aardvark-dns
- Add patch for bsc#1248744:
  * 0001-serve-parse-resolv.conf-ourselves.patch
bash
- Add patch bsc1245199.patch
  * Fix histfile missing timestamp for the oldest record (bsc#1245199)
bind
- Security Fixes:
  * Address various spoofing attacks.
    [CVE-2025-40778, bsc#1252379, bind-9.16-CVE-2025-40778.patch]
  * Cache-poisoning due to weak pseudo-random number generator.
    [CVE-2025-40780, bsc#1252380, bind-9.16-CVE-2025-40780.patch]
containerd
- Update to containerd v1.7.29. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.29>
  * CVE-2024-25621 bsc#1253126
  * CVE-2025-64329 bsc#1253132
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.28. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.28>
curl
- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch
lvm2
- systemctl start lvmlockd.service times out (bsc#1233655)
  * Add a patch containing multiple picked upstream patches
    + bug-1233655_configure-add-option-disable-enable-sd-notify-and-au.patch
  * Update lvm2.spec
  - add pkgconfig(systemd) for lvmlockd build
  - enable configure option '--enable-sd-notify' for lvmlockd
docker
- Enable SELinux in default daemon.json config (--selinux-enabled). This has no
  practical impact on non-SELinux systems. bsc#1252290

- Update to Docker 28.5.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2851>
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Remove upstreamed patch:
  - 0007-Add-back-vendor.sum.patch

- Update to Docker 28.5.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2850>
- Backport <https://github.com/moby/moby/pull/51091> to re-add vendor.sum,
  fixing our builds.
  + 0007-Add-back-vendor.sum.patch
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

- Update to docker-buildx v0.29.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.29.0>

- Remove git-core recommends also on openSUSE: the below argument
  is valid for those users too.

- Remove git-core recommends on SLE. Most SLE systems have
  installRecommends=yes by default and thus end up installing git with Docker.
  bsc#1250508
  This feature is mostly intended for developers ("docker build git://") so
  most users already have the dependency installed, and the error when git is
  missing is fairly straightforward (so they can easily figure out what they
  need to install).

- Update to docker-buildx v0.28.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.28.0>
- Update to Docker 28.4.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2840>
  * Fixes a nil pointer panic in "docker push". bsc#1248373
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

- Update warnings and errors related to "docker buildx ..." so that they
  reference our openSUSE docker-buildx packages.
  + cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
  injection enabled. PED-12534 PED-8905 bsc#1247594
  As docker-buildx does not support our SUSEConnect secret injection (and some
  users depend on "docker build" working transparently), patch the docker CLI so
  that "docker build" will no longer automatically call "docker buildx build",
  effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
  manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
  to opt-in to using docker-buildx.
  Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
  explicitly.
  In order to inject SCC credentials with docker-buildx, users should use
    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
  in their Dockerfiles, and
    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
  when doing their builds.
  + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
python-kiwi
- Fix provides and obsoletes
  When upgrading kiwi on a system that still has the old
  python3-kiwi but not the new python311-kiwi installed, the upgrade
  fails because it tries to install one of the versioned sub-packages
  that exists only once from python311-kiwi and in a higher version.
  As such the install attempt becomes unresolvable. The correct
  behavior would be that the install moves from python3-kiwi to
  python311-kiwi and its dependent sub-packages. This can be done
  by correct provides and obsoletes information. bsc#1250754

- ECO: Update kiwi in SLE15
  With this patchset we update kiwi in SLE15, fixing the
  following main defects and moving to the Python 3.11 stack
- Fixed get_partition_node_name bsc#1245190
- Add new eficsm type attribute bsc#1243381
  This is related to jsc#ped-13168

- Fixed get_partition_node_name
  The function get_partition_node_name takes the disk device
  and the partition index as arguments to match against the
  respective device node for this partition index. The partition
  index is the position of the partition in the partition table
  according to their start offset. For the code to function
  properly it is required that the list of partitions provided
  by lsblk is ordered according to the start address of the
  partitions in the table. The way lsblk was called did not
  enforce this ordering. This commit enforces the order to
  be done against the start offset and fixes bsc#1245190

- Add new eficsm type attribute
  Allow producing EFI/UEFI images without hybrid CSM capabilities.
  This is a reference commit for SLES. Backport from upstream. See
  https://github.com/SUSE/kiwi_sle15/pull/22 for details.
  This fixes bsc#1243381

- Fix F824 flake check for global assignments
elfutils
- Add elfutils-fix-large-alignment.diff and elfutils-pr28190.diff
  to fix build/testsuite for more recent glibc and kernels.
- Add elfutils-fuzz-1.diff, elfutils-fuzz-2.diff,
  elfutils-fuzz-3.diff, elfutils-fuzz-4.diff [bsc#1237236,
  bsc#1237240, bsc#1237241, bsc#1237242].
- Add elfutils-fix-debuginfod-groom-race.diff to fix a testsuite
  race in run-debuginfod-find.sh.
glib2
- Add CVE fixes:
  + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch
    (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827).
  + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch,
    glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087
    glgo#GNOME/glib#3834).
  + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512
    glgo#GNOME/glib#3845).

- Add glib2-CVE-2025-7039.patch: fix computation of temporary file
  name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716).
gpg2
- Security fix: [bsc#1239119, CVE-2025-30258]
  * gpg: Lookup key for merging/inserting only by primary key.
  * gpg: Remove a signature check function wrapper.
  * gpg2: verification DoS due to a malicious subkey in the keyring
  * gpg: Fix regression for the recent malicious subkey
  * gpg: Fix another regression due to the T7547 fix.
  * gpg: Fix double free of internal data.
  * Add patches:
  - gnupg-CVE-2025-30258-Lookup-key-for-merging-inserting-only-by-primary-key.patch
  - gnupg-CVE-2025-30258-Remove-a-signature-check-function-wrapper.patch
  - gnupg-CVE-2025-30258-Fix-a-verification-DoS-due-to-a-malicious-subkey-in-the-keyring.patch
  - gnupg-CVE-2025-30258-Fix-regression-for-the-recent-malicious-subkey-DoS-fix.patch
  - gnupg-CVE-2025-30258-Fix-another-regression-due-to-the-T7547-fix.patch
  - gnupg-CVE-2025-30258-Fix-double-free-of-internal-data.patch
  * Remove unrecognized configure option: --enable-Werror
grub2
- Fix CVE-2025-54771 (bsc#1252931)
  * 0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
- Fix CVE-2025-61662 (bsc#1252933)
  * 0002-gettext-gettext-Unregister-gettext-command-on-module.patch
- Fix CVE-2025-61663 (bsc#1252934)
- Fix CVE-2025-61664 (bsc#1252935)
  * 0003-normal-main-Unregister-commands-on-module-unload.patch
  * 0004-tests-lib-functional_test-Unregister-commands-on-mod.patch
- Fix CVE-2025-61661 (bsc#1252932)
  * 0005-commands-usbtest-Use-correct-string-length-field.patch
  * 0006-commands-usbtest-Ensure-string-length-is-sufficient-.patch
- Bump upstream SBAT generation to 6
kernel-default
- nvme-multipath: fix lockdep WARN due to partition scan work
  (git-fixes bsc#1233640 CVE-2024-53093).
- commit 79c505f

- scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267).
- uio_hv_generic: Let userspace take care of interrupt mask (CVE-2025-40048 bsc#1252862).
- commit 006946d

- sctp: Fix MAC comparison to be constant-time (CVE-2025-40204
  bsc#1253436).
- commit 7866d14

- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
  (CVE-2025-40121 bsc#1253367).
- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
  (CVE-2025-40154 bsc#1253431).
- commit 39cbf10

- Fix type signedness in fbcon_set_font() (bsc#1252033)
  The backport from bsc#1252033 failed because check_mul_overflow()
  did not handle differences in type signs. Use unsigned types for
  all calculations. Input arguments are unsigned anyway.
- commit e09ed3e

- scsi: target: iscsi: Fix buffer overflow in
  lio_target_nacl_info_show() (bsc#1251786 CVE-2023-53676).
- commit 85b8224

- mm/ksm: fix flag-dropping behavior in ksm_madvise
  (CVE-2025-40040 bsc#1252780).
- commit ef78c42

- net: mana: Use page pool fragments for RX buffers instead of
  full pages to improve memory efficiency (bsc#1248754).
- commit b20aa3f

- net: mana: Switch to page pool for jumbo frames (bsc#1248754).
- commit 0ee5364

- Fixup build warning
  patches.suse/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch.
  Refresh
  patches.suse/fs-udf-fix-OOB-read-in-lengthAllocDescs-handling.patch
- commit df1ebe7

- kernel-subpackage-spec: Do not doubly-sign modules (bsc#1251930).
- commit 0f034b6

- udf: fix uninit-value use in udf_get_fileshortad (bsc#1252785
  CVE-2025-40044).
- commit 0ec48de

- fs: udf: fix OOB read in lengthAllocDescs handling (bsc#1252785 CVE-2025-40044).
- commit 2bd18d3

- pnode: terminate at peers of source (CVE-2022-50280 bsc#1249806)
- commit e4cf85f

- Update
  patches.suse/drm-amdgpu-Fix-integer-overflow-in-amdgpu_cs_pass1.patch
  (git-fixes CVE-2023-53707 bsc#1252632).
- Update
  patches.suse/ima-Fix-memory-leak-in-__ima_inode_hash.patch
  (git-fixes CVE-2022-50577 bsc#1252473).
- Update patches.suse/net-fix-skb-leak-in-__skb_tstamp_tx.patch
  (git-fixes CVE-2023-53716 bsc#1252494).
- Update
  patches.suse/nvdimm-Fix-memleak-of-pmu-attr_groups-in-unregister_-85ae.patch
  (git-fixes CVE-2023-53697 bsc#1252534).
- commit 445819a

- Update
  patches.suse/0032-blk-throttle-prevent-overflow-while-calculating-wait-time.patch
  (git-fixes CVE-2022-50580 bsc#1252542).
- Update
  patches.suse/0044-dm-thin-Fix-UAF-in-run_timer_softirq.patch
  (git-fixes CVE-2022-50563 bsc#1252480).
- Update
  patches.suse/ACPI-x86-s2idle-Catch-multiple-ACPI_TYPE_PACKAGE-obj.patch
  (git-fixes CVE-2023-53708 bsc#1252537).
- Update
  patches.suse/ASoC-audio-graph-card-fix-refcount-leak-of-cpu_ep-in.patch
  (git-fixes CVE-2022-50572 bsc#1252526).
- Update patches.suse/NFS-Fix-a-potential-data-corruption.patch
  (bsc#1211162 CVE-2023-53711 bsc#1252536).
- Update
  patches.suse/USB-gadget-Fix-the-memory-leak-in-raw_gadget-driver.patch
  (git-fixes CVE-2023-53693 bsc#1252489).
- Update
  patches.suse/arm64-csum-Fix-OoB-access-in-IP-checksum-code-for-ne.patch
  (git-fixes CVE-2023-53726 bsc#1252565).
- Update
  patches.suse/arm64-ftrace-fix-module-PLTs-with-mcount.patch
  (git-fixes CVE-2022-50579 bsc#1252521).
- Update
  patches.suse/blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch
  (bsc#1214992 CVE-2023-53730 bsc#1252495).
- Update
  patches.suse/class-fix-possible-memory-leak-in-__class_register.patch
  (git-fixes CVE-2022-50578 bsc#1252519).
- Update
  patches.suse/clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch
  (git-fixes CVE-2023-53704 bsc#1252490).
- Update
  patches.suse/clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch
  (git-fixes CVE-2022-50559 bsc#1252535).
- Update
  patches.suse/clocksource-drivers-cadence-ttc-Fix-memory-leak-in-t.patch
  (git-fixes CVE-2023-53725 bsc#1252492).
- Update
  patches.suse/drm-Fix-potential-null-ptr-deref-due-to-drmm_mode_co.patch
  (git-fixes CVE-2022-50556 bsc#1252529).
- Update
  patches.suse/drm-amdgpu-disable-sdma-ecc-irq-only-when-sdma-RAS-i.patch
  (git-fixes CVE-2023-53723 bsc#1252634).
- Update
  patches.suse/drm-meson-explicitly-remove-aggregate-driver-at-modu.patch
  (git-fixes CVE-2022-50560 bsc#1252568).
- Update patches.suse/drm-omap-dss-Fix-refcount-leak-bugs.patch
  (git-fixes CVE-2022-50574 bsc#1252516).
- Update
  patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch
  (bsc#1213098 CVE-2023-53692 bsc#1252515).
- Update
  patches.suse/fs-jfs-fix-shift-out-of-bounds-in-dbAllocAG.patch
  (git-fixes CVE-2022-50567 bsc#1252486).
- Update patches.suse/hfs-fix-OOB-Read-in-__hfs_brec_find.patch
  (git-fixes CVE-2022-50581 bsc#1252549).
- Update
  patches.suse/iio-fix-memory-leak-in-iio_device_register_eventset.patch
  (git-fixes CVE-2022-50561 bsc#1252474).
- Update
  patches.suse/md-raid1-fix-potential-OOB-in-raid1_remove_disk-8b04.patch
  (git-fixes CVE-2023-53722 bsc#1252499).
- Update
  patches.suse/media-max9286-Fix-memleak-in-max9286_v4l2_register.patch
  (git-fixes CVE-2023-53700 bsc#1252522).
- Update
  patches.suse/mfd-pcf50633-adc-Fix-potential-memleak-in-pcf50633_a.patch
  (git-fixes CVE-2023-53724 bsc#1252497).
- Update
  patches.suse/mtd-Fix-device-name-leak-when-register-device-failed.patch
  (git-fixes CVE-2022-50566 bsc#1252484).
- Update
  patches.suse/platform-chrome-fix-memory-corruption-in-ioctl.patch
  (git-fixes CVE-2022-50570 bsc#1252475).
- Update
  patches.suse/regulator-core-Prevent-integer-underflow.patch
  (git-fixes CVE-2022-50582 bsc#1252476).
- Update
  patches.suse/ring-buffer-Do-not-swap-cpu_buffer-during-resize-process.patch
  (git-fixes CVE-2023-53718 bsc#1252564).
- Update
  patches.suse/ring-buffer-Handle-race-between-rb_move_tail-and-rb_check_pages.patch
  (git-fixes CVE-2023-53709 bsc#1252532).
- Update
  patches.suse/s390-netiucv-Fix-return-type-of-netiucv_tx.patch
  (git-fixes bsc#1211692 CVE-2022-50564 bsc#1252538).
- Update
  patches.suse/scsi-qla2xxx-Fix-memory-leak-in-qla2x00_probe_one.patch
  (git-fixes CVE-2023-53696 bsc#1252513).
- Update
  patches.suse/scsi-ses-Fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
  (git-fixes CVE-2023-7324 bsc#1252893).
- Update
  patches.suse/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
  (git-fixes CVE-2023-53719 bsc#1252501).
- Update
  patches.suse/serial-pch-Fix-PCI-device-refcount-leak-in-pch_reque.patch
  (git-fixes CVE-2022-50576 bsc#1252508).
- Update
  patches.suse/tpm-acpi-Call-acpi_put_table-to-fix-memory-leak.patch
  (git-fixes CVE-2022-50562 bsc#1252528).
- Update
  patches.suse/udf-Detect-system-inodes-linked-into-directory-hiera.patch
  (bsc#1213114 CVE-2023-53695 bsc#1252539).
- Update
  patches.suse/usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch
  (git-fixes CVE-2022-50568 bsc#1252523).
- Update
  patches.suse/wifi-ath9k-Fix-potential-stack-out-of-bounds-write-i.patch
  (git-fixes CVE-2023-53717 bsc#1252560).
- Update
  patches.suse/wifi-brcmfmac-cfg80211-Pass-the-PMK-in-binary-instea.patch
  (git-fixes CVE-2023-53715 bsc#1252545).
- Update
  patches.suse/xen-privcmd-Fix-a-possible-warning-in-privcmd_ioctl_.patch
  (git-fixes CVE-2022-50575 bsc#1252509).
- Update
  patches.suse/xfrm-xfrm_alloc_spi-shouldn-t-use-0-as-SPI.patch
  (CVE-2025-39797 bsc#1249608 CVE-2025-39965 bsc#1251967).
- commit a20baaf

- cnic: Fix use-after-free bugs in cnic_delete_task
  (CVE-2025-39945 bsc#1251230).
- commit cf588ad

- fbcon: Fix OOB access in font allocation (bsc#1252033)
- commit 9b4c3c9

- fbcon: fix integer overflow in fbcon_do_set_font (bsc#1252033 CVE-2025-39967)
- commit 1b6fabe

- ipv6: Fix out-of-bounds access in ipv6_find_tlv()
  (CVE-2023-53705 bsc#1252554).
- commit 687e17e

- ipvs: Defer ip_vs_ftp unregister during netns cleanup
  (CVE-2025-40018 bsc#1252688).
- commit c7af0e8

- i40e: add max boundary check for VF filters (CVE-2025-39968
  bsc#1252047).
- i40e: add validation for ring_len param (CVE-2025-39973
  bsc#1252035).
- commit 633f8e2

- Revert "e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898"
  This reverts commit 379b618bf55370d4841c5198a0b5f351835122f9.
- commit e1cd1f0

- Revert "Refresh"
  This reverts commit 9ad8cd50b6445581168619320b0c733a628c00ff.
- commit 329ba12

- octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
  (CVE-2025-39978 bsc#1252069).
- commit 54a21ef

- ip_vti: fix potential slab-use-after-free in decode_session6
  (CVE-2023-53559 bsc#1251052).
- commit 0ec7a1a

- net: hv_netvsc: fix loss of early receive events from host during channel open (bsc#1252265).
- commit 1fd302f

- hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
  (CVE-2022-50334 bsc#1249857).
- commit 706d0a6

- Refresh
  patches.suse/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch.
  Fix the following warning:
  drivers/net/ethernet/intel/e1000e/ethtool.c: In function 'e1000_set_eeprom':
  include/linux/overflow.h:61:15: warning: comparison of distinct pointer types lacks a cast
  drivers/net/ethernet/intel/e1000e/ethtool.c:575:6: note: in expansion of macro 'check_add_overflow'
- commit 9ad8cd5

- doc/README.SUSE: Correct the character used for TAINT_NO_SUPPORT
  The character was previously 'N', but upstream used it for TAINT_TEST,
  which prompted the change of TAINT_NO_SUPPORT to 'n'. This occurred in
  commit c35dc3823d08 ("Update to 6.0-rc1") on master and in d016c04d731d
  ("Bump to 6.4 kernel (jsc#PED-4593)") for SLE15-SP6 (and onwards).
  Update the documentation to reflect this change.
- commit f42ecf5

- Bluetooth: MGMT: Fix possible UAFs (CVE-2025-39981 bsc#1252060).
- commit 41d3f36

- ip6mr: Fix skb_under_panic in ip6mr_cache_report()
  (CVE-2023-53365 bsc#1249988).
- commit fe685ad

- mm: avoid unnecessary page fault retires on shared memory types
  (bsc#1251823).
- commit fe04619

- Update patches.suse/0068-drm-amd-fix-potential-memory-leak.patch
  (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218
  jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 jsc#PED-2849
  CVE-2022-50479 bsc#1251037).
- Update
  patches.suse/0198-drm-amdgpu-Fix-memory-leak-in-hpd_rx_irq_create_work.patch
  (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218
  jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 jsc#PED-2849
  CVE-2022-50515 bsc#1251315).
- Update
  patches.suse/Bluetooth-hci_event-call-disconnect-callback-before-.patch
  (git-fixes CVE-2023-53673 bsc#1251763).
- Update
  patches.suse/RDMA-rxe-Fix-incomplete-state-save-in-rxe_requester.patch
  (git-fixes CVE-2023-53539 bsc#1251060).
- Update patches.suse/RDMA-rxe-Fix-mr-map-double-free.patch
  (git-fixes CVE-2022-50543 bsc#1251284).
- Update
  patches.suse/USB-Gadget-core-Help-prevent-panic-during-UVC-unconf.patch
  (git-fixes CVE-2023-53580 bsc#1251105).
- Update
  patches.suse/bcache-Fix-__bch_btree_node_alloc-to-make-the-failur-80fc.patch
  (git-fixes CVE-2023-53681 bsc#1251769).
- Update
  patches.suse/bonding-do-not-assume-skb-mac_header-is-set.patch
  (bsc#1214754 CVE-2023-53601 bsc#1251153).
- Update
  patches.suse/bus-mhi-host-Range-check-CHDBOFF-and-ERDBOFF.patch
  (git-fixes CVE-2023-53598 bsc#1251162).
- Update
  patches.suse/dm-integrity-call-kmem_cache_destroy-in-dm_integrity-6b79.patch
  (git-fixes CVE-2023-53604 bsc#1251210).
- Update patches.suse/drm-amdgpu-Fix-sdma-v4-sw-fini-error.patch
  (git-fixes CVE-2023-53547 bsc#1251221).
- Update
  patches.suse/drm-amdgpu-Fix-size-validation-for-non-exclusive-dom.patch
  (bsc#1206843 CVE-2022-50527 bsc#1251738).
- Update
  patches.suse/drm-msm-dp-fix-memory-corruption-with-too-many-bridg.patch
  (git-fixes CVE-2022-50526 bsc#1251301).
- Update patches.suse/drm-msm-fix-vram-leak-on-bind-errors.patch
  (git-fixes CVE-2023-53562 bsc#1251046).
- Update
  patches.suse/fprobe-Release-rethook-after-the-ftrace_ops-is-unregistered.patch
  (git-fixes CVE-2023-53557 bsc#1251054).
- Update
  patches.suse/iommu-mediatek-Check-return-value-after-calling-platform_get_res
  (git-fixes CVE-2022-50524 bsc#1251307).
- Update
  patches.suse/net-mlx5-DR-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch
  (git-fixes CVE-2023-53546 bsc#1251079).
- Update
  patches.suse/net-mlx5e-Check-for-NOT_READY-flag-state-after-locki.patch
  (git-fixes CVE-2023-53581 bsc#1251106).
- Update
  patches.suse/net-mlx5e-Fix-deadlock-in-tc-route-query-code.patch
  (jsc#PED-1549 CVE-2023-53591 bsc#1251167).
- Update
  patches.suse/net-qrtr-Fix-an-uninit-variable-access-bug-in-qrtr_t.patch
  (git-fixes CVE-2023-53578 bsc#1251174).
- commit f70c727

- Update patches.suse/0046-dm-cache-Fix-UAF-in-destroy.patch
  (git-fixes CVE-2022-50496 bsc#1251091).
- Update
  patches.suse/0048-dm-thin-Fix-ABBA-deadlock-between-shrink_slab-and-dm_pool_abort_metadata.patch
  (git-fixes CVE-2022-50549 bsc#1251550).
- Update
  patches.suse/0052-dm-thin-Use-last-transaction-s-pmd-root-when-commit-failed.patch
  (git-fixes CVE-2022-50534 bsc#1251292).
- Update
  patches.suse/0053-block-bfq-fix-possible-uaf-for-bfqq-bic.patch
  (git-fixes CVE-2022-50488 bsc#1251201).
- Update
  patches.suse/ALSA-ac97-Fix-possible-NULL-dereference-in-snd_ac97_.patch
  (git-fixes CVE-2023-53648 bsc#1251750).
- Update
  patches.suse/ALSA-usb-audio-Fix-potential-memory-leaks.patch
  (git-fixes CVE-2022-50484 bsc#1251115).
- Update
  patches.suse/ALSA-ymfpci-Fix-BUG_ON-in-probe-function.patch
  (git-fixes CVE-2023-53607 bsc#1251136).
- Update
  patches.suse/ARM-dts-exynos-Use-Exynos5420-compatible-for-the-MIP.patch
  (git-fixes CVE-2023-53542 bsc#1251154).
- Update
  patches.suse/ASoC-lpass-Fix-for-KASAN-use_after_free-out-of-bound.patch
  (git-fixes CVE-2023-53640 bsc#1251327).
- Update
  patches.suse/IB-mad-Don-t-call-to-function-that-might-sleep-while-in-atomic-context.patch
  (git-fixes CVE-2022-50472 bsc#1251101).
- Update
  patches.suse/Input-exc3000-properly-stop-timer-on-shutdown.patch
  (git-fixes CVE-2023-53651 bsc#1251753).
- Update
  patches.suse/Input-raspberrypi-ts-fix-refcount-leak-in-rpi_ts_pro.patch
  (git-fixes CVE-2023-53533 bsc#1251080).
- Update
  patches.suse/NFSD-Avoid-calling-OPDESC-with-ops-opnum-OP_ILLEGAL.patch
  (git-fixes CVE-2023-53680 bsc#1251767).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
  (bsc#1205128 CVE-2022-43945 CVE-2022-50487 bsc#1251208).
- Update
  patches.suse/RDMA-core-Make-sure-ib_port-is-valid-when-access-sys.patch
  (git-fixes CVE-2022-50475 bsc#1251104).
- Update
  patches.suse/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch
  (git-fixes CVE-2022-50497 bsc#1251223).
- Update
  patches.suse/blk-mq-fix-null-pointer-dereference-in-blk_mq_clear_.patch
  (bsc#1217366 CVE-2022-50530 bsc#1251299).
- Update
  patches.suse/cifs-fix-mid-leak-during-reconnection-after-timeout-threshold.patch
  (git-fixes CVE-2023-53597 bsc#1251159).
- Update
  patches.suse/clk-Fix-memory-leak-in-devm_clk_notifier_register.patch
  (git-fixes CVE-2023-53674 bsc#1251764).
- Update
  patches.suse/clk-imx-scu-use-_safe-list-iterator-to-avoid-a-use-a.patch
  (git-fixes CVE-2023-53572 bsc#1251027).
- Update
  patches.suse/clk-rockchip-Fix-memory-leak-in-rockchip_clk_registe.patch
  (git-fixes CVE-2022-50523 bsc#1251306).
- Update
  patches.suse/dmaengine-ti-k3-udma-Reset-UDMA_CHAN_RT-byte-counter.patch
  (git-fixes CVE-2022-50541 bsc#1251519).
- Update
  patches.suse/driver-core-fix-resource-leak-in-device_add.patch
  (git-fixes CVE-2023-53594 bsc#1251166).
- Update patches.suse/drm-amd-display-Fix-memory-leakage.patch
  (git-fixes CVE-2023-53605 bsc#1251149).
- Update
  patches.suse/drm-amd-display-Fix-potential-null-deref-in-dm_resum.patch
  (git-fixes CVE-2022-50535 bsc#1251331).
- Update patches.suse/drm-amdkfd-Fix-memory-leakage.patch
  (git-fixes CVE-2022-50528 bsc#1251303).
- Update
  patches.suse/drm-i915-Make-intel_get_crtc_new_encoder-less-oopsy.patch
  (git-fixes CVE-2023-53571 bsc#1251032).
- Update
  patches.suse/drm-i915-gvt-fix-vgpu-debugfs-clean-in-remove.patch
  (git-fixes CVE-2023-53625 bsc#1251324).
- Update
  patches.suse/drm-i915-mark-requests-for-GuC-virtual-engines-to-av.patch
  (git-fixes CVE-2023-53552 bsc#1251065).
- Update
  patches.suse/drm-mediatek-mtk_drm_crtc-Add-checks-for-devm_kcallo.patch
  (git-fixes CVE-2023-53534 bsc#1251082).
- Update
  patches.suse/drm-mipi-dsi-Detach-devices-when-removing-the-host.patch
  (git-fixes CVE-2022-50489 bsc#1251169).
- Update
  patches.suse/drm-msm-fix-use-after-free-on-probe-deferral.patch
  (git-fixes CVE-2022-50492 bsc#1251087).
- Update
  patches.suse/drm-radeon-Fix-PCI-device-refcount-leak-in-radeon_at.patch
  (git-fixes CVE-2022-50520 bsc#1251310).
- Update patches.suse/eth-alx-take-rtnl_lock-on-resume.patch
  (git-fixes CVE-2022-50498 bsc#1251092).
- Update
  patches.suse/ext4-add-EXT4_IGET_BAD-flag-to-prevent-unexpected-ba.patch
  (bsc#1207619 CVE-2022-50485 bsc#1251197).
- Update
  patches.suse/ext4-fix-memory-leaks-in-ext4_fname_-setup_filename-.patch
  (bsc#1214954 CVE-2023-53662 bsc#1251282).
- Update
  patches.suse/ext4-fix-possible-double-unlock-when-moving-a-direct.patch
  (bsc#1210763 CVE-2023-53626 bsc#1251775).
- Update
  patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_reg.patch
  (bsc#1207612 CVE-2022-50512 bsc#1251296).
- Update
  patches.suse/ext4-fix-uninititialized-value-in-ext4_evict_inode.patch
  (bsc#1206893 CVE-2022-50546 bsc#1251723).
- Update
  patches.suse/fbdev-omapfb-lcd_mipid-Fix-an-error-handling-path-in.patch
  (git-fixes CVE-2023-53650 bsc#1251283).
- Update
  patches.suse/firmware-raspberrypi-fix-possible-memory-leak-in-rpi.patch
  (git-fixes CVE-2022-50537 bsc#1251294).
- Update
  patches.suse/fs-hfsplus-remove-WARN_ON-from-hfsplus_cat_-read-write-_inode.patch
  (git-fixes CVE-2023-53683 bsc#1251329).
- Update
  patches.suse/gfs2-Fix-possible-data-races-in-gfs2_show_options.patch
  (git-fixes CVE-2023-53622 bsc#1251777).
- Update patches.suse/gpio-mvebu-fix-irq-domain-leak.patch
  (git-fixes CVE-2023-53579 bsc#1251170).
- Update
  patches.suse/gpio-sifive-Fix-refcount-leak-in-sifive_gpio_probe.patch
  (git-fixes CVE-2023-53592 bsc#1251147).
- Update
  patches.suse/hwmon-coretemp-Simplify-platform-device-handling.patch
  (git-fixes CVE-2023-53612 bsc#1251218).
- Update
  patches.suse/iavf-Fix-out-of-bounds-when-setting-channels-on-remo.patch
  (git-fixes CVE-2023-53659 bsc#1251247).
- Update patches.suse/iavf-Fix-use-after-free-in-free_netdev.patch
  (git-fixes CVE-2023-53556 bsc#1251059).
- Update
  patches.suse/iommu-amd-Fix-pci-device-refcount-leak-in-ppr_notifier
  (git-fixes CVE-2022-50505 bsc#1251086).
- Update
  patches.suse/iommu-fsl_pamu-Fix-resource-leak-in-fsl_pamu_probe
  (git-fixes CVE-2022-50525 bsc#1251302).
- Update
  patches.suse/iommu-vt-d-Clean-up-si_domain-in-the-init_dmars-error-path
  (git-fixes CVE-2022-50482 bsc#1251133).
- Update patches.suse/ipmi_si-fix-a-memleak-in-try_smi_init.patch
  (git-fixes CVE-2023-53611 bsc#1251123).
- Update
  patches.suse/jfs-fix-invalid-free-of-JFS_IP-ipimap-i_imap-in-diUnmount.patch
  (git-fixes CVE-2023-53616 bsc#1251215).
- Update
  patches.suse/lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch
  (git-fixes CVE-2022-50511 bsc#1251527).
- Update
  patches.suse/media-coda-Add-check-for-dcoda_iram_alloc.patch
  (git-fixes CVE-2022-50501 bsc#1251099).
- Update patches.suse/media-coda-Add-check-for-kmalloc.patch
  (git-fixes CVE-2022-50509 bsc#1251522).
- Update
  patches.suse/media-dvb-core-Fix-double-free-in-dvb_register_devic.patch
  (git-fixes CVE-2022-50499 bsc#1251093).
- Update
  patches.suse/media-i2c-ov772x-Fix-memleak-in-ov772x_probe.patch
  (git-fixes CVE-2023-53637 bsc#1251326).
- Update patches.suse/media-radio-shark-Add-endpoint-checks.patch
  (git-fixes CVE-2023-53644 bsc#1251736).
- Update
  patches.suse/media-si470x-Fix-use-after-free-in-si470x_int_in_cal.patch
  (git-fixes CVE-2022-50542 bsc#1251330).
- Update
  patches.suse/memory-pl353-smc-Fix-refcount-leak-bug-in-pl353_smc_.patch
  (git-fixes CVE-2022-50480 bsc#1251047).
- Update
  patches.suse/msft-hv-2831-HID-hyperv-avoid-struct-memcpy-overrun-warning.patch
  (git-fixes CVE-2023-53553 bsc#1251068).
- Update
  patches.suse/mtd-lpddr2_nvm-Fix-possible-null-ptr-deref.patch
  (git-fixes CVE-2022-50503 bsc#1251097).
- Update
  patches.suse/mtd-rawnand-brcmnand-Fix-potential-out-of-bounds-acc.patch
  (git-fixes CVE-2023-53541 bsc#1251043).
- Update
  patches.suse/net-cdc_ncm-Deal-with-too-low-values-of-dwNtbOutMaxS.patch
  (git-fixes CVE-2023-53667 bsc#1251761).
- Update
  patches.suse/net-usbnet-Fix-WARNING-in-usbnet_start_xmit-usb_subm.patch
  (git-fixes CVE-2023-53548 bsc#1251066).
- Update
  patches.suse/netfilter-nft_set_rbtree-fix-null-deref-on-element-inserti.patch
  (CVE-2023-52923 bsc#1236104 CVE-2023-53566 bsc#1251040).
- Update
  patches.suse/nilfs2-fix-potential-UAF-of-struct-nilfs_sc_info-in-.patch
  (git-fixes CVE-2023-53608 bsc#1251178).
- Update
  patches.suse/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch
  (git-fixes CVE-2022-50478 bsc#1251200).
- Update
  patches.suse/nilfs2-replace-WARN_ONs-by-nilfs_error-for-checkpoin.patch
  (git-fixes CVE-2022-50519 bsc#1251295).
- Update patches.suse/nvme-core-fix-dev_pm_qos-memleak.patch
  (git-fixes CVE-2023-53670 bsc#1251762).
- Update
  patches.suse/ocfs2-fix-defrag-path-triggering-jbd2-ASSERT.patch
  (git-fixes CVE-2023-53564 bsc#1251072).
- Update
  patches.suse/platform-x86-dell-sysman-Fix-reference-leak.patch
  (git-fixes CVE-2023-53631 bsc#1251529).
- Update
  patches.suse/platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch
  (git-fixes CVE-2022-50521 bsc#1251312).
- Update
  patches.suse/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch
  (bsc#1065729 CVE-2022-50504 bsc#1251182).
- Update patches.suse/r6040-Fix-kmemleak-in-probe-and-remove.patch
  (git-fixes CVE-2022-50545 bsc#1251285).
- Update
  patches.suse/ring-buffer-Fix-deadloop-issue-on-reading-trace_pipe.patch
  (git-fixes CVE-2023-53668 bsc#1251286).
- Update
  patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch
  (git-fixes CVE-2023-53587 bsc#1251128).
- Update
  patches.suse/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
  (git-fixes bsc#1215148 CVE-2023-53568 bsc#1251035).
- Update
  patches.suse/scsi-mpt3sas-Fix-possible-resource-leaks-in-mpt3sas_transport_port_add.patch
  (git-fixes CVE-2022-50532 bsc#1251300).
- Update
  patches.suse/scsi-qla2xxx-Avoid-fcport-pointer-dereference.patch
  (bsc#1213747 CVE-2023-53603 bsc#1251180).
- Update
  patches.suse/scsi-qla2xxx-Fix-crash-when-I-O-abort-times-out.patch
  (jsc#PED-568 CVE-2022-50493 bsc#1251088).
- Update
  patches.suse/scsi-qla2xxx-Fix-deletion-race-condition.patch
  (bsc#1213747 CVE-2023-53615 bsc#1251113).
- Update
  patches.suse/scsi-ses-Fix-possible-desc_ptr-out-of-bounds-accesses.patch
  (git-fixes CVE-2023-53675 bsc#1251325).
- Update
  patches.suse/soc-aspeed-socinfo-Add-kfree-for-kstrdup.patch
  (git-fixes CVE-2023-53617 bsc#1251268).
- Update
  patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
  (git-fixes CVE-2023-53658 bsc#1251759).
- Update
  patches.suse/spi-qup-Don-t-skip-cleanup-in-remove-s-error-path.patch
  (git-fixes CVE-2023-53567 bsc#1251034).
- Update
  patches.suse/staging-ks7010-potential-buffer-overflow-in-ks_wlan_.patch
  (git-fixes CVE-2023-53554 bsc#1251057).
- Update
  patches.suse/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
  (git-fixes CVE-2022-50513 bsc#1251730).
- Update
  patches.suse/test_firmware-fix-memory-leak-in-test_firmware_init.patch
  (git-fixes CVE-2022-50529 bsc#1251298).
- Update
  patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch
  (git-fixes CVE-2022-50494 bsc#1251173).
- Update
  patches.suse/tracing-hist-Fix-out-of-bound-write-on-action_data.var_ref_idx.patch
  (git-fixes CVE-2022-50553 bsc#1251281).
- Update
  patches.suse/tracing-histograms-Add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
  (git-fixes CVE-2023-53560 bsc#1251045).
- Update
  patches.suse/tty-serial-samsung_tty-Fix-a-memory-leak-in-s3c24xx_-832e231cff47.patch
  (git-fixes CVE-2023-53687 bsc#1251772).
- Update
  patches.suse/usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch
  (git-fixes CVE-2022-50514 bsc#1251737).
- Update
  patches.suse/usb-gadget-u_serial-Add-null-pointer-check-in-gseria.patch
  (git-fixes CVE-2023-53551 bsc#1251063).
- Update
  patches.suse/usb-host-xhci-Fix-potential-memory-leak-in-xhci_allo.patch
  (git-fixes CVE-2022-50544 bsc#1251725).
- Update
  patches.suse/wifi-ath6kl-reduce-WARN-to-dev_dbg-in-callback.patch
  (git-fixes CVE-2023-53639 bsc#1251521).
- Update
  patches.suse/wifi-ath9k-hif_usb-fix-memory-leak-of-remain_skbs.patch
  (git-fixes CVE-2023-53641 bsc#1251728).
- Update
  patches.suse/wifi-brcmfmac-Fix-potential-shift-out-of-bounds-in-b.patch
  (git-fixes CVE-2022-50551 bsc#1251322).
- Update
  patches.suse/wifi-brcmfmac-ensure-CLM-version-is-null-terminated-.patch
  (git-fixes CVE-2023-53582 bsc#1251061).
- Update
  patches.suse/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
  (git-fixes CVE-2023-53589 bsc#1251129).
- Update patches.suse/wifi-mt7601u-fix-an-integer-underflow.patch
  (git-fixes CVE-2023-53679 bsc#1251785).
- Update patches.suse/xen-gntdev-Accommodate-VMA-splitting.patch
  (git-fixes CVE-2022-50471 bsc#1251110).
- Update
  patches.suse/xhci-Remove-device-endpoints-from-bandwidth-list-whe.patch
  (git-fixes CVE-2022-50470 bsc#1251202).
- commit 043e2c3

- netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
  (CVE-2023-53619 bsc#1251743).
- commit 7ac9023

- xfrm: fix slab-use-after-free in decode_session6 (CVE-2023-53500
  bsc#1250816).
- commit a6d416d

- e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898
  bsc#1250742).
- commit 379b618

- Refresh
  patches.suse/netfilter-nf_tables-reject-duplicate-device-on-updates.patch.
  Fix warning:
  * unused-variable (nft_net) in ../net/netfilter/nf_tables_api.c in nf_tables_updchain
  ../net/netfilter/nf_tables_api.c: In function 'nf_tables_updchain':
  ../net/netfilter/nf_tables_api.c:2348:26: warning: unused variable 'nft_net' [-Wunused-variable]
- commit 2ca55c8

- fs: dlm: fix invalid derefence of sb_lvbptr (bsc#1251741
  CVE-2022-50516).
- commit 329a4e4

- Bluetooth: hci_event: call disconnect callback before deleting
  conn (CVE-2023-53673 bsc#1251763).
- commit 0293ef5

- bpf: Propagate error from htab_lock_bucket() to userspace
  (CVE-2022-50490 bsc#1251164).
- commit f2d82dc

- ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (CVE-2022-50327 bsc#1249859)
- commit 2911a91

- netfilter: nft_objref: validate objref and objrefmap expressions
  (bsc#1250237).
  No CVE available yet, please see the bugzilla ticket referenced.
- commit 4f0eb33

- xfrm: xfrm_alloc_spi shouldn't use 0 as SPI (CVE-2025-39797
  bsc#1249608).
- commit 159b5f2

- xfrm: Duplicate SPI Handling (CVE-2025-39797 bsc#1249608).
- commit be6d0eb

- wifi: rtw88: delete timer and free skb queue when unloading
  (CVE-2023-53574 bsc#1251222).
- commit cd1f46a

- rpl: Fix use-after-free in rpl_do_srh_inline() (CVE-2025-38476
  bsc#1247317).
- commit a8ae790

- KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960, CVE-2025-37885).
- commit d2a1295
kmod
- man: modprobe.d: document the config file order handling (bsc#1253741)
  * man-modprobe.d-document-the-config-file-order-handling.patch
freetype2
- package FTL.TXT and GPLv2.TXT as %license [bsc#1252148]
gnutls
- Security fix bsc#1254132 CVE-2025-9820
  * Fix buffer overflow in gnutls_pkcs11_token_init
  * Added gnutls-CVE-2025-9820.patch
pciutils
- pciutils.spec: Add a strict dependency to libpci. [bsc#1252338]
  Mixing different versions of pciutils and libpci could result in
  a segmentation fault due to incompatible ABI.

- Synchronize SLE-12 and openSUSE:Factory [jsc#PED-4587].
  The following patches are now obsolete in version 3.13.0:
  * add-decoding-of-vendor-specific-vpd-fields.patch
  * pciutils-3.1.7-fix-memory-leak-in-get_cache_name.patch
  * pciutils-3.2.0_update-dist.patch
  * pciutils-3.5.1-add-support-for-32-bit-pci-domains.patch
  * pciutils-lspci-Correct-Root-Capabilities-CRS-Software-Visibil.patch
  * show-gen4-speed-properly.patch

- Synchronize SLE-15 and openSUSE:Factory [jsc#PED-8393, bsc#1224138].
  The following patches are now obsolete in version 3.13.0:
  * lspci-Fixed-buffer-overflows-in-ls-tree.c.patch
  * pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch
  * pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch
  * pciutils-Add-decoding-of-vendor-specific-VPD-fields.patch
  * pciutils-VPD-Cleanup.patch
  * pciutils-VPD-When-printing-item-IDs-escape-non-ASCII-characte.patch

- update to 3.13.0:
  * lspci decodes CXL 1.1 device link status information.
  * Further development of the pcilmr (the link margining
    utility)
  * Dump parsing supports 6-digit domain numbers.
  * Bug fixes in PCIe link state reporting.
  * Decode more fields in PCIe AER capability.
  * Fixed build on Linux systems with musl libc.
  * Updated pci.ids.

- update to 3.12.0:
  * lspci decodes the IDE (Integrity & Data Encryption) and
    TEE-IO extended capabilities.
  * Optimization flags used for compiling individual object files
    should be the same as optimization flags for linking the final
    executable to make link-time optimization possible.
  * no longer look up subsystems in the HWDB
  * Updated pci.ids
- include changes from 3.11:
  * update-pciids now supports XZ compression
  * update-pciids now sends itself as the User-Agent.
  * Added a pcilmr utility for PCIe lane margining
  * ECAM back-end now scans ACPI and BIOS memory faster.
  * Linux systems without pread/pwrite are no longer supported
  * Improved decoding of PCIe control and status registers.
  * Decoding of CXL capabilities now supports up to CXL 3.0.
  * lspci now displays interrupt message numbers consistently across
    different capabilities.
  * Cache of IDs resolved via DNS, which was located in ~/.pci-ids
    by default, is now stored according to the XDG base directory
    specification in $XDG_CACHE_HOME/pci-ids.
  * All source files now have SPDX license identifiers.
  * various minor bug fixes and updated pci.ids.
libpng16
- security update
- added patches
  CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite
  * libpng16-CVE-2025-66293-1.patch
  * libpng16-CVE-2025-66293-2.patch

- security update
- added patches
  CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
  * libpng16-CVE-2025-64505.patch
  CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled
  * libpng16-CVE-2025-64506.patch
  CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
  * libpng16-CVE-2025-64720.patch
  CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
  * libpng16-CVE-2025-65018.patch
python3
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, using
  Content-Length by default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch to prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch to protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Skip test_curses on ppc64le (gh#python/cpython#141534)

- Add CVE-2025-8291-consistency-zip64.patch which checks
  consistency of the zip64 end of central directory record and
  prevents obfuscation of the payload, i.e., you scan for
  malicious content in a ZIP file with one ZIP parser (let's say
  a Rust one), then unpack it in production with another (e.g.,
  the Python one) and get malicious content that the other parser
  did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
  - F00251-change-user-install-location.patch
  - doc-py38-to-py36.patch
  - gh126985-mv-pyvenv.cfg2getpath.patch
libxslt
- security update
- added patches
  CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultComp function leading to denial of service
  * libxslt-CVE-2025-11731.patch

- propagate test failure into build failure
- added sources
  * libxslt-test-results.ref

- security update
- added patches
  CVE-2025-10911 [bsc#1250553], use-after-free with key data stored cross-RVT
  * libxslt-CVE-2025-10911.patch
openssh
- Add openssh-cve-2025-61984-username-validation.patch
  (bsc#1251198, CVE-2025-61984).
- Add openssh-cve-2025-61985-nul-url-encode.patch
  (bsc#1251199, CVE-2025-61985).
podman
- Add patch for CVE-2025-47913 (bsc#1253542):
  * 0012-CVE-2025-47913-ssh-agent-return-an-error-for-unexpec.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
  * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch
  * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
  * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch
  * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch

- Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376):
  * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
  * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch
  * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
  * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch

- Add patch for bsc#1252543:
  * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
  * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch
  * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
python-azure-agent
- Update to version 2.14.0.1 (bsc#1253001)
  + Drop - included upstream
    ~ agent-btrfs-use-f.patch included upstream
    ~ remove-mock.patch
  + FIPS 140-3 support
  + Block extensions disallowed by policy
  + Report ext policy errors in heartbeat
  + Implement signature validation helper functions
  + Prevent ssh public key override
  + Use proper filesystem creation flag for btrfs
  + Enable resource monitoring in cgroup v2 machines
  + Update agent cgroup cleanup
  + Add cgroupv2 distros to supported list
  + Clean old agent cgroup setup
  + Redact sas tokens in telemetry events and agent log
  + Add conf option to use hardcoded wireserver ip instead of dhcp request
    to discover wireserver ip
  + Support for python 3.12
  + Update telemetry message for agent updates and send new telemetry for
    ext resource governance
  + Disable rsm downgrade
  + Add community support for Chainguard OS
  + Swap out legacycrypt for crypt-r for Python 3.13+
  + Pin setuptools version
  + Set the agent config file path for FreeBSD
  + Handle errors importing crypt module
- From 2.13.1.1
  + Setup: Fix install_requires list syntax
  + Pickup latest goal state on tenant certificate rotation + Avoid
    infinite loop when the tenant certificate is missing
  + Fix unsupported syntax in py2.6
  + Cgroup rewrite: uses systemctl for expressing desired configuration
    instead of drop-in files
  + Remove usages of tempfile.mktemp
  + Use random time for attempting new Agent update
  + Enable logcollector in v2 machines
  + Clean history files
  + Missing firewall rules reason
  + Add support for nftables (+ refactoring of firewall code)
  + Create walinuxagent nftable atomically
salt
- Add minimum_auth_version to enforce security (CVE-2025-62349)
- Backport security fixes for vendored tornado
  * BDSA-2024-3438
  * BDSA-2024-3439
  * BDSA-2024-9026
- Junos module yaml loader fix (CVE-2025-62348)
- Added:
  * backport-3006.17-security-fixes-739.patch

- Require Python dependencies only for used Python version

- Fix TLS and x509 modules for OSes with older cryptography module
- Require python-legacy-cgi only for Python > 3.12
- Builds with py >=3.13 require python-legacy-cgi
- Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
  * Use external tornado on Python > 3.11
  * Make tls and x509 use python-cryptography
  * Remove usage of spwd
- Added:
  * fix-tls-and-x509-modules-for-older-cryptography-modu.patch
  * fix-salt-for-python-3.11.patch

- Fix payload signature verification on Tumbleweed (bsc#1251776)
- Fix broken symlink on migration to Leap 16.0 (bsc#1250755)
- Use versioned python interpreter for salt-ssh
- Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
- Add python3.11 as preferable for salt-ssh to avoid test failures
- Make test_pillar_timeout test more reliable
- Modify README and other doc files for openSUSE
- Set python-CherryPy as required for python-salt-testsuite (#115)
- Added:
  * do-not-break-signature-verification-on-latest-m2cryp.patch
  * use-versioned-python-interpreter-for-salt-ssh.patch
  * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
  * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
  * even-more-reliable-pillar-timeout-test.patch
  * modify-readme-for-opensuse-728.patch

- Revert require M2Crypto >= 0.44.0 for SUSE Family distros
- This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d.
- Improve SL Micro 6.2 detection with grains
- Fix functional.states.test_user for SLES 16 and Micro systems
- Fix the tests failing on AlmaLinux 10 and other clones
- Added:
  * improve-sl-micro-6.2-detection-with-grains.patch
  * fix-functional.states.test_user-for-sles-16-and-micr.patch
  * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
rsync
- Security update (CVE-2025-10158, bsc#1254441): rsync: Out of
  bounds array access via negative index
  - Add rsync-CVE-2025-10158.patch
runc
- Update to runc v1.3.4. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362

- Update to runc v1.3.3. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
  - 2025-11-05-CVEs.patch

[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs. All three vulnerabilities ultimately allow
  (through different methods) for full container breakouts by bypassing runc's
  restrictions for writing to arbitrary /proc files. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
  + 2025-11-05-CVEs.patch

[ This update was only released for SLE 12 and 15. ]
- Update to runc v1.2.7. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.7>.

- Update to runc v1.3.2. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
  - Includes an important fix for the CPUSet translation for cgroupv2.

- Update to runc v1.3.1. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.1>
- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.

- Update to runc v1.3.0. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.0>
vim
- Fix for bsc#1250593.
- Backported from 9.1.1683 (xxd: Avoid null dereference in autoskip colorless).

- Fix for bsc#1229750.
- nocompatible must be set before the syntax highlighting is turned on.