522: fix curl_easy_setopt argument type
  * libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
  * mime: check Curl_rand_hex's return code
  * multi: always do the COMPLETED procedure/state
  * openssl: assume engine support in 1.0.0 or later
  * openssl: fix debug messages
  * projects: Improve Windows perl detection in batch scripts
  * retry: return error if rewind was necessary but didn't happen
  * reuse_conn(): memory leak - free old_conn->options
  * schannel: client certificate store opening fix
  * schannel: enable CALG_TLS1PRF for w32api >= 5.1
  * schannel: fix MinGW compile break
  * sftp: don't send post-qoute sequence when retrying a connection
  * smb: fix memory leak on early failure
  * smb: fix memory-leak in URL parse error path
  * smb_getsock: always wait for write socket too
  * ssh-libssh: fix infinite connect loop on invalid private key
  * ssh-libssh: reduce excessive verbose output about pubkey auth
  * ssh-libssh: use FALLTHROUGH to silence gcc8
  * ssl: set engine implicitly when a PKCS#11 URI is provided
  * sws: handle EINTR when calling select()
  * system_win32: fix version checking
  * telnet: Remove unused macros TELOPTS and TELCMDS
  * test1143: disable MSYS2's POSIX path conversion
  * test1148: disable if decimal separator is not point
  * test1307: (fnmatch testing) disabled
  * test1422: add required file feature
  * test1531: Add timeout
  * test1540: Remove unused macro TEST_HANG_TIMEOUT
  * test214: disable MSYS2's POSIX path conversion for URL
  * test320: treat curl320.out file as binary
  * tests/ Use /usr/bin/env to find python
  * tests: Don't use Windows path %PWD for SSH tests
  * tests: fixes for Windows line endlings
  * tool_operate: Fix setting proxy TLS 1.3 ciphers
  * travis: build darwinssl on macos 10.12 to fix linker errors
  * travis: execute "/set -eo pipefail"/ for coverage build
  * travis: run a 'make checksrc' too
  * travis: update to GCC-8
  * travis: verify that man pages can be regenerated
  * upload: allocate upload buffer on-demand
  * upload: change default UPLOAD_BUFSIZE to 64KB
  * urldata: remove unused pipe_broke struct field
  * vtls: reinstantiate engine on duplicated handles
  * windows: implement send buffer tuning
  * wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random
- Remove patch included upstream:
  * curl-switch-off-all-styles.patch
- Added curl-switch-off-all-styles.patch: Fix output of wrong escape sequences,
  which might mess up the terminal (bsc#1105624)
- Update to version 7.61.0
  [bsc#1099793, CVE-2018-0500]
  * getinfo: add microsecond precise timers for seven intervals
  * curl: show headers in bold, switch off with --no-styled-output
  * httpauth: add support for Bearer tokens
  * curl: --tls13-ciphers and --proxy-tls13-ciphers
  * curl: --disallow-username-in-url
  * CVE-2018-0500: smtp: fix SMTP send buffer overflow
  * schannel: disable client cert option if APIs not available
  * schannel: disable manual verify if APIs not available
  * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
  * openssl: acknowledge --tls-max for default version too
  * stub_gssapi: fix 'unused parameter' warnings
  * examples/progressfunc: make it build on both new and old libcurls
  * docs: mention it is HA Proxy protocol "/version 1"/
  * curl_fnmatch: only allow two asterisks for matching
  * docs: clarify CURLOPT_HTTPGET
  * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
  * configure: do compile-time SIZEOF checks instead of run-time
  * checksrc: make sure sizeof() is used *with* parentheses
  * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
  * schannel: make CAinfo parsing resilient to CR/LF
  * tftp: make sure error is zero terminated before printfing it
  * http resume: skip body if http code 416 (range error) is ignored
  * configure: add basic test of --with-ssl prefix
  * cmake: set -d postfix for debug builds
  * multi: provide a socket to wait for in Curl_protocol_getsock
  * content_encoding: handle zlib versions too old for Z_BLOCK
  * winbuild: only delete OUTFILE if it exists
  * winbuild: In fix typo DISTDIR->DIRDIST
  * schannel: add failf calls for client certificate failures
  * cmake: Fix the test for fsetxattr and strerror_r
  * curl.1: Fix cmdline-opts reference errors
  * cmdline-opts/ warn if mutexes: or see-also: list non-existing options
  * cmake: check for getpwuid_r
  * configure: fix ssh2 linking when built with a static mbedtls
  * psl: use latest psl and refresh it periodically
  * fnmatch: insist on escaped bracket to match
  * KNOWN_BUGS: restore text regarding #2101
  * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
  * configure: override AR_FLAGS to silence warning
  * os400: implement mime api EBCDIC wrappers
  * curl.rc: embed manifest for correct Windows version detection
  * strictness: correct {infof, failf} format specifiers
  * tests: update .gitignore for libtests
  * configure: check for declaration of getpwuid_r
  * fnmatch: use the system one if available
  * CURLOPT_RESOLVE: always purge old entry first
  * multi: remove a potentially bad DEBUGF()
  * curl_addrinfo: use same #ifdef conditions in source as header
  * build: remove the Borland specific makefiles
  * axTLS: not considered fit for use
  * cmdline-opts/cert-type.d: mention "/p12"/ as a recognized type
  * system.h: add support for IBM xlc C compiler
  * tests/libtest: Add lib1521 to nodist_SOURCES
  * leave certificate name untouched
  * boringssl + schannel: undef X509_NAME in lib/schannel.h
  * openssl: assume engine support in 1.0.1 or later
  * cppcheck: fix warnings
  * test 46: make test pass after year 2025
  * schannel: support selecting ciphers
  * Curl_debug: remove dead printhost code
  * test 1455: unflakified
  * Curl_init_do: handle NULL connection pointer passed in
  * progress: remove a set of unused defines
  * make -u delete certdata.txt if found not changed
  * explains how this project is run
  * configure: use pkg-config for c-ares detection
  * configure: enhance ability to build with static openssl
  * maketgz: fix sed issues on OSX
  * multi: fix memory leak when stopped during name resolve
  * CURLOPT_INTERFACE.3: interface names not supported on Windows
  * url: fix dangling conn->data pointer
  * cmake: allow multiple SSL backends
  * system.h: fix for gcc on 32 bit OpenServer
  * ConnectionExists: make sure conn->data is set when "/taking"/ a connection
  * multi: fix crash due to dangling entry in connect-pending list
  * CURLOPT_SSL_VERIFYPEER.3: Add performance note
  * netrc: use a larger buffer to support longer passwords
  * url: check Curl_conncache_add_conn return code
  * configure: Add dependent libraries after crypto
  * easy_perform: faster local name resolves by using *multi_timeout()
  * getnameinfo: not used, removed all configure checks
  * travis: add a build using the synchronous name resolver
  * CURLINFO_TLS_SSL_PTR.3: improve the example
  * openssl: allow TLS 1.3 by default
  * openssl: make the requested TLS version the *minimum* wanted
  * openssl: Remove some dead code
  * telnet: fix clang warnings
  * DEPRECATE: new doc describing planned item removals
  * example/crawler.c: simple crawler based on libxml2
  * libssh: goto DISCONNECT state on error, not SESSION_FREE
  * CMake: Remove unused functions
  * darwinssl: allow High Sierra users to build the code using GCC
  * scripts: include _curl as part of CLEANFILES
  * examples: fix -Wformat warnings
  * curl_setup: include <winerror.h> before <windows.h>
  * schannel: make more cipher options conditional
  * CMake: remove redundant and old end-of-block syntax
  * post303.d: clarify that this is an RFC violation
- refreshed libcurl-ocloexec.patch
4 dependencies from upstream to be able to apply one more fix:
- util-dont-leak-a-file-descriptor-in-read_file.patch: If memory
  allocation fails, we should close the file descriptor before
  returning the error.
- util-let-callers-pass-an-offset-to-read_file.patch: Make the
  read_file() function more versatile.
- dmidecode-fix-reading-from-smbios-3-dump-files.patch: Use the
  sysfs code path when reading from a dump file, as the
  requirements are similar.
- util-dont-close-the-same-file-descriptor-twice.patch: Close file
  descriptor once and only once on error
  Fix a potential regression:
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
  which would prevent root from using the --from-dump option since
  the latest security fixes (bsc#1210418).
Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
  Clean up function dmi_table so that it does only one thing
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
  - -dump-bin is used, write the whole dump file at once, instead of
  opening and closing the file separately for the table and then
  for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
  Make sure that the file passed to option --dump-bin does not
  already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
  check on the type of the mem device file we are asked to read
  from, if we are root (bsc#1210418).
  4 dependencies from upstream to be able to apply the above fixes:
- avoid-sigbus-on-mmap-failure.patch: Prevent a crash when reading
  non-existent portion of memory device file.
- fix-error-paths-in-mem_chunk.patch: Prevent a memory and file
  descriptor leak.
- dmidecode-add-support-for-3-digit-versions.patch: Support
  3-digit SMBIOS specification version comparison.
- dmidecode-only-scan-dev-mem-for-entry-point-on-x86.patch: Don't
  attempt to read from /dev/mem on non-x86 systems.
  6 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
  the SMBIOS entry point is long enough to include all the fields
  we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
  tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
  name of DMI record type 33 even if we can't decode it.
- dmidecode-validate-structure-completeness-before-decoding.patch:
  Ensure that the whole DMI structure fits in the announced table
  length before performing any action on it.
- dmidecode-avoid-oob-read-on-invalid-entry-point-length.patch:
  Don't let the entry point checksum verification run beyond the
  end of the buffer holding it.
- dmioem-decode-hpe-uefi-type-219-misc-features.patch: Check the
  correct bits to report UEFI support.
- fix(dracut): do not read /proc/modules to get the host modules (bsc#1210910)
  * add 0634-fix-dracut-do-not-read-proc-modules-to-get-the-host-.patch
- fix handling of omit_dracutmodules parameter (bsc#1208929)
  * add
- get the homedir from getpwuid when no $ENV{"/HOME"/} set
- added patches
  fix bsc#1210700
  + fonts-config-homedir-getpwuid.patch
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
  * includes regression bug fixes
- Add gcc12-testsuite-fixes.patch to pick testsuite related fixes
  from the branch after the release.
- Speed up builds with --enable-link-serialization.
- Update to gcc-12 branch head, 193f7e62815b4089dfaed4c2bd3, git749
- Don't rely on %usrmerged, set it based on standard %suse_version
- Update to gcc-12 branch head, e4b5fec75aa8d0d01f6e042ec28, git696
  * remove gcc12-fifo-jobserver-support.patch which is now
    included upstream
- avoid trailing backslashes at the end of post install scripts
- Update to gcc-12 branch head, 0aaef83351473e8f4eb774f8f99, git537
- Update embedded newlib to version 4.2.0
  * includes newlib-4.1.0-aligned_alloc.patch
- add gcc12-riscv-inline-atomics.patch,
  gcc12-riscv-pthread.patch: handle subword size inline atomics
  (needed by several openSUSE packages)
- Update glib2-fix-normal-form-handling-in-gvariant.patch:
  Backported from upstream to fix regression on s390x.
  (bsc#1210135, glgo#GNOME/glib!2978)
- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
  from upstream to fix normal form handling in GVariant.
  (CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
- Fix error grub_file_filters not found in Azure virtual machine (bsc#1182012)
  * 0001-Workaround-volatile-efi-boot-variable.patch
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064)
  * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
- Fix installation over serial console ends up in infinite boot loop
  (bsc#1187810) (bsc#1209667) (bsc#1209372)
  * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in
  btrfs filesystem. (bsc#1209165)
  * grub2-btrfs-05-grub2-mkconfig.patch
- ceph: fix use-after-free bug for inodes when flushing capsnaps
- commit e731236
- blacklist.conf: gcc 12 issue
- commit 612c29c
- blacklist.conf: cosmetic fix to suppress a compiler warning
- commit f46848d
- fs: ocfs2: fix a possible null-pointer dereference in
  ocfs2_write_end_nolock() (git-fixes).
- commit ea30d59
- fs: ocfs2: fix a possible null-pointer dereference in
  ocfs2_info_scan_inode_alloc() (git-fixes).
- commit 4a538d4
- ocfs2: fix non-auto defrag path not working issue (git-fixes).
- commit 28a9871
- ocfs2: fix defrag path triggering jbd2 ASSERT (git-fixes).
- commit 190f99a
- ocfs2: fix memory leak in ocfs2_stack_glue_init() (git-fixes).
- commit ac6dbde
- ocfs2: clear dinode links count in case of error (git-fixes).
- commit f1a97d4
- ocfs2: fix BUG when iput after ocfs2_mknod fails (git-fixes).
- commit e11f180
- ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
- commit 70db5f3
- ocfs2: fix a NULL pointer dereference when call
  ocfs2_update_inode_fsync_trans() (git-fixes).
- commit f3e26c1
- ocfs2: call journal flush to mark journal as empty after
  journal recovery when mount (git-fixes).
- commit d5a28a3
- ocfs2: clear zero in unaligned direct IO (git-fixes).
- commit 4189b4d
- ocfs2: wait for recovering done after direct unlock request
- commit b3e22bb
- ocfs2: remove set but not used variable 'last_hash' (git-fixes).
- commit d403713
- ocfs2: fix a panic problem caused by o2cb_ctl (git-fixes).
- commit b701b96
- ocfs2: don't clear bh uptodate for block read (git-fixes).
- commit 30ca2be
- ocfs2: clear journal dirty flag after shutdown journal
- commit ccfe523
- ocfs2: fix panic due to unrecovered local alloc (git-fixes).
- commit 007a17f
- ocfs2: fix potential use after free (git-fixes).
- commit 49406d3
- ocfs2: fix deadlock caused by ocfs2_defrag_extent() (git-fixes).
- commit f258e7d
- ocfs2: fix clusters leak in ocfs2_defrag_extent() (git-fixes).
- commit 01bc1d8
- ocfs2: don't put and assigning null to bh allocated outside
- commit 760bd24
- fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in
  dlm_print_one_mle() (git-fixes).
- commit 01c2b72
- ocfs2: take inode cluster lock before moving reflinked inode
  from orphan dir (git-fixes).
- commit 7e1768a
- ocfs2/dlm: don't handle migrate lockres if already in shutdown
- commit 04cf6d0
- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842
- commit bd94484
- btrfs: unset reloc control if transaction commit fails in
  prepare_to_relocate() (bsc#1212051 CVE-2023-3111).
- commit 6726801
- kprobes: Fix to handle forcibly unoptimized kprobes on
  freeing_list (git-fixes).
- commit 35c8c33
- kprobes: Fix check for probe enabled in kill_kprobe()
- commit a744c64
- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes
  bsc#1212606 CVE-2023-3358).
- commit 448bfe3
- igb: fix error handling (git-fixes).
- bnxt_en: Query default VLAN before VNIC setup on a VF
- igb: fix bit_shift to be in [1..8] range (git-fixes).
- ixgbe: Enable setting RSS table to default values (git-fixes).
- ixgbe: Allow flow hash to be set via ethtool (git-fixes).
- bnxt_en: Fix typo in PCI id to device description string mapping
- igbvf: Regard vf reset nack as success (git-fixes).
- intel/igbvf: free irq on the error path in igbvf_request_msix()
- igb: Enable SR-IOV after reinit (git-fixes).
- bnxt_en: Fix mqprio and XDP ring checking logic (git-fixes).
- ixgbe: fix pci device refcount leak (git-fixes).
- igb: Initialize mailbox message for VF reset (git-fixes).
- igb: Allocate MSI-X vector when testing (git-fixes).
- bnxt_en: Remove debugfs when pci_register_driver failed
- bnxt_en: fix potentially incorrect return value for
  ndo_rx_flow_steer (git-fixes).
- ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter
- bnxt_en: fix NQ resource accounting during vf creation on
  57500 chips (git-fixes).
- igb: Add lock to avoid data race (git-fixes).
- ixgbe: Add locking to prevent panic when setting sriov_numvfs
  to zero (git-fixes).
- bnxt_en: reclaim max resources if sriov enable fails
- igb: Make DMA faster when CPU is active on the PCIe link
- ixgbe: fix unexpected VLAN Rx in promisc mode on VF (git-fixes).
- ixgbe: fix bcast packets Rx on VF after promisc removal
- igb: skip phy status check where unavailable (git-fixes).
- dim: initialize all struct fields (bsc#1174852).
- ixgbe: ensure IPsec VF<->PF compatibility (git-fixes).
- igc: Fix BUG: scheduling while atomic (git-fixes).
- igc: Fix infinite loop in release_swfw_sync (git-fixes).
- ixgbe: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx
  to skb (git-fixes).
- igc: igc_write_phy_reg_gpy: drop premature return (git-fixes).
- igc: igc_read_phy_reg_gpy: drop premature return (git-fixes).
- ixgbe: set X550 MDIO speed before talking to PHY (git-fixes).
- igbvf: fix double free in `igbvf_probe` (git-fixes).
- igb: fix netpoll exit with traffic (git-fixes).
- commit 34bf378
- powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
- commit 207c27c
- blacklist.conf: Add 3f5f766d5f7f powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06
- commit 1a3b374
- sched/core: Use smp_mb() in wake_woken_function() (git-fixes)
- commit 5df8049
- sched/fair: Fix util_avg of new tasks for asymmetric systems (git-fixes)
- commit 828ccf7
- net: ks8851: Dequeue RX packets explicitly (git-fixes).
- commit fe5ef52
- net: dev: Use unsigned integer as an argument to left-shift
- commit 0bf77d3
- net: set static variable an initial value in atl2_probe()
- commit 08dc41f
- net: thunderx: make CFG_DONE message to run through generic
  send-ack sequence (git-fixes).
- commit dbc5a3f
- net: marvell: mvneta: fix DMA debug warning (git-fixes).
- commit c48f8b1
- l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs
  file (git-fixes).
- commit b182fac
- l2tp: hold reference on tunnels printed in pppol2tp proc file
- commit 1f7ac1f
- l2tp: hold reference on tunnels in netlink dumps (git-fixes).
- commit 9be2a0f
- ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
- Refresh
- commit ea68726
- netlabel: If PF_INET6, check sk_buff ip header version
- commit 058c41d
- blacklist.conf: renaming device
- commit 9dfee21
- blacklist.conf: cleanup; another dead reference
- commit 735761f
- blacklist.conf: kABI breakage; does not fix any bug
- commit 1276dc0
- usb: core: hub: disable autosuspend for TI TUSB8041 (git-fixes).
- commit 539dc8d
- put quirk_disable_autosuspend into a hole (git-fixes).
- commit d42a632
- USB: hub: Fix the broken detection of USB3 device in SMSC hub
- blacklist.conf: patch itself is useless, but needed as infrastructure
- commit f4a7f78
- USB: serial: option: add Quectel EM05-G (CS) modem (git-fixes).
- commit d8d554b
- netfilter: x_tables: add and use xt_check_proc_name (git-fixes).
- commit a579604
- blacklist.conf: update blacklist
- commit 1b6a52d
- s390/dasd: Use correct lock while counting channel queue length
  (LTC#202775 bsc#1212443).
- commit c2ba548
- binfmt_elf: Take the mmap lock when walking the VMA list
  (bsc#1209039 CVE-2023-1249).
- commit 6550df3
- relayfs: fix out-of-bounds access in relay_file_read
  (bsc#1212502 CVE-2023-3268).
- kernel/relay.c: fix read_pos error when multiple readers
  (bsc#1212502 CVE-2023-3268).
- commit f9dadc6
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
  (bsc#1210533 CVE-2023-2002).
- commit cb9bcb2
- media: dm1105: Fix use after free bug in dm1105_remove due to
  race condition (bsc#1212501 CVE-2023-35824).
- commit a511fea
- x86/kprobes: Fix arch_check_optimized_kprobe check within
  optimized_kprobe range (git-fixes).
- commit 261c02b
- e1000e: Disable TSO on i219-LM card to increase speed
- e1000e: Fix TX dispatch condition (git-fixes).
- net/mlx4: Check retval of mlx4_bitmap_init (git-fixes).
- net/mlx4_en: Fix wrong return value on ioctl EEPROM query
  failure (git-fixes).
- e1000e: Fix possible overflow in LTR decoding (git-fixes).
- e1000e: Correct NVM checksum verification flow (git-fixes).
- net/mlx4_en: Fix an use-after-free bug in
  mlx4_en_try_alloc_resources() (git-fixes).
- net/mlx4_en: Don't allow aRFS for encapsulated packets
- net/mlx4_en: Resolve bad operstate value (git-fixes).
- mlx5: count all link events (git-fixes).
- commit 084d4cc
- x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
- commit 9ede6f6
- kprobes: Fix to check probe enabled before
  disarm_kprobe_ftrace() (git-fixes).
- commit 0f174b4
- blacklist.conf: Add not needed kprobes fixes
- commit 9c2f070
- kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation
  logic (git-fixes).
- commit 36f829b
- coda: fix build using bare-metal toolchain (git-fixes).
- commit 2df3146
- coda: add error handling for fget (git-fixes).
- commit c092001
- uapi linux/coda_psdev.h: move upc_req definition from uapi to
  kernel side headers (git-fixes).
- commit 074a075
- coda: pass the host file in vma->vm_file on mmap (git-fixes).
- commit 728d4d8
- revert "/squashfs: harden sanity check in
  squashfs_read_xattr_id_table"/ (git-fixes).
- commit fc7c6f6
- hfs/hfsplus: avoid WARN_ON() for sanity check, use proper
  error handling (git-fixes).
- commit e8ee0dd
- affs: initialize fsdata in affs_truncate() (git-fixes).
- commit f9e83d6
- fs/affs: release old buffer head on error path (git-fixes).
- commit b0b572b
- fs/ufs: avoid potential u32 multiplication overflow (git-fixes).
- commit a84c265
- fs/adfs: super: fix use-after-free bug (git-fixes).
- commit 02200da
- Drop a buggy dvb-core fix patch (bsc#1205758)
  Also the kabi workaround is dropped, too
- commit 34f0c8e
- README.BRANCH: Add Miroslav Franc as a co-maintainer
- commit e545474
- README.BRANCH: Update the maintainer list
- commit 65a6ad8
- blacklist.conf: removes exported symbol
- commit 39cf0dc
- blacklist.conf: add git-fix not needed
- commit 50851fb
- kprobes: Prohibit probes in gate area (git-fixes).
- commit 4a73d55
- kprobes: don't call disarm_kprobe() for disabled kprobes
- commit 5cbfb40
- kprobes: Forbid probing on trampoline and BPF code areas
- commit 667fe1b
- samples/kretprobes: Fix return value if register_kretprobe()
  failed (git-fixes).
- commit 5b1b600
- kprobes: Do not use local variable when creating debugfs file
- commit 7286e91
- usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being
  a V0.96 controller.
- commit b40a0f8
- USB: serial: qcserial: add new usb-id for Dell branded EM7455
- commit ab28954
- kretprobe: Avoid re-registration of the same kretprobe earlier
- commit c2cc176
- USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM
- commit 3561afe
- blacklist.conf: relevant only for kernel development
- commit 99f403c
- blacklist.conf: relevant only for kernel development
- commit 9c92369
- blacklist.conf: build fix irrelevant for us
- commit b9a3ab1
- blacklist.conf: build fix irrelevant for us
- commit 2f6b7fd
- blacklist.conf: only for kernel development
- commit cf47010
- blacklist.conf: relevant only for kernel development
- commit 1370701
- blacklist.conf: relevant only for kernel development
- commit f1f85a4
- blacklist.conf: unneeded build fix
- commit c531cca
- blacklist.conf: relevant only for kbuild irrelevant in the build system
- commit 1faed4b
- kprobes: fix kill kprobe which has been marked as gone
- commit 77940f3
- kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
- commit f08285c
- kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex
- commit 64b09f1
- kprobes: Set unoptimized flag after unoptimizing code
- commit e2d065d
- kprobes: Prohibit probing on BUG() and WARN() address
- commit 0a4ad8b
- kprobes: Fix error check when reusing optimized probes
- commit 11aecb3
- kprobes: Remove pointless BUG_ON() from reuse_unused_kprobe()
- Refresh
- commit 1fb5f11
- kprobes: Don't call BUG_ON() if there is a kprobe in use on
  free list (git-fixes).
- commit e0562e5
- kprobes: Use synchronize_rcu_tasks() for optprobe with
  CONFIG_PREEMPT=y (git-fixes).
- commit 32c4978
- blacklist.conf: Add more powerpc unsupported platform paths
- commit 80240fd
- s390/dasd: fix no record found for raw_track_access (git-fixes
- commit 9377e38
- blacklist.conf: just a cleanup, potential dead reference won't break anything
- commit ae3248a
- scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
- scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS (git-fixes).
- scsi: core: Improve scsi_vpd_inquiry() checks (git-fixes).
- scsi: megaraid_sas: Fix crash after a double completion
- scsi: megaraid_sas: Fix fw_crash_buffer_show() (git-fixes).
- scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
- scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
- scsi: mpt3sas: Fix NULL pointer access in
  mpt3sas_transport_port_add() (git-fixes).
- scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
- scsi: ipr: Work around fortify-string warning (git-fixes).
- scsi: ses: Don't attach if enclosure has no components
- scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
- scsi: ses: Fix possible desc_ptr out-of-bounds accesses
- scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
- scsi: ses: Fix slab-out-of-bounds in
  ses_enclosure_data_process() (git-fixes).
- scsi: aic94xx: Add missing check for dma_map_single()
- scsi: mpt3sas: Fix a memory leak (git-fixes).
- scsi: libsas: Remove useless dev_list delete in
  sas_ex_discover_end_dev() (git-fixes).
- commit 9bcdcf3
- s390/kasan: avoid vdso instrumentation (git-fixes bsc#1212244).
- commit e08fb9a
- CDC-NCM: avoid overflow in sanity checking (git-fixes).
- commit c5a973e
- net: fec: fix rare tx timeout (git-fixes).
- commit 8adec9a
- net: macb: Clean 64b dma addresses if they are not detected
- commit 889275f
- scsi: zfcp: assert that the ERP lock is held when tracing a
  recovery trigger (git-fixes bsc#1212240).
- commit eb171ad
- openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS
- commit 444e066
- net: fix warning in af_unix (git-fixes).
- commit a389e79
- blacklist.conf: blacklist MDIO_BCM_UNIMAC
- commit 62fb3cf
- s390/smsgiucv: disable SMSG on module unload (git-fixes
- commit 1cef259
- net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
- commit e119b8c
- net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
- commit cb1afd9
- xfrm: Refuse to insert 32 bit userspace socket policies on 64
  bit systems (git-fixes).
- commit 413544a
- net: cdc_ncm: remove set but not used variable 'ctx'
- commit 0867b66
- blacklist.conf: update blacklist
- commit 7a1167e
- net/usb/drivers: Remove useless hrtimer_active check
- commit 5dc6e54
- fs: sysv: Fix sysv_nblocks() returns wrong value (git-fixes).
- commit d94e079
- s390/ctcm: Fix return type of ctc{mp,}m_tx() (git-fixes
- commit 4d63d84
- fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
- commit 481687d
- s390/netiucv: Fix return type of netiucv_tx() (git-fixes
- commit 8055c39
- s390/lcs: Fix return type of lcs_start_xmit() (git-fixes
- commit bb085e1
- Move setting %%build_html to
- commit 647b21a
- s390/kprobes: fix irq mask clobbering on kprobe reenter from
  post_handler (git-fixes bsc#1212170).
- commit 21760dd
- xfs: fix rm_offset flag handling in rmap keys (git-fixes).
- commit 09f5a59
- Squashfs: fix handling and sanity checking of xattr_ids count
- commit 78ee867
- squashfs: harden sanity check in squashfs_read_xattr_id_table
- commit 006d643
- fs: hfsplus: fix UAF issue in hfsplus_put_super (git-fixes).
- commit 4693a49
- hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
- commit 6189e17
- hfsplus: fix bug causing custom uid and gid being unable to
  be assigned with mount (git-fixes).
- commit 3226ad8
- s390/kprobes: fix current_kprobe never cleared after kprobes
  reenter (git-fixes bsc#1212167).
- commit 94cf46f
- hfs: Fix OOB Write in hfs_asc2mac (git-fixes).
- commit 5986c8d
- hfs: fix OOB Read in __hfs_brec_find (git-fixes).
- commit f70b4c6
- hfs/hfsplus: use WARN_ON for sanity check (git-fixes).
- commit 1caaab9
- hfs: add lock nesting notation to hfs_find_init (git-fixes).
- commit 37dff28
- hfs: fix high memory mapping in hfs_bnode_read (git-fixes).
- commit ae9031e
- hfs: add missing clean-up in hfs_fill_super (git-fixes).
- commit cc1fbe6
- hfsplus: fix crash and filesystem corruption when deleting files
- commit 3526c58
- fs/hfs/extent.c: fix array out of bounds read of array extent
- commit 5ff3c8a
- hfs: update timestamp on truncate() (git-fixes).
- commit f4e5f42
- hfsplus: update timestamps on truncate() (git-fixes).
- commit 5f7a4bc
- hfs: fix return value of hfs_get_block() (git-fixes).
- commit aa4ce83
- hfsplus: fix return value of hfsplus_get_block() (git-fixes).
- commit 1500cd0
- hfs: prevent btree data loss on ENOSPC (git-fixes).
- commit b6da074
- hfsplus: prevent btree data loss on ENOSPC (git-fixes).
- commit efe705c
- hfs: fix BUG on bnode parent update (git-fixes).
- commit e3129f2
- hfsplus: fix BUG on bnode parent update (git-fixes).
- commit ecc193f
- sysv: use BUILD_BUG_ON instead of runtime check (git-fixes).
- commit 33448c7
- reiserfs: Add security prefix to xattr name in
  reiserfs_security_write() (git-fixes).
- commit 381baa2
- reiserfs: Add missing calls to reiserfs_security_free()
- commit 894cdec
- reiserfs: check directory items on read from disk (git-fixes).
- commit c73d26d
- reiserfs: add check for root_inode in reiserfs_fill_super
- commit 0112af8
- reiserfs: add check for invalid 1st journal block (git-fixes).
- commit 9fe53c4
- reiserfs: only call unlock_new_inode() if I_NEW (git-fixes).
- commit fdc0c7c
- reiserfs: Fix memory leak in reiserfs_parse_options()
- commit eda67ce
- reiserfs: prevent NULL pointer dereference in
  reiserfs_insert_item() (git-fixes).
- commit 922f823
- reiserfs: propagate errors from fill_with_dentries() properly
- commit 529b15f
- reiserfs: change j_timestamp type to time64_t (git-fixes).
- commit 982e84f
- memstick: r592: Fix UAF bug in r592_remove due to race condition
  (CVE-2023-3141 bsc#1212129 bsc#1211449).
- commit 77b88e9
- firewire: fix potential uaf in outbound_phy_packet_callback()
  (CVE-2023-3159 bsc#1212128).
- commit f62d406
- s390/dasd: fix hanging blockdevice after request requeue
  (git-fixes bsc#1212165).
- commit 2203987
- s390/qdio: fix do_sqbs() inline assembly constraint (git-fixes
- commit e732a7c
- Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- commit 7ebcbd5
- Refresh
  fix the second instance of incorrect MPOL_MF_STRICT check.
- commit 47debde
- PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros (git-fixes).
- commit dd4da3b
- Refresh
  Delete also the out: label. Upstream still has users for that label.
  Unlike we.
  drivers/char/ipmi/ipmi_msghandler.c:5366:1: error: label ‘out’ defined but not used
- commit 05b72bb
- wcn36xx: Fix max channels retrieval (gcc-warning-fixes).
  drivers/net/wireless/ath/wcn36xx/smd.c: In function ‘wcn36xx_smd_update_channel_list’:
  ./include/linux/kernel.h:785:12: error: large integer implicitly truncated to unsigned type
- commit 6bbb096
- Refresh
  Fix compiler warning:
  fs/btrfs/disk-io.c:815:6: error: unused variable ‘limit’
  The upstream patch removes 'limit' too, so follow that up.
- commit 45d33ba
- Refresh
  Drop memcg_update_kmem_limit() as it is unused now and the compiler
  mm/memcontrol.c:2972:12: error: ‘memcg_update_kmem_limit’ defined but not used
  This is done in the upstream patch too.
- commit 660e644
- Move setting %%split_optional to
- commit 8b0828d
- Refresh
  Fix the MPOL_MF_STRICT condition (noticed by Jiri Slaby)
- commit b6b86f2
- Move setting %%supported_modules_check to
- commit 494d3df
- PCI: pciehp: Clear cmd_busy bit in polling mode (git-fixes).
- PCI: aardvark: Clear all MSIs at setup (git-fixes).
- PCI: pciehp: Fix infinite loop in IRQ handler upon power fault
- PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity()
- PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error (git-fixes).
- PCI/MSI: Mask MSI-X vectors only on success (git-fixes).
- PCI/MSI: Destroy sysfs before freeing entries (git-fixes).
- PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
- PCI: aardvark: Fix return value of MSI domain .alloc() method
- PCI: aardvark: Do not unmask unused interrupts (git-fixes).
- PCI: aardvark: Do not clear status bits of masked interrupts
- commit fd8f739
- rpm/ pass PYTHON=python3 to fix build error (bsc#1160435)
- commit 799f050
- PCI: aardvark: Replace custom macros by standard
  linux/pci_regs.h macros (git-fixes).
- Refresh
- blacklist.conf: remove it from there
  While it's a cleanup, it's a prerequisite for the following patches.
- commit 4ef2916
- blacklist.conf: add some PCI git-fixes
- commit dcca97f
- rpm/ Fix compatibility wth newer rpm
- commit 334fb4d
- net: hisilicon: Fix "/Trying to free already-free IRQ"/
- commit 997c2f2
- qed: Add cleanup in qed_slowpath_start() (git-fixes).
- commit 912dd32
- net: myri10ge: fix memory leaks (git-fixes).
- commit 47340d2
- cxgb4: fix a memory leak bug (git-fixes).
- commit 3c000ae
- net: cxgb3_main: Fix a resource leak in a error path in
  'init_one()' (git-fixes).
- commit e158810
- net/ethernet/qlogic/qed: force the string buffer NULL-terminated
- commit 4ba9e6b
- qed: RDMA - Fix the hw_ver returned in device attributes
- commit 410eb8e
- blacklist.conf: update blacklist
- commit 2c3f74d
- ixgbe: Check DDM existence in transceiver before access
- commit 510e134
- net: axienet: Fix race condition causing TX hang (git-fixes).
- commit e7cf2ee
- bnx2x: Check if transceiver implements DDM before access
- commit c586a4b
- sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077)
- commit 6b28935
- Also include kernel-docs build requirements for ALP
- commit 114d088
- Move the kernel-binary conflicts out of the spec file.
  Thie list of conflicting packages varies per release.
  To reduce merge conflicts move the list out of the spec file.
- commit 4d81125
- Avoid unsuported tar parameter on SLE12
- commit 2b8c97b
- usb: xhci: rework grace period logic (git-fixes).
- commit 0d7b2a3
- xhci: Add grace period after xHC start to prevent premature
  runtime suspend (git-fixes).
- commit 7c3b440
- Move obsolete KMP list into a separate file.
  The list of obsoleted KMPs varies per release, move it out of the spec
- commit 016bc55
- Trim obsolete KMP list.
  SLE11 is out of support, we do not need to handle upgrading from SLE11
- commit 08819bb
- powerpc/64s/radix: Fix soft dirty tracking (bsc#1065729).
- commit ad0e3ea
- Generalize kernel-doc build requirements.
- commit 23b058f
- kernel-binary: Add back kernel-default-base guarded by option
  Add configsh option for splitting off kernel-default-base, and for
  not signing the kernel on non-efi
- commit 8ad6a28
- gve: Remove the code of clearing PBA bit (bsc#1211519).
- gve: Secure enough bytes in the first TX desc for all TCP pkts
- gve: Cache link_speed value from device (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Fix error return code in gve_prefill_rx_pages()
- gve: Reduce alloc and copy costs in the GQ rx path
- gve: Fix GFP flags when allocing pages (bsc#1211519).
- google/gve:fix repeated words in comments (bsc#1211519).
- gve: Fix spelling mistake "/droping"/ -> "/dropping"/ (bsc#1211519).
- gve: enhance no queue page list detection (bsc#1211519).
- commit cda49a1
- usb: idmouse: fix an uninit-value in idmouse_open (git-fixes).
- commit e7f1d31
- net: stmmac: don't log oversized frames (git-fixes).
- commit 02a1ae5
- net: stmmac: fix dropping of multi-descriptor RX frames
- commit 0c5e8a5
- bonding: show full hw address in sysfs for slave entries
- commit 4640084
- net: ibm: fix possible object reference leak (git-fixes).
- commit 2cab0bb
- net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
- commit 1cfa1c0
- net: altera_tse: fix msgdma_tx_completion on non-zero fill_level
  case (git-fixes).
- commit 82bd47b
- sfc: suppress duplicate nvmem partition types in
  efx_ef10_mtd_probe (git-fixes).
- commit 17c6719
- net: altera_tse: fix connect_local_phy error path (git-fixes).
- commit da2fa27
- blacklist.conf: add FSL_UCC_HDLC
- commit cbbd4dd
- net/mlx4_core: Fix return codes of unsupported operations
- commit b2c5ba8
- vrf: mark skb for multicast or link-local as enslaved to VRF
- commit 9630bdb
- net: dsa: bcm_sf2: Turn on PHY to allow successful registration
- commit 00680d2
- net: netxen: fix a missing check and an uninitialized use
- commit 76249f8
- net: hisilicon: remove unexpected free_netdev (git-fixes).
- commit fc72200
- net: amd: add missing of_node_put() (git-fixes).
- commit 72cfaff
- blacklist.conf: add faraday network driver
- commit 8453351
- net: faraday: fix return type of ndo_start_xmit function
- commit 079382e
- net: smsc: fix return type of ndo_start_xmit function
- commit 56bd9aa
- net: micrel: fix return type of ndo_start_xmit function
- commit 96160a1
- net: sun: fix return type of ndo_start_xmit function
- commit 59f94b5
- net: broadcom: fix return type of ndo_start_xmit function
- commit 77fb78e
- net: xilinx: fix return type of ndo_start_xmit function
- commit 80ef560
- net: toshiba: fix return type of ndo_start_xmit function
- commit dbdb0d6
- net: hns3: fix return type of ndo_start_xmit function
- commit 5ba4bbc
- net: qla3xxx: Remove overflowing shift statement (git-fixes).
- commit 7055766
- blacklist.conf: update blacklist
- commit 804cac4
- blacklist.conf: Add 4ef0c5c6b5ba kernel/sched: Fix sched_fork() access an invalid sched_task_group
- commit 5d65c2b
- cifs: prevent infinite recursion in CIFSGetDFSRefer()
- commit 8982556
- netfilter: ebtables: convert BUG_ONs to WARN_ONs (git-fixes).
- commit 5f3d85f
- netfilter: ipt_CLUSTERIP: put config instead of freeing it
- commit 87f8afc
- netfilter: ipt_CLUSTERIP: put config struct if we can't
  increment ct refcount (git-fixes).
- commit e675512
- net/tcp/illinois: replace broken algorithm reference link
- commit 1264c76
- sit: fix IFLA_MTU ignored on NEWLINK (git-fixes).
- commit 05e5b1a
- ip6_tunnel: fix IFLA_MTU ignored on NEWLINK (git-fixes).
- commit 678863c
- RDS: IB: Fix null pointer issue (git-fixes).
- commit 85f4095
- l2tp: remove l2specific_len dependency in l2tp_core (git-fixes).
- Refresh
- commit 80db1e0
- l2tp: remove configurable payload offset (git-fixes).
- Refresh
- commit e4e115d
- rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
- commit 2b478a1
- net: xfrm: allow clearing socket xfrm policies (git-fixes).
- commit cb50bb2
- sctp: avoid flushing unsent queue when doing asoc reset
- commit 271642c
- blacklist: add nvme fabrics git-fixes
  The whole nvme fabrics part is missing fundamental changes which will
  not be backported. Don't bother to port git-fixes for this part.
- commit f524f37
- blacklist.conf: update blacklist
- commit ec49bac
- blacklist.conf: add net/caif
- commit 7907ff7
- nvme-pci: fix a NULL pointer dereference in
  nvme_alloc_admin_tags (git-fixes).
- nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
- nvme: free sq/cq dbbuf pointers when dbbuf set fails
- nvme: refine the Qemu Identify CNS quirk (git-fixes).
- nvme: Fix u32 overflow in the number of namespace list
  calculation (git-fixes).
- nvme: remove the ifdef around nvme_nvm_ioctl (git-fixes).
- nvme-pci: unquiesce admin queue on shutdown (git-fixes).
- nvme-pci: use the same attributes when freeing
  host_mem_desc_bufs (git-fixes).
- commit f8a43a3
- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- scsi: storvsc: Parameterize number hardware queues
- commit f58838c
- scsi: qla2xxx: Replace all non-returning strlcpy() with
  strscpy() (bsc#1211960).
- scsi: qla2xxx: Update version to (bsc#1211960).
- scsi: qla2xxx: Wait for io return on terminate rport
- scsi: qla2xxx: Fix mem access after free (bsc#1211960).
- scsi: qla2xxx: Fix hang in task management (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd fail due to unavailable
  resource (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
- scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
- scsi: qla2xxx: Replace all non-returning strlcpy() with
  strscpy() (bsc#1211960).
- scsi: qla2xxx: Update version to (bsc#1211960).
- scsi: qla2xxx: Wait for io return on terminate rport
- scsi: qla2xxx: Fix mem access after free (bsc#1211960).
- scsi: qla2xxx: Fix hang in task management (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd fail due to unavailable
  resource (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
- scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
- scsi: qla2xxx: Declare SCSI host template const (bsc#1211960).
- scsi: qla2xxx: Refer directly to the qla2xxx_driver_template
- scsi: qla2xxx: Remove default fabric ops callouts (bsc#1211960).
- scsi: qla2xxx: Drop redundant pci_enable_pcie_error_reporting()
- commit 875f923
- kcm: Check if sk_user_data already set in kcm_attach
- Refresh patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch.
- commit 796ddfc
- ip6_tunnel: allow ip6gre dev mtu to be set below 1280
- Refresh
- commit 9359f96
- xfrm: Fix stack-out-of-bounds with misconfigured transport
  mode policies (git-fixes).
- commit a397dd8
- sctp: fix the issue that a __u16 variable may overflow in
  sctp_ulpq_renege (git-fixes).
- Refresh
- commit dfdadd9
- fix kcm_clone() (git-fixes).
- Refresh
- commit ff3266d
- blacklist.conf: update blacklist
- commit 6559dbc
- usrmerge: Compatibility with earlier rpm (boo#1211796)
- commit 2191d32
- Fix usrmerge error (boo#1211796)
- commit da84579
- s390/uaccess: add missing earlyclobber annotations to __clear_user()
  (LTC#202116 bsc#1209857 git-fixes).
- commit 466ebf1
- media: radio-shark: Add endpoint checks (git-fixes).
- commit 645a65c
- USB: sisusbvga: Add endpoint checks (git-fixes).
- commit 0086804
- USB: core: Add routines for endpoint checks in old drivers
- commit 9b3a4b6
- mac80211: drop multicast fragments (git-fixes).
- Refresh patches.kabi/cfg80211-kabi-workaround.patch.
- Refresh
- commit dcf3ad7
- mac80211: choose first enabled channel for monitor (git-fixes).
- commit 9005ef1
- mac80211: pause TX while changing interface type (git-fixes).
- commit 2e9a9ca
- IB/mlx5: Fix initializing CQ fragments buffer (git-fixes)
- commit ab52722
- RDMA/core: Don't access cm_id after its destruction (git-fixes)
- commit 3e6a35e
- mac80211: fix fast-rx encryption check (git-fixes).
- commit 6dc3740
- blacklist.conf: breaks kABI in a pretty unfixable way
- commit f0b7d32
- RDMa/mthca: Work around -Wenum-conversion warning (git-fixes)
- commit 4ec5513
- RDMA/bnxt_re: Restrict the max_gids to 256 (git-fixes)
- commit 45f80d9
- RDMA/hns: Bugfix for querying qkey (git-fixes)
- commit 916464c
- RDMA/mlx5: Block delay drop to unprivileged users (git-fixes)
- commit b67e136
- IB/rdmavt: Add __init/__exit annotations to module init/exit funcs (git-fixes)
- commit aef401f
- RDMA/usnic: fix set-but-not-unused variable 'flags' warning (git-fixes)
- commit 410f136
- RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() (git-fixes)
- commit 08b691c
- IB/hfi1: Assign npages earlier (git-fixes)
- commit 94a7a3d
- RDMA/srp: Move large values to a new enum for gcc13 (git-fixes)
- commit 21e4838
- RDMA/hfi1: Prevent panic when SDMA is disabled (git-fixes)
- commit 69d046f
- RDMA/cma: Fix rdma_resolve_route() memory leak (git-fixes)
- commit ebc12ea
- RDMA/cxgb4: Fix missing error code in create_qp() (git-fixes)
- commit 16a901d
- RDMA/rxe: Fix error type of mmap_offset (git-fixes)
- commit 78c6be8
- RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' (git-fixes)
- commit a8ed0c1
- RDMA/i40iw: Fix potential use after free (git-fixes)
- commit 078387e
- IB/iser: bound protection_sg size by data_sg size (git-fixes)
- commit c6057ed
- IB/mlx4: Fix memory leaks (git-fixes)
- commit 93dc3d9
- ipoib: correcly show a VF hardware address (git-fixes)
- commit b86fe95
- IB/mlx4: Increase the timeout for CM cache (git-fixes)
- commit bd695fb
- IB/usnic: Fix potential deadlock (git-fixes)
- commit 7517110
- RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer (git-fixes)
- commit ce8a13e
- mlx4: Use snprintf instead of complicated strcpy (git-fixes)
- commit 8357ea9
- rxe: IB_WR_REG_MR does not capture MR's iova field (git-fixes)
- commit 737703b
- RDMA/cma: Do not change route.addr.src_addr.ss_family (git-fixes)
- commit 0f21ca2
- Update References
  (bsc#1198400 bsc#1209779 CVE-2023-1637).
- commit 8e47860
- smb3: fix problem remounting a share after shutdown
- commit faae71e
- seccomp: Set PF_SUPERPRIV when checking capability (git-fixes
- commit f8e3006
- dm ioctl: fix nested locking in table_clear() to remove deadlock
  concern (bsc#1210806, CVE-2023-2269).
- commit e962c83
- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
- commit 75b4182
- blacklist.conf: Add 9fc9e278a5c0 panic: Introduce warn_limit
- commit 43ad239
- blacklist.conf: Add 659c0ce1cb9e kernel/sys.c: fix and improve control flow in __sys_setres[ug]id()
- commit 28b437a
- Remove usrmerge compatibility symlink in buildroot (boo#1211796)
  Besides Makefile needs to be patched to prefix /lib/modules.
  Requires corresponding patch to kmod.
- commit b8e00c5
- ceph: force updating the msg pointer in non-split case
- commit ebc5c5b
- cifs_atomic_open(): fix double-put on late allocation failure
- commit 9b4a498
- CIFS: Spelling s/EACCESS/EACCES/ (bsc#1190317).
- Refresh
- commit 154e2e3
- smb3: fix temporary data corruption in collapse range
- commit 48c460b
- smb3: fix temporary data corruption in insert range
- commit 6225020
- blacklist.conf: Append 'Revert "/fbcon: don't lose the console font across generic->chip driver switch"/'
- commit 0b0664b
- fbcon: Check font dimension limits (bsc#1154048)
  * rename drivers/video/fbdev/core to drivers/video/console
- commit 2e6300a
- fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() (bsc#1154048)
- commit 7a7fe7f
- backlight: lm3630a: Fix return code of .update_status() callback (bsc#1129770)
- commit 65a9461
- blacklist.conf: Append 'fbdev: udlfb: Fix endpoint check'
- commit c71f23c
- blacklist.conf: Append 'fbdev: arcfb: Fix error handling in arcfb_probe()'
- commit 3b8befa
- blacklist.conf: Append 'fbdev: au1200fb: Fix potential divide by zero'
- commit 99bcf68
- blacklist.conf: Append 'fbdev: lxfb: Fix potential divide by zero'
- commit 29ac883
- blacklist.conf: Append 'fbdev: intelfb: Fix potential divide by zero'
- commit c54aef0
- blacklist.conf: Append 'fbdev: nvidia: Fix potential divide by zero'
- commit 0180fb8
- blacklist.conf: Append 'fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks'
- commit 7424f1a
- blacklist.conf: Append 'fbdev: tgafb: Fix potential divide by zero'
- commit 3dfd2f8
- blacklist.conf: Append 'fbdev: omapfb: cleanup inconsistent indentation'
- commit e6f26fa
- blacklist.conf: Append 'fbdev: vermilion: decrease reference count in error path'
- commit bfe058e
- blacklist.conf: Append 'fbdev: via: Fix error in via_core_init()'
- commit 47cb95a
- blacklist.conf: Append 'fbdev: pm2fb: fix missing pci_disable_device()'
- commit 5d257c9
- blacklist.conf: Append 'fbdev: ssd1307fb: Drop optional dependency'
- commit 6cbf42c
- blacklist.conf: Append 'fbdev: cyber2000fb: fix missing pci_disable_device()'
- commit 06f0770
- blacklist.conf: Append 'fbdev: smscufx: Fix several use-after-free bugs'
- commit 62a32ff
- blacklist.conf: Append 'parisc: fbdev/stifb: Align graphics memory size to 4MB'
- commit 22da2c5
- blacklist.conf: Append 'fbdev: smscufx: Fix use-after-free in ufx_ops_open()'
- commit 02b683d
- blacklist.conf: Append 'fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()'
- commit 489652a
- blacklist.conf: Append 'video: fbdev: i740fb: Check the argument of i740_calc_vclk()'
- commit c7b03dd
- blacklist.conf: Append 'video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write'
- commit ccb235b
- blacklist.conf: Append 'video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()'
- commit 9dffdbd
- blacklist.conf: Append 'video: fbdev: sm712fb: Fix crash in smtcfb_write()'
- commit d1847f5
- blacklist.conf: Append 'video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()'
- commit ac6af46
- blacklist.conf: Append 'video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()'
- commit 5a2e2fe
- blacklist.conf: Append 'video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit'
- commit 9966c33
- blacklist.conf: Append 'video: fbdev: cirrusfb: check pixclock to avoid divide by zero'
- commit 9b4a739
- blacklist.conf: Append 'video: fbdev: w100fb: Reset global state'
- commit 8c331fe
- blacklist.conf: Append 'video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow'
- commit e521feb
- blacklist.conf: Append 'video: fbdev: riva: Error out if 'pixclock' equals zero'
- commit cd1778b
- blacklist.conf: Append 'video: fbdev: kyro: Error out if 'pixclock' equals zero'
- commit e680120
- blacklist.conf: Append 'video: fbdev: asiliantfb: Error out if 'pixclock' equals zero'
- commit 4eef362
- blacklist.conf: Append 'video: fbdev: kyro: fix a DoS bug by restricting user input'
- commit 4dfa6f9
- cifs: fix confusing debug message (bsc#1190317).
- commit 5e1a930
- cifs: Fix uninitialized memory read for smb311 posix symlink
  create (bsc#1190317).
- Refresh
- commit 853e32c
- cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
- commit 4ae057c
- cifs: sanitize paths in cifs_update_super_prepath (bsc#1190317).
- commit 17664dd
- cifs: fix pcchunk length type in smb2_copychunk_range
- commit 2a739a8
- HID: asus: use spinlock to safely schedule workers (bsc#1208604
- commit 95bf045
- HID: asus: use spinlock to protect concurrent accesses
  (bsc#1208604 CVE-2023-1079).
- commit d755874
- blacklist.conf: changes behavior in user space
- commit 8e76d7a
- blacklist.conf: breaks existing user space
- commit 8a0f9f8
- KVM: x86: emulator: update the emulation mode after CR0 write
- commit 45c60e8
- KVM: x86: emulator: introduce emulator_recalc_and_set_mode
- commit cd1c312
- KVM: x86: emulator: em_sysexit should update ctxt->mode
- commit e33b7a7
- KVM: x86: fix incorrect comparison in trace event (git-fixes).
- commit e7c7c64
- x86/kvm: Don't call kvm_spurious_fault() from .fixup
- commit 2994486
- x86: kvm: avoid constant-conversion warning (git-fixes).
- commit 785e3c9
- KVM: x86: avoid misreporting level-triggered irqs as
  edge-triggered in tracing (git-fixes).
- commit 3a2f7bf
- ring-buffer: Sync IRQ works before buffer destruction
- commit 7f66fa1
- ring-buffer: Ensure proper resetting of atomic variables in
  ring_buffer_reset_online_cpus (git-fixes).
- commit 05b01b4
- f2fs: Fix f2fs_truncate_partial_nodes ftrace event (git-fixes).
- commit c9aec28
- KVM: nSVM: clear events pending from svm_complete_interrupts()
  when exiting to L1 (git-fixes).
- commit dea3e13
- KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
- commit e8ac19f
- x86/kvm/vmx: fix old-style function declaration (git-fixes).
- commit 60914fa
- KVM: x86: fix empty-body warnings (git-fixes).
- commit 1ff0909
- kvm: mmu: Don't read PDPTEs when paging is not enabled
- commit 0c9e6c3
- KVM: x86: Update the exit_qualification access bits while
  walking an address (git-fixes).
- commit fb42639
- kernel-source: Remove unused macro variant_symbols
- commit 915ac72
- ipv6: sr: fix out-of-bounds read when setting HMAC data
- commit b97c30d
- Move upstreamed media fixes into sorted section
- commit 488e428
- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
- commit df5f28a
- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
  (CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
  dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
  dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
  dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
  wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
  dvb_frontend (CVE-2022-45885 bsc#1205758).
- media: dvbdev: fix error logic at dvb_register_device()
  (CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
  (CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
  implementation (CVE-2022-45884 bsc#1205756).
- commit f7cc9c8
- net: sched: sch_qfq: prevent slab-out-of-bounds in
  qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit a507e94
- i2c: xgene-slimpro: Fix out-of-bounds bug in
  xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit 3e58c3b
- net/iucv: Fix size of interrupt data (bsc#1211466).
- commit f3fc622
- blacklist.conf: update blacklist
- commit 6d6d566
- net: emac: fix fixed-link setup for the RTL8363SB switch (git-fixes).
- commit 9681063
- stmmac: fix valid numbers of unicast filter entries (git-fixes).
- commit ef24a07
- net: qca_spi: Fix log level if probe fails (git-fixes).
- commit 3f5bdc7
- net: davinci_emac: match the mdio device against its compatible if possible (git-fixes).
- commit bd607b2
- net: dsa: qca8k: Add support for QCA8334 switch (git-fixes).
- commit 7151502
- net: ethernet: ti: cpsw-phy-sel: check bus_find_device()
  ret value (git-fixes).
- commit faf163d
- blacklist.conf: update blacklist
- commit ee5c63d
- blacklist.conf: update blacklist
- commit cb25c3b
- net: dsa: b53: Add BCM5389 support (git-fixes).
- commit 97f949b
- net: mvneta: fix enable of all initialized RXQs (git-fixes).
- commit c3670b0
- net: dsa: mt7530: fix module autoloading for OF platform drivers
- commit 5aa0e3c
- sunvnet: does not support GSO for sctp (git-fixes).
- commit 2c2cd3a
- net: qcom/emac: Use proper free methods during TX (git-fixes).
- commit 9e71f84
- net: Extra '_get' in declaration of
  arch_get_platform_mac_address (git-fixes).
- commit a07f7ac
- net: arc_emac: fix arc_emac_rx() error paths (git-fixes).
- commit 055ed24
- net: mediatek: setup proper state for disabled GMAC on the
  default (git-fixes).
- commit d4884c0
- blacklist.conf: update blacklist
- commit 3d40ef3
- sctp: fix erroneous inc of snmp SctpFragUsrMsgs (git-fixes).
- commit 1e6b878
- net: propagate dev_get_valid_name return code (git-fixes).
- commit 6c7e15c
- blacklist.conf: update blacklist
- commit 0b29eb6
- s390/kasan: fix early pgm check handler execution (git-fixes
- s390: ctcm: fix ctcm_new_device error return code (git-fixes
- s390/pci: fix sleeping in atomic during hotplug (git-fixes
- s390/sysinfo: add missing #ifdef CONFIG_PROC_FS (git-fixes
- s390/extmem: fix gcc 8 stringop-overflow warning (git-fixes
- s390/scm_blk: correct numa_node in scm_blk_dev_setup (git-fixes
- s390/dasd: correct numa_node in dasd_alloc_queue (git-fixes
- commit eaf6fde
- netrom: Fix use-after-free caused by accept on already
  connected socket (bsc#1211186 CVE-2023-32269).
- commit 5091773
- net: tls: fix possible race condition between
  do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
  (bsc#1209366 CVE-2023-28466).
- commit 6a60b30
- ACPI: processor: Fix evaluating _PDC method when running as
  Xen dom0 (git-fixes).
- commit dc522b8
- xen/netback: use same error messages for same errors
- commit 4db5f86
- xen/netback: don't do grant copy across page boundary
- commit 1db009c
- Refresh patches.suse/arm64-Discard-.note.GNU-stack-section.patch.
  Add note about required followups for the upstream version.
- commit 22f581b
- powerpc/rtas: use memmove for potentially overlapping buffer
  copy (bsc#1065729).
- powerpc: Don't try to copy PPR for task with NULL pt_regs
- powerpc: Squash lines for simple wrapper functions
- commit 5b5254d
- blacklist.conf: workqueue: Cosmetic change. Not worth backporting (bsc#1211275)
- commit 75d9c4f
- ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
- commit 45358c3
- sctp: make use of pre-calculated len (git-fixes).
- commit 917a7de
- ipv6: icmp6: Allow icmp messages to be looped back (git-fixes).
- commit b8c6b46
- ipv4: ipv4_default_advmss() should use route mtu (git-fixes).
- commit b90f190
- net: ipv6: send NS for DAD when link operationally up
- commit 068ddeb
- blacklist.conf: update blacklist
- commit a62f4ec
- workqueue: Print backtraces from CPUs with hung CPU bound
  workqueues (bsc#1211044).
- commit 9009e7b
- workqueue: Warn when a rescuer could not be created
- commit 729d6a5
- blacklist.conf: udapte blacklist
- commit 6f9c349
- blacklist.conf: update blacklist
- commit b77ff03
- workqueue: Interrupted create_worker() is not a repeated event
- commit 19f4343
- workqueue: Warn when a new worker could not be created
- commit 6849328
- workqueue: Fix hung time report of worker pools (bsc#1211044).
- commit 6603859
- blacklist.conf: dependencies cannot be met
- commit 719ca49
- wcn36xx: ensure pairing of init_scan/finish_scan and
  start_scan/end_scan (git-fixes).
- commit 087dd65
- wcn36xx: Ensure finish scan is not requested before start scan
- commit caae985
- blacklist.conf: add one pci git-fixes
- commit 855c141
- wcn36xx: Specify ieee80211_rx_status.nss (git-fixes).
- commit 012d160
- wcn36xx: Fix warning due to bad rate_idx (git-fixes).
- commit a518de1
- wcn36xx: Disable bmps when encryption is disabled (git-fixes).
- commit ebc2371
- wcn36xx: Fix software-driven scan (git-fix).
- Refresh
- Refresh
- commit 15a8b93
- wcn36xx: Use sequence number allocated by mac80211 (git-fixes).
- commit bb661ed
- wcn36xx: Fix TX data path (git-fixes).
- commit b77eb82
- wcn36xx: Increase number of TX retries (git-fixes).
- commit 97a8d22
- wcn36xx: Fix multiple AMPDU sessions support (git-fixes).
- commit 63b0807
- wcn36xx: Add ieee80211 rx status rate information (git-fixes).
- commit 4b6a254
- wcn36xx: fix spelling mistake "/to"/ -> "/too"/ (git-fixes).
- commit 7e6ee67
- wcn36xx: disable HW_CONNECTION_MONITOR (git-fixes).
- commit 4d8f867
- wcn36xx: fix typo (git-fixes).
- commit b5b95ed
- wcn36xx: remove unecessary return (git-fixes).
- commit 0eb75a5
- wcn36xx: use dma_zalloc_coherent instead of allocator/memset
- commit bbbad4b
- wcn36xx: Use kmemdup instead of duplicating it in
  wcn36xx_smd_process_ptt_msg_rsp (git-fixes).
- commit aa805c7
- wcn36xx: Channel list update before hardware scan (git-fixes).
- commit fcf8c32
- wcn36xx: Add ability for wcn36xx_smd_dump_cmd_req to pass
  two's complement (git-fixes).
- commit 39c25cd
- mwl8k: Fix a double Free in mwl8k_probe_hw (git-fixes).
- commit 9de04e1
- adm8211: fix error return code in adm8211_probe() (git-fixes).
- commit 8910841
- Documentation: Document sysfs interfaces purr, spurr, idle_purr,
  idle_spurr (PED-3947 bsc#1210544 ltc#202303).
- powerpc/sysfs: Show idle_purr and idle_spurr for every CPU
  (PED-3947 bsc#1210544 ltc#202303).
- powerpc/pseries: Account for SPURR ticks on idle CPUs (PED-3947
  bsc#1210544 ltc#202303).
- powerpc/idle: Store PURR snapshot in a per-cpu global variable
  (PED-3947 bsc#1210544 ltc#202303).
- powerpc: Move idle_loop_prolog()/epilog() functions to header
  file (PED-3947 bsc#1210544 ltc#202303).
- cpuidle/powernv: avoid double irq enable coming out of idle
  (PED-3947 bsc#1210544 ltc#202303).
- cpuidle: powerpc: no memory barrier after break from idle
  (PED-3947 bsc#1210544 ltc#202303).
- cpuidle: powerpc: read mostly for common globals (PED-3947
  bsc#1210544 ltc#202303).
- Refresh patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch
- cpuidle: powerpc: cpuidle set polling before enabling irqs
  (PED-3947 bsc#1210544 ltc#202303).
- Refresh patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch
- commit 964f26b
- rpm/ Increase disk size constraint for riscv64 to 52GB
- commit 1c1a4cd
- usb: early: xhci-dbc: Fix a potential out-of-bound memory access
- commit ad8060e
- fotg210-udc: Add missing completion handler (git-fixes).
- commit 3c809e3
- blacklist.conf: kABI
- commit dcd54c2
- usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
- commit 9ea489a
- platform/x86: dell-smbios-wmi: Add missing kfree in error-exit
  from run_smbios_call (git-fixes).
- commit bc58d39
- platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
- commit 96326a4
- platform/x86: alienware-wmi: fix kfree on potentially
  uninitialized pointer (git-fixes).
- commit 52b26a2
- platform/x86: alienware-wmi: fix format string overflow warning
- commit 9e6baf6
- platform/x86: alienware-wmi: constify attribute_group structures
- commit 804cedf
- platform/x86: alienware-wmi: Adjust instance of
  wmi_evaluate_method calls to 0 (git-fixes).
- commit 17d45d2
- platform/x86: dell-laptop: fix rfkill functionality.
- commit 04ebc44
- wifi: brcmfmac: slab-out-of-bounds read in
  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 07a41fa
- Remove obsolete rpm spec constructs
  defattr does not need to be specified anymore
  buildroot does not need to be specified anymore
- commit c963185
- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate
  obsoletes correctly (boo#1172073 bsc#1191731).
  rpm only supports full length release, no provides
- commit c9b5bc4
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
- commit 40e694d
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
  bsc#1211105 CVE-2023-2513).
- commit a52726d
- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- commit d6c8c20
- net: qcom/emac: Fix use after free bug in emac_remove due to
  race condition (bsc#1211037 CVE-2023-2483).
- commit 6c7d167
- usb: chipidea: fix missing goto in `ci_hdrc_probe` (git-fixes).
- commit 8371d59
- USB: dwc3: fix runtime pm imbalance on unbind (git-fixes).
- commit 3c78b91
- USB: dwc3: fix runtime pm imbalance on probe errors (git-fixes).
- commit 07dd465
- cifs: return ENOENT for DFS lookup_cache_entry() (bsc#1190317).
- Refresh
- Refresh
- commit f050536
- PCI: aardvark: Fix PCIe Max Payload Size setting (git-fixes).
- PCI: Mark Atheros QCA6174 to avoid bus reset (git-fixes).
- PCI: xilinx-nwl: Enable the clock through CCF (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts
- PCI: aardvark: Configure PCIe resources from 'ranges' DT
  property (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting
  for PIO response (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices
- PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
- PCI: Call Max Payload Size-related fixup quirks early
- commit 4ba05a4
- ipmi: fix SSIF not responding under certain cond (git-fixes).
- commit fd75dd9
- blacklist.conf: add one char git-fixes
- commit e967264
- wifi: ath5k: fix an off by one check in
  ath5k_eeprom_read_freq_list() (git-fixes).
- commit e7e4a01
- xfs: verify buffer contents when we skip log replay (bsc#1210498
- commit d228bcf
- kcm: Only allow TCP sockets to be attached to a KCM mux
- Refresh patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch.
- commit 1c38f1b
- xhci: hide include of iommu.h (git-fixes).
- commit d4a90d2
- xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough
  iommu (git-fixes).
- commit 25aa1f6
- struct ci_hdrc: hide new member at end (git-fixes).
- commit 10801c8
- usb: chipidea: core: fix possible concurrent when switch role
- commit b7e0f07
- x86/irq: Ensure PI wakeup handler is unregistered before module unload (git-fixes).
- commit 1ba0504
- x86/fpu: Prevent FPU state corruption (git-fixes).
- commit 7902778
- x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes).
- commit 7747d1d
- x86/tools/relocs: Fix non-POSIX regexp (git-fixes).
- commit bf7956d
- crypto: x86/ghash - fix unaligned access in ghash_setkey() (git-fixes).
- commit b2c2637
- x86/boot: Avoid using Intel mnemonics in AT&T syntax asm (git-fixes).
- commit 01320b7
- x86/virt: Mark flags and memory as clobbered by VMXOFF (git-fixes).
- commit 128b31b
- x86/virt: Eat faults on VMXOFF in reboot flows (git-fixes).
- commit d5a2713
- x86/tools: Fix objdump version check again (git-fixes).
- commit 2fac6b7
- x86/kprobes: Restore BTF if the single-stepping is cancelled (git-fixes).
- commit 675ef6d
- x86/kprobes: Fix to check non boostable prefixes correctly (git-fixes).
- commit 7707216
- blacklist.conf: Add a patch for kconfig option we don't have
- commit 133510f
- x86/bugs: Enable STIBP for IBPB mitigated RETBleed (git-fixes).
- commit 08350f2
- blacklist.conf: add nvme git-fixes
- commit 763e434
- nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is
  not RESETTING (git-fixes).
- commit 289f082
- x86/bugs: Add Cannon lake to RETBleed affected CPU list (git-fixes).
- commit 765cf23
- keys: Fix linking a duplicate key to a keyring's assoc_array
- commit fd3a7e5
- keys: Hoist locking out of __key_link_begin() (bsc#1207088).
- commit 9d4b000
- keys: Change keyring_serialise_link_sem to a mutex (bsc#1207088).
- commit d0f80a2
- scsi: qla2xxx: Fix memory leak in qla2x00_probe_one()
- scsi: qla2xxx: Perform lockless command completion in abort path
- commit 9283be1
- kabi/severities: ignore KABI for NVMe, except nvme-fc (bsc#1174777)
  Exported symbols under drivers/nvme/host/ are only used by the
  nvme subsystem itself, except for the nvme-fc symbols.
- commit c973bd8
- blacklist.conf: add nvme git-fixes
  The nvme fabric part is not really supported in sle12 and touching this
  code with proper a lot of testing has a high change of regressions.
  The nvme core bits are also very dangerous to update without introducing
  regression because sle12 is still using mixed single queue and
  multiqueue block layers infrastructures. All this fixes are addressing
  issues reported against multiqueue only setups
- commit 039b5e1
- blacklist.conf: irrelevant in all our configs
- commit 21e8e20
- blacklist.conf: irrelevant in all our configs
- commit 5d97024
- blacklist.conf: irrelevant in all our configs
- commit ed95b61
- blacklist.conf: cleanup
- commit 2328a0e
- blacklist.conf: kABI
- commit 5ede269
- blacklist.conf: irrelevant with the compiler options of SLE12
- commit 09fdb2d
- blacklist.conf: architecture not supported in SLE12
- commit 0f802d0
- blacklist.conf: alters behavior in a way that could cause regression
- commit 9198a95
- blacklist.conf: cosmetic
- commit 8c47024
- audit: improve audit queue handling when "/audit=1"/ on cmdline
- commit 05326be
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
  (bsc#1209871 CVE-2023-1670).
- commit cab17d2
- nvme-pci: fix doorbell buffer value endianness (git-fixes).
- nvme: retain split access workaround for capability reads
- commit 664dfaa
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in
  cpuset_cancel_attach() (bsc#1210827).
- commit c9ac567
- xfrm: policy: use hlist rcu variants on insert (git-fixes).
- commit 8f58d09
- blacklist.conf: update blacklist
- commit 94895b2
- powerpc/papr_scm: Update the NUMA distance table for the
  target node (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509
  FATE#327775 git-fixes).
- powerpc/pseries: Consolidate different NUMA distance update
  code paths (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509
  FATE#327775 git-fixes).
- powerpc/pseries: Rename TYPE1_AFFINITY to FORM1_AFFINITY
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
- powerpc/pseries: rename min_common_depth to primary_domain_index
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
- powerpc/numa: Consider the max NUMA node for migratable LPAR
  (bsc#1209999 ltc#202140 bsc#1190544 ltc#194520 bsc#1142685 ltc#179509 FATE#327775
- powerpc/numa: Detect support for coregroup (bsc#1209999
  ltc#202140 bsc#1142685 ltc#179509 FATE#327775 git-fixes).
- powerpc/numa: Restrict possible nodes based on platform
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
- powerpc/numa: Limit possible nodes to within num_possible_nodes
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
- commit 2690e67
- cred: allow get_cred() and put_cred() to be given NULL
- commit b20510e
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
  ipaddress (bsc#1210647 CVE-2023-2162).
- commit eba27cd
- drivers: net: lmc: fix case value for target abort error
- commit 9328eea
- net: axienet: Fix double deregister of mdio (git-fixes).
- commit ceccbaf
- net: prevent ISA drivers from building on PPC32 (git-fixes).
- commit 1665091
- blacklist.conf: update blacklist
- commit c7d12aa
- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 39d6889
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit e746751
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit 8101e86
- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit b3ddeab
- blacklist.conf: add !CONFIG_SYSFS entry
- commit ea663e2
- l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
- commit a6de55d
- l2tp: clean up stale tunnel or session in pppol2tp_connect's
  error path (git-fixes).
- commit ac0c4ce
- l2tp: fix pseudo-wire type for sessions created by
  pppol2tp_connect() (git-fixes).
- commit 3cea0f6
- netfilter: nft_set_rbtree: fix parameter of
  __nft_rbtree_lookup() (git-fixes).
- commit d139e7b
- netfilter: x_tables: Add note about how to free percpu counters
- commit 370ae8e
- net: core: dst: Add kernel-doc for 'net' parameter (git-fixes).
- commit f4bb4ad
- net: core: dst_cache_set_ip6: Rename 'addr' parameter to
  'saddr' for consistency (git-fixes).
- commit d4c9c59
- x86/boot/compressed: Disable relocation relaxation (git-fixes).
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- kretprobe: Prevent triggering kretprobe from within
  kprobe_flush_task (git-fixes).
- x86/speculation/mds: Mark mds_user_clear_cpu_buffers()
  __always_inline (git-fixes).
- x86_64: Fix jiffies ODR violation (git-fixes).
- x86/mm: Stop printing BRK addresses (git-fixes).
- bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX
  BPF_B (git-fixes).
- x86: Don't let pgprot_modify() change the page encryption bit
- x86/pkeys: Add check for pkey "/overflow"/ (git-fixes).
- commit e67532f
- watchdog: pcwd_usb: Fix attempting to access uninitialized
  memory (git-fixes).
- commit d040be6
- powercap: fix possible name leak in powercap_register_zone()
- commit 31ce59d
- usb: storage: Add check for kcalloc (git-fixes).
- commit 610895c
- usb: typec: Check for ops->exit instead of ops->enter in
  altmode_exit (git-fixes).
- commit b4c0f7a
- blacklist.conf: add some x86 git-fixes
- commit decff2c
- blacklist.conf: cleanup
- commit b4c83c2
- usb: dwc3: gadget: Don't set IMI for no_interrupt (git-fixes).
- commit 7500ab7
- ath10k: Fix missing frame timestamp for beacon/probe-resp
- commit b6a1dea
- x86/speculation: Allow enabling STIBP with legacy IBRS
  (bsc#1210506 CVE-2023-1998).
- commit 82dbdfe
- cifs: fix negotiate context parsing (bsc#1210301).
- commit e970e4b
- blacklist.conf: not needed; added also the commit introducing the regression
  on the blacklist to stay on the safe side
- commit 39430c3
- blacklist.conf: not worth the risk
- commit 581559c
- blacklist.conf: printk: cosmetic problem; wrong value shown in log
- commit 68309f1
- printk: Give error on attempt to set log buffer length to over
  2G (bsc#1210534).
- commit 416f599
- tuntap: fix dividing by zero in ebpf queue selection
- commit c7fc31c
- net: phy: realtek: Use the dummy stubs for MMD register access
  for rtl8211b (git-fixes).
- commit 8197f03
- blacklist.conf: update blacklist
- commit 1eb047f
- iwlwifi: Fix -EIO error code that is never returned (git-fixes).
- commit e2a6440
- iwlwifi: pcie: gen2: fix locking when "/HW not ready"/
- commit a192018
- iwlwifi: pcie: fix locking when "/HW not ready"/ (git-fixes).
- commit 34a2104
- blacklist.conf: upstream error
- commit 82a830a
- iwlwifi: pcie: reschedule in long-running memory reads
- commit e6380b0
- blacklist.conf: cleanup for specific compiler
- commit 0396363
- iwlwifi: fw: make pos static in iwl_sar_get_ewrd_table() loop
- commit c845c94
- blacklist.conf: feature and optimization, not a fix
- commit 9a8bf0b
- blacklist.conf: kABI
- commit 7b6dc5b
- ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
- commit a5c8a19
- ath10k: fix division by zero in send path (git-fixes).
- commit 995d86c
- ath10k: fix control-message timeout (git-fixes).
- commit 49a6469
- ath10k: add missing error return code in ath10k_pci_probe()
- commit 40313d2
- ath10k: Fix error handling in case of CE pipe init failure
- commit 29f18be
- struct wmi_svc_avail_ev_arg: new member to end (git-fixes).
- commit ace4238
- ath10k: Fix the parsing error in service available event
- commit 83c5772
- power: supply: da9150: Fix use after free bug in
  da9150_charger_remove due to race condition (CVE-2023-30772
- commit a67542a
- k-m-s: Drop Linux 2.6 support
- commit 22b2304
- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6
- wq: handle VM suspension in stall detection (bsc#1210466).
- commit b6661b9
- blacklist.conf: workqueue: Non-trivial reasoning why the change is correct.
  Fixing a corner case.
- commit 5637e05
- workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
- commit 3c2ae43
- workqueue: Fix spurious sanity check failures in
  destroy_workqueue() (bsc#1210460).
- blacklist.conf: Remove the commit from the blacklist.
- commit dcf3af1
- cachefiles: Drop superfluous readpages aops NULL check
- cachefiles: Handle readpage error correctly (bsc#1210430).
- cachefiles: Fix race between read_waiter and read_copier
  involving  op->to_do (bsc#1210430).
- fscache, cachefiles: remove redundant variable 'cache'
- cachefiles: Fix page leak in cachefiles_read_backing_file
  while  vmscan is active (bsc#1210430).
- commit 08d094b
- blacklist.conf: cachefiles fix not applicable to 12SP5
- commit 76c59ea
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
  due to race condition (CVE-2023-1855 bsc#1210202).
- commit 8e7b0ea
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit 636a7de
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
  condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 6ec02e1
- intel_pmc_ipc: restore ability to call functions with irq
  enabled (git-fixes).
- commit 8b76237
- Refresh
  Added additional commit ID
- commit 32b5de9
- platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR
  updates (git-fixes).
- commit 6fd8245
- platform/x86: intel_pmc_ipc: Use devm_* calls in driver probe
  function (git-fixes).
- commit 66a8daf
- blacklist.conf: irrelevant in our configs
- commit 77369a1
- s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
- commit 1101ba6
- net: usb: qmi_wwan: add Telit 0x1080 composition (git-fixes).
- commit cc9a7d7
- Refresh
  Added additional ID
- commit ec0740e
- blacklist.conf: Add 6a2cbc58d6c9 seq_buf: Make trace_seq_putmem_hex() support data longer than 8
- commit 3b72881
- usb: dwc3: core: fix kernel panic when do reboot (git-fixes).
- commit e2fbf46
- usb/ohci-platform: Fix a warning when hibernating (git-fixes).
- commit f004188
- blacklist.conf: not a fix
- commit 579db14
- blacklist.conf: hardware this is relevant for not supported in SLE12
- commit 9c1574c
- usb: host: ohci-pxa27x: Fix and & vs | typo (git-fixes).
- commit 8a04e90
- blacklist.conf: update blacklist
- commit 960fe5e
- sctp: return error if the asoc has been peeled off in
  sctp_wait_for_sndbuf (git-fixes).
- Refresh
- commit ec9bf28
- sctp: use the right sk after waking up from wait_buf sleep
- Refresh
- commit 09b20fd
- sctp: do not free asoc when it is already dead in sctp_sendmsg
- Refresh
- commit 064e118
- net/ncsi: Don't return error on normal response (git-fixes).
- commit 0448b7b
- blacklist.conf: update blacklist
- commit dd82a70
- blacklist.conf: add an intrusive ftrace refinement
- commit 1b629dd
- ftrace: Mark get_lock_parent_ip() __always_inline (git-fixes).
- commit f82808a
- ring-buffer: Fix race while reader and writer are on the same
  page (git-fixes).
- commit 68f2c8a
- Update
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
  Fix a performance bug introduced by the backports bsc#1210124
- commit 98fde8e
- btrfs: fix race between quota disable and quota assign ioctls
  (CVE-2023-1611 bsc#1209687).
- commit 5262625
- Define kernel-vanilla as source variant
  The vanilla_only macro is overloaded. It is used for determining if
  there should be two kernel sources built as well as for the purpose of
  determmioning if vanilla kernel should be used for kernel-obs-build.
  While the former can be determined at build time the latter needs to be
  baked into the spec file template. Separate the two while also making
  the latter more generic.
  $build_dtbs is enabled on every single rt and azure branch since 15.3
  when the setting was introduced, gate on the new $obs_build_variant
  setting as well.
- commit 36ba909
- timekeeping: Prevent 32bit truncation in (git-fixes)
- commit b5eceb5
- ntp: Limit TAI-UTC offset (git-fixes)
- commit cb87f16
- x86/decoder: Add TEST opcode to Group3-2 (git-fixes).
- x86/sysfb: Fix check for bad VRAM size (git-fixes).
- x86/mm: Use the correct function type for native_set_fixmap()
- x86/ioapic: Prevent inconsistent state when moving an interrupt
- x86/mce: Lower throttling MCE messages' priority to warning
- x86/apic: Soft disable APIC before initializing it (git-fixes).
- x86/reboot: Always use NMI fallback when shutdown via reboot
  vector IPI fails (git-fixes).
- uprobes/x86: Fix detection of 32-bit user mode (git-fixes).
- x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled
  machines (git-fixes).
- x86/apic: Handle missing global clockevent gracefully (git-fixes
- x86/lib/cpu: Address missing prototypes warning (git-fixes).
- x86, boot: Remove multiple copy of static function
  sanitize_boot_params() (git-fixes).
- commit 439b087
- blacklist.conf: add some x86 git-fixes
- commit 048281c
- netlink: limit recursion depth in policy validation
  (CVE-2020-36691 bsc#1209613).
- commit 519d73a
- rpm/ increase the disk size for armv6/7 to 24GB
  It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816
- rpm/check-for-config-changes: add TOOLCHAIN_NEEDS_* to IGNORED_CONFIGS_RE
  This new form was added in commit e89c2e815e76 ("/riscv: Handle
  zicsr/zifencei issues between clang and binutils"/).
- commit 234baea
- cifs: Fix smb2_set_path_size() (bsc#1190317).
- commit 298a4d8
- cifs: Move the in_send statistic to __smb_send_rqst()
- commit c1a3dcd
- cifs: prevent data race in cifs_reconnect_tcon() (bsc#1190317).
- commit 46ad6ef
- update internal module version number for cifs.ko (bsc#1190317).
- commit 0d92429
- cifs: reuse cifs_match_ipaddr for comparison of dstaddr too
- commit 29571bf
- cifs: match even the scope id for ipv6 addresses (bsc#1190317).
- commit ffb4742
- cifs: Fix lost destroy smbd connection when MR allocate failed
- commit 8c42642
- cifs: get rid of dns resolve worker (bsc#1190317).
- commit 1597aa3
- cifs: Fix warning and UAF when destroy the MR list
- commit 57628d2
- cifs: Convert struct fealist away from 1-element array
- commit 450af82
- cifs: fix mount on old smb servers (bsc#1190317).
- commit b608d71
- cifs: Fix uninitialized memory reads for oparms.mode
- commit 4430e40
- cifs: remove unneeded 2bytes of padding from smb2 tree connect
- commit 3db0a6b
- cifs: Fix uninitialized memory read in smb3_qfs_tcon()
- commit 7fd60d0
- cifs: don't try to use rdma offload on encrypted connections
- commit b75ae7e
- cifs: split out smb3_use_rdma_offload() helper (bsc#1190317).
- commit 4ec903f
- cifs: introduce cifs_io_parms in smb2_async_writev()
- commit 9060955
- cifs: get rid of unneeded conditional in cifs_get_num_sgs()
- commit b970b4a
- cifs: prevent data race in smb2_reconnect() (bsc#1190317).
- commit e153e6f
- cifs: fix indentation in make menuconfig options (bsc#1190317).
- commit e3f6c21
- cifs: update Kconfig description (bsc#1190317).
- commit d50d5ca
- cifs: Get rid of unneeded conditional in the smb2_get_aead_req()
- commit 46dc317
- cifs: print last update time for interface list (bsc#1190317).
- commit aaab89f
- cifs: Replace zero-length arrays with flexible-array members
- commit 86e6cd6
- cifs: Use kstrtobool() instead of strtobool() (bsc#1190317).
- commit 103e49e
- cifs: Fix use-after-free in rdata->read_into_pages()
- commit 0bb36b3
- cifs: Fix oops due to uncleared server->smbd_conn in reconnect
- commit 7c17011
- cifs: do not include page data when checking signature
- commit 68b5c43
- cifs: fix return of uninitialized rc in
  dfs_cache_update_tgthint() (bsc#1190317).
- commit aef9873
- cifs: handle cache lookup errors different than -ENOENT
- commit b259488
- cifs: remove duplicate code in __refresh_tcon() (bsc#1190317).
- commit 078424b
- cifs: don't take exclusive lock for updating target hints
- commit 0ba4f09
- cifs: avoid re-lookups in dfs_cache_find() (bsc#1190317).
- commit db9d0ac
- cifs: fix potential deadlock in cache_refresh_path()
- commit 8b47c8a
- cifs: fix potential memory leaks in session setup (bsc#1190317).
- commit 9d070b1
- cifs: fix double free on failed kerberos auth (bsc#1190317).
- commit e2bec13
- cifs: remove redundant assignment to the variable match
- commit 77ccb0d
- cifs: protect access of TCP_Server_Info::{dstaddr,hostname}
- commit f930e6e
- cifs: fix race in assemble_neg_contexts() (bsc#1190317).
- commit ea7fbbe
- cifs: ignore ipc reconnect failures during dfs failover
- commit afdee33
- cifs: update internal module number (bsc#1190317).
- commit 7b8d7fd
- cifs: split out ses and tcon retrieval from mount_get_conns()
- commit 15a2a87
- cifs: set resolved ip in sockaddr (bsc#1190317).
- commit d330759
- cifs: set correct ipc status after initial tree connect
- commit 37864d2
- cifs: set correct tcon status after initial tree connect
- commit 1a028fa
- cifs: Remove duplicated include in cifsglob.h (bsc#1190317).
- commit a1d08d1
- cifs: fix oops during encryption (bsc#1190317).
- commit f574daf
- cifs: fix missing display of three mount options (bsc#1190317).
- commit 93d0b09
- cifs: fix various whitespace errors in headers (bsc#1190317).
- commit bea92d2
- cifs: minor cleanup of some headers (bsc#1190317).
- commit eb82a98
- cifs: skip alloc when request has no pages (bsc#1190317).
- commit 10815ee
- cifs: remove ->writepage (bsc#1190317).
- commit 2c2004f
- cifs: stop using generic_writepages (bsc#1190317).
- commit 000147c
- cifs: add check for returning value of SMB2_set_info_init
- commit cba1815
- cifs: Fix wrong return value checking when GETFLAGS
- commit 3e78b62
- cifs: add check for returning value of SMB2_close_init
- commit 46060ff
- cifs: Fix connections leak when tlink setup failed
- commit 8cec257
- cifs: fix use-after-free caused by invalid pointer `hostname`
- commit a20d808
- cifs: Fix pages leak when writedata alloc failed in
  cifs_write_from_iter() (bsc#1190317).
- commit f847274
- cifs: Fix pages array leak when writedata alloc failed in
  cifs_writedata_alloc() (bsc#1190317).
- commit d37ea58
- cifs: use stub posix acl handlers (bsc#1190317).
- commit ee8407b
- cifs: update internal module number (bsc#1190317).
- commit 7ab3edc
- cifs: Fix memory leak when build ntlmssp negotiate blob failed
- commit 98ff997
- cifs: fix memory leaks in session setup (bsc#1190317).
- commit c763ca5
- cifs: Fix xid leak in cifs_flock() (bsc#1190317).
- commit dacf024
- cifs: Fix xid leak in cifs_copy_file_range() (bsc#1190317).
- commit 3de8885
- cifs: Fix xid leak in cifs_create() (bsc#1190317).
- commit 705ac59
- smb3: improve SMB3 change notification support (bsc#1190317).
- commit fde51a0
- cifs: lease key is uninitialized in two additional functions
  when smb1 (bsc#1190317).
- commit 2f04807
- cifs: lease key is uninitialized in smb1 paths (bsc#1190317).
- commit ff35bdf
- smb3: must initialize two ACL struct fields to zero
- commit 0955f83
- cifs: fix double-fault crash during ntlmssp (bsc#1190317).
- commit 9254cdc
- cifs: use ALIGN() and round_up() macros (bsc#1190317).
- Refresh patches.suse/cifs-fix-negotiate-context-parsing.patch.
- commit 53d873a
- cifs: prevent copying past input buffer boundaries
- commit 62868f6
- smb3: fix oops in calculating shash_setkey (bsc#1190317).
- commit 5afee83
- cifs: secmech: use shash_desc directly, remove sdesc
- commit 55bc867
- cifs: remove initialization value (bsc#1190317).
- commit 8fe3a94
- smb3: rename encryption/decryption TFMs (bsc#1190317).
- commit 87d5689
- Fix formatting of client smbdirect RDMA logging (bsc#1190317).
- commit 51fd618
- Handle variable number of SGEs in client smbdirect send
- commit 6d2118f
- Reduce client smbdirect max receive segment size (bsc#1190317).
- commit 92e56ee
- Decrease the number of SMB3 smbdirect client SGEs (bsc#1190317).
- commit 7f2c69f
- cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
- commit 29e7c59
- cifs: destage dirty pages before re-reading them for cache=none
- commit 70d82b6
- cifs: return correct error in ->calc_signature() (bsc#1190317).
- commit b8c45e4
- cifs: misc: fix spelling typo in comment (bsc#1190317).
- commit 4f07bbc
- cifs: avoid use of global locks for high contention data
- Refresh
- Refresh patches.suse/cifs-remove-useless-DeleteMidQEntry-.patch.
  Context adjustment.
- commit be7ee22
- cifs: add missing spinlock around tcon refcount (bsc#1190317).
- commit 0886941
- cifs: always initialize struct msghdr smb_msg completely
- commit bc42256
- cifs: don't send down the destination address to sendmsg for
  a SOCK_STREAM (bsc#1190317).
- commit 4cd0dc6
- cifs: revalidate mapping when doing direct writes (bsc#1190317).
- commit fdcc906
- cifs: fix small mempool leak in SMB2_negotiate() (bsc#1190317).
- commit eb1b54c
- cifs: Add helper function to check smb1+ server (bsc#1190317).
- commit 260556f
- cifs: Use help macro to get the mid header size (bsc#1190317).
- commit 11dd1d2
- cifs: skip extra NULL byte in filenames (bsc#1190317).
- commit d9c1046
- cifs: Use help macro to get the header preamble size
- commit 1c1c393
- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit 6fa5ff4
- rpm/ Fix output difference when / is in location
  While previous attempt to fix in 6d651362c38
  "/rpm/ Deal with {pre,post}fixed / in location"/
  breaks the infinite loop, it does not properly address the issue. Having
  prefixed and/or postfixed forward slash still result in different
  This commit changes the script to use the Perl core module File::Spec
  for proper path manipulation to give consistent output.
- commit 4161bf9
- Require suse-kernel-rpm-scriptlets at all times.
  The kernel packages call scriptlets for each stage, add the dependency
  to make it clear to libzypp that the scriptlets are required.
  There is no special dependency for posttrans, these scriptlets run when
  transactions are resolved. The plain dependency has to be used to
  support posttrans.
- commit 56c4dbe
- Replace mkinitrd dependency with dracut (bsc#1202353).
  Also update mkinitrd refrences in documentation and comments.
- commit e356c9b
- rpm/ Remove SLE11 cruft
- commit 871eeb4
- Update patch reference for libata fix (bsc#1118212).
- commit 16b85ae
- rpm/ Fix missing kernel-preempt-devel and KMP Provides (bsc#1199046)
- commit 84d7ba8
- rpm/ Add Provides of kernel-preempt (jsc#SLE-18857)
  For smooth migration with the former kernel-preempt user, kernel-default
  provides kernel-preempt now when CONFIG_PREEMPT_DYNAMIC is defined.
- commit d292a81
- libata: add horkage for ASMedia 1092 (git-fixes).
- commit 1ec1df0
- commit 8592674
- commit f575c68
- commit 2717fab
- Fix prefix reported by krb5-config, libraries and headers are not
  installed under /usr/lib/mit prefix. (bsc#1211411);
- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
  * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup()
  (bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch
- Speed up database handling when handling lots of rules like in docker
  Added backported patches:
  - 01-21b98d85e8bfdb701a5f9afd54ff5175af910a45.patch
  - 02-19af04da86e9a4168a443f3563fc7aec8839edf0.patch
- Security update:
  * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
    isn't deterministic
  - Added patch libxml2-CVE-2023-29469.patch
  * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
  - Added patch libxml2-CVE-2023-28484-1.patch
  - Added patch libxml2-CVE-2023-28484-2.patch
- curl: Trim user agent and custom header strings (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. Violation
  results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 16.22.8 (0)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
  Maximum time in seconds that you allow the connection phase to
  the server to take. This only limits the connection phase, it has
  no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- version 16.22.7 (0)
- Removing a PTF without enabled repos should always fail
  Without enabled repos, the dependent PTF-packages would be
  removed (not replaced!) as well. To remove a PTF "/zypper install
  - - -PTF"/ or a dedicated "/zypper removeptf PTF"/ should be used.
  This will update the installed PTF packages to their latest
- version 16.22.6 (0)
- Added expiration data for GCC 11 yearly update for the Toolchain/Development modules.
  (jsc#PM-3603, jsc#PED-2029)
- update to version 4.35
  * fixes for building with clang
  * use the number of online processors for the
    PR_GetNumberOfProcessors() API on some platforms
  * fix build on mips+musl libc
  * Add support for the LoongArch 64-bit architecture
- update to NSS 3.90
  * bmo#1623338 - ride along: remove a duplicated doc page
  * bmo#1623338 - remove a reference to IRC
  * bmo#1831983 - clang-format lib/freebl/stubs.c
  * bmo#1831983 - Add a constant time select function
  * bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
  * bmo#1830973 - output early build errors by default
  * bmo#1804505 - Update the technical constraints for KamuSM
  * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
  * bmo#1790763 - Enable default UBSan Checks
  * bmo#1786018 - Add explicit handling of zero length records
  * bmo#1829391 - Tidy up DTLS ACK Error Handling Path
  * bmo#1786018 - Refactor zero length record tests
  * bmo#1829112 - Fix compiler warning via correct assert
  * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
  * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
  * bmo#1784163 - Fix reading raw negative numbers
  * bmo#1748237 - Repairing unreachable code in clang built with gyp
  * bmo#1783647 - Integrate Vale Curve25519
  * bmo#1799468 - Removing unused flags for Hacl*
  * bmo#1748237 - Adding a better error message
  * bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
  * bmo#1782980 - Fall back to the softokn when writing certificate trust
  * bmo#1806010 - FIPS-104-3 requires we restart post programmatically
  * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
  * bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
  * bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
  * bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
  * bmo#1822076 - fix rst warnings in nss doc
  * bmo#1821997 - Fix incorrect pygment style
  * bmo#1821292 - Change GYP directive to apply across platforms
  * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Add nss-fix-bmo1836925.patch to fix build-errors
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages
  into the respective libraries. (bsc#1185116)
- update to NSS 3.89.1
  * bmo#1804505 - Update the technical constraints for KamuSM.
  * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
- update to NSS 3.89
  * bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
  * bmo#1820175 - PR_STATIC_ASSERT is cursed
  * bmo#1767883 - Need to add policy control to keys lengths for signatures
  * bmo#1820175 - Fix unreachable code warning in fuzz builds
  * bmo#1820175 - Fix various compiler warnings in NSS
  * bmo#1820175 - Enable various compiler warnings for clang builds
  * bmo#1815136 - set PORT error after sftk_HMACCmp failure
  * bmo#1767883 - Need to add policy control to keys lengths for signatures
  * bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
  * bmo#1804660 - Make high tag number assertion failure an error
  * bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
    length from 284 to 384
  * bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
  * bmo#1789436 - Fix build failure on Windows
  * bmo#1811337 - migrate Win 2012 tasks to Azure
  * bmo#1810702 - fix title length in doc
  * bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
  * bmo#1570615 - Add presence/absence tests for TLS GREASE
  * bmo#1804688 - Correct addition of GREASE value to ALPN xtn
  * bmo#1789436 - CH extension permutation
  * bmo#1570615 - TLS GREASE (RFC8701)
  * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
  * bmo#1815870 - use a different treeherder symbol for each docker
    image build task
  * bmo#1815868 - pin an older version of the ubuntu:18.04 and
    20.04 docker images
  * bmo#1810702 - remove nested table in rst doc
  * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
  * bmo#1812671 - build failure while implicitly casting SECStatus
    to PRUInt32
- update to NSS 3.88.1
  * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
  * bmo#1815870 - use a different treeherder symbol for each docker
    image build task
  * bmo#1815868 - pin an older version of the ubuntu:18.04 and
    20.04 docker images
  * bmo#1810702 - remove nested table in rst doc
  * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
  * bmo#1812671 - build failure while implicitly casting SECStatus
    to PRUInt32
  * bmo#1212915 - Add check for ClientHello SID max length
  * bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
  * bmo#1790357 - ECH client - Discard resumption TLS < 1.3
    Session(IDs|Tickets) if ECH configs are setup
  * bmo#1714245 - On HRR skip PSK incompatible with negotiated
    ciphersuites hash algorithm
  * bmo#1789410 - ECH client: Send ech_required alert on server
    negotiating TLS 1.2. Fixed misleading Gtest,
    enabled corresponding BoGo test
  * bmo#1771100 - Added Bogo ECH rejection test support
  * bmo#1771100 - Added ECH 0Rtt support to BoGo shim
  * bmo#1747957 - RSA OAEP Wycheproof JSON
  * bmo#1747957 - RSA decrypt Wycheproof JSON
  * bmo#1747957 - ECDSA Wycheproof JSON
  * bmo#1747957 - ECDH Wycheproof JSON
  * bmo#1747957 - PKCS#1v1.5 wycheproof json
  * bmo#1747957 - Use X25519 wycheproof json
  * bmo#1766767 - Move scripts to python3
  * bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
  * bmo#1805907 - Extending RSA-PSS bltest test coverage
    (Adding SHA-256 and SHA-384)
  * bmo#1804091 - NSS needs to move off of DSA for integrity checks
  * bmo#1805815 - Add initial testing with ACVP vector sets using
  * bmo#1806369 - Don't clone libFuzzer, rely on clang instead
- update to NSS 3.87
  * bmo#1803226 - NULL password encoding incorrect
  * bmo#1804071 - Fix rng stub signature for fuzzing builds
  * bmo#1803595 - Updating the compiler parsing for build
  * bmo#1749030 - Modification of supported compilers
  * bmo#1774654 - tstclnt crashes when accessing gnutls server
    without a user cert in the database.
  * bmo#1751707 - Add configuration option to enable source-based
    coverage sanitizer
  * bmo#1751705 - Update ECCKiila generated files.
  * bmo#1730353 - Add support for the LoongArch 64-bit architecture
  * bmo#1798823 - add checks for zero-length RSA modulus to avoid
    memory errors and failed assertions later
  * bmo#1798823 - Additional zero-length RSA modulus checks
- Remove nss-fix-bmo1774654.patch which is now upstream
- update to NSS 3.86
  * bmo#1803190 - conscious language removal in NSS
  * bmo#1794506 - Set nssckbi version number to 2.60
  * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
    TrustCor Root Certificates
  * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
  * bmo#1797559 - Remove EC-ACC root cert from NSS
  * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
  * bmo#1794495 - Remove Network Solutions Certificate Authority
  * bmo#1802331 - compress docker image artifact with zstd
  * bmo#1799315 - Migrate nss from AWS to GCP
  * bmo#1800989 - Enable static builds in the CI
  * bmo#1765759 - Removing SAW docker from the NSS build system
  * bmo#1783231 - Initialising variables in the rsa blinding code
  * bmo#320582 - Implementation of the double-signing of the message
    for ECDSA
  * bmo#1783231 - Adding exponent blinding for RSA.
- update to NSS 3.85
  * bmo#1792821 - Modification of the primes.c and dhe-params.c in
    order to have better looking tables
  * bmo#1796815 - Update zlib in NSS to 1.2.13
  * bmo#1796504 - Skip building modutil and shlibsign when building
    in Firefox
  * bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard
  * bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15
  * bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare
    and -Wtype-limits warnings
  * bmo#1796281 - Followup: add missing stdint.h include
  * bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings
  * bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable}
    warnings on Windows
  * bmo#1796079 - Fix -Wstring-conversion warnings
  * bmo#1796075 - Fix -Wempty-body warnings
  * bmo#1795242 - Fix unused-but-set-parameter warning
  * bmo#1795241 - Fix unreachable-code warnings
  * bmo#1795222 - Mark _nss_version_c unused on clang-cl
  * bmo#1795668 - Remove redundant variable definitions in lowhashtest
  * Add note about python executable to build instructions.
- update to NSS 3.84
  * bmo#1791699 - Bump minimum NSPR version to 4.35
  * bmo#1792103 - Add a flag to disable building libnssckbi.
- update to NSS 3.83
  * bmo#1788875 - Remove set-but-unused variables from
  * bmo#1563221 - remove older oses that are unused part3/ BeOS
  * bmo#1563221 - remove older unix support in NSS part 3 Irix
  * bmo#1563221 - remove support for older unix in NSS part 2 DGUX
  * bmo#1563221 - remove support for older unix in NSS part 1 OSF
  * bmo#1778413 - Set nssckbi version number to 2.58
  * bmp#1785297 - Add two SECOM root certificates to NSS
  * bmo#1787075 - Add two DigitalSign root certificates to NSS
  * bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS
  * bmo#1771100 - Added bug reference and description to disabled
    UnsolicitedServerNameAck bogo ECH test
  * bmo#1779361 - Removed skipping of ECH on equality of private and
    public server name
  * bmo#1779357 - Added comment and bug reference to
    ECHRandomHRRExtension bogo test
  * bmo#1779370 - Added Bogo shim client HRR test support. Fixed
    overwriting of CHInner.random on HRR
  * bmo#1779234 - Added check for server only sending ECH extension
    with retry configs in EncryptedExtensions and if not
    accepting ECH. Changed config setting behavior to
    skip configs with unsupported mandatory extensions
    instead of failing
  * bmo# 1771100 - Added ECH client support to BoGo shim. Changed
    CHInner creation to skip TLS 1.2 only extensions to
    comply with BoGo
  * bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
    server accept_confirmation bugs
  * bmo#1771100 - Update BoGo tests to recent BoringSSL version
  * bmo#1785846 - Bump minimum NSPR version to 4.34.1
- update to NSS 3.82
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state
  * bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length
  * bmo#1784724 - Initialize local variables in
  * bmo#1784191 - Cast the result of GetProcAddress
  * bmo#1681099 - pk11wrap: Tighten certificate lookup based on
    PKCS #11 URI.
- update to NSS 3.81
  * bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD
  * bmo#1775359 - make NSS_SecureMemcmp 0/1 valued
  * bmo#1779285 - Add no_application_protocol alert handler and
    test client error code is set
  * bmo#1777672 - Gracefully handle null nickname in
  * required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not
  sufficient (boo#1202118)
- update to NSS 3.80
  * bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
  * bmo#1617956 - Add support for asynchronous client auth hooks.
  * bmo#1497537 - nss-policy-check: make unknown keyword check optional.
  * bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations
    by allocating it on initialization. Replaced
    redundant code with assert. Debug builds: Added
    buffer freeing/allocation for each record.
  * bmo#1773022 - Mark 3.79 as an ESR release.
  * bmo#1764206 - Bump nssckbi version number for June.
  * bmo#1759815 - Remove Hellenic Academic 2011 Root.
  * bmo#1770267 - Add E-Tugra Roots.
  * bmo#1768970 - Add Certainly Roots.
  * bmo#1764392 - Add DigitCert Roots.
  * bmo#1759794 - Protect SFTKSlot needLogin with slotLock.
  * bmo#1366464 - Compare signature and signatureAlgorithm fields in
    legacy certificate verifier.
  * bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld.
  * bmo#1771495 - Unchecked return code in sec_DecodeSigAlg.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1760998 - Avoid data race on primary password change.
  * bmo#1769063 - Replace ppc64 dcbzl intrinisic.
  * bmo#1771036 - Allow LDFLAGS override in makefile builds.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
  fixes to PBKDF2 parameter validation.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
  validate extra PBKDF2 parameters according to FIPS 140-3.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
  update session->lastOpWasFIPS before destroying the key after
  derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
  excess code.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
  checks. Thanks to Martin for the DHKey parts.
- Add manpages to mozilla-nss-tools (bsc#1208242)
- Modify patch ncurses-6.1.dif
  * Secure writing terminfo entries by setfs[gu]id in s[gu]id
    (boo#1210434, CVE-2023-29491)
  * Reading is done since 2000/01/17
- 0206-gssd-Fix-inner-loop-variable-reuse.patch
  Fix for previous patch
- Update to 4.2.8p17:
  * Fix some regressions of 4.2.8p16
- Update to 4.2.8p16:
  * [Sec 3808] Assertion failure in ntpq on malformed RT-11 date
  * [Sec 3807], bsc#1210390, CVE-2023-26555:
    praecis_parse() in the Palisade refclock driver has a
    hypothetical input buffer overflow.
  * [Sec 3767] An OOB KoD RATE value triggers an assertion when
    debug is enabled.
  * Obsoletes: ntp-CVE-2023-26551.patch, ntp-sntp-dst.patch,
  * Multiple bug fixes and improvements. For details, see:
- Follow upstream's suggestion to build with debugging disabled:
- bsc#1210386: out-of-bounds writes in mstolfp()
  * CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554
  * Add ntp-CVE-2023-26551.patch
- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
  * 0227-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
  * Reworked the Fix for the Timing Oracle in RSA Decryption
    The previous fix for this timing side channel turned out to cause
    a severe 2-3x performance regression in the typical use case
    compared to 1.1.1s.
  * Reworked openssl-CVE-2022-4304.patch
  * Refreshed openssl-CVE-2023-0286.patch
- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
  * Invalid certificate policies in leaf certificates are silently ignored
  * Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
  * Certificate policy check not enabled
  * Add openssl-CVE-2023-0466.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
  * Reworked the Fix for the Timing Oracle in RSA Decryption
    The previous fix for this timing side channel turned out to cause
    a severe 2-3x performance regression in the typical use case
    compared to 1.1.1s.
  * Add openssl-CVE-2022-4304.patch
  * Removed patches:
  - openssl-CVE-2022-4304-1of2.patch
  - openssl-CVE-2022-4304-2of2.patch
  * Refreshed openssl-CVE-2023-0286.patch
- Update further expiring certificates that affect tests [bsc#1201627]
  * Add openssl-Update-further-expiring-certificates.patch
- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
- Update to version 20170707:
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
  switching off NIS support on SLE < 15, support for NIS used to
  be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
  the documentation even with the current Sphinx. (SUSE-ONLY
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds as well.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters
- Disable NIS for new products, it's deprecated and gets removed
- Add skip_unverified_test.patch because apparently switching off
  SSL verification doesn't work on older SLE.
- Restore python-2.7.9-sles-disable-verification-by-default.patch
  for SLE-12.
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
  switching off NIS support on SLE < 15, support for NIS used to
  be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
  the documentation even with the current Sphinx. (SUSE-ONLY
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds as well.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters
- Disable NIS for new products, it's deprecated and gets removed
- Add skip_unverified_test.patch because apparently switching off
  SSL verification doesn't work on older SLE.
- Restore python-2.7.9-sles-disable-verification-by-default.patch
  for SLE-12.
- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).
- Use python3 modules to build the documentation.
- bsc#1210507 (CVE-2023-29383):
  Check for control characters
- Add shadow-CVE-2023-29383.patch
- Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Changed _sanitize_file to include (bsc#1206350)
- Update to version 1.0.7 (bsc#1209026)
  + Include information about the cached registration data
  + Collect the data that is sent to the update infrastructure during
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
- Fixed TFTP download, truncate the target file to avoid garbage
  at the end of the file when saving to an already existing file
- 3.1.4
- Fix deflateBound() before deflateInit(), bsc#1210593
- Add DFLTCC support for using inflate() with a small window,
  fixes bsc#1206513
  * bsc1206513.patch
- Add expert (allow-*) options to all installer commands
- version 1.13.64
- Provide "/removeptf"/ command (bsc#1203249)
  A remove command which prefers replacing dependant packages to
  removing them as well.
  A PTF is typically removed as soon as the fix it provides is
  applied to the latest official update of the dependant packages.
  But you don't want the dependant packages to be removed together
  with the PTF, which is what the remove command would do. The
  removeptf command however will aim to replace the dependant
  packages by their official update versions.
- BuildRequires:  libzypp-devel >= 16.22.6.
- version 1.13.63