autofs
- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
  Fix problem with quote handling
  (bsc#1181715)
- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
  Fix locking problem that causes deadlock when sss used.
  (bsc#1196485)
- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
  Suppress portmap calls when port explicitly given
  (bsc#1195697)
binutils
- Add binutils-add-z16-name.diff so that the now official name
  z16 for arch14 is recognized.  [bsc#1198237]
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cloud-init
- Update to version 21.4 (bsc#1192343, jsc#PM-3181)
  + Also include VMWare functionality for (jsc#PM-3175)
  + Remove patches included upstream:
  - cloud-init-purge-cache-py-ver-change.patch
  - cloud-init-update-test-characters-in-substitution-unit-test.patch
  + Forward port:
  - cloud-init-write-routes.patch
  - cloud-init-no-tempnet-oci.patch
  + Add cloud-init-vmware-test.patch
  - Test is system dependend, not properly mocked
  + Azure: fallback nic needs to be reevaluated during reprovisioning
    (#1094) [Anh Vo]
  + azure: pps imds (#1093) [Anh Vo]
  + testing: Remove calls to 'install_new_cloud_init' (#1092)
  + Add LXD datasource (#1040)
  + Fix unhandled apt_configure case. (#1065) [Brett Holman]
  + Allow libexec for hotplug (#1088)
  + Add necessary mocks to test_ovf unit tests (#1087)
  + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336)
  + distros: Remove a completed "/TODO"/ comment (#1086)
  + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083)
    [dermotbradley]
  + Add "/install hotplug"/ module (SC-476) (#1069) (LP: #1946003)
  + hosts.alpine.tmpl: rearrange the order of short and long hostnames
    (#1084) [dermotbradley]
  + Add max version to docutils
  + cloudinit/dmi.py: Change warning to debug to prevent console display
    (#1082) [dermotbradley]
  + remove unnecessary EOF string in
    disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele
    Giuseppe Esposito]
  + Add module 'write-files-deferred' executed in stage 'final' (#916)
    [Lucendio]
  + Bump pycloudlib to fix CI (#1080)
  + Remove pin in dependencies for jsonschema (#1078)
  + Add "/Google"/ as possible system-product-name (#1077) [vteratipally]
  + Update Debian security suite for bullseye (#1076) [Johann Queuniet]
  + Leave the details of service management to the distro (#1074)
    [Andy Fiddaman]
  + Fix typos in setup.py (#1059) [Christian Clauss]
  + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644)
  + cc_ssh.py: fix private key group owner and permissions (#1070)
    [Emanuele Giuseppe Esposito]
  + VMware: read network-config from ISO (#1066) [Thomas Weißschuh]
  + testing: mock sleep in gce unit tests (#1072)
  + CloudStack: fix data-server DNS resolution (#1004)
    [Olivier Lemasle] (LP: #1942232)
  + Fix unit test broken by pyyaml upgrade (#1071)
  + testing: add get_cloud function (SC-461) (#1038)
  + Inhibit sshd-keygen@.service if cloud-init is active (#1028)
    [Ryan Harper]
  + VMWARE: search the deployPkg plugin in multiarch dir (#1061)
    [xiaofengw-vmware] (LP: #1944946)
  + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493)
  + Use specified tmp location for growpart (#1046) [jshen28]
  + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]
  + Allow comments in runcmd and report failed commands correctly (#1049)
    [Brett Holman] (LP: #1853146)
  + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050)
    [Paride Legovini]
  + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299)
  + renderer: convert relative imports to absolute (#1052) [Paride Legovini]
  + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)
    [Vlastimil Holer]
  + integration-requirements: bump the pycloudlib commit (#1047)
    [Paride Legovini]
  + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]
  + pin jsonschema in requirements.txt (#1043)
  + testing: remove cloud_tests (#1020)
  + Add andgein as contributor (#1042) [Andrew Gein]
  + Make wording for module frequency consistent (#1039) [Nicolas Bock]
  + Use ascii code for growpart (#1036) [jshen28]
  + Add jshen28 as contributor (#1035) [jshen28]
  + Skip test_cache_purged_on_version_change on Azure (#1033)
  + Remove invalid ssh_import_id from examples (#1031)
  + Cleanup Vultr support (#987) [eb3095]
  + docs: update cc_disk_setup for fs to raw disk (#1017)
  + HACKING.rst: change contact info to James Falcon (#1030)
  + tox: bump the pinned flake8 and pylint version (#1029)
    [Paride Legovini] (LP: #1944414)
  + Add retries to DataSourceGCE.py when connecting to GCE (#1005)
    [vteratipally]
  + Set Azure to apply networking config every BOOT (#1023)
  + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603)
  + docs: fix typo and include sudo for report bugs commands (#1022)
    [Renan Rodrigo] (LP: #1940236)
  + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun]
  + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798)
  + Integration test upgrades for the 21.3-1 SRU (#1001)
  + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]
  + Improve ug_util.py (#1013) [Shreenidhi Shedi]
  + Support openEuler OS (#1012) [zhuzaifangxuele]
  + ssh_utils.py: ignore when sshd_config options are not key/value pairs
    (#1007) [Emanuele Giuseppe Esposito]
  + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)
  + cc_update_etc_hosts: Use the distribution-defined path for the hosts
    file (#983) [Andy Fiddaman]
  + Add CloudLinux OS support (#1003) [Alexandr Kravchenko]
  + puppet config: add the start_agent option (#1002) [Andrew Bogott]
  + Fix `make style-check` errors (#1000) [Shreenidhi Shedi]
  + Make cloud-id copyright year (#991) [Andrii Podanenko]
  + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi]
  + Update ds-identify to pass shellcheck (#979) [Andrew Kutz]
  + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)
    [aswinrajamannar]
  + testing: Fix ssh keys integration test (#992)
- From 21.3
  + Azure: During primary nic detection, check interface status continuously
    before rebinding again (#990) [aswinrajamannar]
  + Fix home permissions modified by ssh module (SC-338) (#984)
    (LP: #1940233)
  + Add integration test for sensitive jinja substitution (#986)
  + Ignore hotplug socket when collecting logs (#985) (LP: #1940235)
  + testing: Add missing mocks to test_vmware.py (#982)
  + add Zadara Edge Cloud Platform to the supported clouds list (#963)
    [sarahwzadara]
  + testing: skip upgrade tests on LXD VMs (#980)
  + Only invoke hotplug socket when functionality is enabled (#952)
  + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz]
  + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi]
  + Replace broken httpretty tests with mock (SC-324) (#973)
  + Azure: Check if interface is up after sleep when trying to bring it up
    (#972) [aswinrajamannar]
  + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi]
  + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa]
  + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz]
  + Azure: Limit polling network metadata on connection errors (#961)
    [aswinrajamannar]
  + Update inconsistent indentation (#962) [Andrew Kutz]
  + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy]
  + Add Puppet contributors to CLA signers (#964) [Noah Fontes]
  + Datasource for VMware (#953) [Andrew Kutz]
  + photon: refactor hostname handling and add networkd activator (#958)
    [sshedi]
  + Stop copying ssh system keys and check folder permissions (#956)
    [Emanuele Giuseppe Esposito]
  + testing: port remaining cloud tests to integration testing framework
    (SC-191) (#955)
  + generate contents for ovf-env.xml when provisioning via IMDS (#959)
    [Anh Vo]
  + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski]
  + Implementing device_aliases as described in docs (#945)
    [Mal Graty] (LP: #1867532)
  + testing: fix test_ssh_import_id.py (#954)
  + Add ability to manage fallback network config on PhotonOS (#941) [sshedi]
  + Add VZLinux support (#951) [eb3095]
  + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun]
  + Update pylint to v2.9.3 and fix the new issues it spots (#946)
    [Paride Legovini]
  + Azure: mount default provisioning iso before try device listing (#870)
    [Anh Vo]
  + Document known hotplug limitations (#950)
  + Initial hotplug support (#936)
  + Fix MIME policy failure on python version upgrade (#934)
  + run-container: fixup the centos repos baseurls when using http_proxy
    (#944) [Paride Legovini]
  + tools: add support for building rpms on rocky linux (#940)
  + ssh-util: allow cloudinit to merge all ssh keys into a custom user
    file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito]
    (LP: #1911680)
  + VMware: new "/allow_raw_data"/ switch (#939) [xiaofengw-vmware]
  + bump pycloudlib version (#935)
  + add renanrodrigo as a contributor (#938) [Renan Rodrigo]
  + testing: simplify test_upgrade.py (#932)
  + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder]
  + Add new network activators to bring up interfaces (#919)
  + Detect a Python version change and clear the cache (#857)
    [Robert Schweikert]
  + cloud_tests: fix the Impish release name (#931) [Paride Legovini]
  + Removed distro specific network code from Photon (#929) [sshedi]
  + Add support for VMware PhotonOS (#909) [sshedi]
  + cloud_tests: add impish release definition (#927) [Paride Legovini]
  + docs: fix stale links rename master branch to main (#926)
  + Fix DNS in NetworkState (SC-133) (#923)
  + tests: Add 'adhoc' mark for integration tests (#925)
  + Fix the spelling of "/DigitalOcean"/ (#924) [Mark Mercado]
  + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell]
  + Replace deprecated collections.Iterable with abc replacement (#922)
    (LP: #1932048)
  + testing: OCI availability domain is now required (SC-59) (#910)
  + add DragonFlyBSD support (#904) [Gonéri Le Bouder]
  + Use instance-data-sensitive.json in jinja templates (SC-117) (#917)
    (LP: #1931392)
  + doc: Update NoCloud docs stating required files (#918) (LP: #1931577)
  + build-on-netbsd: don't pin a specific py3 version (#913)
    [Gonéri Le Bouder]
  + Create the log file with 640 permissions (#858) [Robert Schweikert]
  + Allow braces to appear in dhclient output (#911) [eb3095]
  + Docs: Replace all freenode references with libera (#912)
  + openbsd/net: flush the route table on net restart (#908)
    [Gonéri Le Bouder]
  + Add Rocky Linux support to cloud-init (#906) [Louis Abel]
  + Add "/esposem"/ as contributor (#907) [Emanuele Giuseppe Esposito]
  + Add integration test for #868 (#901)
  + Added support for importing keys via primary/security mirror clauses
    (#882) [Paul Goins] (LP: #1925395)
  + [examples] config-user-groups expire in the future (#902)
    [Geert Stappers]
  + BSD: static network, set the mtu (#894) [Gonéri Le Bouder]
  + Add integration test for lp-1920939 (#891)
  + Fix unit tests breaking from new httpretty version (#903)
  + Allow user control over update events (#834)
  + Update test characters in substitution unit test (#893)
  + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886)
    [dermotbradley]
  + Add AlmaLinux OS support (#872) [Andrew Lukoshko]
  + Still need to consider the "/network"/ configuration option
cloud-regionsrv-client
- Update to version 10.0.3 (bsc#1198389)
  - Descend into the extension tree even if top level module is recommended
  - Cache license state for AHB support to detect type switch
  - Properly clean suse.com credentials when switching from SCC to update
    infrastructure
  - New log message to indicate base product registration success
dracut
- Update to version 049.1+suse.234.g902e489c:
  * fix(dracut-install): copy files preserving ownership attributes (bsc#1197967)
- Update to version 049.1+suse.232.g2ccee559:
  * fix(dracut-systemd): do not require vconsole-setup.service (bsc#1195508)
  * fix(dracut-functions.sh): ip route parsing (bsc#1195011)
e2fsprogs
- libss-add-newer-libreadline.so.7-to-dlopen-path.patch: libss: Add support
  for libreadline.so.7 for Leap 15.3 (bsc#1196939)
gcc11
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Add gcc11-D-dependence-fix.patch to fix memory corruption when
  creating dependences with the D language frontend.
- Sync cross.spec.in to avoid trying to build cross-aarch64-gcc1-bootstrap
  on aarch64 which is unresolvable.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.
glib2
- Add glib2-CVE-2021-28153.patch: fix CREATE_REPLACE_DESTINATION
  with symlinks (boo#1183533 glgo#GNOME/glib#2325 CVE-2021-28153).
grub2
- Fix grub-install error when efi system partition is created as mdadm software
  raid1 device (bsc#1179981) (bsc#1195204)
  * 0001-install-fix-software-raid1-on-esp.patch
- Fix error in grub-install when linux root device is on lvm thin volume
  (bsc#1192622) (bsc#1191974)
  * 0001-grub-install-bailout-root-device-probing.patch
kernel-default
- drm: drm_file struct kABI compatibility workaround
  (bsc#1197914).
- commit dd24982
- drm: use the lookup lock in drm_is_current_master (bsc#1197914).
- drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
- drm: serialize drm_file.master with a new spinlock
  (bsc#1197914).
- drm: add a locked version of drm_is_current_master
  (bsc#1197914).
- commit 82a498a
- blacklist.conf: Add reverted/reverting swiotlb change (CVE-2022-0854 bsc#1196823 bsc#1197460)
- commit 8d52c36
- Reinstate some of "/swiotlb: rework "/fix info leak with
  DMA_FROM_DEVICE"/"/ (CVE-2022-0854 bsc#1196823).
- swiotlb: fix info leak with DMA_FROM_DEVICE (CVE-2022-0854
  bsc#1196823).
- commit ff554b5
- netfilter: nf_tables: initialize registers in nft_do_chain()
  (CVE-2022-1016 bsc#1197227).
- commit 7111961
- Delete
  patches.suse/net-tipc-validate-domain-record-count-on-input.patch.
  This was the original work-in-progress patch for CVE-2022-0435 /
  bsc#1195254. Later, a proper backport of mainline commit 9aa422ad3266
  ("/tipc: improve size validations for received domain records"/) was added as
  patches.suse/tipc-improve-size-validations-for-received-domain-re.patch but
  this patch was left in place. As it adds the check a bit later than
  upstream fix, it did not cause a conflict so nobody noticed the duplicity.
- commit ef08708
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit 2237578
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
  in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28390 bsc#1198031).
- commit d6e6523
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit db7647d
- net: sched: fix use-after-free in tc_new_tfilter()
  (CVE-2022-1055 bsc#1197702).
- commit 4c7dc78
- Add CVE tags to
  patches.suse/ext4-fix-kernel-infoleak-via-ext4_extent_header.patch
  (bsc#1189562 bsc#1196761 CVE-2022-0850).
- commit f3cb08f
- powerpc/mm/numa: skip NUMA_NO_NODE onlining in
  parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
- commit 73583c9
- esp: Fix possible buffer overflow in ESP transformation
  (bsc#1197131 CVE-2022-0886 CVE-2022-27666).
- commit 39a5891
- cifs: use the correct max-length for dentry_path_raw()
  (bsc1196196).
- commit 10cddb2
- quota: check block number when reading the block in quota file
  (bsc#1197366 CVE-2021-45868).
- commit a7d4915
- netfilter: conntrack: don't refresh sctp entries in closed state
  (bsc#1197389).
- commit c3afd15
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- commit 12628f8
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit aee063f
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
  (bsc#1196018).
- commit 1580ab2
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
  (bsc#1196018).
- commit 1cdc779
- sr9700: sanity check for packet length (bsc#1196836
  CVE-2022-26966).
- commit edaafdd
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- aio: fix use-after-free due to missing POLLFREE handling
  (CVE-2021-39698 bsc#1196956).
- aio: keep poll requests on waitqueue until completed
  (CVE-2021-39698 bsc#1196956).
- signalfd: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- binder: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- wait: add wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- commit b026506
- rpm/kernel-source.spec.in: call fdupes per subpackage
  It is a waste of time to do a global fdupes when we have
  subpackages.
- commit 1da8439
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
  bsc#1193731).
- commit 7040fdd
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 8d867d6
- xen/netfront: react properly to failing
  gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
  CVE-2022-23042).
- commit fe0a923
- xen/gnttab: fix gnttab_end_foreign_access() without page
  specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 58c801b
- xen/pvcalls: use alloc/free_pages_exact() (bsc#1196488,
  XSA-396, CVE-2022-23041).
- commit afb2dba
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
  CVE-2022-23041).
- commit cee63b9
- xen/usb: don't use gnttab_end_foreign_access() in
  xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit b1d434d
- xen/gntalloc: don't use gnttab_query_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23039).
- commit a4ec4aa
- xen/scsifront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit fd9cb30
- xen/netfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 4e33999
- xen/blkfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 4334af7
- xen/grant-table: add gnttab_try_end_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit 19b769a
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
  error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 5aacf1f
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
  (git-fixes).
- commit daa9ea7
- Refresh
  patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit d9066f6
- Refresh
  patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 5c41eb3
- rpm/kernel-docs.spec.in: use %%license for license declarations
  Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- Hand over the maintainership to SLE15-SP3 maintainers
- commit 0c92742
- SUNRPC: avoid race between mod_timer() and del_timer_sync()
  (bnc#1195403).
- commit fffe0fc
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  (CVE-2022-26490 bsc#1196830).
- commit fd10ace
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 1dafeb6
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 8c8ae13
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
  There is a check in OBS that fails when it is included. Also the key is
  not reproducible.
  Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- kernel-binary: Do not include sourcedir in certificate path.
  The certs macro runs before build directory is set up so it creates the
  aggregate of supplied certificates in the source directory.
  Using this file directly as the certificate in kernel config works but
  embeds the source directory path in the kernel config.
  To avoid this symlink the certificate to the build directory and use
  relative path to refer to it.
  Also fabricate a certificate in the same location in build directory
  when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- kernel-obs-build: include 9p (boo#1195353)
  To be able to share files between host and the qemu vm of the build
  script, the 9p and 9p_virtio kernel modules need to be included in
  the initrd of kernel-obs-build.
- commit 0cfe67a
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 5e4e31e
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
  directory (bsc#1195051).
- commit c80b5de
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
  Using the the default path is broken since Linux 5.17
- commit 68b36f0
- fix rpm build warning
  tumbleweed rpm is adding these warnings to the log:
  It's not recommended to have unversioned Obsoletes: Obsoletes:      microcode_ctl
- commit 3ba8941
- build initrd without systemd
  This reduces the size of the initrd by over 25%, which
  improves startup time of the virtual machine by 0.5-0.6s on
  very fast machines, more on slower ones.
- commit ef4c569
libsolv
- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code
  [bsc#1196514]
- support parsing of Debian's Multi-Arch indicator
- bump version to 0.7.22
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden
  vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members
  ("/requires"/ is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support queying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime
- bump version to 0.7.21
libzypp
- ZConfig: Update solver settings if target changes (bsc#1196368)
- version 17.30.0 (22)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- version 17.29.7 (22)
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to
  release it's loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm
  protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- version 17.29.6 (22)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)
- version 17.29.5 (22)
lvm2
- udev: create symlinks and watch even in suspended state (bsc#1195231)
  + bug-1195231-udev-create-symlinks-and-watch-even-in-suspended-sta.patch
mozilla-nss
- Mozilla NSS 3.68.3 (bsc#1197903)
  This release improves the stability of NSS when used in a multi-threaded
  environment. In particular, it fixes memory safety violations that
  can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
  We presume that with enough effort these memory safety violations are exploitable.
  * Remove token member from NSSSlot struct (bmo#1756271).
  * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
    (bmo#1755555).
  * Check return value of PK11Slot_GetNSSToken (bmo#1370866).
openldap2
- bsc#1191157 - Correct version specification in ppolicy to allow
  submission to SP3 for TLS1.3
- bsc#1191157 - allow specification of max/min TLS version with TLS1.3
  * 0239-ITS-9422-Update-for-TLS-v1.3.patch
  * 0240-ITS-9518-add-LDAP_OPT_X_TLS_PROTOCOL_MAX-option.patch
  * 0241-TLS-set-protocol-version.patch
- bsc#1197004 - libldap was able to be out of step with openldap in
  some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their
  related release versions.
- jsc#PM-3288 - restore CLDAP functionality in CLI tools
perl
- Stabilize Socket::VERSION comparisons [bnc#1193489]
  new patch: perl-Stabilize-Socket-VERSION-comparisons.patch
psmisc
  * Add a fallback if the system call name_to_handle_at() is
    not supported by the used file system.
- Add patch psmisc-22.21-semaphores.patch
  * Replace the synchronizing over pipes of the sub process for the
    stat(2) system call with mutex and conditions from pthreads(7)
    (bsc#1194172)
- Add patch psmisc-22.21-statx.patch
  * Use statx(2) or SYS_statx system call to replace the stat(2)
    system call and avoid the sub process at all (bsc#1194172)
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
python-paramiko
- Add CVE-2022-24302-race-condition.patch:
  * Fix a race condition between creation and chmod when writing private
    keys. (bsc#1197279)
python-pip
- Add wheel subpackage with the generated wheel for this package
  (bsc#1176262, CVE-2019-20916).
- Make wheel a separate build run to avoid the setuptools/wheel build
  cycle.
- Switch this package to use update-alternatives for all files
  in %{_bindir} so it doesn't collide with the versions on
  "/the latest"/ versions of Python interpreter (jsc#SLE-18038,
  bsc#1195831).
python-uamqp
- Update in SLE-15 (bsc#1197848)
- New upstream release
  + Version 1.5.3
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- New upstream release
  + Version 1.5.1
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- New upstream release
  + Version 1.5.0
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- New upstream release
  + Version 1.4.3
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- New upstream release
  + Version 1.4.1
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- New upstream release
  + Version 1.4.0
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- New upstream release
  + Version 1.2.15
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- Refresh patches for new version
  + u_strip-werror.patch
- New upstream release
  + Version 1.2.13
  + For detailed information about changes see the
    HISTORY.rst file provided with this package
- Only build Python3 flavors for distributions 15 and greater
ruby2
- Update suse.patch:
  - backport fix for CVE-2022-28739: ruby: Buffer overrun in
    String-to-Float conversion (boo#1198441)
  - back port date 2.0.3 CVE-2021-41817 (boo#1193035)
  - merge the previous bug fixes into suse.patch
  - CVE-2021-32066.patch
  - CVE-2021-31810.patch
  - CVE-2021-31799.patch
- Add Requires to make and gcc to ruby-devel to make the default
  extconf.rb work
salt
- Fix regression preventing bootstrapping new clients caused by
  redundant dependency on psutil (bsc#1197533)
- Prevent data pollution between actions proceesed at the same time (bsc#1197637)
- Added:
  * fix-regression-with-depending-client.ssh-on-psutil-b.patch
  * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
- Fix salt-ssh opts poisoning (bsc#1197637)
- Clear network interfaces cache on grains request (bsc#1196050)
- Add salt-ssh with Salt Bundle support (venv-salt-minion)
- (bsc#1182851, bsc#1196432)
- Remove duplicated method definitions in salt.netapi
- Restrict "/state.orchestrate_single"/ to pass a pillar value if it exists (bsc#1194632)
- Added:
  * clear-network-interface-cache-when-grains-are-reques.patch
  * remove-duplicated-method-definitions-in-salt.netapi-.patch
  * fix-salt-ssh-opts-poisoning-bsc-1197637-3002.2-500.patch
  * add-salt-ssh-support-with-venv-salt-minion-3002.2-47.patch
  * fix-state.orchestrate_single-to-not-pass-pillar-none.patch
- Renamed:
  * patch_for_cve_bsc1197417.patch -> fix-multiple-security-issues-bsc-1197417.patch
- Fix multiple security issues (bsc#1197417)
  * Sign authentication replies to prevent MiTM (CVE-2022-22935)
  * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
  * Prevent job and fileserver replays (CVE-2022-22936)
  * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
samba
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of
  /var/run/samba; (bsc#1134046);
suse-build-key
- No longer install 1024bit keys by default. (bsc#1197293)
  - SLE11 key moved to documentation
  - old PTF (pre March 2022) moved to documentation only
systemd-presets-common-SUSE
- enable vgauthd service for VMWare by default (bsc#1195251)
tar
- tests-skip-time01-on-32bit-time_t.patch: Add patch to skip test
  'tests/time01.at' on platforms with 32-bit time_t for now.
- tar.spec: Reference it.
  (%check): Output the testsuite.log in case the testsuite failed.
- The following issues have already been fixed in this package but
  weren't previously mentioned in the changes file:
  * bsc#1181131, CVE-2021-20193
  * bsc#1120610
- GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges
- GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files
- remove deprecated texinfo packaging macros
- prepare usrmerge (boo#1029961)
- Drop Requires(pre) info in the preamble: the main package does
  not contain any info files, and has not even a pre script. The
  - doc subpackage already has the correct deps.
- No longer recommend -lang: supplements are in use.
- update to version 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite
- remove tar-1.31-tests_dirrem.patch and
  tar-1.31-racy_compress_tests.patch that are no longer needed
  (applied usptream)
- Remove libattr-devel from buildrequires, tar no longer uses
  it but finds xattr functions in libc.
- update to version 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the "/-K NAME"/ option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.
- remove the following patches (upstreamed)
  * tar-1.30-tests-difflink.patch
  * tar-1.30-tests_dirrem_race.patch
- refresh add_readme-tests.patch
- add tar-1.31-tests_dirrem.patch to fix expected output in dirrem
  tests
- add tar-1.31-racy_compress_tests.patch to fix compression tests
xen
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  624ebcef-VT-d-dont-needlessly-look-up-DID.patch
  624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
  624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions
  between dirty vram tracking and paging log dirty hypercalls
  (XSA-397)
  xsa397.patch
- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID
  cleanup (XSA-399)
  xsa399.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  xsa400-00.patch
  xsa400-01.patch
  xsa400-02.patch
  xsa400-03.patch
  xsa400-04.patch
  xsa400-05.patch
  xsa400-06.patch
  xsa400-07.patch
  xsa400-08.patch
  xsa400-09.patch
  xsa400-10.patch
  xsa400-11.patch
- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401:
  xen: BHB speculation issues (XSA-398)
  xsa398-1.patch
  xsa398-2.patch
  xsa398-3.patch
  xsa398-4.patch
  xsa398-5.patch
  xsa398-6.patch
  list not giving any output (see also bsc#1194267)
xz
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
  (ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
  * bsc1198062.patch
yast2-storage-ng
- Fix fstab entry filesystem matching allowing the use of quotes
  surrounding the device UUID or label (bsc#1197692)
- 4.2.122
zypper
- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)
- version 1.14.52