- 000release-packages:SUSE-MicroOS-release
-
n/a
- afterburn
-
- Add bugzilla references to past changelog
- Update to version 5.9.0.git21.a73f509:
* docs/release-notes: update for release 5.10.0
* cargo: update dependencies
* microsoft/azure: Add XML attribute alias for serde-xml-rs Fedora compat
* docs/release-notes: Add entry for Azure SharedConfig XML parsing fix
* microsoft/azure: Fix SharedConfig parsing of XML attributes
* microsoft/azure: Mock goalstate.SharedConfig output in tests
* providers/azure: switch SSH key retrieval from certs endpoint to IMDS
as azure stopped providing keys in the old one, fixes bsc#1250471
* build(deps): bump the build group with 8 updates
* build(deps): bump slab from 0.4.10 to 0.4.11
* build(deps): bump actions/checkout from 4 to 5
* upcloud: implement UpCloud provider
* build(deps): bump the build group with 4 updates
* Sync repo templates ⚙
- Update to version 5.9.0:
* cargo: Afterburn release 5.9.0
* docs/release-notes: update for release 5.9.0
* cargo: update dependencies
* Add TMT test structure and basic smoke test
* build(deps): bump openssl from 0.10.72 to 0.10.73
* build(deps): bump reqwest from 0.12.15 to 0.12.18
* docs/release-notes: Update changelog entry
* dracut: Return 255 in module-setup
* oraclecloud: add release note and move base URL to constant
* oraclecloud: implement oraclecloud provider
* build(deps): bump nix from 0.29.0 to 0.30.1
* build(deps): bump zbus from 5.7.0 to 5.7.1
* build(deps): bump serde-xml-rs from 0.6.0 to 0.8.1
* build(deps): bump ipnetwork from 0.20.0 to 0.21.1
* build(deps): bump clap from 4.5.38 to 4.5.39
- Fix Requires in noarch package to not be arch specific (bsc#1244675)
- Update to version 5.8.2:
* cargo: Afterburn release 5.8.2
* docs/release-notes: update for release 5.8.2
* cargo: update dependencies
* cargo: Afterburn release 5.8.1
* cargo: Afterburn release 5.8.0
* docs/release-notes: update for release 5.8.0
* cargo: update dependencies
this includes an update of the dependency idna, which
fixes CVE-2024-12224 AKA bsc#1243850
* packit: add initial support
- Use autosetup for patches, refresh them and rename
* fix-authorized-keys-location.patch to 0001-Fix-authorized-keys-location-for-OpenSUSE.patch
* set-default-user.patch to 0002-Set-the-default-user-to-suse.patch
* no-network-args.patch to 0003-On-OpenSUSE-do-not-add-to-kernel-command-line.patch
- Update to version 5.7.0.git103.bae893c:
* Sync repo templates ⚙
* build(deps): bump crossbeam-channel from 0.5.13 to 0.5.15
* build(deps): bump tokio from 1.40.0 to 1.44.2
* build(deps): bump openssl from 0.10.71 to 0.10.72
fixes RUSTSEC-2025-0022 AKA CVE-2025-3416 AKA bsc#1242665
* build(deps): bump zbus from 4.4.0 to 5.5.0
* mod.rs: Fix clippy lint errors
* release-notes.md: add release notes for rust version update
* Cargo.toml: bump MSRV to 1.84.1
* Fix clippy lint issues
* Sync repo templates ⚙
* build(deps): bump mockito from 1.6.1 to 1.7.0
* build(deps): bump serde_json from 1.0.139 to 1.0.140
* build(deps): bump tempfile from 3.17.1 to 3.19.1
* build(deps): bump clap from 4.5.31 to 4.5.35
* build(deps): bump reqwest from 0.12.12 to 0.12.15
* Update release notes.
* proxmoxve: Add more context to log messages.
* proxmoxve: Remove unneeded fields
* proxmoxve: Add tests for static network configuration from cloud-init.
* proxmoxve: Add support for static network configuration from cloud-init.
* build(deps): bump mailparse from 0.15.0 to 0.16.1
* Sync repo templates ⚙
* build(deps): bump ring from 0.17.8 to 0.17.13
* build(deps): bump anyhow from 1.0.95 to 1.0.96
* release notes: add notes for tempfile bump from 3.16.0 to 3.17.1
* build(deps): bump serde from 1.0.217 to 1.0.218
* build(deps): bump openssl from 0.10.70 to 0.10.71
* build(deps): bump tempfile from 3.16.0 to 3.17.1
* build(deps): bump serde_json from 1.0.138 to 1.0.139
* build(deps): bump clap from 4.5.27 to 4.5.31
* add makefile targets for fmt,lint and test
* providers/openstack: ignore ec2 metadata if not present
* build(deps): bump openssl from 0.10.66 to 0.10.70
* build(deps): bump serde_json from 1.0.137 to 1.0.138
* build(deps): bump tempfile from 3.14.0 to 3.16.0
* build(deps): bump openssl from 0.10.66 to 0.10.69
* build(deps): bump ipnetwork from 0.20.0 to 0.21.1
* build(deps): bump serde from 1.0.215 to 1.0.217
* build(deps): bump serde_json from 1.0.133 to 1.0.137
* build(deps): bump anyhow from 1.0.93 to 1.0.95
* build(deps): bump clap from 4.5.21 to 4.5.27
* build(deps): bump reqwest from 0.12.7 to 0.12.12
* Sync repo templates ⚙
* Sync repo templates ⚙
* build(deps): bump mockito from 1.5.0 to 1.6.1
* build(deps): bump serde_json from 1.0.128 to 1.0.133
* Sync repo templates ⚙
* build(deps): bump clap from 4.5.17 to 4.5.21
* build(deps): bump tempfile from 3.12.0 to 3.14.0
* build(deps): bump anyhow from 1.0.89 to 1.0.93
* build(deps): bump serde from 1.0.210 to 1.0.215
* Sync repo templates ⚙
* Sync repo templates ⚙
* docs: add changelog entry
* proxmox: use noop provider if no configdrive
* add noop provider
* release-notes: remove "upcoming"
- Update to version 5.7.0:
* cargo: Afterburn release 5.7.0
* docs/release-notes: update for release 5.7.0
* cargo: update dependencies
* dhcp: replace dbus_proxy with proxy, and zbus traits
* build(deps): bump zbus from 3.15.2 to 4.4.0
* build(deps): bump tempfile from 3.10.1 to 3.12.0
* build(deps): bump serde from 1.0.205 to 1.0.210
* build(deps): bump serde_json from 1.0.121 to 1.0.127
* build(deps): bump reqwest from 0.12.5 to 0.12.7
* build(deps): bump uzers from 0.12.0 to 0.12.1
* build(deps): bump clap from 4.5.13 to 4.5.16
* build(deps): bump serde from 1.0.203 to 1.0.205
* build(deps): bump serde_json from 1.0.119 to 1.0.121
* build(deps): bump mockito from 1.4.0 to 1.5.0
* build(deps): bump openssh-keys from 0.6.3 to 0.6.4
* build(deps): bump clap from 4.5.8 to 4.5.13
* build(deps): bump openssl from 0.10.64 to 0.10.66
* providers/hetzner: private ipv4 addresses in attributes
* openstack: Document the two platforms
* build(deps): bump zerovec-derive from 0.10.2 to 0.10.3
* build(deps): bump zerovec from 0.10.2 to 0.10.4
* build(deps): bump nix from 0.27.1 to 0.29.0
* build(deps): bump clap from 4.5.7 to 4.5.8
* build(deps): bump serde_json from 1.0.117 to 1.0.119
* microsoft/azure: allow empty certificate chain in PKCS12 file
* proxmoxve: implement proxmoxve provider
* providers/hetzner: fix duplicate attribute prefix
* build(deps): bump pnet_base from 0.34.0 to 0.35.0
* cargo: Afterburn release 5.6.0
* docs/release-notes: update for release 5.6.0
* cargo: update dependencies
* build(deps): bump libflate from 1.4.0 to 2.1.0
* build(deps): bump base64 from 0.21.7 to 0.22.1
* build(deps): bump uzers from 0.11.3 to 0.12.0
* build(deps): bump pnet_datalink from 0.34.0 to 0.35.0
* build(deps): bump nix from 0.28.0 to 0.29.0
* lint: silence deadcode warnings
* lint: address latest lint's from msrv update
* workflows/rust: directly update toolchain to 1.75.0
* cargo: update msrv to 1.75
* Sync repo templates ⚙
* build(deps): bump reqwest from 0.12.2 to 0.12.4
* build(deps): bump serde from 1.0.197 to 1.0.200
* build(deps): bump anyhow from 1.0.81 to 1.0.82
* build(deps): bump mailparse from 0.14.1 to 0.15.0
* build(deps): bump serde_json from 1.0.115 to 1.0.116
* Sync repo templates ⚙
* providers: Add "akamai" provider
* build(deps): bump h2 from 0.3.24 to 0.3.26
* build(deps): bump anyhow from 1.0.79 to 1.0.81
* build(deps): bump serde_json from 1.0.113 to 1.0.115
* build(deps): bump reqwest from 0.11.24 to 0.12.2
* build(deps): bump serde_yaml from 0.9.32 to 0.9.34+deprecated
* build(deps): bump mio from 0.8.10 to 0.8.11
* build(deps): bump mailparse from 0.14.0 to 0.14.1
* build(deps): bump openssl from 0.10.62 to 0.10.64
* build(deps): bump nix from 0.27.1 to 0.28.0
* build(deps): bump mockito from 1.2.0 to 1.4.0
* build(deps): bump tempfile from 3.9.0 to 3.10.1
* build(deps): bump serde_yaml from 0.9.31 to 0.9.32
* build(deps): bump serde from 1.0.195 to 1.0.197
* build(deps): bump h2 from 0.3.23 to 0.3.24
* build(deps): bump slog-term from 2.9.0 to 2.9.1
* build(deps): bump serde_yaml from 0.9.30 to 0.9.31
* build(deps): bump serde_json from 1.0.111 to 1.0.113
* build(deps): bump clap from 4.4.16 to 4.4.18
* build(deps): bump reqwest from 0.11.23 to 0.11.24
* Sync repo templates ⚙
* cargo: Afterburn release 5.5.1
* docs/release-notes: update for release 5.5.1
* cargo: update dependencies
* build(deps): bump anyhow from 1.0.75 to 1.0.78
* build(deps): bump serde_yaml from 0.9.27 to 0.9.29
* build(deps): bump reqwest from 0.11.22 to 0.11.23
* build(deps): bump serde_json from 1.0.108 to 1.0.109
* build(deps): bump openssl from 0.10.60 to 0.10.62
* build(deps): bump tempfile from 3.8.1 to 3.9.0
* build(deps): bump clap from 4.4.10 to 4.4.12
* build(deps): bump unsafe-libyaml from 0.2.9 to 0.2.10
* providers/vmware: add missing public functions for non-amd64
* build(deps): bump clap from 4.4.8 to 4.4.10
* cargo: Afterburn release 5.5.0
* build(deps): bump openssl from 0.10.59 to 0.10.60
* Sync repo templates ⚙
* docs/release-notes: update for release 5.5.0
* cargo: update dependencies
* ci: cancel previous build on PR update
* build(deps): allow building with libsystemd 0.7.0
* providers/vmware: Process guestinfo.metadata netplan configuration
* kubevirt: Run afterburn-hostname service
* build(deps): bump reqwest from 0.11.20 to 0.11.22
* build(deps): bump tempfile from 3.8.0 to 3.8.1
* build(deps): bump clap from 4.4.6 to 4.4.7
* build(deps): bump serde_json from 1.0.107 to 1.0.108
* build(deps): bump serde_yaml from 0.9.25 to 0.9.27
* build(deps): bump rustix from 0.37.19 to 0.37.25
* build(deps): bump clap from 4.4.2 to 4.4.6
* build(deps): bump serde_json from 1.0.105 to 1.0.107
* build(deps): bump mockito from 1.1.0 to 1.2.0
* providers: add support for scaleway
* Move away from deprecated `users` to `uzers`
though not vulnerable as unused but lib had CVE-2025-5791 AKA bsc#1244199
* Sync repo templates ⚙
* providers/hetzner: add support for Hetzner Cloud
* build(deps): bump clap from 4.4.1 to 4.4.2
* cargo: update MSRV to 1.71
* build(deps): bump clap from 4.3.19 to 4.4.1
* chore: Get rid of Clippy warnings
* cargo: specify required features for nix dependency
* build(deps): bump nix from 0.26.2 to 0.27.1
* build(deps): bump slog-async from 2.7.0 to 2.8.0
* build(deps): bump openssl from 0.10.56 to 0.10.57
* build(deps): bump reqwest from 0.11.18 to 0.11.20
* build(deps): bump serde from 1.0.185 to 1.0.188
* Sync repo templates ⚙
* build(deps): bump tempfile from 3.7.1 to 3.8.0
* build(deps): bump serde from 1.0.183 to 1.0.185
* build(deps): bump anyhow from 1.0.72 to 1.0.75
* build(deps): bump serde_json from 1.0.104 to 1.0.105
* build(deps): bump openssl from 0.10.55 to 0.10.56
* build(deps): bump tempfile from 3.7.0 to 3.7.1
* build(deps): bump serde from 1.0.180 to 1.0.183
* Sync repo templates ⚙
* build(deps): bump serde from 1.0.179 to 1.0.180
* build(deps): bump serde_json from 1.0.103 to 1.0.104
* build(deps): bump serde from 1.0.175 to 1.0.179
* build(deps): bump pnet_datalink from 0.33.0 to 0.34.0
* build(deps): bump serde from 1.0.171 to 1.0.175
* build(deps): bump clap from 4.3.14 to 4.3.19
* build(deps): bump pnet_base from 0.33.0 to 0.34.0
* build(deps): bump serde_yaml from 0.9.23 to 0.9.25
* build(deps): bump tempfile from 3.6.0 to 3.7.0
* build(deps): bump clap from 4.3.11 to 4.3.14
* build(deps): bump serde_yaml from 0.9.22 to 0.9.23
* build(deps): bump anyhow from 1.0.71 to 1.0.72
* build(deps): bump serde_json from 1.0.100 to 1.0.103
* Sync repo templates ⚙
* build(deps): bump clap from 4.3.10 to 4.3.11
* build(deps): bump serde_json from 1.0.99 to 1.0.100
* build(deps): bump openssh-keys from 0.6.1 to 0.6.2
* build(deps): bump zbus from 3.13.1 to 3.14.1
* build(deps): bump clap from 4.3.8 to 4.3.10
* build(deps): bump serde from 1.0.164 to 1.0.165
* build(deps): bump serde_json from 1.0.96 to 1.0.99
* build(deps): bump clap from 4.3.3 to 4.3.8
* build(deps): bump serde_yaml from 0.9.21 to 0.9.22
* build(deps): bump openssl from 0.10.54 to 0.10.55
* build(deps): bump mockito from 1.0.2 to 1.1.0
* Sync repo templates ⚙
* Sync repo templates ⚙
* openstack: Add attribute OPENSTACK_INSTANCE_UUID
* build(deps): bump serde from 1.0.163 to 1.0.164
* build(deps): bump clap from 4.3.2 to 4.3.3
* build(deps): bump tempfile from 3.5.0 to 3.6.0
* cargo: Afterburn release 5.4.3
* docs/release-notes: update for release 5.4.3
* cargo: update dependencies
* cargo: allow openssl 0.10.46
* build(deps): bump openssl from 0.10.52 to 0.10.54
* build(deps): bump openssh-keys from 0.6.0 to 0.6.1
* build(deps): bump vmw_backdoor from 0.2.3 to 0.2.4
* ci: strip debug symbols
* Sync repo templates ⚙
* build-sys: Use new tier = 2 for cargo-vendor-filterer
* Sync repo templates ⚙
* Sync repo templates ⚙
* build(deps): bump reqwest from 0.11.17 to 0.11.18
* cargo: Afterburn release 5.4.2
* docs/release-notes: update for release
* docs/release-notes: note Azure SSH regression fix with new openssl
* cargo: fix minimum version of openssl crate
* build(deps): bump serde from 1.0.162 to 1.0.163
* build(deps): bump zbus from 3.12.0 to 3.13.1
* build(deps): bump serde from 1.0.160 to 1.0.162
* build(deps): bump anyhow from 1.0.70 to 1.0.71
* build(deps): bump openssl from 0.10.51 to 0.10.52
* build(deps): bump reqwest from 0.11.16 to 0.11.17
* build(deps): bump openssl from 0.10.50 to 0.10.51
* build(deps): bump enumflags2 from 0.7.5 to 0.7.7
* build(deps): bump openssl from 0.10.48 to 0.10.50
* build(deps): bump zbus from 3.11.1 to 3.12.0
* build(deps): bump serde_json from 1.0.95 to 1.0.96
* build(deps): bump h2 from 0.3.15 to 0.3.17
* build(deps): bump openssl from 0.10.47 to 0.10.48
* microsoft/crypto/mod: replace deprecated function `parse` with `parse2`
* build(deps): bump serde from 1.0.159 to 1.0.160
* build(deps): bump serde_yaml from 0.9.19 to 0.9.21
* build(deps): bump tempfile from 3.4.0 to 3.5.0
* build(deps): bump serde from 1.0.158 to 1.0.159
* build(deps): bump mockito from 1.0.1 to 1.0.2
* Update mockito to 1.0.1
* build(deps): bump reqwest from 0.11.15 to 0.11.16
* build(deps): bump serde_json from 1.0.94 to 1.0.95
* cli: switch to clap derive
* cli: add descriptive value names for option arguments in --help
* build(deps): bump zbus from 3.11.0 to 3.11.1
* build(deps): bump openssl from 0.10.45 to 0.10.47
* build(deps): bump reqwest from 0.11.14 to 0.11.15
* build(deps): bump serde from 1.0.155 to 1.0.158
* build(deps): bump anyhow from 1.0.69 to 1.0.70
* cli: have clap require exactly one of --cmdline/--provider
* providers/*: move endpoint mocking into retry::Client
* retry/client: move URL parsing into helper function
* providers/microsoft: import crate::retry
* providers/microsoft: use stored client for all fetches
* providers/packet: use stored client for boot checkin
* build(deps): bump zbus from 3.10.0 to 3.11.0
* build(deps): bump serde from 1.0.152 to 1.0.155
* Sync repo templates ⚙
* docs: Use upstream theme & update to 0.4.1
* build(deps): bump serde_json from 1.0.93 to 1.0.94
* build(deps): bump serde_yaml from 0.9.17 to 0.9.19
* build(deps): bump mockito from 0.32.3 to 0.32.4
* build(deps): bump tempfile from 3.3.0 to 3.4.0
* initrd: remember to write trailing newline to network kargs file
* util: drop obsolete "OEM" terminology
* Update to clap 4
* build(deps): bump mockito from 0.31.1 to 0.32.3
* workflows: update clippy to 1.67
* Fix clippy lints
* Inline variables into format strings
* build(deps): bump zbus from 3.9.0 to 3.10.0
* build(deps): bump serde_json from 1.0.92 to 1.0.93
- enable all arches
- enable upstream tests
- make lint happy about dracut package not being noarch
- add afterburn-sshkeys.target to pre/post
- Use %patch -P N instead of deprecated %patchN.
- Update to version 5.4.1:
* cargo: Afterburn release 5.4.1
* docs/release-notes: update for release
* build(deps): bump pnet_datalink from 0.31.0 to 0.33.0
* build(deps): bump pnet_base from 0.31.0 to 0.33.0
* build(deps): bump serde_json from 1.0.91 to 1.0.92
* build(deps): bump zbus from 3.7.0 to 3.9.0
* build(deps): bump anyhow from 1.0.68 to 1.0.69
* build(deps): bump ipnetwork from 0.19.0 to 0.20.0
* Sync repo templates ⚙
* build(deps): bump tokio from 1.24.1 to 1.25.0
* cargo: add configuration for cargo-vendor-filterer
* cargo: Afterburn release 5.4.0
* docs/release-notes: update for release
* util: support DHCP option lookup from NetworkManager
* util: factor out retries of DHCP option lookup
* util: refactor DHCP option query helper into an enum
* util: move dns_lease_key_lookup() to a separate module
* cargo: update MSRV to 1.66
* build(deps): bump reqwest from 0.11.13 to 0.11.14
* build(deps): bump nix from 0.26.1 to 0.26.2
* build(deps): bump serde_yaml from 0.9.16 to 0.9.17
* cargo: update all packages to fix build error
* cargo: continue to support openssh-keys 0.5
* build(deps): bump openssh-keys from 0.5.0 to 0.6.0
* cargo: drop serde_derive crate in favor of serde derive feature
* cargo: use consistent declaration syntax for slog dependency
* cargo: drop unused dependencies
* Fix clippy 1.65 lints
* build(deps): bump base64 from 0.13.1 to 0.21.0
* build(deps): bump tokio from 1.19.2 to 1.24.1
* workflows: update actions to current major versions
* workflows: replace actions-rs/toolchain with dtolnay/rust-toolchain
* build(deps): bump mailparse from 0.13.8 to 0.14.0
* build(deps): bump serde from 1.0.151 to 1.0.152
* build(deps): bump openssl from 0.10.44 to 0.10.45
* build(deps): bump libsystemd from 0.5.0 to 0.6.0
* build(deps): bump anyhow from 1.0.66 to 1.0.68
* build(deps): bump base64 from 0.13.1 to 0.20.0
* build(deps): bump serde_derive from 1.0.150 to 1.0.151
* build(deps): bump serde_json from 1.0.89 to 1.0.91
* build(deps): bump serde_yaml from 0.9.14 to 0.9.16
* cargo: continue to support base64 0.13
* cargo: continue to support mailparse 0.13.8
* build(deps): bump mailparse from 0.13.8 to 0.14.0
* build(deps): bump mockito from 0.31.0 to 0.31.1
* build(deps): bump serde from 1.0.148 to 1.0.150
* build(deps): bump openssl from 0.10.43 to 0.10.44
* build(deps): bump base64 from 0.13.1 to 0.20.0
* build(deps): bump nix from 0.25.0 to 0.26.1
* build(deps): bump vmw_backdoor from 0.2.1 to 0.2.3
* build(deps): bump serde from 1.0.147 to 1.0.148
* build(deps): bump serde_json from 1.0.87 to 1.0.89
* build(deps): bump openssl from 0.10.42 to 0.10.43
* build(deps): bump reqwest from 0.11.12 to 0.11.13
* cargo: continue to support clap 3.1
* cargo: stop enabling LTO in release builds
* providers/ibmcloud: avoid error if an ssh key not found in metadata
* build(deps): bump clap from 3.2.5 to 3.2.23
* build(deps): bump serde_yaml from 0.9.13 to 0.9.14
* build(deps): bump anyhow from 1.0.65 to 1.0.66
* build(deps): bump base64 from 0.13.0 to 0.13.1
* build(deps): bump serde from 1.0.145 to 1.0.147
* build(deps): bump serde_json from 1.0.86 to 1.0.87
* dependabot: permute the label order to flush Dependabot's config cache
* ci: migrate to new directory and method names
* build(deps): bump serde_json from 1.0.85 to 1.0.86
* workflows: update clippy to 1.64.0
* build(deps): bump serde from 1.0.144 to 1.0.145
* build(deps): bump openssl from 0.10.41 to 0.10.42
* build(deps): bump reqwest from 0.11.11 to 0.11.12
* Sync repo templates ⚙
* build(deps): bump anyhow from 1.0.64 to 1.0.65
* build(deps): bump serde_yaml from 0.9.11 to 0.9.13
* docs/release-notes: fixed checkin services ordering
* systemd: add explicit ordering, after multi-user.target
* build(deps): bump serde-xml-rs from 0.5.1 to 0.6.0
* build(deps): bump serde_yaml from 0.9.10 to 0.9.11
* build(deps): bump anyhow from 1.0.62 to 1.0.64
* workflows: bump clippy to 1.63.0
* network: fix clippy 1.63.0 lints
* build(deps): bump serde_json from 1.0.83 to 1.0.85
* build(deps): bump anyhow from 1.0.61 to 1.0.62
* build(deps): bump serde_yaml from 0.9.9 to 0.9.10
* build(deps): bump serde from 1.0.143 to 1.0.144
* build(deps): bump serde from 1.0.142 to 1.0.143
* build(deps): bump nix from 0.24.2 to 0.25.0
* build(deps): bump serde_yaml from 0.9.4 to 0.9.9
* build(deps): bump anyhow from 1.0.60 to 1.0.61
* build(deps): bump anyhow from 1.0.59 to 1.0.60
* build(deps): bump serde_yaml from 0.9.2 to 0.9.4
* build(deps): bump serde from 1.0.141 to 1.0.142
* build(deps): bump serde_json from 1.0.82 to 1.0.83
* Sync repo templates ⚙
* cargo: allow serde_yaml 0.8
* dependabot: automatically add "dependency" and "skip-notes" labels to PRs
* Sync repo templates ⚙
* build(deps): bump serde_yaml from 0.8.26 to 0.9.2
* build(deps): bump anyhow from 1.0.58 to 1.0.59
* build(deps): bump serde from 1.0.140 to 1.0.141
* build(deps): bump serde from 1.0.139 to 1.0.140
* build(deps): bump nix from 0.24.1 to 0.24.2
* build(deps): bump serde_yaml from 0.8.25 to 0.8.26
* cargo: update version ranges for post-1.x deps
* providers: Use inline `format!` in a few places
* *: bump MSRV to 1.58.0
* build(deps): bump serde_yaml from 0.8.24 to 0.8.25
* build(deps): bump openssl from 0.10.40 to 0.10.41
* build(deps): bump serde from 1.0.138 to 1.0.139
* Sync repo templates ⚙
* build(deps): bump serde from 1.0.137 to 1.0.138
* build(deps): bump ipnetwork from 0.19.0 to 0.20.0
* build(deps): bump serde_json from 1.0.81 to 1.0.82
* docs: add release notes
* Sync repo templates ⚙
* Sync repo templates ⚙
* Sync repo templates ⚙
* build(deps): bump anyhow from 1.0.57 to 1.0.58
* templates/release-checklist: delete all .a files from vendor dir
* cargo: update
* cargo: update clap to 3.2.5
* build(deps): bump reqwest from 0.11.10 to 0.11.11
* build(deps): bump pnet_datalink from 0.30.0 to 0.31.0
* build(deps): bump pnet_base from 0.30.0 to 0.31.0
* copr: mark git checkout as safe
* build(deps): bump pnet_datalink from 0.29.0 to 0.30.0
* build(deps): bump pnet_base from 0.29.0 to 0.30.0
* workflows: update issue link
* dependabot: switch to weekly cadence
* ci: mark git checkout as safe
* providers/aws: expose instance availability-zone-id as AWS_AVAILABILITY_ZONE_ID
* github/release-checklist: Fixup path for Windows binaries
* build(deps): bump serde_json from 1.0.80 to 1.0.81
* build(deps): bump serde_yaml from 0.8.23 to 0.8.24
* build(deps): bump openssl from 0.10.38 to 0.10.40
* build(deps): bump serde from 1.0.136 to 1.0.137
* build(deps): bump serde_json from 1.0.79 to 1.0.80
* build(deps): bump nix from 0.23.1 to 0.24.1
* build(deps): bump ipnetwork from 0.18.0 to 0.19.0
- Update to version 5.3.0:
* cargo: Afterburn release 5.3.0
* build(deps): bump nix from 0.24.0 to 0.24.1
* build(deps): bump anyhow from 1.0.56 to 1.0.57
* build(deps): bump nix from 0.23.1 to 0.24.0
* systemd: enable sshkeys on Power VS platform
* network: Encode information for systemd-networkd-wait-online
* build(deps): bump ipnetwork from 0.18.0 to 0.19.0
* build(deps): bump crossbeam-channel from 0.5.2 to 0.5.4
* cargo: update to clap 3.1
* cargo: enable clap wrap_help feature
* cli: run clap tests
* cli: avoid deprecated clap constructs
* cargo: update to clap 3.0
* cli: use clap mechanism to require exp subcommand
* build(deps): bump pnet_datalink from 0.28.0 to 0.29.0
* build(deps): bump pnet_base from 0.28.0 to 0.29.0
* build(deps): bump slog-term from 2.8.1 to 2.9.0
* cargo: declare MSRV in Cargo.toml
* cargo: update to Rust 2021; bump MSRV to 1.56.0
* workflows: update clippy to 1.59.0
* copr: abort if specfile fetch fails
* providers/aws: add AWS_IPV6 attribute
* providers/aws: bump metadata version to 2021-01-03
* kubevirt: Add KubeVirt platform support
* *.service: add/update Documentation field
* build(deps): bump regex from 1.5.4 to 1.5.5
fixes RUSTSEC-2022-0013 AKA CVE-2022-24713 AKA bsc#1196972
* build(deps): bump reqwest from 0.11.9 to 0.11.10
* github/release-checklist: Remove Windows binaries from vendored sources
* build(deps): bump anyhow from 1.0.55 to 1.0.56
* build(deps): bump mockito from 0.30.0 to 0.31.0
fixes RUSTSEC-2020-0095
* aws/mock_tests: explicitly drop mocks before resetting
* aws/mock_tests: split out IMDS tests
* aws/mock_tests: factor out map building
* build(deps): bump anyhow from 1.0.54 to 1.0.55
* workflows/rpm: reword workflow and job name
* workflows/rpm: do full git clone
* build(deps): bump anyhow from 1.0.53 to 1.0.54
* workflows: add "RPM build" test
* templates/release-checklist: add Fedora/RHCOS packaging instructions
* lockfile: refresh
* tests: explicitly scope conflicting mocks
* Add COPR integration Makefile
* build(deps): bump serde_json from 1.0.78 to 1.0.79
* build(deps): bump crossbeam-utils from 0.8.5 to 0.8.7
* build(deps): bump block-buffer from 0.10.0 to 0.10.2
* build(deps): bump thread_local from 1.1.3 to 1.1.4
fixes RUSTSEC-2022-0006
* build(deps): bump slog-term from 2.8.0 to 2.8.1
* build(deps): bump serde from 1.0.135 to 1.0.136
* *: use `RemainAfterExit` on all oneshot services
* build(deps): bump anyhow from 1.0.52 to 1.0.53
* build(deps): bump serde_json from 1.0.75 to 1.0.78
* build(deps): bump mailparse from 0.13.7 to 0.13.8
* build(deps): bump serde from 1.0.134 to 1.0.135
* ci: skip broken kdump.crash kola test Issue: https://github.com/coreos/fedora-coreos-tracker/issues/1075
* build(deps): bump serde from 1.0.133 to 1.0.134
* build(deps): bump serde_json from 1.0.74 to 1.0.75
- boost
-
- CVE-2016-9840: fixed out-of-bounds pointer arithmetic in zlib in beast
(bsc#1245936)
- adds patch boost-zlib.patch
- chrony
-
- bsc#1246544: Fix racy socket creation
* Add chrony-unix-socket.patch
* Add chrony-remove-chmod.patch
- Use make quickcheck to speedup build.
- coreutils
-
- coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch:
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer.
(CVE-2025-5278, bsc#1243767)
- curl
-
- tool_operate: fix return code when --retry is used but not
triggered [bsc#1249367]
* Add curl-tool_operate-fix-return-code-when-retry-is-used.patch
- Security fixes:
* [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
* [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
* Add patches:
- curl-CVE-2025-9086.patch
- curl-CVE-2025-10148.patch
- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
* tool_getparam: fix --ftp-pasv [5f805ee]
* Add curl-fix--ftp-pasv.patch
- Update to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
* Remove pre_checkin.sh and add _multibuild
* Rename patch from dont-mess-with-rpmoptflags.diff to
dont-mess-with-rpmoptflags.patch
* Rebase patches:
- curl-disabled-redirect-protocol-message.patch
- curl-secure-getenv.patch
- libcurl-ocloexec.patch
* Remove patches fixed in the update:
- curl-CVE-2020-8169.patch
- curl-CVE-2020-8177.patch
- curl-CVE-2020-8231.patch
- curl-CVE-2020-8284.patch
- curl-CVE-2020-8285.patch
- curl-CVE-2020-8286.patch
- curl-CVE-2021-22876.patch
- curl-CVE-2021-22890.patch
- curl-CVE-2021-22898.patch
- curl-CVE-2021-22924.patch
- curl-CVE-2021-22925.patch
- curl-CVE-2021-22946.patch
- curl-CVE-2021-22947.patch
- curl-CVE-2022-22576.patch
- curl-CVE-2022-27775.patch
- curl-CVE-2022-27776.patch
- curl-CVE-2022-27781.patch
- curl-CVE-2022-27782.patch
- curl-CVE-2022-32206.patch
- curl-CVE-2022-32208.patch
- curl-CVE-2022-32221.patch
- curl-CVE-2022-35252.patch
- curl-CVE-2022-43552.patch
- curl-CVE-2023-23916.patch
- curl-CVE-2023-27533-no-sscanf.patch
- curl-CVE-2023-27533.patch
- curl-CVE-2023-27534-dynbuf.patch
- curl-CVE-2023-27534-tilde-back.patch
- curl-CVE-2023-27534.patch
- curl-CVE-2023-27535.patch
- curl-CVE-2023-27536.patch
- curl-CVE-2023-27538.patch
- curl-CVE-2023-28320.patch
- curl-CVE-2023-28321.patch
- curl-CVE-2023-28322.patch
- curl-CVE-2023-38546.patch
- curl-CVE-2023-46218.patch
- curl-CVE-2024-11053.patch
- curl-CVE-2024-2398.patch
- curl-CVE-2024-7264.patch
- curl-CVE-2024-8096.patch
- curl-CVE-2025-0167.patch
- curl-CVE-2025-0725.patch
- curl-X509_V_FLAG_PARTIAL_CHAIN.patch
- curl-check-content-type.patch
- curl-expire-clear.patch
- curl-http-lowercase-headernames-for-HTTP-2-and-HTTP-3.patch
- curl-libssh_Implement_SFTP_packet_size_limit.patch
- curl-use_OPENSSL_config.patch
- ignore_runtests_failure.patch
- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
* Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error
when building the curl-mini package in SLE.
* Add libssh minimum version requirements.
* Use ldconfig_scriptlets when available.
* Remove unused option --disable-ntlm-wb.
- docker
-
- Update to Docker 28.3.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2833>
CVE-2025-54388 bsc#1247367
- Update to docker-buildx v0.26.1. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.26.1>
- Update to docker-buildx v0.26.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.26.0>
- Update to Go 1.24 for builds, to match upstream.
- Update to Docker 28.3.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2832>
- Update to Docker 28.3.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2831>
- Update to Docker 28.3.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2830>
bsc#1246556
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
[ This update is a no-op, only needed to work around unfortunate automated
packaging script behaviour on SLES. ]
- The following patches were removed in openSUSE in the Docker 28.1.1-ce
update, but the patch names were later renamed in a SLES-only update before
Docker 28.1.1-ce was submitted to SLES.
This causes the SLES build scripts to refuse the update because the patches
are not referenced in the changelog. There is no obvious place to put the
patch removals (the 28.1.1-ce update removing the patches chronologically
predates their renaming in SLES), so they are included here a dummy changelog
entry to work around the issue.
- 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to docker-buildx v0.25.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.25.0>
- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in this
mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable.) bsc#1240150
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to Docker 28.2.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2822>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to Docker 28.2.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
<https://github.com/moby/moby/releases/tag/v28.2.1>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to docker-buildx v0.24.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.24.0>
- Update to Docker 28.1.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
Includes upstream fixes:
- CVE-2025-22872 bsc#1241830
- Remove long-outdated build handling for deprecated and unsupported
devicemapper and AUFS storage drivers. AUFS was removed in v24, and
devicemapper was removed in v25.
<https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Remove upstreamed patches:
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx v0.23.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.23.0>
- Update to docker-buildx v0.22.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
- transactional-update
-
- Build with PIE enabled [bsc#1239954]
- grub2
-
- Fix CVE-2024-56738: side-channel attack due to not constant-time
algorithm in grub_crypto_memcmp (bsc#1234959)
* grub2-constant-time-grub_crypto_memcmp.patch
- hwinfo
-
- merge gh#openSUSE/hwinfo#168
- fix usb network card detection (bsc#1245950)
- 21.89
- hyper-v
-
- fcopy: Fix irregularities with size of ring buffer (a4131a50)
- fcopy: Fix incorrect file path conversion (0d86a8d6)
- Enable debug logs for hv_kvp_daemon (a9c0b33e) (bsc#1244154)
- update route parsing in kvp daemon (9bbb8a07)
- reduce resource usage in hv_kvp_daemon (175c71c2)
- reduce resouce usage in hv_get_dns_info helper (a4d024fe)
- hv_kvp_daemon: Pass NIC name to hv_get_dns_info as well (07dfa6e8)
- terminate fcopy daemon if read from uio fails (a9640fcd)
- change permissions of NetworkManager configuration file (91ae69c7)
- Fix a complier warning in the fcopy uio daemon (cb1b78f1)
- remove obsolete kvptest.ps1.txt which failed since a decade
- remove obsolete rpm postinstall code for SLE11SP2
- Add memory allocation check in hv_fcopy_start (94e86b17)
- suppress the invalid warning for packed member alignment (207e03b0)
- Add new fcopy application based on uio driver (82b0945c)
- Add vmbus_bufring (45bab4d7)
- kvp: Handle IPv4 and Ipv6 combination for keyfile format (f971f6dd)
- kvp: Some small fixes for handling NM keyfiles (c3803203)
- kvp: Support for keyfile based connection profile (42999c90)
- kvp: remove unnecessary (void*) conversions (22589542)
- Remove an extraneous "the" (f15f39fa)
- change http to https in hv_kvp_daemon.c (fa52a4b2)
- replace the copy of include/linux/hyperv.h with include/uapi/linux/hyperv.h (6de74d10)
- merge individual udev rules files into a single rules file
- package only files, not directories already owned by filesystem.rpm
- remove braces from rpm spec macros
- remove obsolete Group tag
- replace RPM_BUILD_ROOT with buildroot
- use a meaningful name for the UAPI include file
- use a meaningful variable name for ifcfg in hv_set_ifconfig.sh
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang macro, [bsc#1212476]
- Use %patch -P N instead of deprecated %patchN.
- ignition
-
- Add CVE-2022-28948.patch
* Fixes [bsc#1248548]
- iputils
-
- Security fix [bsc#1243772, CVE-2025-48964]
* Fix integer overflow in ping statistics via zero timestamp
* Add iputils-CVE-2025-48964_01.patch
* Add iputils-CVE-2025-48964_02.patch
- Fix bsc#1243284 - ping on s390x prints invalid ttl
* Add iputils-invalid-ttl-s390x.patch
* Fix ipv4 ttl value when using SOCK_DGRAM on big endian systems
- kernel-default
-
- Update
patches.suse/ALSA-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch
(git-fixes CVE-2022-50427 bsc#1250787).
- Update
patches.suse/ALSA-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch
(git-fixes CVE-2022-50431 bsc#1250790).
- Update
patches.suse/Bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch
(git-fixes CVE-2022-50419 bsc#1250394).
- Update patches.suse/NFS-Fix-an-Oops-in-nfs_d_automount.patch
(git-fixes CVE-2022-50385 bsc#1250131).
- Update
patches.suse/clk-tegra-Fix-refcount-leak-in-tegra210_clock_init.patch
(git-fixes CVE-2022-50458 bsc#1250891).
- Update
patches.suse/clk-tegra20-Fix-refcount-leak-in-tegra20_clock_init.patch
(git-fixes CVE-2022-50444 bsc#1250767).
- Update
patches.suse/crypto-cavium-prevent-integer-overflow-loading-firmw.patch
(git-fixes CVE-2022-50330 bsc#1249700).
- Update
patches.suse/drivers-serial-jsm-fix-some-leaks-in-probe.patch
(git-fixes CVE-2022-50312 bsc#1249716).
- Update
patches.suse/drm-amdkfd-Fix-UBSAN-shift-out-of-bounds-warning.patch
(git-fixes CVE-2021-4460 bsc#1250764).
- Update
patches.suse/drm-bridge-megachips-Fix-a-null-pointer-dereference-.patch
(git-fixes CVE-2022-50317 bsc#1249713).
- Update
patches.suse/drm-msm-Make-.remove-and-.shutdown-HW-shutdown-consi.patch
(git-fixes CVE-2022-50260 bsc#1249885).
- Update
patches.suse/drm-msm-dsi-fix-memory-corruption-with-too-many-brid.patch
(git-fixes CVE-2022-50368 bsc#1250009).
- Update
patches.suse/drm-msm-hdmi-fix-memory-corruption-with-too-many-bri.patch
(git-fixes CVE-2022-50437 bsc#1250797).
- Update
patches.suse/drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prim.patch
(git-fixes CVE-2022-50454 bsc#1250890).
- Update
patches.suse/ext4-avoid-crash-when-inline-data-creation-follows-D.patch
(bsc#1206883 CVE-2022-50435 bsc#1250799).
- Update
patches.suse/ext4-fix-null-ptr-deref-in-ext4_write_info.patch
(bsc#1206884 CVE-2022-50344 bsc#1250014).
- Update
patches.suse/media-cx88-Fix-a-null-ptr-deref-bug-in-buffer_prepar.patch
(git-fixes CVE-2022-50359 bsc#1250269).
- Update
patches.suse/media-xilinx-vipp-Fix-refcount-leak-in-xvip_graph_dm.patch
(git-fixes CVE-2022-50309 bsc#1249718).
- Update
patches.suse/memory-of-Fix-refcount-leak-bug-in-of_get_ddr_timing.patch
(git-fixes CVE-2022-50249 bsc#1249747).
- Update
patches.suse/msft-hv-2770-Drivers-vmbus-Check-for-channel-allocation-before-lo.patch
(git-fixes CVE-2023-53273 bsc#1249930).
- Update
patches.suse/netfilter-nf_tables-do-not-ignore-genmask-when-looki.patch
(CVE-2023-31248 bsc#1213061 CVE-2023-53492 bsc#1250823).
- Update
patches.suse/scsi-fcoe-Fix-transport-not-deattached-when-fcoe_if_init-fails.patch
(git-fixes CVE-2022-50414 bsc#1250183).
- Update
patches.suse/scsi-iscsi-iscsi_tcp-Fix-null-ptr-deref-while-calling-getp.patch
(bsc#1243278 CVE-2022-50459 bsc#1250850).
- Update
patches.suse/scsi-iscsi_tcp-Check-that-sock-is-valid-before-iscsi_set_p.patch
(git-fixes CVE-2023-53464 bsc#1250868).
- Update
patches.suse/scsi-libsas-Fix-use-after-free-bug-in-smp_execute_task_sg.patch
(git-fixes CVE-2022-50422 bsc#1250774).
- Update
patches.suse/scsi-lpfc-Fix-null-ndlp-ptr-dereference-in-abnormal-.patch
(bsc#1203063 CVE-2022-50467 bsc#1250847).
- Update
patches.suse/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch
(git-fixes CVE-2022-50355 bsc#1250041).
- Update
patches.suse/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch
(git-fixes CVE-2022-50375 bsc#1250132).
- Update
patches.suse/vhost-vsock-Use-kvmalloc-kvfree-for-larger-packets.patch
(git-fixes CVE-2022-50271 bsc#1249740).
- Update patches.suse/xen-gntdev-Prevent-leaking-grants.patch
(git-fixes CVE-2022-50257 bsc#1249743).
- commit a32c7da
- net: If sock is dead don't access sock's sk_wq in
sk_stream_wait_memory (CVE-2022-50409 bsc#1250392).
- commit b037869
- Update
patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch
(bsc#1203332 CVE-2022-36280 CVE-2022-50440 bsc#1250853).
- Update
patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch
(bsc#1209291 CVE-2023-28328 CVE-2022-50272 bsc#1249808).
- Update
patches.suse/0001-ubi-ensure-that-VID-header-offset-VID-header-size-al.patch
(bsc#1210584 CVE-2023-53265 bsc#1249908).
- Update
patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch
(bsc#1209287 CVE-2023-1380 CVE-2023-53213 bsc#1249918).
- Update
patches.suse/0016-md-Replace-snprintf-with-scnprintf.patch
(git-fixes CVE-2022-50299 bsc#1249734).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124 CVE-2022-50410
bsc#1250187).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch
(bsc#1205128 CVE-2022-43945 CVE-2022-50235 bsc#1249667).
- Update
patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch
(CVE-2022-2978 bsc#1202700 CVE-2022-50367 bsc#1250277).
- Update
patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch
(bsc#1204228 CVE-2022-2602 CVE-2022-50234 bsc#1249664).
- Update
patches.suse/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
(CVE-2023-39197 bsc#1216976 CVE-2023-53333 bsc#1249949).
- Update
patches.suse/netfilter-ipset-add-the-missing-IP_SET_HASH_WITH_NET.patch
(CVE-2023-42753 bsc#1215150 CVE-2023-53179 bsc#1249825).
- Update
patches.suse/netfilter-nft_set_rbtree-fix-overlap-expiration-walk.patch
(git-fixes CVE-2023-53304 bsc#1249923).
- Update
patches.suse/tls-separate-no-async-decryption-request-handling-fr.patch
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
CVE-2024-58240 bsc#1248847).
- Update
patches.suse/xfrm-add-NULL-check-in-xfrm_update_ae_params.patch
(bsc#1213666 CVE-2023-3772 CVE-2023-53147 bsc#1249880).
- commit 6d52739
- igb: Do not free q_vector unless new one was allocated
(CVE-2022-50252 bsc#1249846).
- commit 3009b95
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
(git-fixes).
- commit 1ac4fa4
- KVM: x86: use array_index_nospec with indices that come from
guest (CVE-2025-39823 bsc#1250002).
- commit dd835c9
- scripts: test_linux_git.py: Do not complain about missing cwd
- commit 8bfa4b0
- md: fix a crash in mempool_free (CVE-2022-50381, bsc#1250257).
- commit 58a4df9
- git_sort: Make tests independent of environment.
- commit 4b7152c
- Bluetooth: eir: Fix using strlen with
hdev->{dev_name,short_name} (CVE-2022-50233 bsc#1246968).
- commit 5ebaab2
- tar-up: Remove the $build_dir prefix when in $build_dir
- commit 5155f1e
- scripts/tar-up: Remove mkspec only affter running it.
- commit 0a2b831
- tar-up: Remove mkspec and its inputs as from target directory
(bsc#1250522).
- commit 97af97c
- Bluetooth: L2CAP: Fix build errors in some archs (CVE-2025-21969
bsc#1240784).
- commit df58d3e
- mm: zswap: fix missing folio cleanup in writeback race path
(CVE-2023-53178 bsc#1249827 git-fix).
- commit 2c996e2
- mm: fix zswap writeback race condition (CVE-2023-53178
bsc#1249827).
- commit 3361ec4
- Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
(CVE-2025-21969 bsc#1240784).
- Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
(CVE-2025-21969 bsc#1240784).
- commit 4b57370
- Bluetooth: L2CAP: Fix user-after-free (CVE-2022-50386
bsc#1250301).
- commit cb71a7c
- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
(CVE-2025-21969 bsc#1240784).
- commit 9464ed1
- wifi: brcmfmac: fix use-after-free bug in
brcmf_netdev_start_xmit() (CVE-2022-50408 bsc#1250391).
- commit e65c39a
- wifi: mac80211_hwsim: drop short frames (CVE-2023-53321
bsc#1250313).
- commit b01b44e
- x86/MCE: Always save CS register on AMD Zen IF Poison errors
(CVE-2023-53438 bsc#1250180).
- commit 71288d6
- scripts/check-kernel-fix: list branches to blacklist for CVEs without known breaker
Quite a lot of CVEs are coming with unknown breakers and in some cases
it is simply too time consuming to identify them especially when it is
clear that this CVE would be blacklisted for some reason.
Our current
instructions suggest that people can use c-k-f -F to get a list of
branches that might need a fix but that takes some time to execute
and why to force people to run this if we already have that information.
Collect maybe_missing_commit into a file and print it with instructions
if a CVE is to be blacklisted.
Example
./scripts/check-kernel-fix CVE-2022-50359
Security fix for CVE-2022-50359 bsc#1250269 with CVSS 5.5
= 2b064d91440b ("media: cx88: Fix a null-ptr-deref bug in buffer_prepare()") merged v6.1-rc1~130^2~54
No Fixes tag. Requires manual review for affected branches.
Experts candidates: tiwai@suse.com (58) subsystem/role="MEDIA DRIVERS"
Link: https://git.kernel.org/linus/2b064d91440b33fba5b452f2d1b31f13ae911d71
ACTION NEEDED!
Potential git-fixes for 2b064d91440b33fba5b452f2d1b31f13ae911d71
Nothing found
There is no Fixes tag for:
2b064d91440b ("media: cx88: Fix a null-ptr-deref bug in buffer_prepare()")
so we cannot automatically assess which kernel branches require the fix.
Please try to identify all the breakers and then
run ./scripts/check-kernel-fix -f BREAKER_SHA [-f BREAKER_SHA] CVE-2022-50359
to get the real list of branches to apply the fix into.
You can run ./scripts/check-kernel-fix -F CVE-2022-50359
to get an estimated list of branches to apply the fix into.
However, if the CVE turns out to be non-issue or an attack vector is not really feasible and
determining the breaker is not feasible then please blacklist in following branches:
SLE12-SP3-TD
SLE12-SP5
- commit 8a80a3e
- scripts/check-kernel-fix: do not recommend people to directly contribute vuln.git
Since some time we are contributing known breakers to vuln.git in
batches so it is quite confusing to recommend people to do the same.
Drop that message.
- commit bec3b79
- scripts/check-kernel-fix: fix print_no_fixes_warning
since 1beff86485f6 ("scripts/check-kernel-fix: allow quering multiple
branches") $1 is no longer referring to the first argument anymore so
print_no_fixes_warning has been broken as $1 is empty. Fix that by
storing it into arg.
- commit 380d541
- kernel-source.spec: Depend on python3-base for build
Both kernel-binary and kernel-docs already have this dependency.
Adding it to kernel-source makes it possible to use python in shared
build scripts.
- commit 72fdedd
- kernel-source: Do not list mkspec and its inputs as sources
(bsc#1250522).
This excludes the files from the src.rpm. The next step is to remove
these files in tar-up so that they do not get uploaded to OBS either.
As there is only one version of tar-up these files need to be removed
from all kernels.
- commit e72b8a2
- rpm: Link arch-symbols script from scripts directory.
- commit 90b2abb
- sequence-patch: Use arch-symbols
- commit 13311bc
- scripts: Import arch-symbols script from packaging
- commit 01556c3
- scripts/bs-upload-kernel: Remove unused function.
- commit 8748dca
- tar-up: Handle multiple levels of symlinks
- commit d84b00b
- use uniform permission checks for all mount propagation changes
(git-fixes).
- commit d831a67
- rpm: Link guards script from scripts directory.
- commit e19a893
- tar_up: Handle symlinks in rpm directory
- commit d011986
- scripts: Import guards script from packaging
- commit 6b4f3a5
- scripts/check-kernel-fix: drop ok_missing_references
this state is only tracked and reported in -v (verbose) mode and it
denotes that there is a commit present but a reference is missing.
Initially developer was supposed to run add-missing-reference by hand.
Since we have started using mass-cve to update all references in bulk
this is mostly uninteresting information which makes the verbose mode
slightly harder to process becuase this state is actionable but it
doesn't require manual action these days.
Before this change we had
SLE15-SP6: RUN: scripts/cve_tools/add-missing-reference -r CVE-2023-53220 -r bsc#1250337 patches.suse/media-az6007-Fix-null-ptr-deref-in-az6007_i2c_xfer.patch
After
SLE15-SP6: ok_commit_present
- commit e882ecd
- scripts/python/kss-dashboard: simplify control flow
- commit cf115a3
- scripts/check-kernel-fix: Make module support check authoritative
Module support status has been experimental and therefore only had an
advisory role:
Security fix for CVE-2022-50412 bsc#1250189 with CVSS 5.5
= 40cdb02cb9f9 ("drm: bridge: adv7511: unregister cec i2c device after cec adapter") merged v6.1-rc1~159^2~18^2~284
Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support") merged v4.15-rc1~90^2~37^2~21
Link: https://git.kernel.org/linus/40cdb02cb9f965732eb543d47f15bef8d10f0f5f
SLE12-SP5: MANUAL: backport 40cdb02cb9f965732eb543d47f15bef8d10f0f5f (Fixes: 3b1b975003e4)
WW drivers/gpu/drm/bridge/adv7511/adv7511 not supported.
WW all modules unsupported
All eligible branches have warnings. If they are correct then there is NO ACTION NEEDED for 40cdb02cb9f965732eb543d47f15bef8d10f0f5f
NO ACTION NEEDED!
After testing this through hundreds of CVEs with all encountered minor issues
being fixed by now we can reasonably expect this to be stable enough to
make it authoritive finally.
For the same CVE this would lead to
Security fix for CVE-2022-50412 bsc#1250189 with CVSS 5.5
= 40cdb02cb9f9 ("drm: bridge: adv7511: unregister cec i2c device after cec adapter") merged v6.1-rc1~159^2~18^2~284
Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support") merged v4.15-rc1~90^2~37^2~21
Experts candidates: tzimmermann@suse.com (16) tiwai@suse.com (39) patrik.jakobsson@suse.com (1) subsystem/role="GRAPHICS"
Link: https://git.kernel.org/linus/40cdb02cb9f965732eb543d47f15bef8d10f0f5f
NO CODESTREAM AFFECTED
- commit 36687ce
- scripts/common-functions: rework the handling of header files
In 0b6736823ec7, we decided to just print a warning like below, when changeset
consists of only header files:
SLE12-SP3-TD: MANUAL: might need backport of 1e41e693f458eef2d5728207dbd327cd3b16580a ()
WW modifies drivers/ata/ahci.h. Check for includes outside of disabled configs.
All eligible branches have warnings. If they are correct then there is
NO ACTION NEEDED..
But header file changes can be complex, and might involve kABI changes
for example. So don't print this warning and report it like before
0b6736823ec7.
SLE12-SP3-TD: MANUAL: might need backport of 1e41e693f458eef2d5728207dbd327cd3b16580a ()
ACTION NEEDED!
- commit 7c002da
- nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create
failure (bsc#1250140 CVE-2022-50401).
- commit 806e0d9
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
(bsc#1249200 CVE-2025-38713).
- commit c141f0c
- wifi: brcmfmac: Fix potential stack-out-of-bounds in
brcmf_c_preinit_dcmds() (CVE-2022-50258 bsc#1249947).
- commit 6598885
- wifi: iwlwifi: mvm: fix double free on tx path (CVE-2022-50248
bsc#1249840).
- commit 0c28d2a
- tar-up: Normalize file modes to ones supported by git
- commit 56d4031
- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
(CVE-2025-39751 bsc#1249538).
- commit cf8d359
- scripts/common-functions: identify author of vuln.git .vulnerable assessment
This will help to build a confidence evaluation of vuln.git based
.vulnerable assessments.
Example output
./scripts/check-kernel-fix CVE-2025-38011
Security fix for CVE-2025-38011 bsc#1244729 with CVSS 5.5
= a0fa7873f2f8 ("drm/amdgpu: csa unmap use uninterruptible lock") merged v6.15-rc7~11^2~2^2~10
Vuln Fixes (Joao Povoas): 8a206685d36f ("drm/amdgpu: use drm_exec for GEM and CSA handling v2") merged v6.6-rc1~136^2~21^2~3
- commit a83bc93
- suse_git/header: Complain about patch filenames over 100 characters.
- commit ee72006
- Limit patch filenames to 100 characters (bsc#1249604).
- commit e15e1f1
- scripts/python/kss-dashboard: use decorator to handle exceptions
- commit b84ced6
- tar-up: Set owner of files in generated tar archives to root rather than
nobody
- commit 1c79230
- tar-up: Also sort generated tar archives
- commit 688ab6a
- tar-up: Use the tar utility instead of stable-tar script
The stable-tar script no longer works on Tumbleweed.
Note: this relies on git setting the permissions uniformly, they cannot
be set on tar commandline
- commit f5c226b
- kernel-subpackage-build: Decompress ghost file when compressed version exists (bsc#1249346)
- commit 40606b5
- scripts/python/kss-dashboard: prepare for the alternative CVE branch
- commit b421c1b
- scripts/python/kss-dashboard: speed up patch checking a bit
- commit 9e99f3b
- fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (bsc#1249220 CVE-2025-38685)
- commit e7a7ddd
- scripts/common-functions: SL-16.0-GA is only getting CVSS 9+ CVE fixes
based on email by Marcus
- commit 5824734
- scripts/common-functions: print warning only if there is a disabled
config
condition check in check_config is incomplete
Before:
> ./scripts/check-kernel-fix CVE-2025-38216
> ...
> SL-16.0: MANUAL: backport 320302baed05c6456164652541f23d2a96522c06 (Fixes: v6.12)
> WW modifies drivers/iommu/intel/iommu.h. Check for includes outside of disabled configs.
> WW 0 out of 1 disabled.
After:
> ./scripts/check-kernel-fix CVE-2025-38216
> ...
> SL-16.0: MANUAL: backport 320302baed05c6456164652541f23d2a96522c06 (Fixes: v6.12)
> WW modifies drivers/iommu/intel/iommu.h. Check for includes outside of disabled configs.
- commit 83d91ff
- scripts/python/kss-dashboard: fetch into repos if stale
- commit 8b008e3
- smb: client: fix use-after-free in crypt_message when using
async crypto (bsc#1247239, CVE-2025-38488).
- commit 5019fb1
- check-kernel-fix: Add warning if a for-next blacklists the CVE
When a CVE is blacklisted in a for-next, no indication is provided by
the tool:
./scripts/check-kernel-fix -n -v -F CVE-2024-53093 SLE12-SP5
Security fix for CVE-2024-53093 bsc#1233640 with CVSS 5.5
= 1f021341eef41 ("nvme-multipath: defer partition scanning") merged v6.12-rc4~20^2~1^2~4
No Fixes tag. Requires manual review for affected branches.
Link: https://git.kernel.org/linus/1f021341eef41e77a633186e9be5223de2ce5d48
SLE12-SP5: MANUAL: might need backport of 1f021341eef41e77a633186e9be5223de2ce5d48 ()
WW modifies drivers/nvme/host/nvme.h. Check for includes outside of disabled configs.
WW 0 out of 1 disabled.
All eligible branches have warnings. If they are correct then there is NO ACTION NEEDED for 1f021341eef41e77a633186e9be5223de2ce5d48
ACTION NEEDED!
Until now, the for-next are checked only for a PR regarding patches, not
blacklist. Instead, it would be useful knowing that a for-next contains a blacklist
for the CVE.
The output will now be
./scripts/check-kernel-fix -n -v -F CVE-2024-53093 SLE12-SP5
Security fix for CVE-2024-53093 bsc#1233640 with CVSS 5.5
= 1f021341eef41 ("nvme-multipath: defer partition scanning") merged v6.12-rc4~20^2~1^2~4
No Fixes tag. Requires manual review for affected branches.
Link: https://git.kernel.org/linus/1f021341eef41e77a633186e9be5223de2ce5d48
SLE12-SP5: MANUAL: might need backport of 1f021341eef41e77a633186e9be5223de2ce5d48 ()
WW modifies drivers/nvme/host/nvme.h. Check for includes outside of disabled configs.
WW 0 out of 1 disabled.
WW pending_pr PR through origin/users/dbenini/SLE12-SP5/for-next blacklists 1f021341eef41e77a633186e9be5223de2ce5d48
All eligible branches have warnings. If they are correct then there is NO ACTION NEEDED for 1f021341eef41e77a633186e9be5223de2ce5d48
ACTION NEEDED!
- commit 6a0d53d
- ipv6: reject malicious packets in ipv6_gso_segment()
(CVE-2025-38572 bsc#1248399).
- net/sched: Restrict conditions for adding duplicating netems
to qdisc tree (CVE-2025-38553 bsc#1248255).
- commit 65b4edb
- scripts/python/kss-dashboard: check blacklist.conf and patches.suse
When it comes to exportpatch, the hash might be blacklisted or it
might be already present. It's better to check this before.
- commit 95b2f62
- rpm: Configure KABI checkingness macro (bsc#1249186)
The value of the config should match presence of KABI reference data. If
it mismatches:
- !CONFIG & reference -> this is bug, immediate fail
- CONFIG & no reference -> OK temporarily, must be resolved eventually
- commit 23c1536
- scripts/common-functions: handle case where only header files changed
In d3604b5b0b, we decided to print warnings when fix touches
header files because we can't make reliable conclusions about
supported configs or modules.
But it missed a corner case where fix touches *only* header
files.
Before:
> ./scripts/check-kernel-fix CVE-2025-38652
> ...
> SLE12-SP5: MANUAL: backport 5661998536af52848cc4d52a377e90368196edea (Fixes: v4.12)
> SLE15-SP6: MANUAL: backport 5661998536af52848cc4d52a377e90368196edea (Fixes: v6.4)
> SL-16.0: MANUAL: backport 5661998536af52848cc4d52a377e90368196edea (Fixes: v6.12)
> ACTION NEEDED!
Now:
> ./scripts/check-kernel-fix CVE-2025-38652
> ...
> SLE12-SP5: MANUAL: backport 5661998536af52848cc4d52a377e90368196edea (Fixes: v4.12)
> WW modifies fs/f2fs/f2fs.h. Check for includes outside of disabled configs.
> SLE15-SP6: MANUAL: backport 5661998536af52848cc4d52a377e90368196edea (Fixes: v6.4)
> WW modifies fs/f2fs/f2fs.h. Check for includes outside of disabled configs.
> SL-16.0: MANUAL: backport 5661998536af52848cc4d52a377e90368196edea (Fixes: v6.12)
> WW modifies fs/f2fs/f2fs.h. Check for includes outside of disabled configs.
> All eligible branches have warnings. If they are correct
> then there is NO ACTION NEEDED for 5661998536af52848cc4d52a377e90368196edea
> ACTION NEEDED!
- commit 0b67368
- usb: gadget: udc: core: Offload usb_udc_vbus_handler processing
(CVE-2022-49980 bsc#1245110).
- commit 08f63a5
- scripts/install-git-hooks: Fix compatibility with git < 2.46
Avoid using the new syntax of "git config". The old syntax still
works, even though it is no longer documented. That way, the script
works with both old and new versions of git.
- commit 4336eb8
- ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
(CVE-2025-38664 bsc#1248628).
- commit ced777c
- wifi: mac80211: reject TDLS operations when station is not
associated (CVE-2025-38644 bsc#1248748).
- commit df40adb
- vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511
CVE-2025-38618).
- commit 249ba4b
- USB: gadget: Fix obscure lockdep violation for udc_mutex
(CVE-2022-49980 bsc#1245110).
- commit f7615b0
- usb: gadget: core: do not try to disconnect gadget if it is
not connected (CVE-2022-49980 bsc#1245110).
- commit 9b51d84
- scsi: iscsi_tcp: Check that sock is valid before
iscsi_set_param() (git-fixes).
- commit 00f3bb1
- scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling
getpeername() (bsc#1243278).
- commit 8fda729
- tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (CVE-2025-38184 bsc#1245956)
- commit 0dc5319
- kernel-binary: Another installation ordering fix (bsc#1241353).
- commit fe14ab5
- USB: gadget: Fix use-after-free Read in usb_udc_uevent()
(CVE-2022-49980 bsc#1245110).
- commit 7b421a3
- atm: clip: Fix memory leak of struct clip_vcc (CVE-2025-38546
bsc#1248223).
- atm: clip: Fix potential null-ptr-deref in to_atmarpd()
(CVE-2025-38460 bsc#1247143).
- tls: stop recv() if initial process_rx_list gave us non-DATA
(CVE-2024-58239 bsc#1248614).
- tls: rx: drop pointless else after goto (CVE-2024-58239
bsc#1248614).
- commit 7384f38
- perf/core: Prevent VMA split of buffer mappings (CVE-2025-38563
bsc#1248306).
- commit 2030aac
- perf/core: Exit early on perf_mmap() fail (CVE-2025-38563
bsc#1248306 dependency).
- commit 746ceea
- perf/core: Don't leak AUX buffer refcount on allocation failure
(CVE-2025-38563 bsc#1248306 dependency).
- commit 3dc32be
- exfat: fix double free in delayed_free (bsc#1246073
CVE-2025-38206).
- commit 88d7227
- bpf, ktls: Fix data corruption when using bpf_msg_pop_data()
in ktls (bsc#1248338 CVE-2025-38608).
- commit 175dd5b
- clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (CVE-2025-38499 bsc#1247976)
- commit fc8b641
- net/packet: fix a race in packet_set_ring() and
packet_notifier() (CVE-2025-38617 bsc#1248621).
- commit cf7ec8a
- nvme-pci: fix a NULL pointer dereference in
nvme_alloc_admin_tags (bsc#1238954,CVE-2022-49492).
- commit 356c6e9
- x86/boot/compressed: remove compiler warning (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit b8b7fd8
- Refresh
patches.suse/usb-dwc3-gadget-Fix-IN-endpoint-max-packet-size-allo.patch.
Fix warning: unused variable 'maxpacket' [-Wunused-variable]
- commit 2eeadab
- Update config files. Disable N_GSM (jsc#PED-8240, bsc#1244824, CVE-2022-50116)
- commit 1754375
- Move pesign-obs-integration requirement from kernel-syms to kernel devel
subpackage (bsc#1248108).
- commit e707e41
- NFSv4.1: fix backchannel max_resp_sz verification check
(bsc#1247518).
- commit 8727041
- posix-cpu-timers: fix race between handle_posix_cpu_timers()
and posix_cpu_timer_del() (bsc#1246911 CVE-2025-38352).
- commit 6008c12
- do_change_type(): refuse to operate on unmounted/not ours mounts (CVE-2025-38498 bsc#1247374)
- commit 77d7bfc
- net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180
bsc#1245970).
- net: atm: add lec_mutex (CVE-2025-38323 bsc#1246473).
- commit da0c6b5
- protect the fetch of ->fd[fd] in do_dup2() from mispredictions
(bsc#1229334 CVE-2024-42265).
- fs: prevent out-of-bounds array speculation when closing a
file descriptor (CVE-2023-53117 bsc#1242780).
- commit 869baca
- net/sched: Return NULL when htb_lookup_leaf encounters an
empty rbtree (CVE-2025-38468 bsc#1247437).
- commit 4f5400d
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic
context in qfq_delete_class (CVE-2025-38477 bsc#1247314).
- commit 28d7fe4
- net/sched: sch_qfq: Fix race condition on qfq_aggregate
(CVE-2025-38477 bsc#1247314).
- net/sched: Always pass notifications when child class becomes
empty (CVE-2025-38350 bsc#1246781).
- commit 47b317f
- net_sched: Prevent creation of classes with TC_H_ROOT
(CVE-2025-21971 bsc#1240799).
- commit 337dc14
- kernel-syms.spec: Drop old rpm release number hack (bsc#1247172).
- commit b4fa2d1
- md-raid10: fix KASAN warning (CVE-2022-50211 bsc#1245140).
- commit 31bcd4f
- Update
patches.suse/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch
(git-fixes CVE-2024-57947 bsc#1236333 CVE-2025-38120
bsc#1245711).
- commit 7d06dc1
- Refresh
patches.suse/RDMA-core-Always-release-restrack-object.patch.
- Refresh
patches.suse/RDMA-core-Don-t-access-cm_id-after-its-destruction.patch.
Add one missing hunk in each patch. This is a no-op because the missing
hunks were compensating each other, but this makes each backport more
obviously correct.
- commit d3f88e2
- Update
patches.suse/sch_hfsc-make-hfsc_qlen_notify-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-38177 bsc#1245986).
- commit d9ba7e8
- HID: core: do not bypass hid_hw_raw_request (CVE-2025-38494
bsc#1247349).
- HID: core: ensure the allocated report buffer can contain the
reserved report ID (CVE-2025-38495 bsc#1247348).
- commit a678d3e
- usb: gadget: configfs: Fix OOB read on empty string write
(CVE-2025-38497 bsc#1247347).
- commit e1f48cd
- RDMA/core: Update CMA destination address on rdma_resolve_addr (bsc#1210629 CVE-2023-2176)
- commit 7ed89f3
- rpm/kernel-subpackage-spec: Skip brp-strip-debug to avoid file truncation (bsc#1246879)
Put the same workaround to avoid file truncation of vmlinux and co in
kernel-default-base package, too.
- commit 2329734
- rpm/kernel-binary.spec.in: Ignore return code from ksymtypes compare
When using suse-kabi-tools, the RPM build invokes 'ksymvers compare' to
compare the resulting symbol CRCs with the reference data. If the values
differ, it then invokes 'ksymtypes compare' to provide a detailed report
explaining why the symbols differ. The build expects the latter
'ksymtypes compare' command to always return zero, even if the two
compared kABI corpuses are different.
This is currently the case for 'ksymtypes compare'. However, I plan to
update the command to return a non-zero code when the comparison detects
any differences. This should ensure consistent behavior with 'ksymvers
compare'.
Since the build uses 'ksymtypes compare' only for more detailed
diagnostics, ignore its return code.
- commit 5ac1381
- s390/pkey: Prevent overflow in size calculation for
memdup_user() (1246186 CVE-2025-38257).
- commit 8e1774a
- netfilter: allow exp not to be removed in nf_ct_find_expectation
(CVE-2023-52927 bsc#1239644).
- commit 880fc41
- Revert those fixes for bsc#1238160 because the CVSS less than 7.0
Revert those fixes for bsc#1238160 because the CVSS less than 7.0, and
they cause merge conflicts on SLE15-SP3-LTSS which are not easy to resolve.
- Delete
patches.suse/Bluetooth-hci_event-Fix-checking-conn-for-le_conn_co.patch.
- Delete
patches.suse/Bluetooth-hci_event-Fix-checking-for-invalid-handle-.patch.
- Delete
patches.suse/Bluetooth-hci_event-Ignore-multiple-conn-complete-ev.patch.
(bsc#1238160 CVE-2022-49138)
- commit 6d6e523
- netfilter: nft_set_hash: unaligned atomic read on struct
nft_set_ext (CVE-2023-52923 bsc#1236104).
- commit c227a9f
- netfilter: nft_set_hash: skip duplicated elements pending gc
run (CVE-2023-52923 bsc#1236104).
- commit 51924b8
- net: sched: fix ordering of qlen adjustment (CVE-2024-53164 bsc#1234863)
- commit ea64d33
- Refresh patches.suse/Bluetooth-hci_event-Fix-checking-conn-for-le_conn_co.patch
Remove the duplicate upstream commit ID from blacklist.conf and add it
as Alt-commit to the patch instead.
- commit fa5a3c4
- ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212
bsc#1246029).
- commit 30fc041
- i40e: fix MMIO write access to an invalid page in i40e_clear_hw
(CVE-2025-38200 bsc#1246045).
- commit 5b1ce89
- calipso: Fix null-ptr-deref in calipso_req_{set,del}attr()
(CVE-2025-38181 bsc#1246000).
- commit f693286
- vgacon: Add check for vc_origin address range in vgacon_scroll()
(CVE-2025-38213 bsc#1246037).
- commit a806d03
- rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337)
- commit 630f139
- Bluetooth: hci_event: Fix checking conn for le_conn_complete_evt
(bsc#1238160 CVE-2022-49138).
- commit 9fb4996
- Bluetooth: hci_event: Fix checking for invalid handle on error
status (bsc#1238160 CVE-2022-49138).
- commit 33a7a6d
- Bluetooth: hci_event: Ignore multiple conn complete events
(bsc#1238160 CVE-2022-49138).
- commit 86d3f6a
- crypto: algif_hash - fix double free in hash_accept
(CVE-2025-38079 bsc#1245217).
- commit 7f960ba
- net_sched: hfsc: Fix a UAF vulnerability in class handling
(CVE-2025-37797 bsc#1242417).
- commit a414920
- net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
(CVE-2024-53057 bsc#1233551).
- commit b56116d
- netfilter: nf_set_pipapo_avx2: fix initial map fill (git-fixes
CVE-2024-57947 bsc#1236333).
- commit e92eecd
- netfilter: nf_set_pipapo: fix initial map fill (CVE-2024-57947
bsc#1236333).
- commit bff7b74
- rpm: Drop support for kabi/arch/ignore-flavor (bsc#1249186)
It's not used in any active branches and it cannot solve contemporary
problems.
- commit f86a16a
- scsi: storvsc: Increase the timeouts to storvsc_timeout
(bsc#1245455).
- scsi: storvsc: Don't report the host packet status as the hv
status (git-fixes).
- commit a5f8a2c
- kernel-obs-qa: Do not depend on srchash when qemu emulation is used
In this case the dependency is never fulfilled
Fixes: 485ae1da2b88 ("kernel-obs-qa: Use srchash for dependency as well")
- commit a840f87
- firmware: arm_scpi: Ensure scpi_info is not assigned if the
probe fails (CVE-2022-50087 bsc#1245119).
- commit ed98a38
- Update
patches.suse/0012-dm-thin-fix-use-after-free-crash-in-dm_sm_register_t.patch
(git-fixes CVE-2022-50092 bsc#1244848).
- Update
patches.suse/0014-dm-raid-fix-address-sanitizer-warning-in-raid_status.patch
(git-fixes CVE-2022-50084 bsc#1245117).
- Update
patches.suse/0023-loop-Check-for-overflow-while-configuring-loop.patch
(git-fixes CVE-2022-49993 bsc#1245121).
- Update
patches.suse/0025-drivers-md-fix-a-potential-use-after-free-bug.patch
(git-fixes CVE-2022-50022 bsc#1245131).
- Update
patches.suse/ALSA-bcd2000-Fix-a-UAF-bug-on-the-error-path-of-prob.patch
(git-fixes CVE-2022-50229 bsc#1244856).
- Update
patches.suse/ASoC-SOF-debug-Fix-potential-buffer-overflow-by-snpr.patch
(git-fixes CVE-2022-50051 bsc#1245041).
- Update
patches.suse/ASoC-mt6797-mt6351-Fix-refcount-leak-in-mt6797_mt635.patch
(git-fixes CVE-2022-50124 bsc#1244816).
- Update
patches.suse/HID-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch
(git-fixes CVE-2022-50156 bsc#1244782).
- Update
patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch
(git-fixes CVE-2022-49981 bsc#1245072).
- Update
patches.suse/HID-steam-Prevent-NULL-pointer-dereference-in-steam_.patch
(git-fixes CVE-2022-49984 bsc#1244950).
- Update
patches.suse/Input-iforce-wake-up-after-clearing-IFORCE_XMIT_RUNN.patch
(git-fixes CVE-2022-49954 bsc#1244976).
- Update
patches.suse/NFSv4-pnfs-Fix-a-use-after-free-bug-in-open.patch
(git-fixes CVE-2022-50072 bsc#1244979).
- Update
patches.suse/PCI-dwc-Deallocate-EPC-memory-on-dw_pcie_ep_init-err.patch
(git-fixes CVE-2022-50146 bsc#1244788).
- Update
patches.suse/RDMA-qedr-Fix-potential-memory-leak-in-__qedr_alloc_.patch
(git-fixes CVE-2022-50138 bsc#1244797).
- Update
patches.suse/RDMA-rxe-Fix-error-unwind-in-rxe_create_qp.patch
(git-fixes CVE-2022-50127 bsc#1244815).
- Update
patches.suse/RDMA-siw-Fix-duplicated-reported-IW_CM_EVENT_CONNECT.patch
(git-fixes CVE-2022-50136 bsc#1244804).
- Update
patches.suse/ceph-don-t-leak-snap_rwsem-in-handle_cap_grant.patch
(bsc#1202810 CVE-2022-50059 bsc#1245031).
- Update
patches.suse/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch
(git-fixes CVE-2022-50029 bsc#1245146).
- Update
patches.suse/crypto-arm64-poly1305-fix-a-read-out-of-bound.patch
(git-fixes CVE-2022-50231 bsc#1244853).
- Update
patches.suse/driver-core-fix-potential-deadlock-in-__driver_attac.patch
(git-fixes CVE-2022-50149 bsc#1244883).
- Update
patches.suse/drm-mcde-Fix-refcount-leak-in-mcde_dsi_bind.patch
(git-fixes CVE-2022-50176 bsc#1244902).
- Update
patches.suse/drm-meson-Fix-refcount-bugs-in-meson_vpu_has_availab.patch
(git-fixes CVE-2022-50038 bsc#1244943).
- Update
patches.suse/drm-msm-mdp5-Fix-global-state-lock-backoff.patch
(git-fixes CVE-2022-50173 bsc#1244992).
- Update
patches.suse/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch
(git-fixes CVE-2022-50185 bsc#1244887).
- Update
patches.suse/drm-sun4i-dsi-Prevent-underflow-when-computing-packe.patch
(git-fixes CVE-2022-50036 bsc#1244941).
- Update
patches.suse/ext4-avoid-resizing-to-a-partial-cluster-size.patch
(bsc#1206880 CVE-2022-50020 bsc#1245129).
- Update
patches.suse/fbdev-fb_pm2fb-Avoid-potential-divide-by-zero-error.patch
(git-fixes CVE-2022-49978 bsc#1245195).
- Update
patches.suse/ftrace-Fix-NULL-pointer-dereference-in-is_ftrace_trampoline-when-ftrace-is-dead.patch
(git-fixes CVE-2022-49977 bsc#1244936).
- Update patches.suse/gadgetfs-ep_io-wait-until-IRQ-finishes.patch
(git-fixes CVE-2022-50028 bsc#1245135).
- Update
patches.suse/hwmon-gpio-fan-Fix-array-out-of-bounds-access.patch
(git-fixes CVE-2022-49945 bsc#1244908).
- Update
patches.suse/ieee802154-adf7242-defer-destroy_workqueue-call.patch
(git-fixes CVE-2022-49968 bsc#1244959).
- Update
patches.suse/iio-light-isl29028-Fix-the-warning-in-isl29028_remov.patch
(git-fixes CVE-2022-50218 bsc#1244861).
- Update
patches.suse/intel_th-Fix-a-resource-leak-in-an-error-handling-pa.patch
(git-fixes CVE-2022-50143 bsc#1244790).
- Update patches.suse/intel_th-msu-Fix-vmalloced-buffers.patch
(git-fixes CVE-2022-50142 bsc#1244796).
- Update
patches.suse/iommu-vt-d-avoid-invalid-memory-access-via-node_online-NUMA_NO_N
(git-fixes CVE-2022-50093 bsc#1244849).
- Update
patches.suse/jbd2-fix-assertion-jh-b_frozen_data-NULL-failure-whe.patch
(bsc#1202716 CVE-2022-50126 bsc#1244813).
- Update
patches.suse/locking-csd_lock-Change-csdlock_debug-from-early_par.patch
(git-fixes CVE-2022-50091 bsc#1244885).
- Update patches.suse/md-call-__md_stop_writes-in-md_stop.patch
(git-fixes CVE-2022-49987 bsc#1245024).
- Update patches.suse/md-raid10-fix-KASAN-warning.patch (git-fixes
CVE-2022-50211 bsc#1245140).
- Update patches.suse/memstick-ms_block-Fix-a-memory-leak.patch
(git-fixes CVE-2022-50140 bsc#1244793).
- Update
patches.suse/meson-mx-socinfo-Fix-refcount-leak-in-meson_mx_socin.patch
(git-fixes CVE-2022-50209 bsc#1244868).
- Update
patches.suse/mfd-max77620-Fix-refcount-leak-in-max77620_initialis.patch
(git-fixes CVE-2022-50108 bsc#1244834).
- Update
patches.suse/misc-fastrpc-fix-memory-corruption-on-open.patch
(git-fixes CVE-2022-49950 bsc#1244958).
- Update
patches.suse/misc-fastrpc-fix-memory-corruption-on-probe.patch
(git-fixes CVE-2022-49952 bsc#1244945).
- Update
patches.suse/mmc-sdhci-of-esdhc-Fix-refcount-leak-in-esdhc_signal.patch
(git-fixes CVE-2022-50141 bsc#1244794).
- Update
patches.suse/msft-hv-2639-scsi-storvsc-Remove-WQ_MEM_RECLAIM-from-storvsc_erro.patch
(git-fixes CVE-2022-49986 bsc#1244948).
- Update
patches.suse/mt76-mt76x02u-fix-possible-memory-leak-in-__mt76x02u.patch
(git-fixes CVE-2022-50172 bsc#1244764).
- Update
patches.suse/mtd-maps-Fix-refcount-leak-in-ap_flash_init.patch
(git-fixes CVE-2022-50160 bsc#1244776).
- Update
patches.suse/mtd-maps-Fix-refcount-leak-in-of_flash_probe_versati.patch
(git-fixes CVE-2022-50161 bsc#1244774).
- Update
patches.suse/mtd-partitions-Fix-refcount-leak-in-parse_redboot_of.patch
(git-fixes CVE-2022-50158 bsc#1244779).
- Update
patches.suse/netfilter-nf_tables-do-not-allow-CHAIN_ID-to-refer-t.patch
(CVE-2022-2586 bsc#1202095 CVE-2022-50212 bsc#1244869).
- Update
patches.suse/pinctrl-nomadik-Fix-refcount-leak-in-nmk_pinctrl_dt_.patch
(git-fixes CVE-2022-50061 bsc#1245033).
- Update
patches.suse/powerpc-64-Init-jump-labels-before-parse_early_param.patch
(bsc#1065729 CVE-2022-50012 bsc#1245125).
- Update patches.suse/powerpc-pci-Fix-get_phb_number-locking.patch
(bsc#1065729 CVE-2022-50045 bsc#1244967).
- Update
patches.suse/powerpc-perf-Optimize-clearing-the-pending-PMI-and-r.patch
(bsc#1156395 CVE-2022-50118 bsc#1244825).
- Update
patches.suse/powerpc-xive-Fix-refcount-leak-in-xive_get_max_prio.patch
(fate#322438 git-fixess CVE-2022-50104 bsc#1244836).
- Update
patches.suse/regulator-of-Fix-refcount-leak-bug-in-of_get_regulat.patch
(git-fixes CVE-2022-50191 bsc#1244899).
- Update
patches.suse/s390-fix-double-free-of-GS-and-RI-CBs-on-fork-failure
(git-fixes CVE-2022-49990 bsc#1245006).
- Update
patches.suse/scsi-lpfc-Fix-possible-memory-leak-when-failing-to-i.patch
(bsc#1201956 CVE-2022-50027 bsc#1245073).
- Update
patches.suse/scsi-lpfc-Prevent-buffer-overflow-crashes-in-debugfs.patch
(bsc#1201956 CVE-2022-50030 bsc#1245265).
- Update
patches.suse/scsi-qla2xxx-fix-crash-due-to-stale-srb-access-around-i-o-timeouts.patch
(bsc#1201160 CVE-2022-50098 bsc#1244841).
- Update
patches.suse/scsi-sg-Allow-waiting-for-commands-to-complete-on-removed-device.patch
(git-fixes CVE-2022-50215 bsc#1245138).
- Update
patches.suse/spmi-trace-fix-stack-out-of-bound-access-in-SPMI-tracing-functions.patch
(git-fixes CVE-2022-50094 bsc#1244851).
- Update
patches.suse/tty-serial-Fix-refcount-leak-bug-in-ucc_uart.c.patch
(git-fixes CVE-2022-50019 bsc#1245098).
- Update
patches.suse/tty-vt-initialize-unicode-screen-buffer.patch
(git-fixes CVE-2022-50222 bsc#1245136).
- Update
patches.suse/usb-host-Fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch
(git-fixes CVE-2022-50153 bsc#1244786).
- Update
patches.suse/usb-host-ohci-ppc-of-Fix-refcount-leak-bug.patch
(git-fixes CVE-2022-50033 bsc#1245139).
- Update
patches.suse/usb-ohci-nxp-Fix-refcount-leak-in-ohci_hcd_nxp_probe.patch
(git-fixes CVE-2022-50152 bsc#1244783).
- Update patches.suse/usb-renesas-Fix-refcount-leak-bug.patch
(git-fixes CVE-2022-50032 bsc#1245103).
- Update
patches.suse/usbnet-Fix-linkwatch-use-after-free-on-disconnect.patch
(git-fixes CVE-2022-50220 bsc#1245348).
- Update
patches.suse/video-fbdev-amba-clcd-Fix-refcount-leak-bugs.patch
(git-fixes CVE-2022-50109 bsc#1244884).
- Update
patches.suse/video-fbdev-arkfb-Check-the-size-of-screen-before-me.patch
(git-fixes CVE-2022-50099 bsc#1244842).
- Update
patches.suse/video-fbdev-arkfb-Fix-a-divide-by-zero-bug-in-ark_se.patch
(git-fixes CVE-2022-50102 bsc#1244838).
- Update
patches.suse/video-fbdev-i740fb-Check-the-argument-of-i740_calc_v.patch
(git-fixes CVE-2022-50010 bsc#1245122).
- Update
patches.suse/video-fbdev-s3fb-Check-the-size-of-screen-before-mem.patch
(git-fixes CVE-2022-50097 bsc#1244845).
- Update
patches.suse/video-fbdev-vt8623fb-Check-the-size-of-screen-before.patch
(git-fixes CVE-2022-50101 bsc#1244839).
- Update
patches.suse/virtio-gpu-fix-a-missing-check-to-avoid-NULL-derefer.patch
(git-fixes CVE-2022-50181 bsc#1244901).
- Update
patches.suse/virtio_net-fix-memory-leak-inside-XPD_TX-with-mergea.patch
(git-fixes CVE-2022-50065 bsc#1244986).
- Update
patches.suse/vt-Clear-selection-before-changing-the-font.patch
(git-fixes CVE-2022-49948 bsc#1245058).
- Update
patches.suse/wifi-iwlwifi-mvm-fix-double-list_add-at-iwl_mvm_mac_.patch
(git-fixes CVE-2022-50164 bsc#1244770).
- Update
patches.suse/wifi-libertas-Fix-possible-refcount-leak-in-if_usb_p.patch
(git-fixes CVE-2022-50162 bsc#1244773).
- Update
patches.suse/wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch
(git-fixes CVE-2022-49942 bsc#1244881).
- Update
patches.suse/wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch
(git-fixes CVE-2022-49934 bsc#1245051).
- Update
patches.suse/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch
(git-fixes CVE-2022-50169 bsc#1244767).
- Update
patches.suse/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch
(git-fixes CVE-2022-50165 bsc#1244771).
- Update
patches.suse/xen-privcmd-fix-error-exit-of-privcmd_ioctl_dm_op.patch
(git-fixes CVE-2022-49989 bsc#1245007).
- commit 138997d
- Update
patches.suse/USB-core-Prevent-nested-device-reset-calls.patch
(bsc#1206664 CVE-2022-4662 CVE-2022-49936 bsc#1244984).
- Update
patches.suse/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch
(CVE-2022-1679 bsc#1199487 CVE-2022-50179 bsc#1244886).
- Update
patches.suse/bpf-Don-t-use-tnum_range-on-array-range-checking-for.patch
(bsc#1202564 bsc#1202860 CVE-2022-2905 CVE-2022-49985
bsc#1244956).
- Update
patches.suse/btrfs-unset-reloc-control-if-transaction-commit-fail.patch
(bsc#1212051 CVE-2023-3111 CVE-2022-50067 bsc#1245047).
- Update
patches.suse/ext4-add-EXT4_INODE_HAS_XATTR_SPACE-macro-in-xattr.h.patch
(bsc#1206878 CVE-2022-50083 bsc#1244968).
- Update
patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch
(CVE-2022-3903 bsc#1205220 CVE-2022-49937 bsc#1245057).
- Update
patches.suse/netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch
(CVE-2022-2586 bsc#1202095 CVE-2022-50213 bsc#1244867).
- Update patches.suse/sch_htb-make-htb_deactivate-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-37953 bsc#1243543).
- Update
patches.suse/sch_htb-make-htb_qlen_notify-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-37932 bsc#1243627).
- Update
patches.suse/staging-rtl8712-fix-use-after-free-bugs.patch
(CVE-2022-4095 bsc#1205514 CVE-2022-49956 bsc#1244969).
- commit cfda5f9
- selinux: Add boundary check in put_entry() (CVE-2022-50200
bsc#1245149).
- commit 66f4090
- net_sched: prio: fix a race in prio_tune() (CVE-2025-38083
bsc#1245183).
- commit 23a5ba6
- dm raid: fix address sanitizer warning in raid_resume
(CVE-2022-50085 bsc#1245147).
- commit 014ae24
- Remove host-memcpy-hack.h
This might have been usefult at some point but we have more things that
depend on specific library versions today.
- commit 0396c23
- Remove compress-vmlinux.sh
/usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in
pesign-obs-integration during SLE12 RC. This workaround can be removed.
- commit 19caac0
- Remove try-disable-staging-driver
The config for linux-next is autogenerated from master config, and
defaults filled for missing options. This is unlikely to enable any
staging driver in the first place.
- commit a6f21ed
- kabi: place tstamp needed for nftables set in a hole
(CVE-2024-27397 bsc#1224095).
- commit 77b63ae
- netfilter: nf_tables: use timestamp to check for set element
timeout (CVE-2024-27397 bsc#1224095).
- commit 9049387
- netfilter: nft_set_rbtree: .deactivate fails if element has
expired (CVE-2024-27397 bsc#1224095).
- commit 1e980c4
- net_sched: hfsc: Address reentrant enqueue adding class to
eltree twice (CVE-2025-38001 bsc#1244234).
- commit f66f8f9
- sch_ets: make est_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
Note: this patch is only needed SLE15-SP3-LTSS as sch_ets was not
backported into other 5.3 based branches.
- commit 6c457bf
- sch_htb: make htb_deactivate() idempotent (CVE-2025-37798
bsc#1242414).
- codel: remove sch->q.qlen check before
qdisc_tree_reduce_backlog() (CVE-2025-37798 bsc#1242414).
- sch_qfq: make qfq_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_drr: make drr_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- commit 76ca52d
- packaging: Add support for suse-kabi-tools
The current workflow to check kABI stability during the RPM build of SUSE
kernels consists of the following steps:
* The downstream script rpm/modversions unpacks the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and creates
individual symref files.
* The build performs a regular kernel make. During this operation, genksyms
is invoked for each source file. The tool determines type signatures of
all exports within the file, reports any differences compared to the
associated symref reference, calculates symbol CRCs from the signatures
and writes new type data into a symtypes file.
* The script rpm/modversions is invoked again, this time it packs all new
symtypes files to a consolidated kABI file.
* The downstream script rpm/kabi.pl checks symbol CRCs in the new build and
compares them to a reference from kabi/<arch>/symvers-<flavor>, taking
kabi/severities into account.
suse-kabi-tools is a new set of tools to improve the kABI checking process.
The suite includes two tools, ksymtypes and ksymvers, which replace the
existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison
functionality previously provided by genksyms. The tools have their own
source repository and package.
The tools provide faster operation and more detailed, unified output. In
addition, they allow the use of the new upstream tool gendwarfksyms, which
lacks any built-in comparison functionality.
The updated workflow is as follows:
* The build performs a regular kernel make. During this operation, genksyms
(gendwarfksyms) is invoked as usual, determinining signatures and CRCs of
all exports and writing the type data to symtypes files. However,
genksyms no longer performs any comparison.
* 'ksymtypes consolidate' packs all new symtypes files to a consolidated
kABI file.
* 'ksymvers compare' checks symbol CRCs in the new build and compares them
to a reference from kabi/<arch>/symvers-<flavor>, taking kabi/severities
into account. The tool writes its result in a human-readable form on
standard output and also writes a list of all changed exports (not
ignored by kabi/severities) to the changed-exports file.
* 'ksymtypes compare' takes the changed-exports file, the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and the new
consolidated data. Based on this data, it produces a detailed report
explaining why the symbols changed.
The patch enables the use of suse-kabi-tools via rpm/config.sh, providing
explicit control to each branch. To enable the support, set
USE_SUSE_KABI_TOOLS=Yes in the config file.
- commit a2c6f89
- kernel-source: Remove log.sh from sources
- commit 96bd779
- scripts/python/kss-dashboard: implement CVSSv3.1 score consistency check
- commit 8794371
- scripts/python/kss-dashboard: attempt getting smash data
- commit dd02615
- netfilter: ipset: add missing range check in bitmap_ip_uadt (CVE-2024-53141 bsc#1234381)
- commit 21ac02b
- net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
(CVE-2025-37823 bsc#1242924).
- commit dca98b0
- sch_hfsc: Fix qlen accounting bug when using peek in
hfsc_enqueue() (CVE-2025-38000 bsc#1244277).
- net_sched: hfsc: Fix a UAF vulnerability in class with netem
as child qdisc (CVE-2025-37890 bsc#1243330).
- net: sched: sch_multiq: fix possible OOB write in multiq_tune()
(CVE-2024-36978 bsc#1226514).
- commit 8d2bb29
- netfilter: ipset: fix region locking in hash types
(CVE-2025-37997 bsc#1243832).
- commit d102bab
- net: sched: Disallow replacing of child qdisc from one parent
to another (CVE-2025-21700 bsc#1237159).
- commit bde17d3
- netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
(git-fixes CVE-2025-21703 bsc#1237313).
- commit 982a71f
- pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702 bsc#1237312)
- commit f34470d
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- commit a87a922
- netfilter: nft_set_pipapo: do not free live element
(CVE-2024-26924 bsc#1223387).
- commit b465633
- net/sched: netem: account for backlog updates from child qdisc
(CVE-2024-56770 bsc#1235637).
- sch/netem: fix use after free in netem_dequeue (CVE-2024-56770
bsc#1235637 CVE-2024-46800 bsc#1230827).
- commit 3360a1a
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- commit 7c95ae0
- MyBS: Do not build kernel-obs-qa with limit_packages
Fixes: 58e3f8c34b2b ("bs-upload-kernel: Pass limit_packages also on multibuild")
- commit f4c6047
- MyBS: Simplify qa_expr generation
Start with a 0 which makes the expression valid even if there are no QA
repositories (currently does not happen). Then separator is always
needed.
- commit e4c2851
- MyBS: Correctly generate build flags for non-multibuild package limit
(bsc# 1244241)
Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build")
- commit 27588c9
- bs-upload-kernel: Pass limit_packages also on multibuild
Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build")
Fixes: 747f601d4156 ("bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)")
- commit 8ef486c
- wifi: cfg80211: fix certs build to not depend on file order
(bsc#1243001).
- wifi: cfg80211: Add my certificate (bsc#1243001).
- commit eda1fcf
- kernel-source: Do not use multiple -r in sed parameters
This usage is enabled in commit b18d64d
(sed: allow multiple (non-conflicting) -E/-r parameters, 2016-07-31)
only available since sed 4.3
Fixes: dc2037cd8f94 ("kernel-source: Also replace bin/env"
- commit 91ad98e
- kabi/severities: workaround kABI checker complains after AX25 and HAMRADIO removals
KABI: symbol asc2ax(mod:net/ax25/ax25) lost
KABI: symbol ax25_bcast(mod:net/ax25/ax25) lost
KABI: symbol ax25_defaddr(mod:net/ax25/ax25) lost
KABI: symbol ax25_display_timer(mod:net/ax25/ax25) lost
KABI: symbol ax25_find_cb(mod:net/ax25/ax25) lost
KABI: symbol ax25_findbyuid(mod:net/ax25/ax25) lost
KABI: symbol ax25_header_ops(mod:net/ax25/ax25) lost
KABI: symbol ax25_ip_xmit(mod:net/ax25/ax25) lost
KABI: symbol ax25_linkfail_register(mod:net/ax25/ax25) lost
KABI: symbol ax25_linkfail_release(mod:net/ax25/ax25) lost
KABI: symbol ax25_listen_register(mod:net/ax25/ax25) lost
KABI: symbol ax25_listen_release(mod:net/ax25/ax25) lost
KABI: symbol ax25_protocol_release(mod:net/ax25/ax25) lost
KABI: symbol ax25_register_pid(mod:net/ax25/ax25) lost
KABI: symbol ax25_send_frame(mod:net/ax25/ax25) lost
KABI: symbol ax25_uid_policy(mod:net/ax25/ax25) lost
KABI: symbol ax25cmp(mod:net/ax25/ax25) lost
KABI: symbol ax2asc(mod:net/ax25/ax25) lost
KABI: symbol hdlcdrv_arbitrate(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_receiver(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_register(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_transmitter(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_unregister(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol null_ax25_address(mod:net/ax25/ax25) lost
- commit fc0b9ba
- drop rose drivers (bsc#1238471).
- drop netrom drivers (bsc#1238471).
- drop hamradio drivers (bsc#1238471).
- drop ax25 drivers (bsc#1238471).
- commit bde35e8
- krb5
-
- Remove des3-cbc-sha1 and arcfour-hmac-md5 from permitted
enctypes unless new special options "allow_des3" or "allow_rc4"
are set; (CVE-2025-3576); (bsc#1241219).
- Add patch 0015-CVE-2025-3576.patch
- expat
-
- Fix CVE-2025-59375 / bsc#1249584.
- Add patch file:
* CVE-2025-59375.patch
- gcc14
-
- Exclude shared objects present for link editing in the GCC specific
subdirectory from provides processing via __provides_exclude_from.
[bsc#1244050][bsc#1243991]
- Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap
variant conflict with the unversioned cross-*-gcc package.
- Disable build of glibc cross to loongarch64 and hppa in SLFO
and SLE15.
- Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799
- Remove gcc14-pr120061.patch which is now included upstream.
- Add gcc14-pr120061.patch to fix the PR108900 fix instead of
reverting it.
- Remove gcc14-pr108900.patch
- Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build.
- Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702
* Remove gcc14-pr118780.patch now on the upstream branch
- Fix build on s390x [bsc#1241549]
- Make sure link editing is done against our own shared library
copy rather than the installed system runtime. [bsc#1240788]
- Add gcc14-pr119680.patch to fix cross-compiler builds with
- -enable-host-pie.
- libgcrypt
-
- Security fix [bsc#1221107, CVE-2024-2236]
* Add --enable-marvin-workaround to spec to enable workaround
* Fix timing based side-channel in RSA implementation ( Marvin attack )
* Add libgcrypt-CVE-2024-2236_01.patch
* Add libgcrypt-CVE-2024-2236_01_s390x.patch
* Add libgcrypt-CVE-2024-2236_02.patch
* Add libgcrypt-CVE-2024-2236_03.patch
- gnutls
-
- Fix 1-byte heap buffer overflow when parsing templates with certtool
[bsc#1246267, CVE-2025-32990]
* Add patch gnutls-CVE-2025-32990.patch
- Fix double-free due to incorrect ownership handling in the export logic of
SAN entries containing an otherName [bsc#1246232, CVE-2025-32988]
* Add patch gnutls-CVE-2025-32988.patch
- Fix NULL pointer dereference when 2nd Client Hello omits PSK
[bsc#1246299, CVE-2025-6395]
* Add patch gnutls-CVE-2025-6395.patch
- openssl-1_1
-
- Security fix: [bsc#1250232 CVE-2025-9230]
* Fix out-of-bounds read & write in RFC 3211 KEK unwrap
* Add patch openssl3-CVE-2025-9230.patch
- polkit
-
- CVE-2025-7519: Fixed that a XML policy file with a large number of
nested elements may lead to out-of-bounds write (bsc#1246472)
added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch
- python3
-
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
validates archives to ensure member offsets are non-negative
(gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
- Add CVE-2025-4435-normalize-lnk-trgts-tarfile.patch
Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138,
CVE-2024-12718, CVE-2025-4435 on tarfile (bsc#1244032,
bsc#1244061, bsc#1244059, bsc#1244060, bsc#1244056).
The backported fixes do not contain changes for ntpath.py and
related tests, because the support for symlinks and junctions
were added later in Python 3.9, and it does not make sense to
backport them to 3.6 here.
The patch is contains the following changes:
- python@42deeab fixes symlink handling for tarfile.data_filter
- python@9d2c2a8 fixes handling of existing files/symlinks in tarfile
- python@00af979 adds a new "strict" argument to realpath()
- python@dd8f187 fixes mulriple CVE fixes in the tarfile module
- downstream only fixes that makes the changes work and
compatible with Python 3.6
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Add python36-* provides/obsoletes to enable SLE-12 -> SLE-15
migration, bsc#1233012
- Add ipaddress-update-pr60.patch from gh#phihag/ipaddress!60 to
update vendored ipaddress module to 3.8 equivalent
- Add gh-128840_parse-IPv6-with-emb-IPv4.patch to limit buffer
size for IPv6 address parsing (gh#python/cpython#128840,
bsc#1244401).
- Update CVE-2025-4516-DecodeError-handler.patch not to break
_PyBytes_DecodeEscape signature.
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
- ruby2.5
-
- add limit-decompressed-name-length.patch
- fix ruby: denial of service (DoS) due to an insufficient check
on the length of a decompressed domain name within a DNS packet
in resolv gem
bsc#1246430 CVE-2025-24294
- update suse.patch to 3f3682bf07fcd4f2fa875958853d3843ee7dcdb9
- fix remote DoS via YAML manifest
bsc#1225905 CVE-2024-35221
- update suse.patch to c76fb820676cfded16c697a62281a3bfeb8e4bb1
- fix webrick: Ruby WEBrick read_header HTTP Request Smuggling Vulnerability
bsc#1245254 CVE-2025-6442
- update suse.patch to 5d79fc609c5761864aec47e1ae4796b93db99104
- fix ruby: userinfo leakage in URI#join, URI#merge and URI#+
bsc#1237805 CVE-2025-27221
- libsolv
-
- add support for product-obsoletes() provides in the product
autopackage generation code
- bump version to 0.7.34
- improve transaction ordering by allowing more uninst->uninst
edges [bsc#1243457]
- implement color filtering when adding update targets
- support orderwithrequires dependencies in susedata.xml
- bump version to 0.7.33
- sqlite3
-
- Backpatch the URLs in sqlite3.n from https to http to avoid a
file conflict with the tcl package on SLE-15-GA up to SP2. In
SP3 and onwards the Tcl package does not contain the sqlite
extension anymore.
- Sync version 3.50.2 from Factory:
* CVE-2025-6965, bsc#1246597:
Raise an error early if the number of aggregate terms in a
query exceeds the maximum number of columns, to avoid
downstream assertion faults.
* Add subpackage for the lemon parser generator.
+ sqlite-3.49.0-fix-lemon-missing-cflags.patch
+ sqlite-3.6.23-lemon-system-template.patch
- libssh
-
- Security fix: [CVE-2025-8277, bsc#1249375]
* Memory Exhaustion via Repeated Key Exchange
* Add patches:
- libssh-CVE-2025-8277-packet-Adjust-packet-filter-to-work-wh.patch
- libssh-CVE-2025-8277-Fix-memory-leak-of-unused-ephemeral-ke.patch
- libssh-CVE-2025-8277-ecdh-Free-previously-allocated-pubkeys.patch
- Security fix: [CVE-2025-8114, bsc#1246974]
* NULL pointer dereference when calculating session ID during KEX
* Add libssh-CVE-2025-8114.patch
- Fix CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
* Add patch libssh-CVE-2025-5318.patch
- Fix CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
* Add patch libssh-CVE-2025-4877.patch
- Fix CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
* Add patches:
- libssh-CVE-2025-4878-1.patch
- libssh-CVE-2025-4878-2.patch
- Fix CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
* Add patch libssh-CVE-2025-5372.patch
- libxml2
-
- security update
- added patches
CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
+ libxml2-CVE-2025-7425.patch
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
- security update
- added patches
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
+ libxml2-CVE-2025-6170,6021.patch
- libzypp
-
- runposttrans: strip root prefix from tmppath (bsc#1250343)
- fixup! Make ld.so ignore the subarch packages during install
(bsc#1246912)
- version 17.37.18 (35)
- Make ld.so ignore the subarch packages during install
(bsc#1246912)
- version 17.37.17 (35)
- Fix evaluation of libproxy results (bsc#1247690)
- Replace URL variables inside mirrorlist/metalink files
(fixes #667)
- version 17.37.16 (35)
- Append RepoInfo::path() to the mirror URLs in Preloader
(bsc#1247054)
- version 17.37.15 (35)
- During installation indicate the backend being used (bsc#1246038)
If some package actually needs to know, it should test for
ZYPP_CLASSIC_RPMTRANS being set in the environment.
Otherwise the transaction is driven by librpm.
- version 17.37.14 (35)
- Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459)
- Verbose log libproxy results if PX_DEBUG=1 is set.
- BuildRequires: cmake >= 3.17.
- version 17.37.13 (35)
- Allow explicit request to probe an added repo's URL
(bsc#1246466)
- Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661)
- version 17.37.12 (35)
- Add runtime check for a broken rpm-4.18.0 --runpostrans
(bsc#1246149)
- Add regression test for bsc#1245220 and some other filesize
related tests.
- version 17.37.11 (35)
- BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486)
Newer rpm versions no longer allow a ':' in rpm package names or
obsoletes. So injecting an
Obsoletes: product:oldproductname < oldproductversion
into the -release package to indicate a product rename is no longer
possible.
Since libsolv-0.7.34 you can and should use:
Provides: product-obsoletes(oldproductname) < oldproductversion
in the -release package. libsolv will then inject the appropriate
Obsoletes into the Product.
- version 17.37.10 (35)
- Ignore DeltaRpm download errors (bsc#1245672)
DeltaRpms are in fact optional resources. In case of a failure
the full rpm is downloaded.
- Improve fix for incorrect filesize handling (bsc#1245220)
- version 17.37.9 (35)
- Do not trigger download data exceeded errors on HTTP non data
responses (bsc#1245220)
In some cases a HTTP 401 or 407 did trigger a "filesize exceeded"
error, because the response payload size was compared against the
expected filesize. This patch adds some checks if the response
code is in the success range and only then takes expected
filesize into account. Otherwise the response content-length is
used or a fallback of 2Mb if no content-length is known.
- version 17.37.8 (35)
- Fix SEGV in MediaDISK handler (bsc#1245452)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
DownloadAsNeeded can not be combined with the rpm singletrans
installer backend because a rpm transaction requires all package
headers to be available the the beginning of the transaction. So
explicitly selecting this mode also turns on the classic_rpmtrans
backend.
- Fix evaluation of libproxy results (bsc#1244710)
- version 17.37.7 (35)
- Enhancements regarding mirror handling during repo refresh.
Added means to disable the use of mirrors when downloading
security relevant files. Requires updaing zypper to 1.14.91.
- Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042)
If ZYPP_FULLLOG=1 a solver testcase to
"/var/log/YaST2/autoTestcase" should be written for each solver
run. There was no testcase written for the very first solver run.
This is now fixed.
- Pass $1==2 to %posttrans script if it's an update (bsc#1243279)
- version 17.37.6 (35)
- net-tools
-
- Drop 0002-Do-not-warn-about-interface-socket-not-binded.patch. It
worked around a net-tools-1.60 specific problem, that does not
happen in net-tools-2.10. It is more harmful than useful, as it
can hide real problems. (bsc#430864#c15,
https://github.com/ecki/net-tools/issues/32#issuecomment-3265471116).
- Drop 0004-By-default-do-not-fopen-anything-in-netrom_gr.patch. It
was net-tools-1.60 specific leak fix and breaks netrom in
net-tools-2.10 (bnc#544339#c2).
- Drop old Fedora patch 0006-Allow-interface-stacking.patch. It
provided a fix for CVE-2025-46836 (bsc#142461), but it was fixes
by the upstream in 2025 in a different way. Revert interferring
net-tools-CVE-2025-46836.patch back to the upstream version.
- Fix stack buffer overflow in parse_hex (bsc#1248687,
GHSA-h667-qrp8-gj58, net-tools-parse_hex-stack-overflow.patch).
- Fix stack-based buffer overflow in proc_gen_fmt (bsc#1248687,
GHSA-w7jq-cmw2-cq59,
net-tools-proc_gen_fmt-buffer-overflow.patch).
- Avoid unsafe memcpy in ifconfig (bsc#1248687,
net-tools-ifconfig-avoid-unsafe-memcpy.patch).
- Prevent overflow in ax25 and netrom (bsc#1248687,
net-tools-ax25+netrom-overflow-1.patch,
net-tools-ax25+netrom-overflow-2.patch).
- Keep possibility to enter long interface names, even if they are
not accepted by the kernel, because it was always possible up to
CVE-2025-46836 fix. But issue a warning about an interface name
concatenation (bsc#1248410,
net-tools-ifconfig-long-name-warning.patch).
- Provide more readable error for interface name size checking
introduced by net-tools-CVE-2025-46836.patch
(bsc#1243581, net-tools-CVE-2025-46836-error-reporting.patch).
- Fix a regression in net-tools-CVE-2025-46836.patch (bsc#1246608).
- Perform bound checks when parsing interface labels in
/proc/net/dev (bsc#1243581, CVE-2025-46836, GHSA-pfwf-h6m3-63wf,
net-tools-CVE-2025-46836.patch,
net-tools-CVE-2025-46836-regression.patch).
- pam
-
- Make sure that the buffer containing encrypted passwords get's erased
bedore free.
- Replace to previous CVE fix which led to CPU performance issues.
[bsc#1246221, CVE-2024-10041,
+ libpam-introduce-secure-memory-erasure-helpers.patch
+ pam_modutil_get-overwrite-password-at-free.patch
- passverify-always-run-the-helper-to-obtain-shadow_pwd.patch]
- python-PyYAML
-
- Add python36-PyYAML provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-appdirs
-
- Add python36-appdirs provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-asn1crypto
-
- Add python36-asn1crypto provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-certifi
-
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-cffi
-
- Add python36-cffi provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-chardet
-
- Add python36-chardet provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-idna
-
- Add python36-idna provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-packaging
-
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pyasn1
-
- Add python36-pyasn1 provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pycparser
-
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pyparsing
-
- Add python36-pyparsing provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pytz
-
- Add python36-pytz provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-py
-
- Add python36-py provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-requests
-
- Add python36- provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- salt
-
- Prevent tests failures when pygit2 is not present
- Several fixes for security issues
(bsc#1244561, CVE-2024-38822)
(bsc#1244564, CVE-2024-38823)
(bsc#1244565, CVE-2024-38824)
(bsc#1244566, CVE-2024-38825)
(bsc#1244567, CVE-2025-22240)
(bsc#1244568, CVE-2025-22236)
(bsc#1244570, CVE-2025-22241)
(bsc#1244571, CVE-2025-22237)
(bsc#1244572, CVE-2025-22238)
(bsc#1244574, CVE-2025-22239)
(bsc#1244575, CVE-2025-22242)
* Request server hardening
* Prevent traversal in local_cache::save_minions
* Add test and fix for file_recv cve
* Fix traversal in gitfs find_file
* Fix traversal in salt.utils.virt
* Fix traversal in pub_ret
* Reasonable failures when pillars timeout
* Make send_req_async wait longer
* Remove token to prevent decoding errors
* Fix checking of non-url style git remotes
* Allow subdirs in GitFS find_file check
- Add subsystem filter to udev.exportdb (bsc#1236621)
- tornado.httputil: raise errors instead of logging in
multipart/form-data parsing (CVE-2025-47287, bsc#1243268)
- Fix Ubuntu 24.04 edge-case test failures
- Fix broken tests for Ubuntu 24.04
- Fix refresh of osrelease and related grains on Python 3.10+
- Make "salt" package to obsolete "python3-salt" package on SLE15SP7+
- Fix issue requiring proper Python flavor for dependencies and recommended package
- Added:
* fix-tests-issues-in-salt-shaker-environments-721.patch
* several-fixes-for-security-issues.patch
* fix-of-cve-2025-47287-bsc-1243268-718.patch
* add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch
* fix-ubuntu-24.04-specific-failures-716.patch
* fix-debian-tests-715.patch
* fix-refresh-of-osrelease-and-related-grains-on-pytho.patch
- python-six
-
- Add python36-six provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-urllib3
-
- Add patch CVE-2025-50181-poolmanager-redirects.patch:
* Pool managers now properly control redirects when retries is passed
(CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
- Add python36-urllib3 provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- suse-build-key
-
- adjust UID (name + email) of SLES16 signing key with official
names. (bsc#1245223)
- suse-module-tools
-
- Update to version 15.3.19:
* add blacklist entry for reiserfs (jsc#PED-6167)
* Add more modules to file system blacklist (jsc#PED-6167)
* Add hfsplus to file system blacklist (bsc#1240950, jsc#PED-12632)
* Enable f2fs (bsc#1184415)
- sysconfig
-
- version 0.85.10
* codespell run for all repository files and changes file
* spec: define permissions for ghost file attrs to avoid
rpm --restore resets them to 0 (bsc#1237595).
* spec: fix name-repeated-in-summary rpmlint warning
- systemd-presets-branding-SMO
-
- Enable sysstat_collect.timer and sysstat_summary.timer.
Bugs: bsc#1244553 / bsc#1246835
- Modified sources:
* 50-default-SUSE_MicroOS.preset
- vim
-
- Refresh patch:
* vim-8.2.2411-globalvimrc.patch
- Add patch:
* reorder-exit-raw-mode.patch
- Fix the following CVEs and bugs:
* bsc#1246602 (CVE-2025-53906)
* bsc#1246604 (CVE-2025-53905)
* bsc#1247939 (CVE-2025-55158)
* bsc#1247938 (CVE-2025-55157)
- Update to 9.1.1629:
9.1.1629: Vim9: Not able to use more than 10 type arguments in a generic function
9.1.1628: fuzzy.c has a few issues
9.1.1627: fuzzy matching can be improved
9.1.1626: cindent: does not handle compound literals
9.1.1625: Autocompletion slow with include- and tag-completion
9.1.1624: Cscope not enabled on MacOS
9.1.1623: Buffer menu does not handle unicode names correctly
9.1.1622: Patch v9.1.1432 causes performance regressions
9.1.1621: flicker in popup menu during cmdline autocompletion
9.1.1620: filetype: composer.lock and symfony.lock files not recognized
9.1.1619: Incorrect E535 error message
9.1.1618: completion: incorrect selected index returned from complete_info()
9.1.1617: Vim9: some error messages can be improved
9.1.1616: xxd: possible buffer overflow with bitwise output
9.1.1615: diff format erroneously detected
9.1.1614: Vim9: possible variable type change
9.1.1613: tests: test_search leaves a few swapfiles behind
9.1.1612: Ctrl-G/Ctrl-T do not ignore the end search delimiter
9.1.1611: possible undefined behaviour in mb_decompose()
9.1.1610: completion: hang or E684 when 'tagfunc' calls complete()
9.1.1609: complete: Heap-buffer overflow with complete function
9.1.1608: No command-line completion for :unsilent {command}
9.1.1607: :apple command detected as :append
9.1.1606: filetype: a few more files are not recognized
9.1.1605: cannot specify scope for chdir()
9.1.1604: completion: incsearch highlight might be lost
9.1.1603: completion: cannot use autoloaded funcs in 'complete' F{func}
9.1.1602: filetype: requirements-*.txt files are not recognized
9.1.1601: Patch v8.1.0425 was wrong
9.1.1600: using diff anchors with hidden buffers fails silently
9.1.1599: :bnext doesn't go to unlisted help buffers
9.1.1598: filetype: waybar config file is not recognized
9.1.1597: CI reports leaks in libgtk3 library
9.1.1596: tests: Test_search_wildmenu_iminsert() depends on help file
9.1.1595: Wayland: non-portable use of select()
9.1.1594: completion: search completion throws errors
9.1.1593: Confusing error when compiling incomplete try block
9.1.1592: Vim9: crash with classes and garbage collection
9.1.1591: VMS support can be improved
9.1.1590: cannot perform autocompletion
9.1.1589: Cannot disable cscope interface using configure
9.1.1588: Vim9: cannot split dict inside command block
9.1.1587: Wayland: timeout not updated before select()
9.1.1586: Vim9: can define an enum/interface in a function
9.1.1585: Wayland: gvim still needs GVIM_ENABLE_WAYLAND
9.1.1584: using ints as boolean type
9.1.1583: gvim window lost its icons
9.1.1582: style issue in vim9type.c and vim9generics.c
9.1.1581: possible memory leak in vim9generics.c
9.1.1580: possible memory leak in vim9type.c
9.1.1579: Coverity complains about unchecked return value
9.1.1578: configure: comment still mentions autoconf 2.71
9.1.1577: Vim9: no generic support yet
9.1.1576: cannot easily trigger wildcard expansion
9.1.1575: tabpanel not drawn correctly with wrapped lines
9.1.1574: Dead code in mbyte.c
9.1.1573: Memory leak when pressing Ctrl-D in cmdline mode
9.1.1572: expanding $var does not escape whitespace for 'path'
9.1.1571: CmdlineChanged triggered to often
9.1.1570: Copilot suggested some improvements in cmdexpand.c
9.1.1569: tests: Vim9 tests can be improved
9.1.1568: need a few more default highlight groups
9.1.1567: crash when using inline diff mode
9.1.1566: self-referenced enum may not get freed
9.1.1565: configure: does not consider tiny version for wayland
9.1.1564: crash when opening popup to closing buffer
9.1.1563: completion: ruler may disappear
9.1.1562: close button always visible in the 'tabline'
9.1.1561: configure: wayland test can be improved
9.1.1560: configure: uses $PKG_CONFIG before it is defined
9.1.1559: tests: Test_popup_complete_info_01() fails when run alone
9.1.1558: str2blob() treats NULL string and empty string differently
9.1.1557: not possible to anchor specific lines in difff mode
9.1.1556: string handling in cmdexpand.c can be improved
9.1.1555: completion: repeated insertion of leader
9.1.1554: crash when omni-completion opens command-line window
9.1.1553: Vim9: crash when accessing a variable in if condition
9.1.1552: [security]: path traversal issue in tar.vim
9.1.1551: [security]: path traversal issue in zip.vim
9.1.1550: defaults: 'showcmd' is not enabled in non-compatible mode on Unix
9.1.1549: filetype: pkl files are not recognized
9.1.1548: filetype: OpenFGA files are not recognized
9.1.1547: Wayland: missing ifdef
9.1.1546: Vim9: error with has() and short circuit evaluation
9.1.1545: typo in os_unix.c
9.1.1544: :retab cannot be limited to indentation only
9.1.1543: Wayland: clipboard appears to not be working
9.1.1542: Coverity complains about uninitialized variable
9.1.1541: Vim9: error when last enum value ends with a comma
9.1.1540: completion: menu state wrong on interruption
9.1.1539: completion: messages don't respect 'shm' setting
9.1.1537: helptoc: still some issues when markdown code blocks
9.1.1536: tests: test_plugin_comment uses wrong :Check command
9.1.1535: the maximum search count uses hard-coded value 99
9.1.1534: unnecessary code in tabpanel.c
9.1.1533: helptoc: does not handle code sections in markdown well
9.1.1532: termdebug: not enough ways to configure breakpoints
9.1.1531: confusing error with nested legacy function
9.1.1530: Missing version change in v9.1.1529
9.1.1529: Win32: the toolbar in the GUI is old and dated
9.1.1528: completion: crash with getcompletion()
9.1.1527: Vim9: Crash with string compound assignment
9.1.1526: completion: search completion match may differ in case
9.1.1525: tests: testdir/ is a bit messy
9.1.1524: tests: too many imports in the test suite
9.1.1523: tests: test_clipmethod fails in non X11 environment
9.1.1522: tests: still some ANSI escape sequences in test output
9.1.1521: completion: pum does not reset scroll pos on reopen with 'noselect'
9.1.1520: completion: search completion doesn't handle 'smartcase' well
9.1.1519: tests: Test_termdebug_decimal_breakpoints() may fail
9.1.1518: getcompletiontype() may crash
9.1.1517: filetype: autopkgtest files are not recognized
9.1.1516: tests: no test that 'incsearch' is updated after search completion
9.1.1515: Coverity complains about potential unterminated strings
9.1.1514: Coverity complains about the use of tmpfile()
9.1.1513: resizing Vim window causes unexpected internal window width
9.1.1512: completion: can only complete from keyword characters
9.1.1511: tests: two edit tests change v:testing from 1 to 0
9.1.1510: Search completion may use invalid memory
9.1.1509: patch 9.1.1505 was not good
9.1.1508: string manipulation can be improved in cmdexpand.c
9.1.1507: symlinks are resolved on :cd commands
9.1.1506: tests: missing cleanup in Test_search_cmdline_incsearch_highlight()
9.1.1505: not possible to return completion type for :ex command
9.1.1504: filetype: numbat files are not recognized
9.1.1503: filetype: haxe files are not recognized
9.1.1502: filetype: quickbms files are not recognized
9.1.1501: filetype: flix files are not recognized
9.1.1500: if_python: typo in python error variable
9.1.1499: MS-Windows: no indication of ARM64 architecture
9.1.1498: completion: 'complete' funcs behave different to 'omnifunc'
9.1.1497: Link error with shm_open()
9.1.1496: terminal: still not highlighting empty cells correctly
9.1.1495: Wayland: uses $XDG_SEAT to determine seat
9.1.1494: runtime(tutor): no French translation for Chapter 2
9.1.1493: manually comparing positions on buffer
9.1.1492: tests: failure when Wayland compositor fails to start
9.1.1491: missing out-of-memory checks in cmdexpand.c
9.1.1490: 'wildchar' does not work in search contexts
9.1.1489: terminal: no visual highlight of empty cols with empty 'listchars'
9.1.1488: configure: using obsolete macro AC_PROG_GCC_TRADITIONAL
9.1.1487: :cl doesn't invoke :clist
9.1.1486: documentation issues with Wayland
9.1.1485: missing Wayland clipboard support
9.1.1484: tests: Turkish locale tests fails on Mac
9.1.1483: not possible to translation position in buffer
9.1.1482: scrolling with 'splitkeep' and line()
9.1.1481: gcc complains about uninitialized variable
9.1.1480: Turkish translation outdated
9.1.1479: regression when displaying localized percentage position
9.1.1478: Unused assignment in ex_uniq()
9.1.1476: no easy way to deduplicate text
9.1.1476: missing out-of-memory checks in cmdexpand.c
9.1.1475: completion: regression when "nearest" in 'completeopt'
9.1.1474: missing out-of-memory check in mark.c
9.1.1473: inconsistent range arg for :diffget/diffput
9.1.1472: if_python: PySequence_Fast_{GET_SIZE,GET_ITEM} removed
9.1.1471: completion: inconsistent ordering with CTRL-P
9.1.1470: use-after-free with popup callback on error
9.1.1469: potential buffer-underflow with invalid hl_id
9.1.1468: filetype: bright(er)script files are not recognized
9.1.1467: too many strlen() calls
9.1.1466: filetype: not all lex files are recognized
9.1.1465: tabpanel: not correctly drawn with 'equalalways'
9.1.1464: gv does not work in operator-pending mode
9.1.1463: Integer overflow in getmarklist() after linewise operation
9.1.1462: missing change from patch v9.1.1461
9.1.1461: tabpanel: tabpanel vanishes with popup menu
9.1.1460: MS-Windows: too many strlen() calls in os_win32.c
9.1.1459: xxd: coloring output is inefficient
9.1.1458: tabpanel: tabs not properly updated with 'stpl'
9.1.1457: compile warning with tabpanelopt
9.1.1456: comment plugin fails toggling if 'cms' contains \
9.1.1455: Haiku: dailog objects created with no reference
9.1.1454: tests: no test for pum at line break position
9.1.1453: tests: Test_geometry() may fail
9.1.1452: completion: redundant check for completion flags
9.1.1451: tabpanel rendering artifacts when scrolling
9.1.1450: Session has wrong arglist with :tcd and :arglocal
9.1.1449: typo in pum_display()
9.1.1448: tabpanel is not displayed correctly when msg_scrolled
9.1.1447: completion: crash when backspacing with fuzzy completion
9.1.1446: filetype: cuda-gdb config files are not recognized
9.1.1445: negative matchfuzzy scores although there is a match
9.1.1444: Unused assignment in set_fuzzy_score()
9.1.1443: potential buffer underflow in insertchar()
9.1.1442: tests: Test_diff_fold_redraw() is insufficient
9.1.1441: completion: code can be improved
9.1.1440: too many strlen() calls in os_win32.c
9.1.1439: Last diff folds not merged
9.1.1438: tests: Test_breakindent_list_split() fails
9.1.1437: MS-Windows: internal compile error in uc_list()
9.1.1436: GUI control code is displayed on the console on startup
9.1.1435: completion: various flaws in fuzzy completion
9.1.1434: MS-Windows: missing out-of-memory checks in os_win32.c
9.1.1433: Unnecessary :if when writing session
9.1.1432: GTK GUI: Buffer menu does not handle unicode correctly
9.1.1431: Hit-Enter Prompt when loading session files
9.1.1430: tabpanel may flicker in the GUI
9.1.1429: dragging outside the tabpanel changes tabpagenr
9.1.1428: completion: register completion needs cleanup
9.1.1427: rendering artifacts with the tabpanel
9.1.1426: completion: register contents not completed
9.1.1425: tabpanel: there are still some problems with the tabpanel
9.1.1424: PMenu selection broken with multi-line selection and limits
9.1.1423: :tag command not working correctly using Vim9 Script
9.1.1422: scheduling of complete function can be improved
9.1.1421: tests: need a test for the new-style tutor.tutor
9.1.1420: tests: could need some more tests for shebang lines
9.1.1419: It is difficult to ignore all but some events
9.1.1418: configures GUI auto detection favors GTK2
9.1.1417: missing info about register completion in complete_info()
9.1.1416: completion limits not respected for fuzzy completions
9.1.1415: potential use-after free when there is an error in 'tabpanel'
9.1.1414: MS-Windows: compile warnings in os_win32.c
9.1.1413: spurious CursorHold triggered in GUI on startup
9.1.1412: tests: Test_tabpanel_tabonly() fails on larger screens
9.1.1411: crash when calling non-existing function for tabpanel
9.1.1410: out-of-bounds access with 'completefunc'
9.1.1409: using f-flag in 'complete' conflicts with Neovim
9.1.1408: not easily possible to complete from register content
9.1.1407: Can't use getpos('v') in OptionSet when using setbufvar()
- xen
-
- bsc#1246112, bsc#1238896 - VUL-0: xen: More AMD transient
execution attack (XSA-471)
xsa471-01.patch
xsa471-02.patch
xsa471-03.patch
xsa471-04.patch
xsa471-05.patch
xsa471-06.patch
xsa471-07.patch
xsa471-08.patch
xsa471-09.patch
xsa471-10.patch
xsa471-11.patch
xsa471-12.patch
xsa471-13.patch
xsa471-14.patch
xsa471-15.patch
xsa471-16.patch
xsa471-17.patch
xsa471-18.patch
xsa471-19.patch
xsa471-20.patch
- bsc#1244644 - VUL-0: CVE-2025-27465: xen: x86: Incorrect stubs
exception handling for flags recovery (XSA-470)
xsa470.patch
- zypper
-
- Fixed `bash-completion`: `zypper refresh` now ignores
repository priority lines.
- Changes to support building against restructured libzypp in
stack build (bsc#1230267)
- version 1.14.94
- Fix addrepo to handle explicit --check and --no-check requests
(bsc#1246466)
- Accept "show" as alias for "info" (bsc#1245985)
- version 1.14.93
- sh: Reset solver options after command (bsc#1245496)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
- version 1.14.92
- BuildRequires: libzypp-devel >= 17.37.6.
Enhancements regarding mirror handling during repo refresh. Adapt
to libzypp API changes. (bsc#1230267)
- version 1.14.91