000release-packages:SL-Micro-release
n/a
cloud-netconfig:azure
- Update to version 1.16
  + Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223)
  + Fix variable names in the README
containerd
- Update to containerd v1.7.29. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.29>
  * CVE-2024-25621 bsc#1253126
  * CVE-2025-64329 bsc#1253132
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.28. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.28>
curl
- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch
docker
- Enable SELinux in default daemon.json config (--selinux-enabled). This has no
  practical impact on non-SELinux systems. bsc#1252290

- Update to Docker 28.5.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2851>
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Remove upstreamed patch:
  - 0007-Add-back-vendor.sum.patch

- Update to Docker 28.5.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2850>
- Backport <https://github.com/moby/moby/pull/51091> to re-add vendor.sum,
  fixing our builds.
  + 0007-Add-back-vendor.sum.patch
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

- Update to docker-buildx v0.29.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.29.0>

- Remove git-core recommends also on openSUSE: the below argument
  is valid for those users too.

- Remove git-core recommends on SLE. Most SLE systems have
  installRecommends=yes by default and thus end up installing git with Docker.
  bsc#1250508
  This feature is mostly intended for developers ("docker build git://") so
  most users already have the dependency installed, and the error when git is
  missing is fairly straightforward (so they can easily figure out what they
  need to install).
dracut
- Update to version 059+suse.607.g05002594:
  * fix(kernel-modules-extra): remove stray \ before / (bsc#1253029)
glib2
- Add glib2-CVE-2025-7039.patch: fix computation of temporary file
  name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716).
kernel-source:kernel-default
- nbd: restrict sockets to TCP and UDP (bsc#1252774
  CVE-2025-40080).
- commit a7c3e39

- kernel-subpackage-spec: Do not doubly-sign modules (bsc#1251930).
- commit 0f034b6

- Delete
  patches.kabi/KVM-x86-pmu-Allow-programming-events-that-match-unsu.patch.
  This avoids a kbuild error in check-patchrv. This patch is not needed
  anyway since 4f5efb71e1f4.
- commit 624b1b2

- vhost: vringh: Modify the return value check (CVE-2025-40051
  bsc#1252858).
- commit 80d9f20

- btrfs: fix the incorrect max_bytes value for
  find_lock_delalloc_range() (git-fixes).
- commit 91a9728

- KVM: x86: Introduce kvm_x86_call() to simplify static calls
  of kvm_x86_ops (git-fixes).
- Refresh
  patches.suse/KVM-x86-Don-t-inject-PV-async-PF-if-SEND_ALWAYS-0-an.patch.
- Refresh
  patches.suse/KVM-x86-Exit-to-userspace-if-fastpath-triggers-one-o.patch.
- Refresh patches.suse/KVM-x86-Introduce-kvm_set_mp_state.patch.
- Refresh
  patches.suse/KVM-x86-Route-non-canonical-checks-in-emulator-throu.patch.
- Refresh
  patches.suse/KVM-x86-model-canonical-checks-more-precisely.patch.
- commit 3454959

- KVM: x86: Replace static_call_cond() with static_call()
  (git-fixes).
- commit 6bb685c

- Update
  patches.suse/ACPI-x86-s2idle-Catch-multiple-ACPI_TYPE_PACKAGE-obj.patch
  (git-fixes CVE-2023-53708 bsc#1252537).
- Update
  patches.suse/ALSA-usb-audio-Fix-NULL-pointer-deference-in-try_to_.patch
  (git-fixes CVE-2025-40085 bsc#1252873).
- Update
  patches.suse/ALSA-usb-audio-fix-race-condition-to-UAF-in-snd_usbm.patch
  (git-fixes CVE-2025-39997 bsc#1252056).
- Update
  patches.suse/ASoC-qcom-audioreach-fix-potential-null-pointer-dere.patch
  (git-fixes CVE-2025-40013 bsc#1252348).
- Update patches.suse/Bluetooth-MGMT-Fix-possible-UAFs.patch
  (git-fixes CVE-2025-39981 bsc#1252060).
- Update
  patches.suse/Bluetooth-hci_event-Fix-UAF-in-hci_acl_create_conn_s.patch
  (git-fixes CVE-2025-39982 bsc#1252083).
- Update
  patches.suse/HID-amd_sfh-Fix-for-shift-out-of-bounds.patch
  (bsc#1012628 CVE-2023-53703 bsc#1252553).
- Update
  patches.suse/Input-uinput-zero-initialize-uinput_ff_upload_compat.patch
  (git-fixes CVE-2025-40035 bsc#1252866).
- Update patches.suse/NFS-Fix-a-potential-data-corruption.patch
  (git-fixes CVE-2023-53711 bsc#1252536).
- Update
  patches.suse/NFSD-Define-a-proc_layoutcommit-for-the-FlexFiles-layout-type.patch
  (git-fixes CVE-2025-40087 bsc#1252909).
- Update
  patches.suse/PCI-endpoint-pci-epf-test-Add-NULL-check-for-DMA-cha.patch
  (git-fixes CVE-2025-40032 bsc#1252841).
- Update
  patches.suse/RDMA-rxe-Fix-race-in-do_task-when-draining.patch
  (git-fixes CVE-2025-40061 bsc#1252849).
- Update
  patches.suse/Squashfs-fix-uninit-value-in-squashfs_get_parent.patch
  (git-fixes CVE-2025-40049 bsc#1252822).
- Update
  patches.suse/USB-gadget-Fix-the-memory-leak-in-raw_gadget-dr.patch
  (bsc#1012628 CVE-2023-53693 bsc#1252489).
- Update
  patches.suse/afs-Fix-potential-null-pointer-dereference-in-afs_put_server.patch
  (git-fixes CVE-2025-40010 bsc#1252332).
- Update
  patches.suse/arm64-csum-Fix-OoB-access-in-IP-checksum-code-for-ne.patch
  (git-fixes CVE-2023-53726 bsc#1252565).
- Update
  patches.suse/arm64-sme-Use-STR-P-to-clear-FFR-context-field-.patch
  (bsc#1012628 CVE-2023-53713 bsc#1252559).
- Update
  patches.suse/blk-iocost-use-spin_lock_irqsave-in-adjust_inus.patch
  (bsc#1012628 CVE-2023-53730 bsc#1252495).
- Update
  patches.suse/bus-fsl-mc-Check-return-value-of-platform_get_resour.patch
  (git-fixes CVE-2025-40029 bsc#1252772).
- Update
  patches.suse/can-etas_es58x-populate-ndo_change_mtu-to-prevent-bu.patch
  (git-fixes CVE-2025-39988 bsc#1252074).
- Update
  patches.suse/can-hi311x-populate-ndo_change_mtu-to-prevent-buffer.patch
  (git-fixes CVE-2025-39987 bsc#1252079).
- Update
  patches.suse/can-mcba_usb-populate-ndo_change_mtu-to-prevent-buff.patch
  (git-fixes CVE-2025-39985 bsc#1252082).
- Update
  patches.suse/can-peak_usb-fix-shift-out-of-bounds-issue.patch
  (git-fixes CVE-2025-40020 bsc#1252679).
- Update
  patches.suse/can-sun4i_can-populate-ndo_change_mtu-to-prevent-buf.patch
  (git-fixes CVE-2025-39986 bsc#1252078).
- Update
  patches.suse/clk-imx-clk-imx8mp-improve-error-handling-in-im.patch
  (bsc#1012628 CVE-2023-53704 bsc#1252490).
- Update
  patches.suse/clocksource-drivers-cadence-ttc-Fix-memory-leak.patch
  (bsc#1012628 CVE-2023-53725 bsc#1252492).
- Update
  patches.suse/crypto-essiv-Check-ssize-for-decryption-and-in-place.patch
  (git-fixes CVE-2025-40019 bsc#1252678).
- Update
  patches.suse/crypto-hisilicon-qm-set-NULL-to-qm-debug.qm_diff_reg.patch
  (git-fixes CVE-2025-40062 bsc#1252850).
- Update
  patches.suse/drm-amdgpu-Fix-integer-overflow-in-amdgpu_cs_p.patch
  (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070
  jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511
  jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53707
  bsc#1252632).
- Update
  patches.suse/drm-gma500-Fix-null-dereference-in-hdmi-teardown.patch
  (git-fixes CVE-2025-40011 bsc#1252336).
- Update
  patches.suse/drm-sched-Fix-potential-double-free-in-drm_sched_job.patch
  (git-fixes CVE-2025-40096 bsc#1252902).
- Update
  patches.suse/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch
  (git-fixes CVE-2025-39967 bsc#1252033).
- Update
  patches.suse/fs-udf-fix-OOB-read-in-lengthAllocDescs-handling.patch
  (git-fixes CVE-2025-40044 bsc#1252785).
- Update
  patches.suse/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
  (git-fixes CVE-2025-40088 bsc#1252904).
- Update
  patches.suse/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc_followup.patch
  (git-fixes CVE-2025-40082 bsc#1252775).
- Update
  patches.suse/iommu-vt-d-Disallow-dirty-tracking-if-incoherent-pag.patch
  (git-fixes CVE-2025-40058 bsc#1252854).
- Update
  patches.suse/md-raid1-fix-potential-OOB-in-raid1_remove_disk-8b04.patch
  (jsc#PED-7542 CVE-2023-53722 bsc#1252499).
- Update
  patches.suse/media-b2c2-Fix-use-after-free-causing-by-irq_check_w.patch
  (git-fixes CVE-2025-39996 bsc#1252065).
- Update
  patches.suse/media-i2c-tc358743-Fix-use-after-free-bugs-caused-by.patch
  (git-fixes CVE-2025-39995 bsc#1252064).
- Update
  patches.suse/media-rc-fix-races-with-imon_disconnect.patch
  (git-fixes CVE-2025-39993 bsc#1252070).
- Update
  patches.suse/media-tuner-xc5000-Fix-use-after-free-in-xc5000_rele.patch
  (git-fixes CVE-2025-39994 bsc#1252072).
- Update
  patches.suse/media-uvcvideo-Mark-invalid-entities-with-id-UVC_INV.patch
  (git-fixes CVE-2025-40016 bsc#1252346).
- Update
  patches.suse/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_ar.patch
  (git-fixes CVE-2025-40036 bsc#1252865).
- Update
  patches.suse/net-nfc-nci-Add-parameter-validation-for-packet-data.patch
  (git-fixes CVE-2025-40043 bsc#1252787).
- Update
  patches.suse/net-sched-cls_u32-Undo-tcf_bind_filter-if-u32_r.patch
  (bsc#1012628 CVE-2023-53733 bsc#1252685).
- Update
  patches.suse/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch
  (bsc#1220419 CVE-2023-53727 bsc#1252566).
- Update
  patches.suse/netlink-fix-potential-deadlock-in-netlink_set_e.patch
  (bsc#1012628 CVE-2023-53731 bsc#1252481).
- Update
  patches.suse/nvdimm-Fix-memleak-of-pmu-attr_groups-in-unregister_-85ae.patch
  (jsc#PED-5853 CVE-2023-53697 bsc#1252534).
- Update
  patches.suse/posix-timers-Ensure-timer-ID-search-loop-limit-.patch
  (bsc#1012628 CVE-2023-53728 bsc#1252668).
- Update
  patches.suse/ring-buffer-Do-not-swap-cpu_buffer-during-resi.patch
  (bsc#1012628 CVE-2023-53718 bsc#1252564).
- Update
  patches.suse/riscv-move-memblock_allow_resize-after-linear-m.patch
  (bsc#1012628 CVE-2023-53699 bsc#1252550).
- Update
  patches.suse/smb-client-fix-crypto-buffers-in-non-linear-memory.patch
  (bsc#1250491 boo#1239206 CVE-2025-40052 bsc#1252851).
- Update
  patches.suse/soc-qcom-qmi_encdec-Restrict-string-length-in-decode.patch
  (git-fixes CVE-2023-53729 bsc#1252496).
- Update
  patches.suse/tty-n_gsm-Don-t-block-input-queue-by-waiting-MSC.patch
  (git-fixes CVE-2025-40071 bsc#1252797).
- Update
  patches.suse/wifi-ath11k-fix-NULL-dereference-in-ath11k_qmi_m3_lo.patch
  (git-fixes CVE-2025-39991 bsc#1252075).
- Update
  patches.suse/wifi-ath12k-Fix-a-NULL-pointer-dereference-in-ath12k.patch
  (git-fixes CVE-2023-53721 bsc#1252561).
- Update
  patches.suse/xfrm-xfrm_alloc_spi-shouldn-t-use-0-as-SPI.patch
  (CVE-2025-39797 bsc#1249608 CVE-2025-39965 bsc#1251967).
- Update
  patches.suse/xsk-fix-refcount-underflow-in-error-path.patch
  (bsc#1012628 CVE-2023-53698 bsc#1252479).
- commit 9042362

- coresight: trbe: Return NULL pointer for allocation failures
  (CVE-2025-40060 bsc#1252848).
- commit 4543e34

- regulator: bd718x7: Fix voltages scaled by resistor divider
  (git-fixes).
- regmap: slimbus: fix bus_context pointer in regmap init calls
  (git-fixes).
- commit 20abe4b

- drm/panel: kingdisplay-kd097d04: Disable EoTp (git-fixes).
- drm/panel: sitronix-st7789v: fix sync flags for t28cp45tn89
  (git-fixes).
- drm/etnaviv: fix flush sequence logic (git-fixes).
- drm/msm/dpu: Fix pixel extension sub-sampling (git-fixes).
- drm/msm/a6xx: Fix GMU firmware parser (git-fixes).
- drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on
  Iceland (git-fixes).
- drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
  (git-fixes).
- drm/amd/pm: fix smu table id bound check issue in
  smu_cmn_update_table() (git-fixes).
- drm/mediatek: Fix device use-after-free on unbind (git-fixes).
- ASoC: fsl_sai: fix bit order for DSD format (git-fixes).
- ASoC: Intel: avs: Unprepare a stream when XRUN occurs
  (git-fixes).
- ASoC: qdsp6: q6asm: do not sleep while atomic (git-fixes).
- ALSA: usb-audio: fix control pipe direction (git-fixes).
- commit acb4ea2

- smb: client: fix potential cfid UAF in smb2_query_info_compound
  (bsc#1248886).
- commit 5e5239d

- vhost: vringh: Fix copy_to_iter return value check (CVE-2025-40056 bsc#1252826)
- commit 4efa16a

- btrfs: do not assert we found block group item when creating
  free space tree (bsc#1252918 CVE-2025-40100).
- commit 327502f

- btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation
  already running (git-fixes).
- commit f5ef369

- btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
  (git-fixes).
- commit 8cb68fe

- KVM: x86/mmu: Prevent installing hugepages when mem attributes
  are changing (git-fixes).
- commit 37d594a

- selftests/bpf: Fix a fd leak in error paths in open_netns
  (git-fixes).
- commit 51d3745

- selftests/bpf: Fix umount cgroup2 error in test_sockmap
  (git-fixes).
- commit 24ba5aa

- selftests/bpf: Use bpf_link__destroy in fill_link_info tests
  (git-fixes).
- commit 9809b14

- ACPI: video: Fix use-after-free in
  acpi_video_switch_brightness() (git-fixes).
- ACPI: button: Call input_free_device() on failing input device
  registration (git-fixes).
- fbdev: atyfb: Check if pll_ops->init_pll failed (git-fixes).
- fbdev: valkyriefb: Fix reference count leak in valkyriefb_init
  (git-fixes).
- net: phy: dp83869: fix STRAP_OPMODE bitmask (git-fixes).
- net: usb: asix_devices: Check return value of
  usbnet_get_endpoints (git-fixes).
- Bluetooth: btmtksdio: Add pmctrl handling for BT closed state
  during reset (git-fixes).
- Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
  (git-fixes).
- usbnet: Prevents free active kevent (git-fixes).
- wifi: brcmfmac: fix crash while sending Action Frames in
  standalone AP Mode (git-fixes).
- wifi: ath12k: free skb during idr cleanup callback (git-fixes).
- wifi: ath11k: Add missing platform IDs for quirk table
  (git-fixes).
- wifi: ath10k: Fix memory leak on unsupported WMI command
  (git-fixes).
- wifi: mac80211: reset FILS discovery and unsol probe resp
  intervals (git-fixes).
- commit cc1ca5e

- bpf: Explicitly check accesses to bpf_sock_addr (CVE-2025-40078
  bsc#1252789).
- commit 6edd4b3

- KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass
  producer (git-fixes).
- commit fdfcdff

- KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update()
  (git-fixes).
- commit cb2e3ab

- kdb: Replace deprecated strcpy() with memmove() in vkdb_printf()
  (bsc#1252939).
- commit 7cb788c

- Revert "KVM: VMX: Move LOAD_IA32_PERF_GLOBAL_CTRL errata
  handling out of setup_vmcs_config()" (git-fixes).
- commit 769724a

- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
  (git-fixes).
- commit 40898e0

- hfsplus: fix KMSAN uninit-value issue in
  __hfsplus_ext_cache_extent() (git-fixes).
- commit a2e4db9

- hfs: validate record offset in hfsplus_bmap_alloc (git-fixes).
- commit 693ef92

- hfsplus: return EIO when type of hidden directory mismatch in
  hfsplus_fill_super() (git-fixes).
- commit 6aec9cc

- ARM: tegra: Use I/O memcpy to write to IRAM (CVE-2025-39794 bsc#1249595)
- commit ad8d355

- ipvs: Defer ip_vs_ftp unregister during netns cleanup
  (CVE-2025-40018 bsc#1252688).
- commit d48a123

- NFSD: Fix crash in nfsd4_read_release() (git-fixes).
- commit 1a326b8

- Fix Git-commit for patches.suse/cxl-downgrade-a-warning-message-to-debug-level-in-cxl.patch.
- commit 31a5035

- bpf: Allow helper bpf_get_[ns_]current_pid_tgid() for all prog
  types (bsc#1252364).
- commit 82fd58d

- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request()
  (git-fixes).
- commit fceae30

- octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
  (CVE-2025-39978 bsc#1252069).
- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect()
  (CVE-2025-39955 bsc#1251804).
- commit 0468786

- Revert "e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898"
  This reverts commit df2ae2c1bd0dd998b7e23e3d49e90e95ada467f0.
- commit 79fa523

- i40e: add max boundary check for VF filters (CVE-2025-39968
  bsc#1252047).
- i40e: fix validation of VF state in get resources
  (CVE-2025-39969 bsc#1252044).
- i40e: fix idx validation in i40e_validate_queue_map
  (CVE-2025-39972 bsc#1252039).
- i40e: add validation for ring_len param (CVE-2025-39973
  bsc#1252035).
- ice: fix Rx page leak on multi-buffer frames (CVE-2025-39948
  bsc#1251233).
- qed: Don't collect too many protection override GRC elements
  (CVE-2025-39949 bsc#1251177).
- commit 2c4293d

- Delete
  patches.suse/cpuidle-menu-Avoid-discarding-useful-information.patch.
- commit c2e3ac6

- Delete
  patches.suse/cpuidle-governors-menu-Avoid-using-invalid-recent-intervals-data.patch.
- commit b1a47b7

- nvme/tcp: handle tls partially sent records in write_space()
  (git-fixes).
- nvme-multipath: Skip nr_active increments in RETRY disposition
  (git-fixes).
- nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
  (git-fixes).
- commit 4b35633

- ACPI: battery: Add synchronization between interface updates
  (git-fixes).
- locking/mutex: Mark devm_mutex_init() as __must_check
  (stable-fixes).
- ACPI: battery: Check for error code from devm_mutex_init()
  call (git-fixes).
- ACPI: battery: initialize mutexes through devm_ APIs
  (stable-fixes).
- accel/ivpu: Add missing MODULE_FIRMWARE metadata (git-fixes).
- locking/mutex: Introduce devm_mutex_init() (stable-fixes).
- commit 7bacc8f

- wifi: rtw89: fix use-after-free in
  rtw89_core_tx_kick_off_and_wait() (CVE-2025-40000 bsc#1252062).
- commit b7a479d

- sched/fair: set_load_weight() must also call reweight_task() (git-fixes)
- commit b185921

- misc: fastrpc: Save actual DMA size in fastrpc_map structure
  (git-fixes).
- Refresh
  patches.suse/misc-fastrpc-Skip-reference-for-DMA-handles.patch.
- commit b472422

- most: usb: hdm_probe: Fix calling put_device() before device
  initialization (git-fixes).
- most: usb: Fix use-after-free in hdm_disconnect (git-fixes).
- misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
  (git-fixes).
- serial: 8250_dw: handle reset control deassert error
  (git-fixes).
- xhci: dbc: enable back DbC in resume if it was enabled before
  suspend (git-fixes).
- spi: spi-nxp-fspi: add extra delay after dll locked (git-fixes).
- net: usb: rtl8150: Fix frame padding (git-fixes).
- HID: multitouch: fix name of Stylus input devices (git-fixes).
- HID: hid-input: only ignore 0 battery events for digitizers
  (git-fixes).
- r8169: fix packet truncation after S4 resume on
  RTL8168H/RTL8111H (git-fixes).
- rtc: interface: Ensure alarm irq is enabled when UIE is enabled
  (stable-fixes).
- rtc: interface: Fix long-standing race when setting alarm
  (stable-fixes).
- PCI: j721e: Fix programming sequence of "strap" settings
  (git-fixes).
- PCI: endpoint: pci-epf-test: Add NULL check for DMA channels
  before release (git-fixes).
- PCI/AER: Support errors introduced by PCIe r6.0 (stable-fixes).
- phy: cadence: cdns-dphy: Update calibration wait time for
  startup state machine (git-fixes).
- phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling
  (git-fixes).
- phy: cdns-dphy: Store hs_clk_rate and return it (stable-fixes).
- mtd: rawnand: fsmc: Default to autodetect buswidth
  (stable-fixes).
- wifi: mt76: mt7921u: Add VID/PID for Netgear A7500
  (stable-fixes).
- media: nxp: imx8-isi: Drop unused argument to
  mxc_isi_channel_chain() (stable-fixes).
- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config
  flag (git-fixes).
- mmc: core: SPI mode remove cmd7 (stable-fixes).
- lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and
  older (stable-fixes).
- PM: runtime: Add new devm functions (stable-fixes).
- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for
  cache_type (stable-fixes).
- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config
  max_register value (stable-fixes).
- PCI: Add PCI_VDEVICE_SUB helper macro (stable-fixes).
- PCI: endpoint: Remove surplus return statement from
  pci_epf_test_clean_dma_chan() (stable-fixes).
- PCI: j721e: Enable ACSPCIE Refclk if
  "ti,syscon-acspcie-proxy-ctrl" exists (stable-fixes).
- misc: fastrpc: Add missing dev_err newlines (stable-fixes).
- commit 9f99f4e

- firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing
  in raw mode (git-fixes).
- drm/sched: Fix potential double free in
  drm_sched_job_add_resv_dependencies (git-fixes).
- drm/rockchip: vop2: use correct destination rectangle height
  check (git-fixes).
- drm/bridge: lt9211: Drop check for last nibble of version
  register (git-fixes).
- drm/amd/powerplay: Fix CIK shutdown temperature (git-fixes).
- drm/amdgpu: use atomic functions with memory barriers for vm
  fault info (git-fixes).
- drm/i915/guc: Skip communication warning on reset in progress
  (git-fixes).
- drm/amd: Check whether secure display TA loaded successfully
  (stable-fixes).
- drm/exynos: exynos7_drm_decon: properly clear channels during
  bind (stable-fixes).
- drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference
  in functions (stable-fixes).
- commit 110d102

- can: netlink: can_changelink(): allow disabling of automatic
  restart (git-fixes).
- can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb()
  instead of can_dropped_invalid_skb() (git-fixes).
- ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit
  (git-fixes).
- ASoC: nau8821: Generalize helper to clear IRQ status
  (git-fixes).
- ASoC: nau8821: Cancel jdet_work before handling jack ejection
  (git-fixes).
- ASoC: codecs: Fix gain setting ranges for Renesas IDT821034
  codec (git-fixes).
- ALSA: usb-audio: Fix NULL pointer deference in
  try_to_register_card (git-fixes).
- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
  (git-fixes).
- accel/qaic: Treat remaining == 0 as error in
  find_and_map_user_pages() (git-fixes).
- Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1
  (stable-fixes).
- ACPI: property: Add code comments explaining what is going on
  (stable-fixes).
- ACPI: property: Disregard references in data-only subnode lists
  (stable-fixes).
- ACPICA: Allow to skip Global Lock initialization (stable-fixes).
- ACPI: battery: allocate driver data through devm_ APIs
  (stable-fixes).
- drm/msm/adreno: De-spaghettify the use of memory barriers
  (stable-fixes).
- commit e53e617

- spi: cadence-quadspi: Implement refcount to handle unbind
  during busy (CVE-2025-40005 bsc#1252349).
- commit 7406f70

- i40e: fix idx validation in config queues msg (CVE-2025-39971 bsc#1252052)
- commit 70699a8

- i40e: fix input validation logic for action_meta (CVE-2025-39970 bsc#1252051)
- commit 57401e3

- arm64, mm: avoid always making PTE dirty in pte_mkwrite() (git-fixes)
- commit 59db3fb

- arm64: errata: Apply workarounds for Neoverse-V3AE (git-fixes)
- commit da235eb

- arm64: cputype: Add Neoverse-V3AE definitions (git-fixes)
- commit 5587842

- NFSD: Minor cleanup in layoutcommit processing (git-fixes).
- commit baef4e7

- NFSD: Rework encoding and decoding of nfsd4_deviceid
  (git-fixes).
- commit 72f1d28

- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
  (git-fixes).
- commit a6f88ab

- xfs: rename the old_crc variable in xlog_recover_process
  (git-fixes).
- commit 677fb8c

- net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() (CVE-2025-39876 bsc#1250400)
- commit 137f367

- proc: fix type confusion in pde_set_flags() (bsc#1248630)
- commit c6a1bb4

- proc: fix missing pde_set_flags() for net proc files (bsc#1248630)
- commit 539da61

- proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al (CVE-2025-38653 bsc#1248630)
- commit bcff9b5

- ovl: fix file reference leak when submitting aio (stable-fixes).
- commit 57db5b5

- KVM: x86: Set PVCLOCK_GUEST_STOPPED only for kvmclock, not
  for Xen PV clock (git-fixes).
- commit 85e57cf

- KVM: x86: Don't bleed PVCLOCK_GUEST_STOPPED across PV clocks
  (git-fixes).
- commit cd63f69

- KVM: x86: Process "guest stopped request" once per guest time
  update (git-fixes).
- commit 29a55cf

- add bug reference to existing hv_netvsc change (bsc#1252265)
- commit 95261dd

- KVM: SVM: Inject #GP if memory operand for INVPCID is
  non-canonical (git-fixes).
- commit ed9dfb1

- KVM: x86: Clear pv_unhalted on all transitions to
  KVM_MP_STATE_RUNNABLE (git-fixes).
- commit f4d45de

- KVM: x86: Introduce kvm_set_mp_state() (git-fixes).
- commit 4b1f2ec

- NFS: Fix a race when updating an existing write (bsc#1249319
  bsc#1252236 CVE-2025-39697).
- commit 40cab0c

- nfs: Add missing release on error in
  nfs_lock_and_join_requests() (bsc#1249319 bsc#1252236
  CVE-2025-39697).
- commit b903556

- nfs: fold nfs_page_group_lock_subrequests into
  nfs_lock_and_join_requests (bsc#1249319 bsc#1252236
  CVE-2025-39697).
- commit 13ceff1

- nfs: fold nfs_folio_find_and_lock_request into
  nfs_lock_and_join_requests (bsc#1249319 bsc#1252236
  CVE-2025-39697).
- commit 14874ac

- nfs: simplify nfs_folio_find_and_lock_request (bsc#1249319
  bsc#1252236 CVE-2025-39697).
- commit 1b25c26

- nfs: remove nfs_folio_private_request (bsc#1249319 bsc#1252236
  CVE-2025-39697).
- commit c28ea5d

- nfs: remove dead code for the old swap over NFS implementation
  (bsc#1249319 bsc#1252236 CVE-2025-39697).
- Refresh
  patches.suse/NFS-fix-nfs_release_folio-to-not-deadlock-via-kcompa.patch.
- commit e7a5c52

- kABI fix for KVM: x86: Snapshot the host's DEBUGCTL in common
  x86 (git-fixes).
- commit 0bb2570

- overlayfs: set ctime when setting mtime and atime
  (stable-fixes).
- ovl: fix incorrect fdput() on aio completion (stable-fixes).
- ovl: Always reevaluate the file signature for IMA
  (stable-fixes).
- commit 4cfc4ed

- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (CVE-2025-39911 bsc#1250704)
- commit 627f938

- sched: Fix sched_numa_find_nth_cpu() if mask offline (CVE-2025-39895 bsc#1250721)
- commit 581de7a

- sctp: initialize more fields in sctp_v6_from_sk() (CVE-2025-39812 bsc#1250202)
- commit 56a7db3

- ipv6: sr: Fix MAC comparison to be constant-time (CVE-2025-39702 bsc#1249317)
- commit 3d85c5c

- sctp: linearize cloned gso packets in sctp_rcv (CVE-2025-38718 bsc#1249161)
- commit 0083867

- scsi: qla4xxx: Prevent a potential error pointer dereference (CVE-2025-39676 bsc#1249302)
- commit a3b8686

- net: usb: lan78xx: Add error handling to
  lan78xx_init_mac_address (git-fixes).
- commit f1ec116

- net/mlx5e: Harden uplink netdev access against device unbind
  (CVE-2025-39947 bsc#1251232).
- commit d4278a0

- KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs
  (git-fixes).
- commit 09e399f

- KVM: x86: Bypass register cache when querying CPL from
  kvm_sched_out() (git-fixes).
- commit 27a06fc

- net: usb: lan78xx: fix use of improperly initialized dev->chipid
  in lan78xx_reset (git-fixes).
- commit ad26239

- r8152: add error handling in rtl8152_driver_init (git-fixes).
- commit db73d98

- usbnet: Fix using smp_processor_id() in preemptible code
  warnings (git-fixes).
- commit b2c518b

- config.sh: Update IBS project
- commit f8ef735

- cpufreq: scmi: Account for malformed DT in
  scmi_dev_used_by_cpus() (git-fixes).
- commit 149500a

- cpuidle: governors: menu: Avoid using invalid recent intervals
  data (git-fixes).
- commit a4ef664

- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
  (git-fixes).
- commit baddd40

- selftests/bpf: Fix backtrace printing for selftests crashes
  (git-fixes).
- commit 63e24c4

- tools/resolve_btfids: Fix build when cross compiling kernel
  with clang (git-fixes).
- commit f4f0a36

- samples/bpf: Fix compilation failure for samples/bpf on
  LoongArch Fedora (git-fixes).
- commit fa036e9

- selftests/bpf: Fix cross-compiling urandom_read (git-fixes).
- commit d19eec5

- selftests/bpf: Fix compile if backtrace support missing in libc
  (git-fixes).
- commit 3353a4b

- selftests/bpf: Fix redefinition errors compiling lwt_reroute.c
  (git-fixes).
- commit b5270ce

- selftests/bpf: Fix C++ compile error from missing _Bool type
  (git-fixes).
- commit 736692a

- selftests/bpf: Fix error compiling test_lru_map.c (git-fixes).
- commit 8aa3099

- selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c
  (git-fixes).
- commit 35f5a49

- perf/core: Fix the WARN_ON_ONCE is out of lock protected region
  (git-fixes).
- perf/x86/intel: Fix crash in icl_update_topdown_event()
  (git-fixes).
- perf/x86: Fix non-sampling (counting) events on certain x86
  platforms (git-fixes).
- commit 814983a

- doc/README.SUSE: Correct the character used for TAINT_NO_SUPPORT
  The character was previously 'N', but upstream used it for TAINT_TEST,
  which prompted the change of TAINT_NO_SUPPORT to 'n'. This occurred in
  commit c35dc3823d08 ("Update to 6.0-rc1") on master and in d016c04d731d
  ("Bump to 6.4 kernel (jsc#PED-4593)") for SLE15-SP6 (and onwards).
  Update the documentation to reflect this change.
- commit f42ecf5

- ACPI: property: Do not pass NULL handles to acpi_attach_data()
  (stable-fixes git-fixes).
- commit 19fb175

- ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
  (stable-fixes).
- commit d0f4111

- cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception
  (git-fixes).
- commit 59c2171

- ACPI: x86: Move acpi_quirk_skip_serdev_enumeration() out of
  CONFIG_X86_ANDROID_TABLETS (stable-fixes).
- commit 793bb70

- cpuidle: qcom-spm: fix device and OF node leaks at probe
  (git-fixes).
- commit 39be628

- cpuidle: menu: Avoid discarding useful information
  (stable-fixes).
- commit b136410

- cpufreq: tegra186: Set target frequency for all cpus in policy
  (git-fixes).
- commit e1cfca8

- cpufreq: intel_pstate: Fix object lifecycle issue in
  update_qos_request() (stable-fixes git-fixes).
- commit 8b10f36

- cpufreq: armada-8k: Fix off by one in
  armada_8k_cpufreq_free_table() (stable-fixes git-fixes).
- commit 3e7dc0b

- cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs
  (stable-fixes).
- commit 2dde40f

- tcp_bpf: Fix copied value in tcp_bpf_sendmsg (bsc#1250650).
- skmsg: Return copied bytes in sk_msg_memcopy_from_iter
  (bsc#1250650).
- commit 5925a0e

- sched/idle: Conditionally handle tick broadcast in
  default_idle_call() (bsc#1248517).
- Update config files.
- commit 1a58311

- x86/idle: Sanitize X86_BUG_AMD_E400 handling (bsc#1248517).
- Refresh
  patches.suse/x86-tdx-Fix-arch_safe_halt-execution-for-TDX-VMs.patch.
- commit be42a2d

- perf/aux: Fix pending disable flow when the AUX ring buffer
  overruns (git-fixes).
- perf/core: Fix WARN in perf_cgroup_switch() (git-fixes).
- perf: Fix cgroup state vs ERROR (git-fixes).
- perf/core: Fix broken throttling when max_samples_per_tick=1
  (git-fixes).
- perf: Ensure bpf_perf_link path is properly serialized
  (git-fixes).
- perf/x86/intel: Only check the group flag for X86 leader
  (git-fixes).
- perf/x86/intel: Allow to update user space GPRs from PEBS
  records (git-fixes).
- perf/x86/intel/uncore: Fix the scale of IIO free running
  counters on SPR (git-fixes).
- perf/x86/intel/uncore: Fix the scale of IIO free running
  counters on ICX (git-fixes).
- perf/x86/intel/uncore: Fix the scale of IIO free running
  counters on SNR (git-fixes).
- perf/core: Fix child_total_time_enabled accounting bug at task
  exit (git-fixes).
- perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
  (git-fixes).
- perf/bpf: Robustify perf_event_free_bpf_prog() (git-fixes).
- perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint
  type (git-fixes).
- perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample
  read (git-fixes).
- perf/x86/intel: Apply static call for drain_pebs (git-fixes).
- perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt (git-fixes).
- perf/amd/ibs: Fix ->config to sample period calculation for
  OP PMU (git-fixes).
- perf/core: Fix pmus_lock vs. pmus_srcu ordering (git-fixes).
- perf/x86/intel: Use better start period for frequency mode
  (git-fixes).
- perf/core: Fix low freq setting via IOC_PERIOD (git-fixes).
- perf/x86: Fix low freqency setting issue (git-fixes).
- perf/x86/intel/ds: Unconditionally drain PEBS DS when changing
  PEBS_DATA_CFG (git-fixes).
- perf/x86/amd: Warn only on new bits set (git-fixes).
- s390: Initialize psw mask in perf_arch_fetch_caller_regs()
  (git-fixes).
- perf/core: Fix small negative period being ignored (git-fixes).
- perf: Extract a few helpers (git-fixes).
- perf/x86/intel/pt: Fix sampling synchronization (git-fixes).
- perf/x86/intel: Allow to setup LBR for counting event for BPF
  (git-fixes).
- drivers/perf: arm_spe: Use perf_allow_kernel() for permissions
  (git-fixes).
- perf/amd: Prevent grouping of IBS events (git-fixes).
- commit 76eb280

- tls: make sure to abort the stream if headers are bogus
  (CVE-2025-39946 bsc#1251114).
- commit d62deaa

- selftests/bpf: Fix error compiling tc_redirect.c with musl libc
  (git-fixes).
- commit b2a359c

- selftests/bpf: Fix errors compiling cg_storage_multi.h with
  musl libc (git-fixes).
- commit 799529b

- selftests/bpf: Fix errors compiling decap_sanity.c with musl
  libc (git-fixes).
- commit f14b275

- selftests/bpf: Fix errors compiling lwt_redirect.c with musl
  libc (git-fixes).
- commit 498999e

- selftests/bpf: Fix compiling core_reloc.c with musl-libc
  (git-fixes).
- commit eb3a7bd

- selftests/bpf: Fix compiling tcp_rtt.c with musl-libc
  (git-fixes).
- commit 109e7cc

- selftests/bpf: Fix compiling flow_dissector.c with musl-libc
  (git-fixes).
- commit 9b43d04

- selftests/bpf: Fix compiling kfree_skb.c with musl-libc
  (git-fixes).
- commit 442e8bf

- selftests/bpf: Fix compiling parse_tcp_hdr_opt.c with musl-libc
  (git-fixes).
- commit 1f65169

- selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with
  musl libc (git-fixes).
- commit 7613608

- selftests/bpf: Add test for unpinning htab with internal timer
  struct (git-fixes).
- commit 8a1df26

- bpf: Avoid RCU context warning when unpinning htab with internal
  structs (git-fixes).
- commit 73d4d2d

- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
  (git-fixes).
- commit 1a82fe5

- kabi: hide new member allow_subflows in struct mptcp_sock
  (CVE-2025-38552 bsc#1248230).
- commit f51a25e

- mptcp: plug races between subflow fail and subflow creation
  (CVE-2025-38552 bsc#1248230).
- Refresh
  patches.kabi/kabi-hide-new-member-fallback_lock-in-struct-mptcp_s.patch.
  (also delete outdated part of a comment)
- commit fdbbed8

- Update
  patches.suse/ALSA-ac97-Fix-possible-NULL-dereference-in-snd_.patch
  (bsc#1012628 CVE-2023-53648 bsc#1251750).
- Update
  patches.suse/ASoC-codecs-wcd938x-fix-missing-mbhc-init-error.patch
  (bsc#1012628 CVE-2023-53666 bsc#1251760).
- Update
  patches.suse/ASoC-qcom-q6apm-lpass-dais-Fix-NULL-pointer-derefere.patch
  (git-fixes CVE-2025-39938 bsc#1251134).
- Update
  patches.suse/Bluetooth-hci_event-call-disconnect-callback-be.patch
  (bsc#1012628 CVE-2023-53673 bsc#1251763).
- Update
  patches.suse/HID-hyperv-avoid-struct-memcpy-overrun-warning.patch
  (bsc#1012628 CVE-2023-53553 bsc#1251068).
- Update
  patches.suse/KVM-nSVM-Check-instead-of-asserting-on-nested-TSC-sc.patch
  (git-fixes CVE-2023-53663 bsc#1251290).
- Update
  patches.suse/RDMA-rxe-Fix-incomplete-state-save-in-rxe_requester.patch
  (git-fixes CVE-2023-53539 bsc#1251060).
- Update
  patches.suse/USB-Gadget-core-Help-prevent-panic-during-UVC-.patch
  (bsc#1012628 CVE-2023-53580 bsc#1251105).
- Update
  patches.suse/accel-qaic-Fix-a-leak-in-map_user_pages.patch
  (bsc#1012628 CVE-2023-53633 bsc#1251746).
- Update
  patches.suse/bcache-Fix-__bch_btree_node_alloc-to-make-the-f.patch
  (bsc#1012628 CVE-2023-53681 bsc#1251769).
- Update
  patches.suse/bonding-do-not-assume-skb-mac_header-is-set.patch
  (bsc#1012628 CVE-2023-53601 bsc#1251153).
- Update
  patches.suse/bpf-Make-bpf_refcount_acquire-fallible-for-non-.patch
  (bsc#1012628 CVE-2023-53645 bsc#1251321).
- Update
  patches.suse/bpf-cpumap-Handle-skb-as-well-when-clean-up-pt.patch
  (bsc#1012628 CVE-2023-53660 bsc#1251721).
- Update
  patches.suse/bpf-cpumap-Make-sure-kthread-is-running-before.patch
  (bsc#1012628 CVE-2023-53577 bsc#1251028).
- Update
  patches.suse/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch
  (jsc#PED-6811 CVE-2023-53585 bsc#1251126).
- Update
  patches.suse/btrfs-insert-tree-mod-log-move-in-push_node_lef.patch
  (bsc#1012628 CVE-2023-53538 bsc#1251024).
- Update
  patches.suse/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch
  (git-fixes CVE-2023-53672 bsc#1251780).
- Update
  patches.suse/btrfs-reject-invalid-reloc-tree-root-keys-with.patch
  (bsc#1012628 CVE-2023-53618 bsc#1251748).
- Update
  patches.suse/cifs-Release-folio-lock-on-fscache-read-hit.patch
  (bsc#1012628 CVE-2023-53593 bsc#1251132).
- Update
  patches.suse/cifs-fix-mid-leak-during-reconnection-after-tim.patch
  (bsc#1012628 CVE-2023-53597 bsc#1251159).
- Update
  patches.suse/clk-Fix-memory-leak-in-devm_clk_notifier_regist.patch
  (bsc#1012628 CVE-2023-53674 bsc#1251764).
- Update
  patches.suse/clk-imx-scu-use-_safe-list-iterator-to-avoid-a-.patch
  (bsc#1012628 CVE-2023-53572 bsc#1251027).
- Update
  patches.suse/cpufreq-amd-pstate-fix-global-sysfs-attribute-.patch
  (bsc#1012628 CVE-2023-53550 bsc#1251071).
- Update
  patches.suse/cpufreq-amd-pstate-ut-Fix-kernel-panic-when-loading-.patch
  (git-fixes CVE-2023-53563 bsc#1251038).
- Update
  patches.suse/crypto-af_alg-Fix-missing-initialisation-affecting-g.patch
  (bsc#1216396 CVE-2023-53599 bsc#1251150).
- Update
  patches.suse/crypto-af_alg-Set-merge-to-zero-early-in-af_alg_send.patch
  (git-fixes CVE-2025-39931 bsc#1251100).
- Update
  patches.suse/dax-Fix-dax_mapping_release-use-after-free.patch
  (bsc#1012628 CVE-2023-53613 bsc#1251119).
- Update
  patches.suse/drivers-base-Free-devm-resources-when-unregistering-.patch
  (jsc#PED-6054 CVE-2023-53596 bsc#1251161).
- Update
  patches.suse/drivers-perf-hisi-Don-t-migrate-perf-to-the-CPU.patch
  (bsc#1012628 CVE-2023-53656 bsc#1251758).
- Update
  patches.suse/drm-amdgpu-unmap-and-remove-csa_va-properly.patch
  (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070
  jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511
  jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53545
  bsc#1251084).
- Update
  patches.suse/drm-bridge-anx7625-Fix-NULL-pointer-dereference-with.patch
  (git-fixes CVE-2025-39934 bsc#1251146).
- Update
  patches.suse/drm-i915-mark-requests-for-GuC-virtual-engines-to-av.patch
  (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070
  jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511
  jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53552
  bsc#1251065).
- Update
  patches.suse/drm-i915-perf-add-sentinel-to-xehp_oa_b_counter.patch
  (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070
  jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511
  jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53646
  bsc#1251742).
- Update
  patches.suse/ext4-fix-memory-leaks-in-ext4_fname_-setup_filename-.patch
  (bsc#1214954 CVE-2023-53662 bsc#1251282).
- Update
  patches.suse/fbdev-omapfb-lcd_mipid-Fix-an-error-handling-pa.patch
  (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070
  jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511
  jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53650
  bsc#1251283).
- Update
  patches.suse/fprobe-Release-rethook-after-the-ftrace_ops-is-.patch
  (bsc#1012628 CVE-2023-53557 bsc#1251054).
- Update
  patches.suse/gfs2-Fix-possible-data-races-in-gfs2_show_opti.patch
  (bsc#1012628 CVE-2023-53622 bsc#1251777).
- Update patches.suse/gpio-mvebu-fix-irq-domain-leak.patch
  (bsc#1012628 CVE-2023-53579 bsc#1251170).
- Update
  patches.suse/iavf-Fix-out-of-bounds-when-setting-channels-on.patch
  (bsc#1012628 CVE-2023-53659 bsc#1251247).
- Update patches.suse/iavf-Fix-use-after-free-in-free_netdev.patch
  (bsc#1012628 CVE-2023-53556 bsc#1251059).
- Update
  patches.suse/ice-Don-t-tx-before-switchdev-is-fully-configured.patch
  (jsc#PED-4876 CVE-2023-53657 bsc#1251319).
- Update
  patches.suse/ip_vti-fix-potential-slab-use-after-free-in-de.patch
  (bsc#1012628 CVE-2023-53559 bsc#1251052).
- Update patches.suse/ipmi_si-fix-a-memleak-in-try_smi_init.patch
  (git-fixes CVE-2023-53611 bsc#1251123).
- Update
  patches.suse/jfs-fix-invalid-free-of-JFS_IP-ipimap-i_imap-in-diUnmount.patch
  (git-fixes CVE-2023-53616 bsc#1251215).
- Update
  patches.suse/md-don-t-dereference-mddev-after-export_rdev-7dea.patch
  (jsc#PED-7542 CVE-2023-53665 bsc#1251270).
- Update
  patches.suse/media-amphion-fix-REVERSE_INULL-issues-reported-by-c.patch
  (git-fixes CVE-2023-53653 bsc#1251755).
- Update
  patches.suse/memcontrol-ensure-memcg-acquired-by-id-is-properly-s.patch
  (git-fixes CVE-2023-53621 bsc#1251323).
- Update
  patches.suse/mm-damon-core-initialize-damo_filter-list-from.patch
  (bsc#1012628 CVE-2023-53555 bsc#1251056).
- Update
  patches.suse/msft-hv-2870-Drivers-hv-vmbus-Don-t-dereference-ACPI-root-object-.patch
  (git-fixes CVE-2023-53647 bsc#1251732).
- Update
  patches.suse/mtd-rawnand-brcmnand-Fix-potential-out-of-bounds-acc.patch
  (git-fixes CVE-2023-53541 bsc#1251043).
- Update
  patches.suse/net-handshake-fix-null-ptr-deref-in-handshake_nl_don.patch
  (bsc#1220419 CVE-2023-53686 bsc#1251771).
- Update
  patches.suse/net-mlx5-DR-fix-memory-leak-in-mlx5dr_cmd_crea.patch
  (bsc#1012628 CVE-2023-53546 bsc#1251079).
- Update
  patches.suse/net-mlx5e-Check-for-NOT_READY-flag-state-after-.patch
  (bsc#1012628 CVE-2023-53581 bsc#1251106).
- Update
  patches.suse/net-mlx5e-Take-RTNL-lock-when-needed-before-ca.patch
  (bsc#1012628 CVE-2023-53632 bsc#1251269).
- Update
  patches.suse/net-rfkill-gpio-Fix-crash-due-to-dereferencering-uni.patch
  (git-fixes CVE-2025-39937 bsc#1251143).
- Update
  patches.suse/net-usbnet-Fix-WARNING-in-usbnet_start_xmit-us.patch
  (bsc#1012628 CVE-2023-53548 bsc#1251066).
- Update
  patches.suse/netfilter-conntrack-Avoid-nf_ct_helper_hash-use.patch
  (bsc#1012628 CVE-2023-53619 bsc#1251743).
- Update patches.suse/nvme-core-fix-dev_pm_qos-memleak.patch
  (bsc#1012628 CVE-2023-53670 bsc#1251762).
- Update
  patches.suse/octeon_ep-cancel-queued-works-in-probe-error-p.patch
  (bsc#1012628 CVE-2023-53638 bsc#1251328).
- Update
  patches.suse/octeontx2-af-Add-validation-before-accessing-cg.patch
  (bsc#1012628 CVE-2023-53654 bsc#1251756).
- Update
  patches.suse/perf-RISC-V-Remove-PERF_HES_STOPPED-flag-checki.patch
  (bsc#1012628 CVE-2023-53583 bsc#1251108).
- Update
  patches.suse/perf-trace-Really-free-the-evsel-priv-area.patch
  (perf-v6.7 (jsc#PED-6012 jsc#PED-6121) CVE-2023-53649
  bsc#1251749).
- Update
  patches.suse/platform-x86-dell-sysman-Fix-reference-leak.patch
  (git-fixes CVE-2023-53631 bsc#1251529).
- Update
  patches.suse/rcu-tasks-Avoid-pr_info-with-spin-lock-in-cblis.patch
  (bsc#1012628 CVE-2023-53558 bsc#1251081).
- Update
  patches.suse/ring-buffer-Fix-deadloop-issue-on-reading-trace.patch
  (bsc#1012628 CVE-2023-53668 bsc#1251286).
- Update
  patches.suse/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
  (git-fixes bsc#1215143 CVE-2023-53568 bsc#1251035).
- Update
  patches.suse/scsi-qla2xxx-Avoid-fcport-pointer-dereference.patch
  (bsc#1012628 CVE-2023-53603 bsc#1251180).
- Update
  patches.suse/scsi-qla2xxx-Fix-deletion-race-condition.patch
  (git-fixes CVE-2023-53615 bsc#1251113).
- Update
  patches.suse/soc-aspeed-socinfo-Add-kfree-for-kstrdup.patch
  (bsc#1012628 CVE-2023-53617 bsc#1251268).
- Update
  patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-n.patch
  (bsc#1012628 CVE-2023-53658 bsc#1251759).
- Update
  patches.suse/staging-ks7010-potential-buffer-overflow-in-ks_.patch
  (bsc#1012628 CVE-2023-53554 bsc#1251057).
- Update
  patches.suse/tracing-histograms-Add-histograms-to-hist_vars-.patch
  (bsc#1012628 CVE-2023-53560 bsc#1251045).
- Update
  patches.suse/tty-serial-samsung_tty-Fix-a-memory-leak-in-s3c-832e231.patch
  (bsc#1012628 CVE-2023-53687 bsc#1251772).
- Update
  patches.suse/tunnels-fix-kasan-splat-when-generating-ipv4-p.patch
  (bsc#1012628 CVE-2023-53600 bsc#1251152).
- Update
  patches.suse/vdpa-Add-features-attr-to-vdpa_nl_policy-for-n.patch
  (bsc#1012628 CVE-2023-53652 bsc#1251754).
- Update
  patches.suse/vdpa-Add-max-vqp-attr-to-vdpa_nl_policy-for-nl.patch
  (bsc#1012628 CVE-2023-53543 bsc#1251083).
- Update
  patches.suse/wifi-ath11k-fix-memory-leak-in-WMI-firmware-sta.patch
  (bsc#1012628 CVE-2023-53602 bsc#1251076).
- Update
  patches.suse/wifi-cfg80211-reject-auth-assoc-to-AP-with-our-addre.patch
  (git-fixes CVE-2023-53540 bsc#1251053).
- Update
  patches.suse/wifi-iwlwifi-mvm-fix-potential-array-out-of-bou.patch
  (bsc#1012628 CVE-2023-53575 bsc#1251067).
- Update
  patches.suse/wifi-mac80211-check-for-station-first-in-client-prob.patch
  (git-fixes CVE-2023-53588 bsc#1251206).
- Update
  patches.suse/wifi-mac80211-increase-scan_ies_len-for-S1G.patch
  (stable-fixes CVE-2025-39957 bsc#1251810).
- Update
  patches.suse/wifi-nl80211-fix-integer-overflow-in-nl80211_p.patch
  (bsc#1012628 CVE-2023-53570 bsc#1251031).
- Update
  patches.suse/wifi-rtw88-delete-timer-and-free-skb-queue-when-unlo.patch
  (git-fixes CVE-2023-53574 bsc#1251222).
- Update
  patches.suse/wifi-wilc1000-avoid-buffer-overflow-in-WID-string-co.patch
  (stable-fixes CVE-2025-39952 bsc#1251216).
- commit 56ea93d

- iommu/vt-d: Disallow dirty tracking if incoherent page walk
  (git-fixes).
- iommu/vt-d: PRS isn't usable if PDS isn't supported (git-fixes).
- commit 9da1184

- mm/page_alloc: fix race condition in unaccepted memory handling
  (CVE-2025-38008 bsc#1244939).
- commit b445cb1

- mm/slub: avoid accessing metadata when pointer is invalid in
  object_err() (CVE-2025-39902 bsc#1250702).
- commit 46c39b3

- NFSD: Define a proc_layoutcommit for the FlexFiles layout type
  (git-fixes).
- commit b115f79

- tracing: Fix filter string testing (git-fixes).
- commit 864d37b

- selftests/tracing: Fix event filter test to retry up to 10 times
  (git-fixes).
- commit a9de969

- tracing/selftests: Fix kprobe event name test for
  .isra. functions (git-fixes).
- commit 6a094d4

- bpf: Check link_create.flags parameter for multi_kprobe
  (git-fixes).
- commit 0e75825

- bpf: Check link_create.flags parameter for multi_uprobe
  (git-fixes).
- commit 10550c7

- ftrace: fix incorrect hash size in register_ftrace_direct()
  (git-fixes).
- commit 9288055

- bpf: Use preempt_count() directly in bpf_send_signal_common()
  (git-fixes).
- commit 9258f2a

- tracing: Correct the refcount if the hist/hist_debug file
  fails to open (git-fixes).
- commit 6e8ac35

- module: Prevent silent truncation of module name in
  delete_module(2) (git-fixes).
- commit 44dc7b7

- tracing: Add down_write(trace_event_sem) when adding trace event
  (bsc#1248211 CVE-2025-38539).
- commit b1816b0

- tracing: Limit access to parser->buffer when trace_get_user
  failed (bsc#1249286 CVE-2025-39683).
- tracing: Remove unneeded goto out logic (bsc#1249286).
- commit 8eaad3a

- ftrace: Also allocate and copy hash for reading of filter files
  (bsc#1250032 CVE-2025-39813).
- commit 69f706b

- media: i2c: tc358743: Fix use-after-free bugs caused by orphan
  timer in probe (git-fixes).
- commit 4cb2ef2

- media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
  (git-fixes).
- commit eb03975

- ftrace: Fix potential warning in trace_printk_seq during
  ftrace_dump (bsc#1250032 CVE-2025-39813).
- commit 287d6f8

- net: sysfs: Fix /sys/class/net/<iface> path (git-fixes).
- commit 753f6d8

- trace/fgraph: Fix the warning caused by missing unregister
  notifier (bsc#1248211 CVE-2025-38539).
- commit 739d6c6

- i2c: ocores: use devm_ managed clks (git-fixes).
- commit bc09888

- USB: serial: option: add SIMCom 8230C compositions (git-fixes).
- commit fbae6a0

- usb: phy: twl6030: Fix incorrect type for ret (git-fixes).
- commit 2464609

- net: mana: Use page pool fragments for RX buffers instead of
  full pages to improve memory efficiency (bsc#1248754).
- cnic: Fix use-after-free bugs in cnic_delete_task
  (CVE-2025-39945 bsc#1251230).
- commit 8a42c4d

- selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len (git-fixes).
- commit 8628058

- powerpc/powernv/pci: Fix underflow and leak issue (bsc#1215199).
- powerpc/pseries/msi: Fix potential underflow and leak issue
  (bsc#1215199).
- powerpc/kvm: Fix ifdef to remove build warning (bsc#1215199).
- KVM: PPC: Fix misleading interrupts comment in
  kvmppc_prepare_to_enter() (bsc#1215199).
- powerpc: floppy: Add missing checks after DMA map (bsc#1215199).
- powerpc/boot: Fix build with gcc 15 (bsc#1215199).
- commit c79aae4

- crypto: rng - Ensure set_ent is always present (git-fixes).
- USB: serial: option: add SIMCom 8230C compositions
  (stable-fixes).
- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188
  (stable-fixes).
- media: tuner: xc5000: Fix use-after-free in xc5000_release
  (git-fixes).
- driver core/PM: Set power.no_callbacks along with power.no_pm
  (stable-fixes).
- platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious
  8042 quirks list (stable-fixes).
- can: rcar_canfd: Fix controller mode setting (stable-fixes).
- can: hi311x: fix null pointer dereference when resuming from
  sleep before interface was enabled (stable-fixes).
- ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue
  (stable-fixes).
- ASoC: amd: acp: Adjust pdm gain value (stable-fixes).
- platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042
  list (stable-fixes).
- hid: fix I2C read buffer overflow in raw_event() for mcp2221
  (stable-fixes).
- media: tunner: xc5000: Refactor firmware load (stable-fixes).
- commit 6771085

- rtc: optee: fix memory leak on driver removal (git-fixes).
- rtc: x1205: Fix Xicor X1205 vendor prefix (git-fixes).
- commit 3f4b7b9

- drm/amd/display: Disable scaling on DCE6 for now (git-fixes).
- drm/amd/display: Properly disable scaling on DCE6 (git-fixes).
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
  (git-fixes).
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
  (git-fixes).
- drm/amdgpu: Add additional DCE6 SCL registers (git-fixes).
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep
  (git-fixes).
- drm/vmwgfx: Fix copy-paste typo in validation (git-fixes).
- drm/vmwgfx: Fix Use-after-free in validation (git-fixes).
- drm/vmwgfx: Fix a null-ptr access in the cursor snooper
  (git-fixes).
- ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer
  size (git-fixes).
- ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines
  tear down (git-fixes).
- fbdev: Fix logic error in "offb" name match (git-fixes).
- gpio: wcd934x: mark the GPIO controller as sleeping (git-fixes).
- crypto: essiv - Check ssize for decryption and in-place
  encryption (git-fixes).
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
  (git-fixes).
- commit a90f502

- scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory
  is allocated (CVE-2025-38700 bsc#1249182).
- scsi: bfa: Double-free fix (CVE-2025-38699 bsc#1249224).
- commit d981d82

- Update
  patches.suse/scsi-lpfc-Fix-buffer-free-clear-order-in-deferred-re.patch
  (bsc#1250519 CVE-2025-39841 bsc#1250274).
  added CVE number and associated bsc
- commit 11a7724

- KVM: x86: Snapshot the host's DEBUGCTL in common x86
  (git-fixes).
- commit 090e1cd

- KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the
  STI shadow (git-fixes).
- Refresh
  patches.suse/x86-bugs-Add-a-Transient-Scheduler-Attacks-mitigation.patch.
- commit ab98159

- KVM: SEV: Validate XCR0 provided by guest in GHCB (git-fixes).
- commit 3926356

- KVM: SVM: Pass through GHCB MSR if and only if VM is an SEV-ES
  guest (git-fixes).
- commit 1163dde

- KVM: SEV: Read save fields from GHCB exactly once (git-fixes).
- commit 0fe255d

- KVM: SEV: Rename kvm_ghcb_get_sw_exit_code() to
  kvm_get_cached_sw_exit_code() (git-fixes).
- commit 16f8d6e

- net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL
  deadlock (git-fixes).
- commit 4ae0d43

- fs: writeback: fix use-after-free in __mark_inode_dirty()
  (bsc#1250455 CVE-2025-39866).
- commit 5efc627

- kernfs: Fix UAF in polling when open file is released
  (bsc#1250379 CVE-2025-39881).
- commit 278aed0

- fs: Prevent file descriptor table allocations exceeding INT_MAX
  (bsc#1249512 CVE-2025-39756).
- commit eec00db

- ext4: avoid potential buffer over-read in
  parse_apply_sb_mount_options() (git-fixes).
- commit b98ec86

- ext4: fix checks for orphan inodes (bsc#1250119).
- commit 63ca2b0

- ext4: fix hole length calculation overflow in non-extent inodes
  (git-fixes).
- commit 61cf4bb

- ext4: don't try to clear the orphan_present feature block
  device is r/o (git-fixes).
- commit f4163bf

- ext4: fix reserved gdt blocks handling in fsmap (git-fixes).
- commit 97b5bdf

- ext4: fix fsmap end of range reporting with bigalloc
  (git-fixes).
- commit 91e12c8

- ext4: check fast symlink for ea_inode correctly (git-fixes).
- commit 42b6930

- ext4: preserve SB_I_VERSION on remount (git-fixes).
- commit 4260078

- ext4: fix largest free orders lists corruption on
  mb_optimize_scan switch (git-fixes).
- commit 17d92cc

- ext4: fix zombie groups in average fragment size lists
  (git-fixes).
- commit 321e541

- ext4: ensure i_size is smaller than maxbytes (git-fixes).
- commit 83487b1

- ext4: factor out ext4_get_maxbytes() (git-fixes).
- commit e58bd69

- netfilter: nft_objref: validate objref and objrefmap expressions
  (bsc#1250237).
  No CVE available yet, please see the bugzilla ticket referenced.
- commit 71d77ae

- ext4: fix calculation of credits for extent tree modification
  (git-fixes).
- commit 9ee5795

- ext4: reorder capability check last (git-fixes).
- commit ed8a5ff

- jbd2: do not try to recover wiped journal (git-fixes).
- commit 71d37b6

- ext4: do not convert the unwritten extents if data writeback
  fails (git-fixes).
- commit 9294482

- iomap: handle a post-direct I/O invalidate race in
  iomap_write_delalloc_release (git-fixes).
- commit 1023af1

- iomap: Fix iomap_adjust_read_range for plen calculation
  (git-fixes).
- commit dab9a8e

- fs: udf: fix OOB read in lengthAllocDescs handling (git-fixes).
- commit ab7fa65

- udf: Verify partition map count (git-fixes).
- commit acb53b7

- udf: Make sure i_lenExtents is uptodate on inode eviction
  (git-fixes).
- commit 1f76b28

- isofs: Verify inode mode when loading from disk (git-fixes).
- commit 96bc3c7

- mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox
  cleanup loop (git-fixes).
- mailbox: zynqmp-ipi: Remove dev.parent check in
  zynqmp_ipi_free_mboxes (git-fixes).
- mailbox: zynqmp-ipi: Remove redundant
  mbox_controller_unregister() call (git-fixes).
- Input: uinput - zero-initialize uinput_ff_upload_compat to
  avoid info leak (git-fixes).
- commit c2e0f2f

- arm64: mte: Do not flag the zero page as PG_mte_tagged (git-fixes).
- commit cf556af

- KVM: x86: Don't inject PV async #PF if SEND_ALWAYS=0 and guest
  state is protected (git-fixes).
- commit fa670d1

- misc: fastrpc: Skip reference for DMA handles (git-fixes).
- misc: fastrpc: fix possible map leak in fastrpc_put_args
  (git-fixes).
- misc: fastrpc: Fix fastrpc_map_lookup operation (git-fixes).
- staging: axis-fifo: flush RX FIFO on read errors (git-fixes).
- staging: axis-fifo: fix TX handling on copy_from_user() failure
  (git-fixes).
- staging: axis-fifo: fix maximum TX packet length check
  (git-fixes).
- clk: at91: peripheral: fix return value (git-fixes).
- clk: mediatek: clk-mux: Do not pass flags to
  clk_mux_determine_rate_flags() (git-fixes).
- clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m
  (git-fixes).
- clk: tegra: do not overallocate memory for bpmp clocks
  (git-fixes).
- commit ecaf254

- smb: client: fix crypto buffers in non-linear memory
  (bsc#1250491, boo#1239206).
- commit b5fc334

- usb: xhci: Limit Stop Endpoint retries (git-fixes).
  kABI fixup for 474538b8dd1cd9c666e56cfe8ef60fbb0fb513f4
- commit 6d76064

- kABI workaround for struct atmdev_ops extension (CVE-2025-39828
  bsc#1250205).
- commit ece3f96

- Refresh
  patches.suse/Bluetooth-L2CAP-Fix-not-checking-l2cap_chan-security.patch.
- commit 85c9004

- Refresh
  patches.suse/Bluetooth-hci_core-Fix-calling-mgmt_device_connected.patch.
- commit 9720dbb

- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
  (git-fixes).
- commit c2be588

- NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
  (git-fixes).
- commit 7b5a68a

- sunrpc: fix null pointer dereference on zero-length checksum
  (git-fixes).
- commit c4c654a

- atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control()
  (CVE-2025-39828 bsc#1250205).
- commit a2ac627

- e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898
  bsc#1250742).
- vxlan: Fix NPD when refreshing an FDB entry with a nexthop
  object (CVE-2025-39851 bsc#1250296).
- commit df2ae2c
kmod
- man: modprobe.d: document the config file order handling (bsc#1253741)
  * man-modprobe.d-document-the-config-file-order-handling.patch
curl:mini
- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch
mozilla-nss
- Add bmo1990242.patch to move NSS DB password hash away from SHA-1

- update to NSS 3.112.2
  * bmo#1970079 - Prevent leaks during pkcs12 decoding.
  * bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates
- Adding patch bmo1980465.patch to fix bug on s390x (bmo#1980465)
- Adding patch bmo1956754.patch to fix possible undefined behaviour (bmo#1956754)

- update to NSS 3.112.1
  * bmo#1982742 - restore support for finding certificates by decoded serial number.

- update to NSS 3.112
  * bmo#1963792 - Fix alias for mac workers on try
  * bmo#1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
  * bmo#1931930 - ABI/API break in ssl certificate processing
  * bmo#1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template
  * bmo#1965754 - update taskgraph to v14.2.1
  * bmo#1964358 - Workflow for automation of the release on GitHub when pushing a tag
  * bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
  * bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer
  * bmo#1951396 - update taskgraph to v14.1.1
  * bmo#1962503 - Partial fix for ACVP build CI job
  * bmo#1961827 - Initialize find in sftk_searchDatabase
  * bmo#1963121 - Add clang-18 to extra builds
  * bmo#1963044 - Fault tolerant git fetch for fuzzing
  * bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp
  * bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
  * bmo#1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
  * bmo#1963102 - Remove Cryptofuzz CI version check

- update to NSS 3.111
  * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
  * bmo#1957685 - Turn off Websites Trust Bit from CAs
  * bmo#1937338 - Update nssckbi version following April 2025 Batch of Changes
  * bmo#1943135 - Disable SMIME ‘trust bit’ for GoDaddy CAs
  * bmo#1874383 - Replaced deprecated sprintf function with snprintf in dbtool.c
  * bmo#1954612 - Need up update NSS for PKCS 3.1
  * bmo#1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID
  * bmo#1953097 - Decrease ASAN quarantine size for Cryptofuzz in CI
  * bmo#1943962 - selfserv: Add support for zlib certificate compression

- update to NSS 3.110
  * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
  * bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
  * bmo#1953429 - Remove Crl templates from ASN1 fuzz target
  * bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
  * bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
  * bmo#1930807 - NSS policy updates
  * bmo#1951161 - Improve locking in nssPKIObject_GetInstances
  * bmo#1951394 - Fix race in sdb_GetMetaData
  * bmo#1951800 - Fix member access within null pointer
  * bmo#1950077 - Increase smime fuzzer memory limit
  * bmo#1949677 - Enable resumption when using custom extensions
  * bmo#1952568 - change CN of server12 test certificate
  * bmo#1949118 - Part 2: Add missing check in
    NSS_CMSDigestContext_FinishSingle
  * bmo#1949118 - Part 1: Fix smime UBSan errors
  * bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
  * bmo#1951491 - Don't build libpkix in static builds
  * bmo#1951395 - handle `-p all` in try syntax
  * bmo#1951346 - fix opt-make builds to actually be opt
  * bmo#1951346 - fix opt-static builds to actually be opt
  * bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Removed upstreamed nss-reproducible-chksums.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
- update to NSS 3.109
  * bmo#1939512 - Call BL_Init before RNG_RNGInit() so that special
    SHA instructions can be used if available
  * bmo#1930807 - NSS policy updates - fix inaccurate key policy issues
  * bmo#1945883 - SMIME fuzz target
  * bmo#1914256 - ASN1 decoder fuzz target
  * bmo#1936001 - Part 2: Revert “Extract testcases from ssl gtests
    for fuzzing”
  * bmo#1915155 - Add fuzz/README.md
  * bmo#1936001 - Part 4: Fix tstclnt arguments script
  * bmo#1944545 - Extend pkcs7 fuzz target
  * bmo#1912320 - Extend certDN fuzz target
  * bmo#1944300 - revert changes to HACL* files from bug 1866841
  * bmo#1936001 - Part 3: Package frida corpus script
- update to NSS 3.108
  * bmo#1923285 - libclang-16 -> libclang-19
  * bmo#1939086 - Turn off Secure Email Trust Bit for Security
    Communication ECC RootCA1
  * bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
    CA1 and BJCA Global Root CA2
  * bmo#1915902 - Remove SwissSign Silver CA – G2
  * bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
  * bmo#1942301 - fix fips test failure on windows
  * bmo#1935925 - change default sensitivity of KEM keys
  * bmo#1936001 - Part 1: Introduce frida hooks and script
  * bmo#1942350 - add missing arm_neon.h include to gcm.c
  * bmo#1831552 - ci: update windows workers to win2022
  * bmo#1831552 - strip trailing carriage returns in tools tests
  * bmo#1880256 - work around unix/windows path translation issues
    in cert test script
  * bmo#1831552 - ci: let the windows setup script work without $m
  * bmo#1880255 - detect msys
  * bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
  * bmo#1930807 - NSS policy updates
  * bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
  * bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
  * bmo#1930806 - FIPS changes need to be upstreamed - updated POST
  * bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
  * bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
  * bmo#1935984 - Ensure zero-initialization of collectArgs.cert
  * bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
  * bmo#1915898 - Fix actual underlying ODR violations issue
  * bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
    and/or end with hyphens
  * bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if
    NSS_DISABLE_DBM is set
  * bmo#1934526 - Fix memory leak in pkcs7 fuzz target
  * bmo#1934529 - Set -O2 for ASan builds in CI
  * bmo#1934543 - Change branch of tlsfuzzer dependency
  * bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1
  * bmo#1934241 - Fix coverage failure in CI
  * bmo#1934213 - Add fuzzing for delegated credentials, DTLS short
    header and Tls13BackendEch
  * bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and
    SSL_SetDtls13VersionWorkaround
  * bmo#1913677 - Part 3: Restructure fuzz/
  * bmo#1931925 - Extract testcases from ssl gtests for fuzzing
  * bmo#1923037 - Force Cryptofuzz to use NSS in CI
  * bmo#1923037 - Fix Cryptofuzz on 32 bit in CI
  * bmo#1933154 - Update Cryptofuzz repository link
  * bmo#1926256 - fix build error from 9505f79d
  * bmo#1926256 - simplify error handling in get_token_objects_for_cache
  * bmo#1931973 - nss doc: fix a warning
  * bmo#1930797 - pkcs12 fixes from RHEL need to be picked up
- remove obsolete patches
  * nss-fips-safe-memset.patch
  * nss-bmo1930797.patch
- update to NSS 3.107
  * bmo#1923038 - Remove MPI fuzz targets.
  * bmo#1925512 - Remove globals `lockStatus` and `locksEverDisabled`.
  * bmo#1919015 - Enable PKCS8 fuzz target.
  * bmo#1923037 - Integrate Cryptofuzz in CI.
  * bmo#1913677 - Part 2: Set tls server target socket options in config class
  * bmo#1913677 - Part 1: Set tls client target socket options in config class
  * bmo#1913680 - Support building with thread sanitizer.
  * bmo#1922392 - set nssckbi version number to 2.72.
  * bmo#1919913 - remove Websites Trust Bit from Entrust Root
    Certification Authority - G4.
  * bmo#1920641 - remove Security Communication RootCA3 root cert.
  * bmo#1918559 - remove SecureSign RootCA11 root cert.
  * bmo#1922387 - Add distrust-after for TLS to Entrust Roots.
  * bmo#1927096 - update expected error code in pk12util pbmac1 tests.
  * bmo#1929041 - Use random tstclnt args with handshake collection script
  * bmo#1920466 - Remove extraneous assert in ssl3gthr.c.
  * bmo#1928402 - Adding missing release notes for NSS_3_105.
  * bmo#1874451 - Enable the disabled mlkem tests for dtls.
  * bmo#1874451 - NSS gtests filter cleans up the constructed buffer
    before the use.
  * bmo#1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe.
  * bmo#1925503 - Remove short circuit test from ssl_Init.
- fix build on loongarch64 (setting it as 64bit arch)
- Remove upstreamed bmo-1400603.patch
- Added nss-bmo1930797.patch to fix failing tests in testsuite
- update to NSS 3.106
  * bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36.
  * bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
  * bmo#1899402 - Correctly destroy bulkkey in error scenario.
  * bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers.
  * bmo#1923002 - Extract certificates with handshake collection script.
  * bmo#1923006 - Specify len_control for fuzz targets.
  * bmo#1923280 - Fix memory leak in dumpCertificatePEM.
  * bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and
    SECU_PrintCertificateBasicInfo.
  * bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use.
  * bmo#1921768 - allow null phKey in NSC_DeriveKey.
  * bmo#1921801 - Only create seed corpus zip from existing corpus.
  * bmo#1826035 - Use explicit allowlist for KDF PRFS.
  * bmo#1920138 - Increase optimization level for fuzz builds.
  * bmo#1920470 - Remove incorrect assert.
  * bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI.
  * bmo#1920945 - Polish corpus collection for automation.
  * bmo#1917572 - Detect new and unfuzzed SSL options.
  * bmo#1804646 - PKCS12 fuzzing target.
- requires NSPR 4.36
- update to NSS 3.105
  * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
  * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
  * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
  * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
  * bmo#1918767 - override default definition of KRML_MUSTINLINE
  * bmo#1916525 - libssl support for mlkem768x25519
  * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
  * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
  * bmo#1911912 - Avoid misuse of ctype(3) functions
  * bmo#1917311 - part 2: run clang-format
  * bmo#1917311 - part 1: upgrade to clang-format 13
  * bmo#1916953 - clang-format fuzz
  * bmo#1910370 - DTLS client message buffer may not be empty on retransmit
  * bmo#1916413 - Optionally print config for TLS client and server
    fuzz target
  * bmo#1916059 - Fix some simple documentation issues in NSS.
  * bmo#1915439 - improve performance of NSC_FindObjectsInit when
    template has CKA_TOKEN attr
  * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
- Fix build error under Leap by rebasing nss-fips-safe-memset.patch.
- update to NSS 3.104
  * bmo#1910071 - Copy original corpus to heap-allocated buffer
  * bmo#1910079 - Fix min ssl version for DTLS client fuzzer
  * bmo#1908990 - Remove OS2 support just like we did on NSPR
  * bmo#1910605 - clang-format NSS improvements
  * bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
  * bmo#1908990 - removing dirent.c from build
  * bmo#1902078 - Allow handing in keymaterial to shlibsign to make
    the output reproducible
  * bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
  * bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
    openunix, sco, unixware or reliantUnix)
  * bmo#1908990 - remove mentions of WIN95
  * bmo#1908990 - remove mentions of WIN16
  * bmo#1913750 - More explicit directory naming
  * bmo#1913755 - Add more options to TLS server fuzz target
  * bmo#1913675 - Add more options to TLS client fuzz target
  * bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
  * bmo#1908012 - set nssckbi version number to 2.70.
  * bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
  * bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
  * bmo#1908006 - Add Cybertrust Japan Roots to NSS.
  * bmo#1908004 - Add Taiwan CA Roots to NSS.
  * bmo#1911354 - remove search by decoded serial in
    nssToken_FindCertificateByIssuerAndSerialNumber
  * bmo#1913132 - Fix tstclnt CI build failure
  * bmo#1913047 - vfyserv: ensure peer cert chain is in db for
    CERT_VerifyCertificateNow
  * bmo#1912427 - Enable all supported protocol versions for UDP
  * bmo#1910361 - Actually use random PSK hash type
  * bmo#1911576 - Initialize NSS DB once
  * bmo#1910361 - Additional ECH cipher suites and PSK hash types
  * bmo#1903604 - Automate corpus file generation for TLS client Fuzzer
  * bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE
  * bmo#1910605 - clang-format shlibsign.c
- remove obsolete nss-reproducible-builds.patch
- update to NSS 3.103
  * bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
  * bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
  * bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
  * bmo#1903783 - Adjust libFuzzer size limits
  * bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
    SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
  * bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and
    SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
  by using a hardcoded, static key to generate the checksums (*.chk-files)
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
- update to NSS 3.102.1
  * bmo#1905691 - ChaChaXor to return after the function
- update to NSS 3.102
  * bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305.
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
  * bmo#1660676 - correct length of raw SPKI data before printing in pp utility.

- Add nss-reproducible-chksums.patch to make NSS-build reproducible
  Use key from openssl (bsc#1081723)

- Updated nss-fips-approved-crypto-non-ec.patch to exclude the
  SHA-1 hash from SLI approval.
libgcrypt
- Fix running the test suite in FIPS mode [bsc#1246934]
  * Add libgcrypt-fix-pkcs12-test-in-FIPS-mode.patch
  * Rebase libgcrypt-FIPS-SLI-kdf-leylength.patch
gnutls
- Security fix bsc#1254132 CVE-2025-9820
  * Fix buffer overflow in gnutls_pkcs11_token_init
  * Added gnutls-CVE-2025-9820.patch
gpgme
- Treat empty DISPLAY variable as unset. [bsc#1252425, bsc#1231055]
  * To avoid gpgme constructing an invalid gpg command line when
    the DISPLAY variable is empty it can be treated as unset.
  * Add gpgme-Treat-empty-DISPLAY-variable-as-unset.patch
  * Reported upstream: dev.gnupg.org/T7919
libpng16
- security update
- added patches
  CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite
  * libpng16-CVE-2025-66293-1.patch
  * libpng16-CVE-2025-66293-2.patch

- security update
- added patches
  CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
  * libpng16-CVE-2025-64505.patch
  CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled
  * libpng16-CVE-2025-64506.patch
  CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
  * libpng16-CVE-2025-64720.patch
  CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
  * libpng16-CVE-2025-65018.patch
python311:base
- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- Update to 3.11.14:
  - Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible data”
    if there are no bytes prepended to the ZIP file
    (CVE-2025-8291, bsc#1251305).
  - gh-139400: xml.parsers.expat: Make sure that parent Expat
    parsers are only garbage-collected once they are no longer
    referenced by subparsers created by
    ExternalEntityParserCreate(). Patch by Sebastian Pipping.
  - gh-135661: Fix parsing start and end tags in
    html.parser.HTMLParser according to the HTML5 standard.
  * Whitespaces no longer accepted between </ and the tag name. E.g.
    </ script> does not end the script section.
  * Vertical tabulation (\v) and non-ASCII whitespaces no longer
    recognized as whitespaces. The only whitespaces are \t\n\r\f and
    space.
  * Null character (U+0000) no longer ends the tag name.
  * Attributes and slashes after the tag name in end tags are now
    ignored, instead of terminating after the first > in quoted
    attribute value. E.g. </script/foo=">"/>.
  * Multiple slashes and whitespaces between the last attribute and
    closing > are now ignored in both start and end tags. E.g. <a
    foo=bar/ //>.
  * Multiple = between attribute name and value are no longer
    collapsed. E.g. <a foo==bar> produces attribute “foo” with value
    “=bar”.
  - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
    according to the HTML5 standard: ] ]> and ]] > no longer end the
    CDATA section. Add private method _set_support_cdata() which can
    be used to specify how to parse <[CDATA[ — as a CDATA section in
    foreign content (SVG or MathML) or as a bogus comment in the
    HTML namespace.
  - gh-102555: Fix comment parsing in html.parser.HTMLParser
    according to the HTML5 standard. --!> now ends the comment. -- >
    no longer ends the comment. Support abnormally ended empty
    comments <--> and <--->.
  - gh-135462: Fix quadratic complexity in processing specially
    crafted input in html.parser.HTMLParser. End-of-file errors are
    now handled according to the HTML5 specs – comments and
    declarations are automatically closed, tags are ignored.
  - gh-118350: Fix support of escapable raw text mode (elements
    “textarea” and “title”) in html.parser.HTMLParser.
  - gh-86155: html.parser.HTMLParser.close() no longer loses data
    when the <script> tag is not closed. Patch by Waylan Limberg.
  - Library
  - gh-139312: Upgrade bundled libexpat to 2.7.3
  - gh-138998: Update bundled libexpat to 2.7.2
  - gh-130577: tarfile now validates archives to ensure member
    offsets are non-negative. (Contributed by Alexander Enrique
    Urieles Nieto in gh-130577.)
  - gh-135374: Update the bundled copy of setuptools to 79.0.1.
- Drop upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (>=0.22) gh#python/cpython#139257

- Drop AppStream buildrequires and don't run appstreamcli validate
  as part of the build process: the appdata.xml is not updated by
  source directly, so we have more control. Having AppStream or the
  deprecated appstream-glib results in a build cycle.

- Require AppStream to validate appdata file instead of deprecated
  appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
sqlite3
- bsc#1252217: Add a %license file.

- bsc#1248586: Fix icu-enabled build.

- Update to version 3.50.4:
  * Fix two long-standing cases of the use of uninitialized
    variables in obscure circumstances.

- Update to version 3.50.3:
  * Fix a possible memory error that can occur if a query is made
    against an FTS5 index that has been deliberately corrupted
    in a very specific way.
  * Fix the parser so that it ignores SQL comments in all places of
    a CREATE TRIGGER statement. This resolves a problem that was
    introduced by the introduction of the
    SQLITE_DBCONFIG_ENABLE_COMMENTS feature in version 3.49.0.
  * Fix an incorrect answer due to over-optimization of an AND
    operator.
systemd
- Import commit 9ecd16228492f44212e2771bec11ec78245b4094
  9ecd162284 timer: rebase last_trigger timestamp if needed
  cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run
  c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563)
  05bcfe3295 test: check the next elapse timer timestamp after deserialization
  fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service
  e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
  b58e72215a units: add dep on systemd-logind.service by user@.service
  97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449)

- Sync systemd-update-helper with the version shipped in Base:System
  This includes the following changes:
  - systemd-update-helper: do not stop or disable services when they are migrated
    to other packages. This can occur during package renaming or splitting.
  - systemd-update-helper: Fix invalid use of "break" in case statement
  - systemd-update-helper: fix regression introduced when support for package
    renaming/splitting was added (bsc#1245551)

- systemd-update-helper: backport commit 2d0af8bc354f4a1429ce
  Since user@.service has `Type=notify-reload` (making the reloading process
  synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`,
  reexecuting user managers synchronously can be achieved with `systemctl reload
  user@*.service` now.

- systemd.spec: use %sysusers_generate_pre so that some systemd users are
  already available in %pre. This is important because D-Bus automatically
  reloads its configuration whenever new configuration files are installed,
  i.e. between %pre and %post. (bsc#1248501)
  No need for systemd and udev packages as they are always installed during
  the initial installation.

- Split systemd-network into two new sub-packages: systemd-networkd and
  systemd-resolved (bsc#1224386 jsc#PED-12669)
mozilla-nspr
- update to version 4.36
  * remove support for OS/2
  * remove support for Unixware, Bsdi, old AIX, old HPUX9 & scoos
  * remove support for Windows 16 bit
  * renamed the prwin16.h header to prwin.h
  * configure was updated from 2.69 to 2.71
  * various build, test and automation script fixes
  * major parts of the source code were reformatted
openssh
- Add openssh-cve-2025-61984-username-validation.patch
  (bsc#1251198, CVE-2025-61984).
- Add openssh-cve-2025-61985-nul-url-encode.patch
  (bsc#1251199, CVE-2025-61985).
podman
- Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542):
  * 0012-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
  * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch
  * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
  * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch
  * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch

- Add patch for CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (bsc#1252376):
  * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
- Add patch for bsc#1252543:
  * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
  * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch
  * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
python-azure-agent
- Update to version 2.14.0.1 (bsc#1253001)
  + Drop - included upstream
    ~ agent-btrfs-use-f.patch included upstream
    ~ remove-mock.patch
  + FIPS 140-3 support
  + Block extensions disallowed by policy
  + Report ext policy errors in heartbeat
  + Implement signature validation helper functions
  + Prevent ssh public key override
  + Use proper filesystem creation flag for btrfs
  + Enable resource monitoring in cgroup v2 machines
  + Update agent cgroup cleanup
  + Add cgroupv2 distros to supported list
  + Clean old agent cgroup setup
  + Redact sas tokens in telemetry events and agent log
  + Add conf option to use hardcoded wireserver ip instead of dhcp request
    to discover wireserver ip
  + Support for python 3.12
  + Update telemetry message for agent updates and send new telemetry for
    ext resource governance
  + Disable rsm downgrade
  + Add community support for Chainguard OS
  + Swap out legacycrypt for crypt-r for Python 3.13+
  + Pin setuptools version
  + Set the agent config file path for FreeBSD
  + Handle errors importing crypt module
- From 2.13.1.1
  + Setup: Fix install_requires list syntax
  + Pickup latest goal state on tenant certificate rotation + Avoid
    infinite loop when the tenant certificate is missing
  + Fix unsupported syntax in py2.6
  + Cgroup rewrite: uses systemctl for expressing desired configuration
    instead of drop-in files
  + Remove usages of tempfile.mktemp
  + Use random time for attempting new Agent update
  + Enable logcollector in v2 machines
  + Clean history files
  + Missing firewall rules reason
  + Add support for nftables (+ refactoring of firewall code)
  + Create walinuxagent nftable atomically
python311
- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- Update to 3.11.14:
  - Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible data”
    if there are no bytes prepended to the ZIP file
    (CVE-2025-8291, bsc#1251305).
  - gh-139400: xml.parsers.expat: Make sure that parent Expat
    parsers are only garbage-collected once they are no longer
    referenced by subparsers created by
    ExternalEntityParserCreate(). Patch by Sebastian Pipping.
  - gh-135661: Fix parsing start and end tags in
    html.parser.HTMLParser according to the HTML5 standard.
  * Whitespaces no longer accepted between </ and the tag name. E.g.
    </ script> does not end the script section.
  * Vertical tabulation (\v) and non-ASCII whitespaces no longer
    recognized as whitespaces. The only whitespaces are \t\n\r\f and
    space.
  * Null character (U+0000) no longer ends the tag name.
  * Attributes and slashes after the tag name in end tags are now
    ignored, instead of terminating after the first > in quoted
    attribute value. E.g. </script/foo=">"/>.
  * Multiple slashes and whitespaces between the last attribute and
    closing > are now ignored in both start and end tags. E.g. <a
    foo=bar/ //>.
  * Multiple = between attribute name and value are no longer
    collapsed. E.g. <a foo==bar> produces attribute “foo” with value
    “=bar”.
  - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
    according to the HTML5 standard: ] ]> and ]] > no longer end the
    CDATA section. Add private method _set_support_cdata() which can
    be used to specify how to parse <[CDATA[ — as a CDATA section in
    foreign content (SVG or MathML) or as a bogus comment in the
    HTML namespace.
  - gh-102555: Fix comment parsing in html.parser.HTMLParser
    according to the HTML5 standard. --!> now ends the comment. -- >
    no longer ends the comment. Support abnormally ended empty
    comments <--> and <--->.
  - gh-135462: Fix quadratic complexity in processing specially
    crafted input in html.parser.HTMLParser. End-of-file errors are
    now handled according to the HTML5 specs – comments and
    declarations are automatically closed, tags are ignored.
  - gh-118350: Fix support of escapable raw text mode (elements
    “textarea” and “title”) in html.parser.HTMLParser.
  - gh-86155: html.parser.HTMLParser.close() no longer loses data
    when the <script> tag is not closed. Patch by Waylan Limberg.
  - Library
  - gh-139312: Upgrade bundled libexpat to 2.7.3
  - gh-138998: Update bundled libexpat to 2.7.2
  - gh-130577: tarfile now validates archives to ensure member
    offsets are non-negative. (Contributed by Alexander Enrique
    Urieles Nieto in gh-130577.)
  - gh-135374: Update the bundled copy of setuptools to 79.0.1.
- Drop upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (>=0.22) gh#python/cpython#139257

- Drop AppStream buildrequires and don't run appstreamcli validate
  as part of the build process: the appdata.xml is not updated by
  source directly, so we have more control. Having AppStream or the
  deprecated appstream-glib results in a build cycle.

- Require AppStream to validate appdata file instead of deprecated
  appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
runc
- Update to runc v1.3.4. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362

- Update to runc v1.3.3. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
  - 2025-11-05-CVEs.patch

[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs. All three vulnerabilities ultimately allow
  (through different methods) for full container breakouts by bypassing runc's
  restrictions for writing to arbitrary /proc files. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
  + 2025-11-05-CVEs.patch

[ This update was only released for SLE 12 and 15. ]
- Update to runc v1.2.7. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.7>.

- Update to runc v1.3.2. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
  - Includes an important fix for the CPUSet translation for cgroupv2.
selinux-policy
- Fix systemd generator.early and generator.late file contexts (bsc#1255027)
shim
- shim-install: Add ca_string for SL Micro to update fallback loader
  The fallback loader, /boot/efi/EFI/BOOT/bootaa64.efi or bootx64.efi,
  cannot be upgraded by shim-install on SL Micro. The issue case is
  SL Micro 6.0. It causes a regression bug because the system falls
  back to an old shim. So this patch adds ca_string to SL Micro.
  (bsc#1254336)

- Add DER format certificate files for the pretrans script to verify
  that the necessary certificate is in the UEFI db
  - openSUSE Secure Boot CA, 2013-2035
    openSUSE_Secure_Boot_CA_2013.crt
  - SUSE Linux Enterprise Secure Boot CA, 2013-2035
    SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
  - Microsoft Corporation UEFI CA 2011, 2011-2026
    Microsoft_Corporation_UEFI_CA_2011.crt
  - Microsoft UEFI CA 2023, 2023-2038
    Microsoft_UEFI_CA_2023.crt
- shim.spec: Add a pretrans script to verify that the necessary certificate
  is in the UEFI db.
- Always put SUSE Linux Enterprise Secure Boot CA to target array.
  (bsc#1254679)

- Update to 16.1
  - RPMs
    shim-16.1-150300.4.31.1.x86_64.rpm
    shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
    shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
    shim-16.1-150300.4.31.1.aarch64.rpm
    shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
    shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
  - submitreq: https://build.suse.de/request/show/395247
  - repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update
  - Patches (git log --oneline --reverse 16.0..16.1)
    4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols
    39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses
    3133d19 test-mock-variables: make our filter list entries safer.
    d44405e mock-variables: remove unused variable
    0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04
    d16a5a6 SbatLevel_Variable.txt: minor typo fix.
    32804cf Realloc() needs one more byte for sprintf()
    431d370 IPv6: Add more check to avoid multiple double colon and illegal char
    5e4d93c Loader Proto: make freeing of bprop.buffer conditional.
    33deac2 Prepare to move things from shim.c to verify.c
    030e7df Move a bunch of stuff from shim.c to verify.c
    f3ddda7 handle_image(): make verification conditional
    774f226 Cache sections of a loaded image and sub-images from them.
    eb0d20b loader-protocol: handle sub-section loading for UKIs
    2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
    1abc7ca loader-protocol: NULL output variable in load_image on failure
    fb77b44 Generate Authenticode for the entire PE file
    b86b909 README: mention new loader protocol and interaction with UKIs
    8522612 ci: add mkosi configuration and CI
    9ebab84 mkosi workflow: fix the branch name for main.
    72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX
    a2f0dfa This is an organizational patch to move some things around in mok.c
    54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
    a5a6922 get_max_var_sz(): add more debugging for apple platforms
    77a2922 Add a "VariableInfo" variable to mok-variables.
    efc71c9 build: Avoid passing *FLAGS to sub-make
    7670932 Fixes for 'make TOPDIR=... clean'
    13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1
    617aed5 Update version to 16.1~rc1
    d316ba8 format_variable_info(): fix wrong size test.
    f5fad0e _do_sha256_sum(): Fix missing error check.
    3a9734d doc: add howto for running mkosi locally
    ced5f71 mkosi: remove spurious slashes from script
    0076155 ci: update mkosi commit
    5481105 fix http boot
    121cddf loader-protocol: Handle UnloadImage after StartImage properly
    6a1d1a9 loader-protocol: Fix memory leaks
    27a5d22 gitignore: add more mkosi dirs and vscode dir
    346ed15 mkosi: disable repository key check on Fedora
    afc4955 Update version to 16.1
  - 16.1 release note https://github.com/rhboot/shim/releases
    shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738
    Fix uncompressed ipv6 netboot by @hrvach in #742
    fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739
    Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749
    SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751
    Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746
    IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753
    Loader proto v2 by @vathpela in #748
    loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750
    Generate Authenticode for the entire PE file by @esnowberg in #604
    README: mention new loader protocol and interaction with UKIs by @bluca in #755
    ci: add mkosi configuration and CI by @bluca in #764
    shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761
    Save var info by @vathpela in #763
    build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758
    Fixes for 'make TOPDIR=... clean' by @bluca in #762
    add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766
    Coverity fixes 20250804 by @vathpela in #767
    ci: fixlets and docs for mkosi workflow by @bluca in #768
    fix http boot by @jsetje in #770
    Fix double free and leak in the loader protocol by @rosslagerwall in #769
    gitignore: add more mkosi dirs and vscode dir by @bluca in #771
  - Drop upstreamed patch:
    The following patches are merged to 16.1
  - shim-alloc-one-more-byte-for-sprintf.patch
  - 32804cf5d9 Realloc() needs one more byte for sprintf()    [16.1]
  - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588)
  - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1]
- Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588)
- Building with the latest version of gcc in the codebase:
  - gcc13 can work around the dxe_get_mem_attrs() hsi_status problem
  - We prefer building shim with the latest version of gcc in the codebase.
  - Set the minimum version to gcc-13.
  (bsc#1247432)
- SLE shim should include vendor-dbx-sles.esl instead of
  vendor-dbx-opensuse.esl. Fixed it in shim.spec.
supportutils
- Changes to version 3.2.12
  + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274)
  + Run in containers without errors (bsc#1245667, PR#272)
  + Removed pmap PID from memory.txt (bsc#1246011, PR#263)
  + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264)
  + Improved database perforce with kGraft patching (bsc#1249657, PR#273)
  + Using last boot for journalctl for optimization (bsc#1250224, PR#287)
  + Fixed extraction failures (bsc#1252318, PR#275)
  + Update supportconfig.conf path in docs (bsc#1254425, PR#281)
  + drm_sub_info: Catch error when dir doesn't exist (PR#265)
  + Replace remaining `egrep` with `grep -E` (PR#261, PR#266)
  + Add process affinity to slert logs (PR#269)
  + Reintroduce cgroup statistics (and v2) (PR#270)
  + Minor changes to basic-health-check: improve information level (PR#271)
  + Collect important machine health counters (PR#276)
  + powerpc: collect hot-pluggable PCI and PHB slots (PR#278)
  + podman: collect podman disk usage (PR#279)
  + Exclude binary files in crondir (PR#282)
  + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284)
  + Use short-iso for journalctl (PR#288)

- Changes to version 3.2.11
  + Collect rsyslog frule files (bsc#1244003, pr#257)
  + Remove proxy passwords (bsc#1244011, pr#257)
  + Missing NetworkManager information (bsc#1241284, pr#257)
  + Include agama logs (bsc#1244937, pr#256)
  + Additional NFS conf files (pr#253)
  + New fadump sysfs files (pr#252)
  + Fixed change log dates