- Add CVE fixes:
  + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484
    glgo#GNOME/glib!4979).
  + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485
    glgo#GNOME/glib!4981).
  + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489
    glgo#GNOME/glib!4984).

- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
  in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
  glgo#GNOME/glib#3851).

- memalign-overflow-check.patch: memalign: reinstate alignment overflow
  check (CVE-2026-0861, bsc#1256766, BZ #33796)
- nss-dns-getnetbyaddr.patch: resolv: Fix NSS DNS backend for getnetbyaddr
  (CVE-2026-0915, bsc#1256822, BZ #33802)
- nptl-optimize-trylock.patch: nptl: Optimize trylock for high cache
  contention workloads (bsc#1256437, BZ #33704)
- wordexp-wrde-reuse.patch: posix: Reset wordexp_t fields with WRDE_REUSE
  (CVE-2025-15281, bsc#1257005, BZ #33814)

- Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy)
  * gpg: Fix possible memory corruption in the armor parser [T7906]
  * Add gnupg-CVE-2025-68973.patch

- Security fix: [bsc#1256246] (gpg.fail/sha1)
  * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904]
  * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch

- Security fix: [bsc#1256244] (gpg.fail/detached)
  * gpg: Error out on unverified output for non-detached signatures [T7903]
  * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch

- Security fix: [bsc#1256243]
  * gpg2 agent: Fix a memory leak
  * Add patch gnupg-agent-memleak.patch

- Security fix: [bsc#1256390] (gpg.fail/notdash)
  * gpg2: Cleartext Signature Forgery in the NotDashEscaped header
    implementation in GnuPG
  * Add patch gnupg-notdash-escape.patch

- Add avahi-CVE-2025-68276.patch:
  Backport 0c013e2 from upstream, refuse to create wide-area record
  browsers when wide-area is off.
  (CVE-2025-68276, bsc#1256498)

- Add avahi-CVE-2025-68471.patch:
  Backport 9c6eb53 from upstream, fix DoS bug by changing assert to
  return.
  (CVE-2025-68471, bsc#1256500)

- Add avahi-CVE-2025-68468.patch:
  Backport f66be13 from upstream, fix DoS bug by removing incorrect
  assertion.
  (CVE-2025-68468, bsc#1256499)

- Disable the select backend, this can be easily done by lying
  to configure. This is done due to:
  * using fd number > 1024 on an fd_set results in a runtime
    fortify source assertion, preventing further doom.
  * select will not be changed to handle fd > 1024.
  * this limit is unreasonable low for this century.

- Drop insserv_prereq and fillup_prereq macros: there are no
  pre-scripts that would justify these dependencies.

- Update to 2.1.12 stable
  * buffer: do not pass NULL to memcpy() from evbuffer_pullup()
  * http: fix undefined-shift in EVUTIL_IS*_ helpers
  * Check error code of evhttp_add_header_internal() in
    evhttp_parse_query_impl()
  * http: fix EVHTTP_CON_AUTOFREE in case of timeout
  * evdns: Add additional validation for values of dns options
  * Fix memory corruption in EV_CLOSURE_EVENT_FINALIZE with debug enabled
  * increase segment refcnt only if evbuffer_add_file_segment() succeeds
  * evdns: fix a crash when evdns_base with waiting requests is freed
  * event_base_once: fix potential null pointer threat
  * http: do not assume body for CONNECT
  * evbuffer_add_file: fix freeing of segment in the error path
  * Fix checking return value of the evdns_base_resolv_conf_parse()
  * Support EV_CLOSED on linux for poll(2)
  * Parse IPv6 scope IDs.
  * evutil_time: detect and use _gmtime64_s()/_gmtime64()
  * bufferevent: allow setting priority on socket and openssl type
  * Fix EV_CLOSED detection/reporting
  * Revert "Warn if forked from the event loop during event_reinit()"

- Add upstream patches with the feature of "prepare" and "check"
  watchers. That feature is needed by envoy-proxy:
  * 0001-evwatch-Add-prepare-and-check-watchers.patch
  * 0002-evwatch-fix-race-condition.patch

- Update to 2.1.11 stable
  * Fix ABI breakage that had been introduced in 2.1.10. Strictly speaking
    this release breaks ABI again to make it compatible with <= 2.1.9.
    + See git commit 18104973 for more details
  * evdns: add new options -- so-rcvbuf/so-sndbuf
  * various autotools and cmake build changes
  * buffer: fix possible NULL dereference in evbuffer_setcb() on ENOMEM
  * Warn if forked from the event loop during event_reinit()
  * evutil: set the have_checked_interfaces in evutil_check_interfaces()
  * https-client: correction error checking

- Use FAT LTO objects in order to provide proper static library.

- Fix name of library package (bsc#1138369)

- Update to 2.1.10 stable
  * evdns: add DNS_OPTION_NAMESERVERS_NO_DEFAULT /
    EVDNS_BASE_NAMESERVERS_NO_DEFAULT
  * Add support for EV_TIMEOUT to event_base_active_by_fd
  * kqueue: Avoid undefined behaviour.
  * Prevent integer overflow in kq_build_changes_list.
  * evdns: fix lock/unlock mismatch in evdns_close_server_port()
  * Protect min_heap_push_ against integer overflow.
  * le-proxy: initiate use of the Winsock DLL
  * Fix leaks in error path of the bufferevent_init_common_()
  * buffer: make evbuffer_prepend() of zero-length array no-op
  * Don't loose top error in SSL
  * Remove needless check for arc4_seeded_ok
  * Cleanup __func__ detection
  * Add convenience macros for user-triggered events
  * Notify event base if there are no more events, so it can exit without
    delay
  * Fix base unlocking in event_del() if event_base_set() runned in another
    thread
  * If precise_time is false, we should not set EVENT_BASE_FLAG_PRECISE_TIMER
  * Fix race in access to ev_res from event loop with event_active()
  * Return from event_del() after the last event callback termination
  * Preserve socket error from listen across closesocket cleanup
  * fix connection retries when there more then one request for connection
  * improve error path for bufferevent_{setfd,enable,disable}()
  * Fix conceivable UAF of the bufferevent in evhttp_connection_free()
  * Fix evhttp_connection_get_addr() fox incomming http connections
  * fix leaks in evhttp_uriencode()
  * CONNECT method only takes an authority
  * Allow bodies for GET/DELETE/OPTIONS/CONNECT
  * Do not crash when evhttp_send_reply_start() is called after a timeout.
  * Fix crashing http server when callback do not reply in place
  * fix handling of close_notify (ssl) in http with openssl bufferevents
  * use *_new_with_arg() to match function prototype
  * avoid NULL dereference on request is not EVHTTP_REQ_POST
  * bufferevent_socket_connect{,_hostname}() missing event callback and use
    ret code
  * don't fail be_null_filter if bytes are copied
  * Call underlying bev ctrl GET_FD on filtered bufferevents
  * be_openssl: avoid leaking of SSL structure
  * Add missing includes into openssl-compat.h
  * Explicitly call SSL_clear when reseting the fd.
  * sample/https-client: use host SSL certificate store by default
  * ipv6only socket bind support
  * evdns: handle NULL filename explicitly
  * Fix assert() condition in evbuffer_drain() for IOCP
  * fix incorrect unlock of the buffer mutex (for deferred callbacks)
  * Fix wrong assert in evbuffer_drain()
  * Port `event_rpcgen.py` and `test/check-dumpevents.py` to Python 3.
- rename python2-shebang.patch -> python3-shebang.patch following port

- Make use of %license macro

- Add devel-static package, which is needed for building Envoy
  (https://www.envoyproxy.io/) and Cilium with Envoy integration
- Fix an error about /usr/bin/env shebang in event_rpcgen.py
  * python2-shebang.patch

- Security fixes:
  * Missing ASN1_TYPE validation in PKCS#12 parsing
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
  - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795], [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
  - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
  - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
  - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
  - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
  - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]

- Security fixes:
  * Missing ASN1_TYPE validation in PKCS#12 parsing
  - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
  - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
  - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
  - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
  - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
  - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
  - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * Stack buffer overflow in CMS AuthEnvelopedData parsing
  - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
  - openssl-CVE-2025-15467-comments.patch
  - openssl-CVE-2025-15467-test.patch

- security update
- added patches
  CVE-2025-28162 [bsc#1257364], memory leaks when running `pngimage`
  CVE-2025-28164 [bsc#1257365], memory leaks when running `pngimage`
  * libpng16-CVE-2025-28162,28164.patch

- security update
- added patches
  CVE-2026-22695 [bsc#1256525], Heap buffer over-read in png_image_finish_read
  * libpng16-CVE-2026-22695.patch
  CVE-2026-22801 [bsc#1256526], Integer truncation causing heap buffer over-read in png_image_write_*
  * libpng16-CVE-2026-22801.patch

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

- Security fix: [bsc#1256070, CVE-2025-15444, bsc#1255764, CVE-2025-69277]
  * check Y==Z in addition to X==0
  * Add patch libsodium-CVE-2025-15444.patch

- Security fix: [bsc#1256341, CVE-2025-13151]
  * Stack-based buffer overflow. The function asn1_expend_octet_string()
    fails to validate the size of input data resulting in a buffer overflow.
  * Add libtasn1-CVE-2025-13151.patch

- Add python36-certifi provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-idna provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-importlib-metadata provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-packaging provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-pyasn1 provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-pytz provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-py provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36- provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add python36-six provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

- Add CVE-2025-68480.patch to fix CVE-2025-68480 (bsc#1255473)

- Add CVE-2026-0994.patch to fix google.protobuf.Any recursion depth
  bypass in Python json_format.ParseDict (bsc#1257173, CVE-2026-0994)

- Add patch pep-0639.patch to implement basic PEP 639 support,
  jsc#PED-14457, bsc#1254255
- Skip failing test test_debugging_tips

- Changes to version 3.2.12
  + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274)
  + Run in containers without errors (bsc#1245667, PR#272)
  + Removed pmap PID from memory.txt (bsc#1246011, PR#263)
  + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264)
  + Improved database perforce with kGraft patching (bsc#1249657, PR#273)
  + Using last boot for journalctl for optimization (bsc#1250224, PR#287)
  + Fixed extraction failures (bsc#1252318, PR#275)
  + Update supportconfig.conf path in docs (bsc#1254425, PR#281)
  + drm_sub_info: Catch error when dir doesn't exist (PR#265)
  + Replace remaining `egrep` with `grep -E` (PR#261, PR#266)
  + Add process affinity to slert logs (PR#269)
  + Reintroduce cgroup statistics (and v2) (PR#270)
  + Minor changes to basic-health-check: improve information level (PR#271)
  + Collect important machine health counters (PR#276)
  + powerpc: collect hot-pluggable PCI and PHB slots (PR#278)
  + podman: collect podman disk usage (PR#279)
  + Exclude binary files in crondir (PR#282)
  + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284)
  + Use short-iso for journalctl (PR#288)

- Changes to version 3.2.11
  + Collect rsyslog frule files (bsc#1244003, pr#257)
  + Remove proxy passwords (bsc#1244011, pr#257)
  + Missing NetworkManager information (bsc#1241284, pr#257)
  + Include agama logs bsc#1244937, pr#256)
  + Additional NFS conf files (pr#253)
  + New fadump sysfs files (pr#252)
  + Fixed change log dates

- bsc#1256745 - VUL-0: CVE-2025-58150: xen: x86: buffer overrun
  with shadow paging + tracing (XSA-477)
  xsa477.patch
- bsc#1256747 - VUL-0: CVE-2026-23553: xen: x86: incomplete IBPB
  for vCPU isolation (XSA-479)
  xsa479.patch