- cloud-netconfig:azure
-
- Update to version 1.15
+ Add support for creating IPv6 default route in GCE (bsc#1240869)
+ Minor fix when looking up IPv6 default route
- Update to version 1.14
+ Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)
- cloud-regionsrv-client
-
- Update version to 10.5.2 (bsc#1247539)
+ When an instance fails verification server side the default credentials
were left behind requireing manual intervantion prior to the next
registration attempt.
+ Fix issue triggered when using instance-billing-flavor-check due to
IP address handling as object rather than string introduced 10.5.0
- Update version to 10.5.1
+ Fix issue with picking up configured server names from the
regionsrv config file. Previously only IP addresses were collected
+ Update scriptlet for package uninstall to avoid issues in the
build service
- Update version to 10.5.0
+ Use region server IP addresses to determine Internet access rather
than a generic address. Region server IP addresses may not be blocked
in the network construct. (bsc#1245305)
- Update version to 10.4.0
+ Remove repositories when the package is being removed
We do not want to leave repositories behind refering to the plugin that
is being removed when the package gets removed (bsc#1240310, bsc#1240311)
+ Turn docker into an optional setup (jsc#PCT-560)
Change the Requires into a Recommends and adapt the code accordingly
+ Support flexible licenses in GCE (jsc#PCT-531)
+ Drop the azure-addon package it is geting replaced by the
license-watcher package which has a generic implementation of the
same functionality.
+ Handle cache inconsistencies (bsc#1218345)
+ Properly handle the zypper root target argument (bsc#1240997)
- containerd
-
- Update to containerd v1.7.27. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.27>
bsc#1239749 CVE-2024-40635
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.26. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.25. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.25>
<https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.23. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.23>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.22. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.22>
- Bump minimum Go version to 1.22.
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- coreutils:systemd
-
- coreutils-9.4.sort-CVE-2025-5278.patch: Add upstream patch:
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer.
(CVE-2025-5278, bsc#1243767)
- coreutils
-
- coreutils-9.4.sort-CVE-2025-5278.patch: Add upstream patch:
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer.
(CVE-2025-5278, bsc#1243767)
- docker
-
- Update to Go 1.24 for builds, to match upstream.
- Update to Docker 28.3.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2832>
- Update to Docker 28.3.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2831>
- Update to Docker 28.3.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2830>
bsc#1246556
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
[ This update is a no-op, only needed to work around unfortunate automated
packaging script behaviour on SLES. ]
- The following patches were removed in openSUSE in the Docker 28.1.1-ce
update, but the patch names were later renamed in a SLES-only update before
Docker 28.1.1-ce was submitted to SLES.
This causes the SLES build scripts to refuse the update because the patches
are not referenced in the changelog. There is no obvious place to put the
patch removals (the 28.1.1-ce update removing the patches chronologically
predates their renaming in SLES), so they are included here a dummy changelog
entry to work around the issue.
- 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to docker-buildx v0.25.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.25.0>
- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in this
mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable.) bsc#1240150
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to Docker 28.2.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2822>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to Docker 28.2.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
<https://github.com/moby/moby/releases/tag/v28.2.1>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to docker-buildx v0.24.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.24.0>
- Update to Docker 28.1.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
Includes upstream fixes:
- CVE-2025-22872 bsc#1241830
- Remove long-outdated build handling for deprecated and unsupported
devicemapper and AUFS storage drivers. AUFS was removed in v24, and
devicemapper was removed in v25.
<https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Remove upstreamed patches:
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx v0.23.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.23.0>
- Update to docker-buildx v0.22.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
- Don't use the new container-selinux conditional requires on SLE-12, as the
RPM version there doesn't support it. Arguably the change itself is a bit
suspect but we can fix that later. bsc#1237367
- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
+ 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
+ 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Make container-selinux requirement conditional on selinux-policy
(bsc#1237367)
- python-kiwi
-
- Bump version: 10.2.28 → 10.2.29
- Fix return from repart stage
If we return from the repart stage it's important to wait
for the root device to appear. This is because the device
setup from udev might still be held back due to a former
lock on the device. This means if we return fast after
locking for example when check_repart_possible() quickly
finds out that it's not possible, then udev has not yet
got the time to create the device nodes.
This Fixes #2863
- Bump version: 10.2.27 → 10.2.28
- Fix dracut code to be POSIX compliant
The redirect type "< <(...)" is not POSIX complians and leads
to a syntax error in dracut which calls bash as "sh" leading
it to be restricted to POSIX only
- Extend test-image-lvm integration test
For testing a bit more complex resize procedure, update
the lvm integration test to run more resize actions
with required device locking
- Apply proper udev locking
Several commands during repart, resize and other actions
require a proper lock to be set for udev such that other
events knows about the locked state of a device and do
not mess with it until the command for which the lock
persists has completed. This commit applies proper udev
locks to all commands that requires it. In addition
incorrect code that was expected to prevent such race
conditions got dropped from the implementation.
This is related to bsc#1242987
- relocate GPT at the end of disk using sfdisk
Using sfdisk for relocation and verification makes this
part more consistent. We also want to move away from gdisk.
This is related to #2851
- Do not strictly require config.partids in repart
The kiwi-repart implementation requires a metadata file
named config.partids which holds information about
partition ids and more stored at the time the image was
built. Depending on the complexity of the image and the
resize request some of the information can be rebuilt
in case the metadata file is missing. This commit adds
the rebuild of the minimum required information to run
a standard resize and therefore allows the kiwi-repart
dracut module to work also without config.partids to be
present in the system
- Do not drop /config.partids
The partition id metadata file is used in the kiwi-repart
module. If a user wants to use the kiwi repart module
permanently, this metadata file needs to stay in the system.
Therefore it should not be automatically deleted by the
cleanup. A disk.sh hook script can be used to force the
deletion of the file though. This is related #2851
- Fix centos/test-image-live-disk-v10
There is no package named iprutils
- Fix centos/test-image-live-disk-v10
Update package names
- Added centos/test-image-live-disk-v10 build test
- Fix tumbleweed/test-image-gce integration test
Drop obsolete growpart
- Followup fix to support older apt versions for bootstrap
There are apt versions that do not create missing state files.
Make sure the intermediate bootstrap state file is created in
any case. This Fixes #2857
- Fixed integration test builds
Next round of fixes for integration tests. Missing
or wrong service activations
- Fix arm/tumbleweed/test-image-rpi
Fix snapper setup for this integration test
- Fixed test-image-live-disk
Added missing openssh-server package
- Fixed test-image-azure
Add missing python-azure-agent-config-default package
- Fixed debian integration test builds
secure shell service is named ssh and not sshd there
- Fixed integration test builds
Second round of fixes for integration tests. Again errors
now became visible due to the refactoring of the script code
- Fixed integration test builds
Errors from scripts were no longer ignored due to the last
cleanup of the integration test script code. This commit
fixes the now exposed build errors
- Fix check_target_dir_on_unsupported_filesystem
Find the first existing path in the target path and
check the filesystem capabilities for this path.
This Fixes #2858
- Cleanup integration tests config.sh script code
Add script code to shellcheck and fix all reported issues.
Get rid of suseXX and baseXX methods as much as possible.
Add set -ex for all script code. Do not allow any script
code to fail.
- defaults: Add patterns for shim/grub2 on riscv64
A recent commit changed the way these are looked up and
accidentally broke image building on riscv64, with
KiwiBootLoaderGrubSecureBootError: Signed grub2 efi loader not found
now being raised for kiwi recipes that worked just fine
before that moment.
Fixes: 197572378cf4f25103934beac2ceca4fbbcfcbc0
Thanks: David Abdurachmanov <davidlt@rivosinc.com>
Thanks: Marcus Schäfer <marcus.schaefer@gmail.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
- Add SLFO test-image-disk-simple integration test
Add simple disk test and allow for testing the new
transparent container idea for the aws toolchain. also
add SLFO builds to the helper script
- Fixed check for unallocated space on disk
So far the check for unallocated space was only working for GPT
and there it was also not really stable. The check was based on
verifying if the backup GPT table is really at the end of the
disk. Depending on which tool was used to dump the image on the
target this "mistake" often got corrected by the tools that
dumped the image. In this case the check no longer worked.
This commit improves the check by another test which looks
for the real free bytes on disk compared to the current
partition geometry.
- Move to neutral directory for calling osc
When calling the helper/build_status.sh script to get an
overview about the results of the integration tests, there
is a stupid new behavior from the osc tool that it assumes
a package name according to the name of the directory you
are in probably connected to the fact that the data in this
directory is a git checkout or some other strange assumption.
This commit moves to a neutral directory where none of the
osc internal assumptions applies and it just does what it
should do... showing results of the given project.
- Bump version: 10.2.26 → 10.2.27
- Fix regression in get_partition_node_name
backwards compat for lsblk before 2.38
if START column not supported, fall back to default sort
- Add global option --setenv
Allow to set environment variables in the caller environment
via the commandline, e.g --setenv SOURCE_DATE_EPOCH=42
- Seed filesystem UUIDs with SOURCE_DATE_EPOCH
For reproducible builds the calculation of the filesystem UUID
should be persistent with each rebuild of the image. To achieve
this the UUID is calculated using the SOURCE_DATE_EPOCH from
the environment plus a char-number representation of the filesystem
label name as random seed. In kiwi every filesystem is created
with a label, thus only in case there is no SOURCE_DATE_EPOCH
available we continue to create the UUID as random data.
This Fixes #2761
- Add label attribute for <partition> section
Allow to specify a filesystem label as part of a <partition>
definition. So far the label was set by the name of the
partition. With the new label attribute, a filesystem label
different from the partition name can be set. This commit
also updates/fixes the documentation in this regard.
- Improve log message in SystemIdentifier
Add some scope information such that we know from where
this log information originates from.
- Add rd.kiwi.install.devicepersistency
Allow to specify which type of persistent device name should
be used to build up the list of installation disk devices.
For example rd.kiwi.install.devicepersistency=by-path would
use the by-path representations for the available disk
devices. The default (by-id) stays untouched. In case an
invalid or not present device representation is selected, kiwi
falls back to the non persistent unix node names.
- Update test-image-disk
Add NetworkManager for better remote debugging capabilities
- Make mbr-id deterministic
Log the value of SDE so it is available to review,
even if the build system does not tell about it.
Update the tests to cover the new code-path.
Co-Authored-By: Marcus Schäfer <marcus.schaefer@gmail.com>
- Ensure dracut initrd is reproducible
This helps a bit with issue #2358
Add reproducible flag for UKI too
Update tests accordingly
Co-Authored-By: Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 10.2.25 → 10.2.26
- Add kernel parameter support for dm-verity options
Implement rd.kiwi.verity_options= parameter to allow runtime customization of veritysetup options
Closes #2837
- Fix shim lookup for arm on SUSE
Add missing search path for shim binary on arm based SUSE
systems. Also update the tumbleweed/test-image-live-disk
integration test for arm to build with secure boot enabled
to actually test a secure boot enabled ISO build.
This Fixes #2842
- Add container_import template test
- Bump version: 10.2.24 → 10.2.25
- Fixed get_partition_node_name
The function get_partition_node_name takes the disk device
and the partition index as arguments to match against the
respective device node for this partition index. The partition
index is the position of the partition in the partition table
according to their start offset. For the code to function
properly it is required that the list of partitions provided
by lsblk is ordered according to the start address of the
partitions in the table. The way lsblk was called did not
enforce this ordering. This commit enforces the order to
be done against the start offset and fixes bsc#1245190
- Add support for container-snap as a container-image engine
With this commit, we can now pre-load images using container-snap directly
during the kiwi image build
- Update test-image-MicroOS for local build
Fix bootstrap setup such that micro-os patterns can resolve
- Fix logging of stderr data in command calls
The stderr data was presented as one blob without line
breaks. Hard to read and smells like a bug. This commit
fixes the output to become readable
- Update test-image-MicroOS/disk.sh
Add a findmnt for / to check if there is a proper root
device reference
- Fix mount system for root_is_snapper_snapshot
If root is a snapper snapshot we have to tell the
chroot a proper root mount point which can be achieved
by a bind mount pointing to itself. This Fixes
bsc#1244668
- There is no shim for aarch64 on SUSE
Fix integration test for standard EFI (no secure boot)
setup on arm
- Add driver configuration support for dracut initrd
Add driver configuration support for dracut initrd
Add support for specifying kernel drivers to be included or omitted
in the dracut initrd configuration. This extends the existing dracut
configuration capabilities like in the following example
<initrd action="add">
<dracut driver="erofs"/>
</initrd>
- Fixed rootfs size calculation with spare part
In case a spare_part setup is combined with the root_clone feature,
the size calculation for the rootfs did not take the cloning into
account and lead to the wrong value. In addition when requesting
the spare part to be last and no size information was given, the
partition was not created at all. This commit fixes both defects
and Fixes #2831
- Add dependency for isomd5sum for iso images and set in kiwi-settings
This ensures that isomd5sum is pulled into the environment for ISO image
builds, and the updated settings makes it so that kiwi boxes will use it.
- Allow /boot to be a btrfs subvolume
In a btrfs based design, allow to put /boot as subvolume.
This required a small fix in the mount order in a way that
boot/efi gets mounted after the subvolume mounts are done.
The respective integration test has been updated to test
this functionality. This Fixes #2824
- Use f-strings where feasible
This is a slightly shorter and easier to read syntax
- Allow multiple EFI arch binaries/modules
Allow to lookup and included EFI binaries/modules for
multiple architectures. For testing the integration
test in rawhide/test-image-live-disk has been adapted
accordingly to install 32bit and 64bit EFI binaries.
This Fixes #2822
- Log warning message for disabled runtime checks
Complete type hints for RuntimeConfig class and log
a warning message for each disabled runtime check
- Fix static type argument int vs. str
- Move it inside the context that actually uses it
also rename it to "supported" as that seems to closer match
what it resembles
- Add overlayfs as supporting xattr/ACLs as well
- Fix disk_type validation for zipl loader
If the targettype is set to GPT in combination with plain
zipl as loader, the code to validate the targettype against
the targetgeometry was not effective and zipl failed.
This Fixes #2821
- Fixup overlay unit enablement
- Fixup overlay mount dependencies
- Update test-image-overlayroot integration test
Use proper systemd mount units to setup the custom overlay.
The handling of fstab entries by systemd is limited and
should be better handled by self managed mount units
- Use proper mount units for overlay setup
Instead of manual mounting create a proper systemd mount
unit. This allows to manage mount dependencies and the order
of nested mounts in a clean way
- Bump version: 10.2.23 → 10.2.24
- Cleanup build metadata
Make sure the final image rootfs does not contain unneeded
metadata files used during build time. The respective cleanup
call is performed after the root sync and after all initrd/boot
processing has been done. This is because up to that point it's
still possible that the information is required. This means
when building images with a read-only rootfs, it might not be
possible that the metadata can be deleted due to a chicken&egg
situation. Furthermore the cleanup is applied to the disk
builder only as other builders do not really suffer from
this data and for the container builder the metadata can
also be used for the stackbuild feature when building images
derived from containers. This Fixes #2668
- Update overlay integration test for partial write
Update the sdboot_uki_verity_erofs profile of the
test-image-overlayroot integration test with a custom
fstab example to overlay only parts of the system
for writing. This Fixes #2815
- bootloader setup without overlay write partition
If overlayroot_write_partition="false" is set, no system
indicator was stored. This cause the bootloader setup to
be skipped completely which is not required for e.g.
systemd-boot.
- Make sure to create overlay directories
Create overlay directories even if rd.root.overlay.readonly
is set. This allows individual fstab overlays mounts to be
performed
- Fixed rd.root.overlay.readonly overlay mode
When booting an overlayroot image with rd.root.overlay.readonly
set, the system will boot with only the read-only root mounted.
There was a bug in the dracut code which prevented this mount
from succeeding when the read-only rootfs is different from
squashfs. This commit changes the mount to be a simple bind
mount, independent of the origin filesystem. This works because
the read-only mount is performed in the dracut overlay code
anyway. This is related to Issue #2815
- The way we build debs requires setuptools
debbuild doesn't work when setuptools is not there
- Drop use of setuptools
Since we moved to poetry and no code using setuptools anymore,
this requirement can be dropped. The commit also updates the
plugin documentation which was still based on setup.py
- Update live boot remote boot features
Like the upstream module also support the root=live:http://...
remote boot options. The kiwi-live dracut module is scheduled
to become obsolete, but it's still in use and should support
remote boot not only for AoE. As we got more issue reports than
working AoE remote boot success, this commit also updates the
documentation and switches to the capabilities of this PR.
- Add UKI support for the grub bootloader
In addition to systemd_boot also add support for UKI creation
when grub is used. This includes the creation of a UKI image
via dracut in the same way as it's done for systemd_boot.
In addition an earlyboot grub script chainloads the UKI and
bypasses any written grub configuration. In Theory this should
also allow to use the shim loader for chainloading an UKI.
However I haven't done testing in this direction and I also
expect security issues with this approach because loading
any non signed data by shim is not expected to work. A new
profile named grub_uki_verity_erofs has been added to the
integration test that experiments with UKIs
- Bump version: 10.2.22 → 10.2.23
- Add support for <initrd> section as part of <type>
Extend scope and content of the <initrd> section to be allowed
as part of the <type> section. This allows to specify custom
call options and modules for the dracut tool. In particular
this commit implementes support for passing the uefi option
to dracut to enable building an UKI EFI binary as follows:
<initrd action="setup">
<dracut uefi="true"/>
</initrd>
This Fixes #2809 and Fixes #2408
- Fix systemd-boot loader setup
To make sure only loader entries from /boot/efi/loader/entries
kiwi deleted eventually existing entry files from /boot/loader.
However that is a problem for read-only systems and should actually
also not performed by kiwi. This Fixes #2805
- Bump version: 10.2.21 → 10.2.22
- Apply security context on writable root only
Make sure to perform setfiles only on a writable target. In case
of a read-only root it is expected that the security context set
by kiwi in an earlier stage is complete. As there is no way to
modify data when root is read-only, there is also no way to change
the security context of any file such that we skip setfiles
in this case. Should there be a read-only system that has writable
partitions such as /boot and their content changes while the rest
of the root system is read-only it is in the responsibility of
the author of the image description to call setfiles only on
the affected and still writable files via a custom disk.sh
script. Along with the fix the respective integration test was
modified to enable selinux such that this change is actually
integration tested. This Fixes #2805
- Docs: fix typo in users.rst
- Docs: minor punctuation and grammar fixes
- Give test-image-overlayroot enough space
- Allow ext2/ext3 as valid build target
stat reports the value 'ext2/ext3' which is a valid target
- Added check_target_dir_on_unsupported_filesystem
Add runtime check to make sure the selected target directory
for the image and/or the image rootfs lives on a filesystem
that provides all required features like extended permissions,
ACLs or xattrs.
- Fix rd.kiwi.oem.luks.reencrypt_randompass workflow
When requesting a new random key prior reencryption, make
sure that this new key is referenced in the current in
memory initrd crypttab such that all subsequent
tasks e.g. luks resize have permissions to complete while
inside of this initrd instance
- Add support for new tarball-based WSL format
With the new image="wsl" type one can build a WSL container
image that uses the new tarball format. This Fixes #2678
- Update SL-Micro build test
For details see: https://build.opensuse.org/request/show/1272418
- Required read-only-root-fs for SL-Micro test build
Changes from the SL-Micro team requires adaptions to the
integration test description
- Delete fstab.script from SL-Micro test build
This was only needed when /var was an extra partition, but
it's a volume with copy-on-write disabled for some time
- Add systemd-resolved to TW integration tests
For some reason it's not longer part of the systemd standard
installation
- Bump version: 10.2.20 → 10.2.21
- Add dkms to test-image-embedded integration test
- Fixed access issue to etc/kernel for sdboot
In case of an overlayroot setup we have to make sure
that etc/kernel is writable. This is done by a bind
mount of the ESP
- Update test-image-overlayroot
Add another build using grub instead of systemd-boot and use
btrfs as write partition instead of xfs. Please note this test
requires a boot partition because grub cannot read from erofs
and unlike systemd-boot grub does not read all boot data from
the ESP.
- Fixed get_volume_management
If a volume capable filesystem like btrfs is requested, there
must also be a volume definition available to report that
the volume management is actively used. Just the request of
the filesystem can also mean it's being used without volumes
like it could be the case for an overlayroot setup that
requests btrfs as write partition.
- Update test-image-overlayroot
Move to systemd-boot as bootloader, activate secure boot
and drop the extra boot partition. Use XFS for the write
space
- Allow initrd updates on read-only devices
Move initrd to ESP for boot loaders that reads data
from there
- Fix ordering issue for device assignment
wrong assignment of a boot partition in overlayroot setup
without boot partition
- Add kiwi-settings package for TW
de-blacklist erofs to allow building integration tests
with this filesystem
- Switch to dracut-kiwi-verity
So far no luck with the systemd verity generator. This
commit adds the parsing of /etc/veritytab in the existing
kiwi-verity dracut module and uses it in the overlayroot
integration test.
- Update test-image-overlayroot integration test
Switch to erofs for overlay testing. Additionally split the build
into two profiles. The first one just builds a simple overlayroot
oem disk based on erofs. The second one adds a veritysetup layer
and configures the systemd-veritysetup-generator for use in dracut.
This Fixes #2799
- Add documentation for new attribute
Add details how to use the new overlayroot_readonly_filesystem attribute
- Add support for selecting the overlay read-only fs
Add new overlayroot_readonly_filesystem attribute which allows
to select for either squashfs or erofs as the read-only filesystem
in an OEM overlay disk setup.
- Fixed root setup for verity overlay disk
When building an image with overlayroot set to true and
activated verity data, the root= parameter must be
set to root=overlay:MAPPER=verityroot instead of the standard
overlay:PARTUUID mapping.
- Make sure the verity record has a superblock
- Drop distro specific runtime check
The check_efi_mode_for_disk_overlay_correctly_setup exists because
shim-install does not work on read-only devices. However, shim-install
is a SUSE only tool that runs a SUSE specific secure boot setup.
For other secure boot processes this runtime check is not useful.
As runtime checks aims to be generally useful, this one gets
dropped.
- Fix root clone size setup
If the root_clone attribute is specified without providing a
fixed size for the system, kiwi estimates the size needed for
the root part and assigns the rest to the clone. This leads to
different partition sizes for the root clones. As per definition
of a clone the expectation is that the size is the same, this
commit changes the behavior such that the calculated size for
the system is applied to the origin root and all its clones.
As a consequence this can leave unpartitioned space free in
the image. This Fixes #2463
- Bump version: 10.2.19 → 10.2.20
- Fix reencryption master key passphrase
Make sure to use the correct passphrase for the master
key such that it can be decrypted with the same credentials
as before. The credentials reset is a subsequent task
after reencryption.
- Bump version: 10.2.18 → 10.2.19
- Fixed targettype setup in zipl.conf
The special targettype set to GPT still indicates SCSI for
the zipl.conf but tells kiwi to create a GPT disk layout
- Fixed s390 integration test
targettype attribute in wrong section
- Add support for GPT targettype on s390
Allow to build s390 images using GPT instead of the old DOS
partition table. zipl has added support to read from GPT.
This Fixes #2694
- Add --no-compress option to bundler
Allow to skip the compression for bundle files marked
to become compressed. This Fixes #2736
- Rawhide (F43) has removed basesystem package
The basesystem package was retired with rawhide (F43).
https://src.fedoraproject.org/rpms/filesystem/pull-request/20
- rawhide install shadow-utils for usermod
Using `kiwi-ng` version 10.2.18 (EL9)
Currently with:
```
sudo kiwi-ng system build \
- -description kiwi/build-tests/x86/fedora/test-image-docker
- -set-repo http://ftp.fau.de/fedora/linux/development/rawhide/Everything/x86_64/os/ \
- -target-dir /tmp/myimage1
```
This fails with:
```
[ INFO ]: 09:46:38 | Setting up user root
[ INFO ]: 09:46:38 | --> Modifying user: root
[ INFO ]: 09:46:38 | --> Primary group for user root: root
[ ERROR ]: 09:46:38 | KiwiCommandError: chroot: stderr: /sbin/chroot: failed to run command ‘usermod’: No such file or directory
```
Install the package `shadow-utils` to provide `usermod`.
- Fixed default bls value setup
Fixed get_build_type_bootloader_bls behavior in case the bls
attribute is not set. In this case get_bls() returns a None value
which was returned. However in this case the attribute value
should not be taken into account and the method defined default
value for bls should be returned. This Fixes #2542
- Bump version: 10.2.17 → 10.2.18
- Fix setup of use_disk_password for random secret
When using luks="random" in combination with use_disk_password="true"
the resulting cryptomount call in grub is wrong. This commit fixes it
- Drop copying GRUB2 modules to /boot with Secure Boot UEFI images
Copying the modules creates a situation where future updates
applied to a running system can cause GRUB to crash due to mixed
modules and GRUB EFI binaries.
It is not needed anyway since GRUB EFI binaries for Secure Boot have
all modules compiled into the binaries.
Fixes: https://github.com/OSInside/kiwi/issues/2790
- Make sure editbootinstall runs offline
editbootinstall expects the system to be umounted
- Make sure post sync actions are in scope
- Follow up fix for overlayroot builds for EFI path
Only perform the boot overlay if there is an extra boot partition
- Only remove entries from exclude list if present
- Fix overlayroot builds for EFI path
make sure to keep boot/efi mountpoint directories
in the read-only area as they can't be created later
- doc: overview: Add list of supported Linux distributions
These are the Linux distributions that are developed and actively
tested for with the latest kiwi releases.
This should offer greater clarity about what we're able to support
as an upstream project.
- Fixed mount of image system for volume managers
The ImageSystem.mount() method implemented its own handling
for mounting the volumes of a volume manager based system.
First and foremost this duplicates code that already exists
in the respective VolumeManager implementation and second
the code behaved wrong in case of btrfs when there is no
default subvolume configured
- Handle grub fix functions less strict
If called on full read-only systems, log the information
that the files can't be modified but do not fail. On
such systems the expectation is that no fix code must
be applied and as such the fix function can be considered
an optional step.
- Fixed root setup for encrypted overlay disk
When building an image with overlayroot set to true and
activated luks encryption, the root= parameter must be
set to root=overlay:MAPPER=luks instead of the standard
overlay:PARTUUID mapping. This Fixes #2776
- Change suffix for package manager config files
Use .config instead of .conf for the temporary package
manager config files. Reason for this change is a bug in
dracut which reads and executes all /*.conf files from
the system. This Fixes #2780
- Set security context after root sync
On selinux enabled image builds we call setfiles initially
after the root tree is complete and after each script invocation
that might change the system. However the security context
also applies to mount points e.g volumes which only exists
at the time when the root tree gets synced to the actual image
binary. Thus this commit also calls setfiles on the mounted
root tree after data sync. This Fixes rh#2333743
- Fix broken doc link
Rephrase chapter pointing to a documentation side at VMware.
They are constantly changing their documentation URLs that
I'm tired of fixing this. This Fixes #2782
- Bump version: 10.2.16 → 10.2.17
- Fix key slot selection for luks reencrypt
Depending on the type setup for a luks encrypted image, there
might be one or two key slots available. When kiwi is requested
to perform the reencryption process at least one key-slot and
the proper keyfile/passphrase must be provided. This commit
stores the information about the key-slot number for which
a decryption information exists in the initrd. In addition to
the code change also the corresponding integration test image
was updated.
- Fixed test-image-gce integration test
python3-gcemetadata was renamed to python-gcemetadata
- Fixed integration test builds for TW
Request dracut explicitly when needed
- Add support for filtering out files from the ESP image for GRUB
Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.
For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.
Fixes: https://github.com/OSInside/kiwi/issues/2008
Fixes: https://github.com/OSInside/kiwi/issues/2777
- Fix bundle extension for container types
When building result files that use container types like oci or docker,
kiwi creates them as archive tarballs with an extension prefix to
indicate the special nature of the archive. However, the bundler
code does not retain the prefix, which results in the wrong file
extension for these archives.
This change adds exceptions for these types and refactors the
exception handling to unify it with the Vagrant image filename
handling, which operates similarly.
Fixes: https://github.com/OSInside/kiwi/issues/2628
- Update LOADER_TYPE setup for grub
If the bootloader attribute: bls is set to true, make sure
the LOADER_TYPE changes to grub2-bls. This is related to
Issue #2773
- Fix Agama PXE build
A bootloader setup is needed to create config.bootoptions
Even though a ramdisk deployment does not require a bootloader
setup we need it because part of the setup is the root device
reference which is still needed to pivot root into the
system
- Fix firmware setting for Agama PXE image
- Added obs BUILD_FLAVOR for agama
Required for multibuild (multiple profiles) build
- Update Agama integration test
Split the build into two profiles ISO and PXE to differentiate
the build results into a small Agama for remote installations
and a standard Agama for iso based installations
- Prevent loading unused data in oem deployment
In case rd.kiwi.ramdisk is used as part of a remote deployment
setup, it's not needed to load the system kernel and initrd
because it's not used as kexec is not called with the system
deployed into memory. For ramdisk deployments the system is
booted using the currently active kernel and initrd and as
such we can avoid loading an extra kernel and initrd for
booting the system via kexec.
- Update Agama integration test
Make use of <oem-ramdisk-size> in the Agama integration test
- Added <oem-ramdisk-size> element
So far it was only possible to specify the size of the ramdisk
via the kernel commandline option: ramdisk_size. In a remote
deployment it was therefore required to carry this size as a
mandatory information to the deployment server. With this commit
we allow to specify the size for the ramdisk to be configured as
part of the image configuration which makes this information
also available inside of the initrd. If provided the ramdisk_size
kernel commandline option still takes precedence over the
<oem-ramdisk-size> setting to avoid any behavior change and to
still allow dynamic overrides of the ramdisk size.
- reinstall bootstrap packs in image phase for apt
Due to the special bootstrap process, the packages unpacked
during bootstrap are not properly listed in the apt index.
Therefore the bootstrap packages are added to the install
phase which causes an install of this packages again to
fix the apt index and provide a consistent system from
an apt perspective. This Fixes #2768
- Fixed restore of keyfile after reencryption
When kiwi runs the reencryption it also restores an eventual
existing keyfile. However if the option rd.kiwi.oem.luks.reencrypt_randompass
is specified no former keyfile should be restored. The purpose
of reencrypt_randompass is to make sure only this in memory
passphrase can access the luks pool such that tooling at boot
time gets the opportunity to work with the luks pool for e.g.
setting up a TPM key or set a passphrase only known to the user.
- Update dracut kiwi-lib module setup
Make sure all tools used in code are requested for inclusion
- keep /usr/bin/sha256sum
dropping md5sum was okay, but now we need
the current tool to verify the checksum
- Restrict keyfile permissions
For reencrypt in combination with rd.kiwi.oem.luks.reencrypt_randompass
make sure that the temporary random pass keyfile has 0400 root
owned access permissions set
- package: Add kiwi-image:oci Provides to -systemdeps-containers
This allows the Open Build Service to correctly resolve dependencies
when building OCI images.
- Better logging which kiwi file is read
Improve the log message that tells about reading the
kiwi config file to actually show the file path that
is read in. This is especially an issue if more than
one kiwi file is read in during the build process.
- also keep the ts binary, might be needed to provide timestamped logfiles
- Update documentation
Add information about new apk (Alpine) support
- Add support for Alpine
Add apk repository and package manager support and provide
an integration test build for the Alpine distribution
- Fix F824 flake check for global assignments
- Use metalink repos for local test builds
- schema: Allow C as a valid locale
It should be permitted to set the "C.UTF-8" locale for minimal images
that are not preloaded with locales. The "C.UTF-8" locale has been
supported in Linux distributions for many years.
- Bump version: 10.2.15 → 10.2.16
- Support sourcetype setting on the commandline
Allow to specifiy the sourcetype(metalink|baseurl|mirrorlist)
also on the commandline via --set-repo/--add-repo options. So
far this was only possible as part of the kiwi description file
- Bump version: 10.2.14 → 10.2.15
- Fix gh-pages deployment
poetry install was not called, thus sphinx was not present
- Bump version: 10.2.13 → 10.2.14
- Drop use of travis-sphinx
According to the documentation of peaceiris/actions-gh-pages
the sphinx-build output can be directly consumed to publish
to github pages
- Allow stderr data in CommandProcess
Enhance poll_show_progress() method to allow polling on
stderr data too. The new parameter with_stderr is used
together with the dnf5 package manager. dnf5 has changed
in a way that a lot of useful information during the
install of packages is printed to stderr. From my perspective
a clear regression to former behavior but we can fix this
in kiwi to poll on both channels. This Fixes #2748
- Support arch attribute for <users> section
Allow to setup users per arch. This Fixes #2737
- Add Debian_12_update repo for testing with typer
Even though we will add support for the typer Cli with kiwi-11
I want our integration test images to be able to build with the
open PR #2751. Debian 12 is the only target in the support matrix
which uses a too old veryion of typer. Therefore to be able to
test this target I built a newer version of typer in an update
repo for Debian 12 and added it to the integration test
description
- Fixed python3_sitelib for debbuild in OBS
- Fixed test-image-agama
Service setup-systemd-proxy-env.path no longer exists
- Explicitly request shadow-utils
Make sure shadow-utils gets installed for rawhide
integration tests
- Drop test-image-suse-on-dnf test
This was just a "can this work" test but has no real
relevance for users since nobody would use dnf to build
a suse image, there is also no help when it does not
work. So let's drop this test build
- distutils sysconfig is deprecated
Move to sysconfig module
- Make integration tests to build outside of OBS
Update and extend all integration tests such that they also
build outside of the Open Build Service. Along with the changes
on the descriptions a simple build-tests.sh script was added
to drive the build process. The build is based on the kiwi
boxbuild plugin in container mode to build the tests
from a given build-tests directory. A new chapter to document
how to Build the Build Tests is also provided and referenced
on the github main page.
- Add rd.kiwi.oem.luks.reencrypt_randompass
For OEM LUKS2 encrypted disk images in combination
with rd.kiwi.oem.luks.reencrypt. Reset insecure built time
passphrase with a random onetime passphrase
- Bump version: 10.2.12 → 10.2.13
- Lookup CHRP loader instead of using a static name
On ppc the CHRP loader name can vary between distributions.
This commit adds a search method to lookup different ELF
loader names. In addition an integration test image for
Fedora was added. This Fixes #2741
- dracut
-
- Update to version 059+suse.639.g19f24feb:
* fix(dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819)
- Update to version 059+suse.637.g85a5109c:
* fix(rngd): adjust license to match the license of the whole project
* fix(dracut): kernel module name normalization in drivers lists (bsc#1241680)
* fix(dracut-init): assign real path to srcmods (bsc#1241114)
- glib2
-
- Add glib2-CVE-2025-4373.patch: carefully handle gssize parameters
(bsc#1242844 CVE-2025-4373 glgo#GNOME/glib#3677).
- Add glib2-CVE-2025-3360.patch:
Backport 8d60d7dc from upstream, Fix integer overflow when
parsing very long ISO8601 inputs. This will only happen with
invalid (or maliciously invalid) potential ISO8601 strings,
but `g_date_time_new_from_iso8601()` needs to be robust against
that.
(CVE-2025-3360, bsc#1240897)
- Have the glib2-tools postun trigger exit normally if
glib2-compile-schemas can't be run. Fixes error when uninstalling
if libgio is uninstalled first (bsc#1231463).
- glibc
-
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
debug env var for setuid for static (CVE-2025-4802, bsc#1243317)
- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
[#25847])
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- gpg2
-
- Security fix: [bsc#1236931, bsc#1239119, CVE-2025-30258]
* gpg: Fix regression for the recent malicious subkey DoS fix.
* gpg: Fix another regression due to the T7547 fix.
* gpg: Allow the use of an ADSK subkey as ADSK subkey.
* Add patches:
- gnupg-gpg-Fix-regression-for-the-recent-malicious-subkey-D.patch
- gnupg-gpg-Fix-another-regression-due-to-the-T7547-fix.patch
- gnupg-gpg-Allow-the-use-of-an-ADSK-subkey-as-ADSK-subkey.patch
- Don't install expired sks certificate [bsc#1243069]
* Add patch gnupg-dirmngr-Don-t-install-expired-sks-certificate.patch
- Fix a verification DoS due to a malicious subkey in the keyring: [bsc#1239119]
* Add patch gnupg-gpg-Fix-a-verification-DoS-due-to-a-malicious-subkey-in-the-keyring.patch
- gptfdisk
-
- fix boot failure with qcow and vmdk images (bsc#1242987)
* 0001-Do-not-check-for-writable-device-if-we-don-t-need-it.patch
- iputils
-
- Security fix [bsc#1243772, CVE-2025-48964]
* Fix integer overflow in ping statistics via zero timestamp
* Add iputils-CVE-2025-48964_01.patch
* Add iputils-CVE-2025-48964_02.patch
* Add iputils-CVE-2025-48964_03.patch
* Add iputils-CVE-2025-48964_regression.patch
- Fix bsc#1243284 - ping on s390x prints invalid ttl
* Add iputils-invalid-ttl-s390x.patch
* Fix ipv4 ttl value when using SOCK_DGRAM on big endian systems
- Security fix [bsc#1242300, CVE-2025-47268]
* integer overflow in RTT calculation can lead to undefined behavior
* Add iputils-CVE-2025-47268.patch
- kernel-source:kernel-default
-
- smb3: move server check earlier when setting channel sequence
number (git-fixes).
- commit df2adca
- ring-buffer: Do not allow events in NMI with generic atomic64
cmpxchg() (git-fixes).
- commit 890fc59
- module: Restore the moduleparam prefix length check (git-fixes).
- commit ad2fc48
- module: Remove unnecessary +1 from last_unloaded_module::name
size (git-fixes).
- commit 3efc8ab
- audit,module: restore audit logging in load failure case
(git-fixes).
- kABI: Fix the module::name type in audit_context (git-fixes).
- commit 7e23359
- module: Fix memory deallocation on error path in move_module()
(git-fixes).
- commit bb37d39
- SMB3: rename macro CIFS_SERVER_IS_CHAN to avoid confusion
(git-fixes).
- Refresh
patches.suse/smb-client-fix-use-after-free-of-signing-key.patch.
- commit ee8ada8
- smb: client: fix potential deadlock when reconnecting channels
(bsc#1246183, CVE-2025-38244).
- commit fcf601a
- cifs: reconnect helper should set reconnect for the right
channel (git-fixes).
- commit ae3173e
- [SMB3] send channel sequence number in SMB3 requests after
reconnects (git-fixes).
- commit baa81e9
- net: mana: Add debug logs in MANA network driver (bsc#1246212).
- Refresh
patches.suse/msft-hv-3280-net-mana-Add-support-for-Multi-Vports-on-Bare-metal.patch.
- commit 1b4ad82
- netlink: avoid infinite retry looping in netlink_unicast()
(CVE-2025-38465 bsc#1247118).
- net: mana: Set tx_packets to post gso processing packet count
(bsc#1245731).
- net: mana: Allocate MSI-X vectors dynamically (bsc#1245457).
- net: mana: Allow irq_setup() to skip cpus for affinity
(bsc#1245457).
- net: mana: explain irq_setup() algorithm (bsc#1245457).
- PCI: hv: Allow dynamic MSI-X vector allocation (bsc#1245457).
- PCI/MSI: Export pci_msix_prepare_desc() for dynamic MSI-X
allocations (bsc#1245457).
- net: mana: Add handler for hardware servicing events
(bsc#1245730).
- net: mana: Expose additional hardware counters for drop and
TC via ethtool (bsc#1245729).
- hv_netvsc: Use VF's tso_max_size value when data path is VF
(bsc#1246203).
- net: mana: Allow tso_max_size to go up-to GSO_MAX_SIZE
(bsc#1246203).
- commit bdd7f41
- NFS: Fix wakeup of __nfs_lookup_revalidate() in
unblock_revalidate() (git-fixes).
- commit 80e576f
- sched: Add test_and_clear_wake_up_bit() and
atomic_dec_and_wake_up() (git-fixes).
- commit 3754627
- drm/amdgpu: Add basic validation for RAS header (bsc#1247252 CVE-2025-38426)
- commit 5d23e74
- NFS: Fix the setting of capabilities when automounting a new
filesystem (git-fixes).
- commit fabe208
- sunrpc: fix client side handling of tls alerts (git-fixes).
- commit 4c093f3
- NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY
(git-fixes).
- commit fd58755
- NFSv4.2: another fix for listxattr (git-fixes).
- commit 5a2e576
- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
(git-fixes).
- commit 094541e
- pNFS/flexfiles: don't attempt pnfs on fatal DS errors
(git-fixes).
- commit ec1d884
- gpio: mlxbf2: use platform_get_irq_optional() (git-fixes).
- ALSA: hda/ca0132: Fix missing error handling in
ca0132_alt_select_out() (git-fixes).
- ALSA: intel_hdmi: Fix off-by-one error in
__hdmi_lpe_audio_probe() (git-fixes).
- commit 1750f05
- posix-cpu-timers: fix race between handle_posix_cpu_timers()
and posix_cpu_timer_del() (bsc#1246911 CVE-2025-38352).
- commit ab7e2c1
- tls: always refresh the queue when reading sock (CVE-2025-38471
bsc#1247450).
- ext4: only dirty folios when data journaling regular files
(CVE-2025-38220 bsc#1245966).
- commit 4468ab0
- net/sched: mqprio: fix stack out-of-bounds write in tc entry
parsing (git-fixes).
- commit 87e34c3
- net/packet: fix a race in packet_set_ring() and
packet_notifier() (git-fixes).
- commit caa5d02
- net/sched: taprio: enforce minimum value for picos_per_byte
(git-fixes).
- commit d33d37f
- ipv6: reject malicious packets in ipv6_gso_segment()
(git-fixes).
- commit e120573
- netpoll: prevent hanging NAPI when netcons gets enabled
(git-fixes).
- commit d8e3fe4
- tracing/kprobes: Fix to free objects when failed to copy a
symbol (git-fixes).
- commit a2d3373
- tracing/kprobe: Make trace_kprobe's module callback called
after jump_label update (git-fixes).
- commit 34ee7ea
- kABI fix for net: vlan: fix VLAN 0 refcount imbalance of
toggling (CVE-2025-38470 bsc#1247288).
- commit 00f8e79
- net: vlan: fix VLAN 0 refcount imbalance of toggling filtering
during runtime (CVE-2025-38470 bsc#1247288).
- net/sched: Abort __tc_modify_qdisc if parent class does not
exist (CVE-2025-38457 bsc#1247098).
- atm: clip: Fix potential null-ptr-deref in to_atmarpd()
(CVE-2025-38460 bsc#1247143).
- idpf: convert control queue mutex to a spinlock (CVE-2025-38392
bsc#1247169).
- commit 4f53008
- drm/amd/display: Don't overwrite dce60_clk_mgr (git-fixes).
- Revert "vgacon: Add check for vc_origin address range in
vgacon_scroll()" (stable-fixes).
- commit 6cc69eb
- exfat: fdatasync flag should be same like generic_write_sync()
(git-fixes).
- commit ec3f01f
- do_change_type(): refuse to operate on unmounted/not ours mounts (CVE-2025-38498 bsc#1247374)
- commit 545afad
- vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() (CVE-2024-56742 bsc#1235613)
- commit ff30550
- scsi: target: Fix NULL pointer dereference in
core_scsi3_decode_spec_i_port() (CVE-2025-38399 bsc#1247097).
- commit e689eaa
- RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes)
- commit 39fb4df
- drm/v3d: Disable interrupts before resetting the GPU
(CVE-2025-38371 bsc#1247178).
- commit 4160ac6
- btrfs: fix log tree replay failure due to file with 0 links
and extents (git-fixes).
- commit fd0c9dd
- netlink: make sure we allow at least one dump skb
(CVE-2025-38465 bsc#1247118).
- netlink: Fix rmem check in netlink_broadcast_deliver()
(CVE-2025-38465 bsc#1247118).
- netlink: Fix wraparounds of sk->sk_rmem_alloc (CVE-2025-38465
bsc#1247118).
- commit b3ac9f0
- Refresh
patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch.
Drop the static_assert() kABI checks temporarily until we have a proper
solution to signal kABI verification.
- commit d4817c8
- af_unix: Add a prompt to CONFIG_AF_UNIX_OOB (bsc#1246093).
- commit 9dcc611
- net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes).
- commit 3ed80f8
- kABI: restore layout of struct msi_desc (CVE-2025-38062
bsc#1245216).
- genirq/msi: Store the IOMMU IOVA directly in msi_desc instead
of iommu_cookie (CVE-2025-38062 bsc#1245216).
- commit 19502f4
- Delete
patches.suse/af_unix-Disable-MSG_OOB-for-unprivileged-users.patch.
- commit e99b1bb
- Update config files. (CVE-2025-38236 bsc#1246093)
Disable CONFIG_AF_UNIX_OOB as the implementation is ridden with security
bugs whose fixes would be hard to backport and the feature has no known
users.
- commit f8cd607
- Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch.
- Refresh
patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch.
Fix affected model steppings.
- commit 115d04b
- KVM: x86: Reset IRTE to host control if *new* route isn't
postable (bsc#1242960 CVE-2025-37885).
- commit b463fcd
- enabled CONFIG_X86_INTEL_TSX_MODE_AUTO
This is a response to bsc#1246695. As result of TAA vulnerability
(CVE-2019-11135) we have aimed to follow the upstream default for TSX
but due to a mistake we have ended up using CONFIG_X86_INTEL_TSX_MODE_ON
rather than CONFIG_X86_INTEL_TSX_MODE_OFF. This has been noticed later
on and fixed to align with upstream. Which has made some users unhappy
because they have lost a default TSX functionality even on HW that is
not susceptible to CVE-2019-11135.
We have discussed different ways to deal with that but the likely most
straightforward turned out to be to go with CONFIG_X86_INTEL_TSX_MODE_AUTO
which disables TSX only on CVE-2019-11135 affected HW. We are still
diverging from the upstream here but there are some positive indications
that no new TSX based side channels have been discovered since.
- commit 395c9dd
- tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes).
- commit 54261d2
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic
context in qfq_delete_class (git-fixes).
- commit cdfb027
- Refresh
patches.suse/af_unix-Disable-MSG_OOB-for-unprivileged-users.patch.
Print message upon disabled use.
- commit 31d5690
- Refresh
patches.suse/virtio-blk-scsi-use-block-layer-helpers-to-calculate.patch.
- commit 773f5a0
- Rename to
patches.suse/scsi-use-block-layer-helpers-to-calculate-num-of-que.patch.
- commit dd839b8
- Refresh
patches.suse/nvme-pci-use-block-layer-helpers-to-calculate-num-of.patch.
- commit e114e47
- Refresh
patches.suse/blk-mq-add-number-of-queue-calc-helper.patch.
- commit db4fa45
- Rename to
patches.suse/lib-group_cpus-Let-group_cpu_evenly-return-the-numbe.patch.
Refresh:
- patches.kabi/kabi-fix-group-cpus-evenly.patch
- patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping.patch
- commit ca07a82
- btrfs: tests: fix chunk map leak after failure to add it to
the tree (git-fixes).
- commit 4c3fd9d
- lib/group_cpus: fix NULL pointer dereference from
group_cpus_evenly() (bsc#1236897).
- lib/group_cpus.c: avoid acquiring cpu hotplug lock in
group_cpus_evenly (bsc#1236897).
- commit 749ceff
- btrfs: fix ssd_spread overallocation (git-fixes).
- commit 760f402
- btrfs: use btrfs_record_snapshot_destroy() during rmdir
(git-fixes).
- commit 05219d1
- btrfs: propagate last_unlink_trans earlier when doing a rmdir
(git-fixes).
- btrfs: rename err to ret in btrfs_rmdir() (git-fixes).
- commit 6fea6c3
- btrfs: don't skip remaining extrefs if dir not found during
log replay (git-fixes).
- commit ae66e11
- btrfs: don't ignore inode missing when replaying log tree
(git-fixes).
- commit 87671c8
- btrfs: fix inode lookup error handling during log replay
(git-fixes).
- commit a89d2a6
- nvmet-tcp: fix callback lock for TLS handshake (git-fixes).
- nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes).
- nvme: fix endianness of command word prints in
nvme_log_err_passthru() (git-fixes).
- nvme: fix inconsistent RCU list manipulation in
nvme_ns_add_to_ctrl_list() (git-fixes).
- commit bbf2481
- RDMA/core: Rate limit GID cache warning messages (git-fixes)
- commit fd0e41a
- kernel-syms.spec: Drop old rpm release number hack (bsc#1247172).
- commit b4fa2d1
- rtc: rv3028: fix incorrect maximum clock rate handling
(git-fixes).
- rtc: pcf8563: fix incorrect maximum clock rate handling
(git-fixes).
- rtc: pcf85063: fix incorrect maximum clock rate handling
(git-fixes).
- rtc: nct3018y: fix incorrect maximum clock rate handling
(git-fixes).
- rtc: hym8563: fix incorrect maximum clock rate handling
(git-fixes).
- rtc: ds1307: fix incorrect maximum clock rate handling
(git-fixes).
- ucount: fix atomic_long_inc_below() argument type (git-fixes).
- i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes).
- commit e466472
- pinmux: fix race causing mux_owner NULL with active mux_usecount
(git-fixes).
- pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes).
- fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
(git-fixes).
- firewire: ohci: correct code comments about bus_reset tasklet
(git-fixes).
- commit fd1a6ae
- PCI: rockchip-host: Fix "Unexpected Completion" log message
(git-fixes).
- PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem
attribute (git-fixes).
- PCI: endpoint: pci-epf-vntb: Return -ENOENT if
pci_epc_get_next_free_bar() fails (git-fixes).
- PCI: endpoint: Fix configfs group removal on driver teardown
(git-fixes).
- PCI: endpoint: Fix configfs group list head handling
(git-fixes).
- watchdog: ziirave_wdt: check record length in
ziirave_firm_verify() (git-fixes).
- dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes).
- dmaengine: mv_xor: Fix missing check after DMA map and missing
unmap (git-fixes).
- dmaengine: qcom: gpi: Drop unused gpi_write_reg_field()
(git-fixes).
- dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev()
(git-fixes).
- ASoC: fsl_xcvr: get channel status data when PHY is not exists
(git-fixes).
- soundwire: stream: restore params when prepare ports fail
(git-fixes).
- power: supply: max14577: Handle NULL pdata when CONFIG_OF is
not set (git-fixes).
- power: supply: cpcap-charger: Fix null check for
power_supply_get_by_name (git-fixes).
- ALSA: hda/realtek - Add mute LED support for HP Pavilion
15-eg0xxx (stable-fixes).
- can: netlink: can_changelink(): fix NULL pointer deref of
struct can_priv::do_set_mode (git-fixes).
- ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes).
- usb: typec: tcpm: apply vbus before data bringup in
tcpm_src_attach (git-fixes).
- usb: typec: tcpm: allow switching to mode accessory to mux
properly (stable-fixes).
- usb: typec: tcpm: allow to use sink in accessory mode
(stable-fixes).
- ALSA: hda/tegra: Add Tegra264 support (stable-fixes).
- can: dev: can_restart(): move debug message and stats after
successful restart (stable-fixes).
- can: dev: can_restart(): reverse logic to remove need for goto
(stable-fixes).
- commit 0f0c0d9
- btrfs: don't silently ignore unexpected extent type when
replaying log (git-fixes).
- commit e423498
- btrfs: fix invalid inode pointer dereferences during log replay
(git-fixes).
- commit 78cbba9
- btrfs: return a btrfs_inode from read_one_inode() (git-fixes).
- commit b3a9472
- iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes).
- iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes).
- commit f8c05a9
- btrfs: return a btrfs_inode from btrfs_iget_logging()
(git-fixes).
- commit 88ed97b
- btrfs: use NOFS context when getting inodes during logging
and log replay (git-fixes).
- commit 88eb1d5
- virtio-net: ensure the received length does not exceed allocated
size (CVE-2025-38375 bsc#1247177).
- commit 2adf745
- btrfs: update superblock's device bytes_used when dropping chunk
(git-fixes).
- commit e33076b
- Update
patches.suse/0001-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch
(bsc#1245431 CVE-2025-38085 bsc#1245499).
- Update
patches.suse/0001-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch
(bsc#1245431 CVE-2025-38084 bsc#1245498).
- Update
patches.suse/ACPI-CPPC-Fix-NULL-pointer-dereference-when-nosmp-is.patch
(git-fixes CVE-2025-38113 bsc#1245683).
- Update
patches.suse/ACPICA-Refuse-to-evaluate-a-method-if-arguments-are-.patch
(stable-fixes CVE-2025-38386 bsc#1247138).
- Update
patches.suse/ACPICA-fix-acpi-operand-cache-leak-in-dswstate.c.patch
(stable-fixes CVE-2025-38345 bsc#1246337).
- Update
patches.suse/ACPICA-fix-acpi-parse-and-parseext-cache-leaks.patch
(stable-fixes CVE-2025-38344 bsc#1246334).
- Update
patches.suse/ALSA-usb-audio-Fix-out-of-bounds-read-in-snd_usb_get.patch
(git-fixes CVE-2025-38249 bsc#1246171).
- Update
patches.suse/ASoC-Intel-avs-Verify-content-returned-by-parse_int_.patch
(git-fixes CVE-2025-38307 bsc#1246364).
- Update
patches.suse/ASoC-codecs-wcd9335-Fix-missing-free-of-regulator-su.patch
(git-fixes CVE-2025-38259 bsc#1246220).
- Update
patches.suse/Bluetooth-Fix-NULL-pointer-deference-on-eir_get_serv.patch
(git-fixes CVE-2025-38304 bsc#1246240).
- Update
patches.suse/Bluetooth-Fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch
(git-fixes CVE-2025-38473 bsc#1247289).
- Update
patches.suse/Bluetooth-MGMT-Fix-UAF-on-mgmt_remove_adv_monitor_co.patch
(git-fixes CVE-2025-38118 bsc#1245670).
- Update
patches.suse/HID-core-do-not-bypass-hid_hw_raw_request.patch
(stable-fixes CVE-2025-38494 bsc#1247349).
- Update
patches.suse/HID-core-ensure-the-allocated-report-buffer-can-cont.patch
(stable-fixes CVE-2025-38495 bsc#1247348).
- Update
patches.suse/IB-mlx5-Fix-potential-deadlock-in-MR-deregistration.patch
(git-fixes CVE-2025-38373 bsc#1247033).
- Update
patches.suse/Input-ims-pcu-check-record-size-in-ims_pcu_flash_fir.patch
(git-fixes CVE-2025-38428 bsc#1247150).
- Update
patches.suse/NFC-nci-uart-Set-tty-disc_data-only-in-success-path.patch
(git-fixes CVE-2025-38416 bsc#1247151).
- Update
patches.suse/NFSv4-pNFS-Fix-a-race-to-wake-on-NFS_LAYOUT_DRAIN.patch
(git-fixes CVE-2025-38393 bsc#1247170).
- Update
patches.suse/RDMA-cma-Fix-hang-when-cma_netevent_callback-fails-t.patch
(git-fixes CVE-2025-38151 bsc#1245745).
- Update
patches.suse/RDMA-iwcm-Fix-use-after-free-of-work-objects-after-c.patch
(git-fixes CVE-2025-38211 bsc#1246008).
- Update
patches.suse/RDMA-mlx5-Fix-error-flow-upon-firmware-failure-for-R.patch
(git-fixes CVE-2025-38161 bsc#1245777).
- Update
patches.suse/RDMA-mlx5-Initialize-obj_event-obj_sub_list-before-x.patch
(git-fixes CVE-2025-38387 bsc#1247154).
- Update
patches.suse/Squashfs-check-return-result-of-sb_min_blocksize.patch
(git-fixes CVE-2025-38415 bsc#1247147).
- Update
patches.suse/VMCI-fix-race-between-vmci_host_setup_notify-and-vmc.patch
(git-fixes CVE-2025-38102 bsc#1245669).
- Update
patches.suse/aoe-clean-device-rq_list-in-aoedev_downdev.patch
(git-fixes CVE-2025-38326 bsc#1246490).
- Update
patches.suse/ata-pata_via-Force-PIO-for-ATAPI-devices-on-VT6415-V.patch
(stable-fixes CVE-2025-38336 bsc#1246370).
- Update
patches.suse/backlight-pm8941-Add-NULL-check-in-wled_configure.patch
(git-fixes CVE-2025-38143 bsc#1245714).
- Update patches.suse/bnxt-properly-flush-XDP-redirect-lists.patch
(git-fixes CVE-2025-38246 bsc#1246195).
- Update
patches.suse/bpf-sockmap-Fix-panic-when-calling-skb_linearize.patch
(bsc#1245749 CVE-2025-38154 CVE-2025-38165 bsc#1245757).
- Update patches.suse/bus-fsl-mc-fix-double-free-on-mc_dev.patch
(git-fixes CVE-2025-38313 bsc#1246342).
- Update
patches.suse/calipso-Fix-null-ptr-deref-in-calipso_req_-set-del-a.patch
(git-fixes CVE-2025-38181 bsc#1246000).
- Update
patches.suse/comedi-Fail-COMEDI_INSNLIST-ioctl-if-n_insns-is-too-.patch
(git-fixes CVE-2025-38481 bsc#1247276).
- Update
patches.suse/comedi-Fix-initialization-of-data-for-instructions-t.patch
(git-fixes CVE-2025-38478 bsc#1247273).
- Update
patches.suse/comedi-Fix-use-of-uninitialized-data-in-insn_rw_emul.patch
(git-fixes CVE-2025-38480 bsc#1247274).
- Update
patches.suse/comedi-das16m1-Fix-bit-shift-out-of-bounds.patch
(git-fixes CVE-2025-38483 bsc#1247278).
- Update
patches.suse/comedi-das6402-Fix-bit-shift-out-of-bounds.patch
(git-fixes CVE-2025-38482 bsc#1247277).
- Update
patches.suse/crypto-marvell-cesa-Handle-zero-length-skcipher-requ.patch
(git-fixes CVE-2025-38173 bsc#1245769).
- Update
patches.suse/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch
(git-fixes CVE-2025-38300 bsc#1246349).
- Update patches.suse/dm-bufio-fix-sched-in-atomic-context.patch
(git-fixes CVE-2025-38496 bsc#1247284).
- Update
patches.suse/dma-buf-insert-memory-barrier-before-updating-num_fe.patch
(git-fixes CVE-2025-38095 bsc#1245658).
- Update
patches.suse/dmaengine-idxd-Check-availability-of-workqueue-alloc.patch
(stable-fixes CVE-2025-38369 bsc#1247209).
- Update
patches.suse/dmaengine-ti-Add-NULL-check-in-udma_probe.patch
(git-fixes CVE-2025-38138 bsc#1245719).
- Update
patches.suse/drivers-rapidio-rio_cm.c-prevent-possible-heap-overw.patch
(stable-fixes CVE-2025-38090 bsc#1245510).
- Update
patches.suse/drm-amd-display-Add-null-pointer-check-for-get_first.patch
(git-fixes CVE-2025-38362 bsc#1247089).
- Update
patches.suse/drm-amd-pp-Fix-potential-NULL-pointer-dereference-in.patch
(git-fixes CVE-2025-38319 bsc#1246243).
- Update
patches.suse/drm-exynos-exynos7_drm_decon-add-vblank-check-in-IRQ.patch
(git-fixes CVE-2025-38467 bsc#1247146).
- Update
patches.suse/drm-gem-Acquire-references-on-GEM-handles-for-frameb.patch
(stable-fixes CVE-2025-38449 bsc#1247255).
- Update
patches.suse/drm-i915-gt-Fix-timeline-left-held-on-VMA-alloc-erro.patch
(git-fixes CVE-2025-38389 bsc#1247153).
- Update
patches.suse/drm-msm-Fix-a-fence-leak-in-submit-error-path.patch
(stable-fixes CVE-2025-38410 bsc#1247128).
- Update
patches.suse/drm-msm-Fix-another-leak-in-the-submit-error-path.patch
(stable-fixes CVE-2025-38409 bsc#1247285).
- Update
patches.suse/drm-msm-gpu-Fix-crash-when-throttling-GPU-immediatel.patch
(git-fixes CVE-2025-38354 bsc#1247061).
- Update
patches.suse/drm-scheduler-signal-scheduled-fence-when-kill-job.patch
(stable-fixes CVE-2025-38436 bsc#1247227).
- Update
patches.suse/drm-tegra-Fix-a-possible-null-pointer-dereference.patch
(git-fixes CVE-2025-38363 bsc#1247018).
- Update
patches.suse/fbcon-Make-sure-modelist-not-set-on-unregistered-con.patch
(stable-fixes CVE-2025-38198 bsc#1245952).
- Update
patches.suse/fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch
(git-fixes CVE-2025-38215 bsc#1246109).
- Update
patches.suse/fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch
(git-fixes CVE-2025-38214 bsc#1246042).
- Update
patches.suse/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch
(git-fixes CVE-2025-38312 bsc#1246386).
- Update
patches.suse/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch
(git-fixes CVE-2025-38338 bsc#1246258).
- Update
patches.suse/gve-add-missing-NULL-check-for-gve_alloc_pending_pac.patch
(git-fixes CVE-2025-38122 bsc#1245746).
- Update
patches.suse/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch
(git-fixes CVE-2025-38142 bsc#1245713).
- Update
patches.suse/hwmon-ftsteutates-Fix-TOCTOU-race-in-fts_read.patch
(git-fixes CVE-2025-38217 bsc#1246002).
- Update
patches.suse/i2c-designware-Fix-an-initialization-issue.patch
(git-fixes CVE-2025-38380 bsc#1247028).
- Update
patches.suse/i2c-tegra-check-msg-length-in-SMBUS-block-read.patch
(bsc#1242086 CVE-2025-38425 bsc#1247251).
- Update
patches.suse/ice-fix-Tx-scheduler-error-handling-in-XDP-callback.patch
(git-fixes CVE-2025-38127 bsc#1245705).
- Update
patches.suse/iio-accel-fxls8962af-Fix-use-after-free-in-fxls8962a.patch
(git-fixes CVE-2025-38485 bsc#1247236).
- Update
patches.suse/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch
(git-fixes CVE-2025-38328 bsc#1246249).
- Update
patches.suse/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch
(git-fixes CVE-2025-38194 bsc#1245957).
- Update
patches.suse/media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch
(git-fixes CVE-2025-38229 bsc#1246049).
- Update
patches.suse/media-imx-jpeg-Cleanup-after-an-allocation-error.patch
(git-fixes CVE-2025-38225 bsc#1246041).
- Update
patches.suse/media-vidtv-Terminating-the-subsequent-process-of-in.patch
(git-fixes CVE-2025-38227 bsc#1246031).
- Update
patches.suse/media-vivid-Change-the-siize-of-the-composing.patch
(git-fixes CVE-2025-38226 bsc#1246050).
- Update
patches.suse/mtd-nand-ecc-mxic-Fix-use-of-uninitialized-variable-.patch
(git-fixes CVE-2025-38277 bsc#1246246).
- Update
patches.suse/mtd-spinand-fix-memory-leak-of-ECC-engine-conf.patch
(stable-fixes CVE-2025-38384 bsc#1247035).
- Update
patches.suse/mtk-sd-Prevent-memory-corruption-from-DMA-map-failur.patch
(git-fixes CVE-2025-38401 bsc#1247125).
- Update
patches.suse/nbd-fix-uaf-in-nbd_genl_connect-error-path.patch
(git-fixes CVE-2025-38443 bsc#1247164).
- Update patches.suse/net-Fix-TOCTOU-issue-in-sk_is_readable.patch
(git-fixes CVE-2025-38112 bsc#1245668).
- Update
patches.suse/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch
(git-fixes CVE-2025-38124 bsc#1245690).
- Update
patches.suse/net-mdiobus-Fix-potential-out-of-bounds-clause-45-re.patch
(git-fixes CVE-2025-38110 bsc#1245665).
- Update
patches.suse/net-mdiobus-Fix-potential-out-of-bounds-read-write-a.patch
(git-fixes CVE-2025-38111 bsc#1245666).
- Update
patches.suse/net-mlx5-Fix-ECVF-vports-unload-on-shutdown-flow.patch
(git-fixes CVE-2025-38109 bsc#1245684).
- Update
patches.suse/net-phy-clear-phydev-devlink-when-the-link-is-delete.patch
(git-fixes CVE-2025-38149 bsc#1245737).
- Update
patches.suse/net-phy-mscc-Fix-memory-leak-when-using-one-step-tim.patch
(git-fixes CVE-2025-38148 bsc#1245735).
- Update
patches.suse/net-sched-Return-NULL-when-htb_lookup_leaf-encounter.patch
(git-fixes CVE-2025-38468 bsc#1247437).
- Update
patches.suse/net-sched-fix-use-after-free-in-taprio_dev_notifier.patch
(git-fixes CVE-2025-38087 bsc#1245504).
- Update
patches.suse/net-sched-sch_qfq-Fix-race-condition-on-qfq_aggregat.patch
(git-fixes CVE-2025-38477 bsc#1247314).
- Update
patches.suse/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch
(CVE-2025-38052 bsc#1244749 CVE-2025-38273 bsc#1246266).
- Update
patches.suse/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch
(git-fixes CVE-2025-38153 bsc#1245744).
- Update
patches.suse/net-usb-lan78xx-fix-WARN-in-__netif_napi_del_locked-.patch
(git-fixes CVE-2025-38385 bsc#1247149).
- Update patches.suse/net-wwan-t7xx-Fix-napi-rx-poll-issue.patch
(git-fixes CVE-2025-38123 bsc#1245688).
- Update
patches.suse/net_sched-ets-fix-a-race-in-ets_qdisc_change.patch
(git-fixes CVE-2025-38107 bsc#1245676).
- Update
patches.suse/net_sched-red-fix-a-race-in-__red_change.patch
(git-fixes CVE-2025-38108 bsc#1245675).
- Update
patches.suse/net_sched-sch_sfq-reject-invalid-perturb-period.patch
(git-fixes CVE-2025-38193 bsc#1245945).
- Update
patches.suse/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch
(git-fixes CVE-2024-57947 bsc#1236333 CVE-2025-38120
bsc#1245711).
- Update
patches.suse/nfs-Clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_init-fails.patch
(git-fixes CVE-2025-38400 bsc#1247123).
- Update
patches.suse/nfsd-Initialize-ssc-before-laundromat_work-to-prevent-NULL-dereference.patch
(git-fixes CVE-2025-38231 bsc#1246055).
- Update
patches.suse/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
(git-fixes CVE-2025-38430 bsc#1247160).
- Update
patches.suse/page_pool-Fix-use-after-free-in-page_pool_recycle_in.patch
(git-fixes CVE-2025-38129 bsc#1245723).
- Update patches.suse/perf-Fix-sample-vs-do_exit.patch
(bsc#1246547 CVE-2025-38424 bsc#1247293).
- Update
patches.suse/phy-qcom-qmp-usb-Fix-an-NULL-vs-IS_ERR-bug.patch
(git-fixes CVE-2025-38275 bsc#1246236).
- Update
patches.suse/pinctrl-at91-Fix-possible-out-of-boundary-access.patch
(git-fixes CVE-2025-38286 bsc#1246283).
- Update
patches.suse/platform-x86-dell-wmi-sysman-Fix-WMI-data-block-retr.patch
(git-fixes CVE-2025-38412 bsc#1247132).
- Update patches.suse/platform-x86-dell_rbu-Fix-list-usage.patch
(git-fixes CVE-2025-38197 bsc#1246047).
- Update
patches.suse/powerpc-powernv-memtrace-Fix-out-of-bounds-issue-in-.patch
(bsc#1244309 ltc#213790 CVE-2025-38088 bsc#1245506).
- Update
patches.suse/ptp-remove-ptp-n_vclocks-check-logic-in-ptp_vclock_i.patch
(git-fixes CVE-2025-38305 bsc#1246358).
- Update
patches.suse/regulator-gpio-Fix-the-out-of-bounds-access-to-drvda.patch
(git-fixes CVE-2025-38395 bsc#1247171).
- Update
patches.suse/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch
(git-fixes CVE-2025-38377 bsc#1247174).
- Update
patches.suse/rpl-Fix-use-after-free-in-rpl_do_srh_inline.patch
(git-fixes CVE-2025-38476 bsc#1247317).
- Update
patches.suse/s390-bpf-Fix-bpf_arch_text_poke-with-new_addr-NULL-again.patch
(git-fixes bsc#1246870 CVE-2025-38489 bsc#1247241).
- Update
patches.suse/s390-pkey-Prevent-overflow-in-size-calculation-for-memdup_.patch
(git-fixes bsc#1245598 CVE-2025-38257 bsc#1246186).
- Update
patches.suse/sch_hfsc-make-hfsc_qlen_notify-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-38177 bsc#1245986).
- Update
patches.suse/scsi-lpfc-Avoid-potential-ndlp-use-after-free-in-dev.patch
(bsc#1242993 CVE-2025-38289 bsc#1246287).
- Update patches.suse/scsi-lpfc-Use-memcpy-for-BIOS-version.patch
(bsc#1240966 CVE-2025-38332 bsc#1246375).
- Update
patches.suse/serial-Fix-potential-null-ptr-deref-in-mlb_usio_prob.patch
(git-fixes CVE-2025-38135 bsc#1246023).
- Update
patches.suse/soc-aspeed-Add-NULL-check-in-aspeed_lpc_enable_snoop.patch
(git-fixes CVE-2025-38145 bsc#1245765).
- Update
patches.suse/soc-aspeed-lpc-snoop-Don-t-disable-channels-that-are.patch
(git-fixes CVE-2025-38487 bsc#1247238).
- Update
patches.suse/software-node-Correct-a-OOB-check-in-software_node_g.patch
(stable-fixes CVE-2025-38342 bsc#1246453).
- Update
patches.suse/sunrpc-handle-SVC_GARBAGE-during-svc-auth-processing-as-auth-error.patch
(git-fixes CVE-2025-38089 bsc#1245508).
- Update
patches.suse/thunderbolt-Do-not-double-dequeue-a-configuration-re.patch
(stable-fixes CVE-2025-38174 bsc#1245781).
- Update
patches.suse/usb-chipidea-udc-disconnect-reconnect-from-host-when.patch
(git-fixes CVE-2025-38376 bsc#1247176).
- Update
patches.suse/usb-gadget-u_serial-Fix-race-condition-in-TTY-wakeup.patch
(git-fixes CVE-2025-38448 bsc#1247233).
- Update
patches.suse/usb-net-sierra-check-for-no-status-endpoint.patch
(git-fixes CVE-2025-38474 bsc#1247311).
- Update
patches.suse/usb-renesas_usbhs-Reorder-clock-handling-and-power-m.patch
(git-fixes CVE-2025-38136 bsc#1245691).
- Update
patches.suse/usb-typec-altmodes-displayport-do-not-index-invalid-.patch
(git-fixes CVE-2025-38391 bsc#1247181).
- Update
patches.suse/usb-typec-displayport-Fix-potential-deadlock.patch
(git-fixes CVE-2025-38404 bsc#1247271).
- Update
patches.suse/vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch
(git-fixes CVE-2025-38213 bsc#1246037).
- Update
patches.suse/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch
(git-fixes CVE-2025-38293 bsc#1246292).
- Update
patches.suse/wifi-ath12k-fix-invalid-access-to-memory.patch
(git-fixes CVE-2025-38292 bsc#1246295).
- Update
patches.suse/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch
(git-fixes CVE-2025-38290 bsc#1246293).
- Update
patches.suse/wifi-ath6kl-remove-WARN-on-bad-firmware-input.patch
(stable-fixes CVE-2025-38406 bsc#1247210).
- Update
patches.suse/wifi-ath9k_htc-Abort-software-beacon-handling-if-dis.patch
(git-fixes CVE-2025-38157 bsc#1245747).
- Update
patches.suse/wifi-carl9170-do-not-ping-device-which-has-failed-to.patch
(git-fixes CVE-2025-38420 bsc#1247279).
- Update
patches.suse/wifi-mt76-mt7915-Fix-null-ptr-deref-in-mt7915_mmio_w.patch
(git-fixes CVE-2025-38155 bsc#1245748).
- Update
patches.suse/wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch
(stable-fixes CVE-2025-38343 bsc#1246438).
- Update
patches.suse/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_re.patch
(git-fixes CVE-2025-38348 bsc#1246262).
- Update
patches.suse/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch
(git-fixes CVE-2025-38159 bsc#1245751).
- commit de345c9
- Revert "cgroup_freezer: cgroup_freezing: Check if not frozen"
(bsc#1219338).
- sched,freezer: Remove unnecessary warning in __thaw_task
(bsc#1219338).
- commit 108588a
- ipv6: fix possible infinite loop in fib6_info_uses_dev()
(git-fixes).
- commit 16f1f6e
- ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes).
- commit cb535e8
- net/sched: Restrict conditions for adding duplicating netems
to qdisc tree (git-fixes).
- commit 6fae648
- Refresh
patches.suse/af_unix-Disable-MSG_OOB-for-unprivileged-users.patch.
Add cmdline override.
- commit 4b6e594
- af_unix: Disable MSG_OOB for unprivileged users (CVE-2025-38236
bsc#1246093).
- commit 6110a63
- fs/orangefs: Allow 2 more characters in do_c_string()
(git-fixes).
- commit 642fa26
- jfs: fix metapage reference count leak in dbAllocCtl
(git-fixes).
- commit 58c926b
- x86/mce/amd: Fix threshold limit reset (git-fixes).
- commit 468e2ae
- bus: mhi: ep: Update read pointer only after buffer is written
(CVE-2025-38429 bsc#1247253).
- commit 3341565
- x86/mce: Don't remove sysfs if thresholding sysfs init fails (git-fixes).
- commit 3d8385a
- x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes).
- commit fe9eb0f
- x86/mce/amd: Add default names for MCA banks and blocks (git-fixes).
- commit 27f7700
- x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes).
- commit 80ddfd8
- media: venus: vdec: Clamp param smaller than 1fps and bigger
than 240 (git-fixes).
- commit 1212a93
- x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes).
- commit 2d80ddf
- mtd: rawnand: atmel: set pmecc data setup time (git-fixes).
- mtd: spinand: propagate spinand_wait() errors from
spinand_write_page() (git-fixes).
- mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes).
- mtd: rawnand: rockchip: Add missing check after DMA map
(git-fixes).
- mtd: rawnand: atmel: Fix dma_mapping_error() address
(git-fixes).
- mtd: rawnand: renesas: Add missing check after DMA map
(git-fixes).
- mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes).
- mtd: fix possible integer overflow in erase_xfer() (git-fixes).
- clk: sunxi-ng: v3s: Fix de clock definition (git-fixes).
- clk: clk-axi-clkgen: fix fpfd_max frequency for zynq
(git-fixes).
- clk: xilinx: vcu: unregister pll_post only if registered
correctly (git-fixes).
- clk: davinci: Add NULL check in davinci_lpsc_clk_register()
(git-fixes).
- hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
(git-fixes).
- pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes).
- media: uvcvideo: Do not mark valid metadata as invalid
(git-fixes).
- media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes).
- media: hi556: correct the test pattern configuration
(git-fixes).
- media: vivid: fix wrong pixel_array control size (git-fixes).
- media: venus: hfi: explicitly release IRQ during teardown
(git-fixes).
- media: venus: Add a check for packet size after reading from
shared memory (git-fixes).
- media: venus: protect against spurious interrupts during probe
(git-fixes).
- media: venus: venc: Clamp param smaller than 1fps and bigger
than 240 (git-fixes).
- media: v4l2-ctrls: Don't reset handler's error in
v4l2_ctrl_handler_free() (git-fixes).
- media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check
(git-fixes).
- media: imx: fix a potential memory leak in
imx_media_csc_scaler_device_init() (git-fixes).
- media: rainshadow-cec: fix TOCTOU race condition in
rain_interrupt() (git-fixes).
- media: gspca: Add bounds checking to firmware parser
(git-fixes).
- media: usbtv: Lock resolution while streaming (git-fixes).
- media: uvcvideo: Fix 1-byte out-of-bounds read in
uvc_parse_format() (git-fixes).
- crypto: qat - fix seq_file position update in adf_ring_next()
(git-fixes).
- crypto: qat - fix DMA direction for compression on GEN2 devices
(git-fixes).
- crypto: qat - flush misc workqueue during device shutdown
(git-fixes).
- crypto: qat - disable ZUC-256 capability for QAT GEN5
(git-fixes).
- crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes).
- hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes).
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko
(git-fixes).
- crypto: inside-secure - Fix `dma_unmap_sg()` nents value
(git-fixes).
- crypto: ccp - Fix locking on alloc failure handling (git-fixes).
- crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes).
- crypto: qat - fix state restore for banks with exceptions
(git-fixes).
- crypto: qat - allow enabling VFs in the absence of IOMMU
(git-fixes).
- crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes).
- crypto: qat - use unmanaged allocation for dc_data (git-fixes).
- crypto: sun8i-ce - fix nents passed to dma_unmap_sg()
(git-fixes).
- commit 8f3fb2a
- Move upstreamed SCSI and ACPI patches into sorted section
- commit 09d9d7c
- RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes)
- commit ced3c6d
- Update config files.
run_oldconfig, no functional change.
- commit 0b6044b
- RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes)
- commit dce79bd
- RDMA/hns: Fix -Wframe-larger-than issue (git-fixes)
- commit 90a067b
- RDMA/hns: Drop GFP_NOWARN (git-fixes)
- commit 927f6d6
- RDMA/hns: Fix accessing uninitialized resources (git-fixes)
- commit c1be2f8
- RDMA/hns: Get message length of ack_req from FW (git-fixes)
- commit 2e9a431
- RDMA/hns: Fix HW configurations not cleared in error flow (git-fixes)
- commit ba6e757
- RDMA/hns: Fix double destruction of rsv_qp (git-fixes)
- commit 0d7fee3
- Fix dma_unmap_sg() nents value (git-fixes)
- commit 89d1cb0
- RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes)
- commit c5238e7
- RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes)
- commit 0d7ab5b
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes)
- commit c162c8c
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes)
- commit 3292115
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes)
- commit 90f88d3
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes)
- commit a812e80
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes)
- commit 9dcd5e1
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes)
- commit eaff4b0
- vsock: Fix transport_{g2h,h2g} TOCTOU (CVE-2025-38462
bsc#1247104).
- commit f5da768
- tcp: Correct signedness in skb remaining space calculation
(CVE-2025-38463 bsc#1247113).
- net/sched: Always pass notifications when child class becomes
empty (CVE-2025-38350 bsc#1246781).
- maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate()
(CVE-2025-38364 bsc#1247091).
- commit 7390872
- x86: UV RTC: Add parameter to disable RTC clocksource
(bsc#1241345).
- commit 79ccdce
- clocksource: Set cs_watchdog_read() checks based on
.uncertainty_margin (bsc#1241345 bsc#1244457).
- commit 09911af
- clocksource: Scale the watchdog read retries automatically
(bsc#1241345 bsc#1244457).
- Refresh
patches.suse/clocksource-Fix-brown-bag-boolean-thinko-in-cs_watch.patch.
- Refresh
patches.suse/clocksource-Make-watchdog-and-suspend-timing-multipl.patch.
- commit fdf040b
- wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()
(git-fixes).
- wifi: iwlwifi: return ERR_PTR from opmode start()
(stable-fixes).
- commit bb4c593
- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and
value (git-fixes).
- fbcon: Fix outdated registered_fb reference in comment
(git-fixes).
- drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes).
- drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel
(git-fixes).
- drm/panfrost: Fix panfrost device variable name in devfreq
(git-fixes).
- drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
(git-fixes).
- can: peak_usb: fix USB FD devices potential malfunction
(git-fixes).
- net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes).
- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event
(git-fixes).
- can: kvaser_usb: Assign netdev.dev_port based on device channel
index (git-fixes).
- can: kvaser_pciefd: Store device channel index (git-fixes).
- Bluetooth: hci_event: Mask data status from LE ext adv reports
(git-fixes).
- wifi: ath12k: fix endianness handling while accessing wmi
service bit (git-fixes).
- wifi: ath11k: fix sleeping-in-atomic in
ath11k_mac_op_set_bitrate_mask() (git-fixes).
- wifi: ath12k: fix dest ring-buffer corruption when ring is full
(git-fixes).
- wifi: ath12k: fix source ring-buffer corruption (git-fixes).
- wifi: ath12k: fix dest ring-buffer corruption (git-fixes).
- wifi: ath11k: fix dest ring-buffer corruption when ring is full
(git-fixes).
- wifi: ath11k: fix source ring-buffer corruption (git-fixes).
- wifi: ath11k: fix dest ring-buffer corruption (git-fixes).
- wifi: ath11k: fix suspend use-after-free after probe failure
(git-fixes).
- wifi: ath11k: clear initialized flag for deinit-ed srng lists
(git-fixes).
- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to
missing P2P IE (git-fixes).
- Reapply "wifi: mac80211: Update skb's control block key in
ieee80211_tx_dequeue()" (git-fixes).
- wifi: mac80211: Check 802.11 encaps offloading in
ieee80211_tx_h_select_key() (git-fixes).
- wifi: mac80211: Don't call fq_flow_idx() for management frames
(git-fixes).
- wifi: mac80211: Do not schedule stopped TXQs (git-fixes).
- wifi: plfxlc: Fix error handling in usb driver probe
(git-fixes).
- wifi: mac80211: reject TDLS operations when station is not
associated (git-fixes).
- wifi: brcmsmac: Remove const from tbl_ptr parameter in
wlc_lcnphy_common_read_table() (git-fixes).
- mwl8k: Add missing check after DMA map (git-fixes).
- iwlwifi: Add missing check for alloc_ordered_workqueue
(git-fixes).
- wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes).
- wifi: rtl818x: Kill URBs before clearing tx status queue
(git-fixes).
- wifi: rtw89: avoid NULL dereference when RX problematic packet
on unsupported 6 GHz band (git-fixes).
- commit 338f129
- usb: gadget: configfs: Fix OOB read on empty string write
(CVE-2025-38497 bsc#1247347).
- commit 96c22e3
- fs: export anon_inode_make_secure_inode() and fix secretmem
LSM bypass (CVE-2025-38396 bsc#1247156).
- commit 281f5f1
- wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850
(CVE-2025-38414 bsc#1247145).
- commit be37365
- Docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes).
- soc: qcom: pmic_glink: fix OF node leak (git-fixes).
- soc: qcom: fix endianness for QMI header (git-fixes).
- soc: qcom: QMI encoding/decoding for big endian (git-fixes).
- soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS
(git-fixes).
- usb: musb: omap2430: fix device leak at unbind (git-fixes).
- usb: gadget: udc: renesas_usb3: fix device leak at unbind
(git-fixes).
- usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes).
- usb: atm: cxacru: Merge cxacru_upload_firmware() into
cxacru_heavy_init() (git-fixes).
- thunderbolt: Fix copy+paste error in match_service_id()
(git-fixes).
- usb: typec: ucsi: Update power_supply on power role change
(git-fixes).
- usb: gadget : fix use-after-free in composite_dev_cleanup()
(git-fixes).
- cdc-acm: fix race between initial clearing halt and open
(git-fixes).
- usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes).
- usb: misc: apple-mfi-fastcharge: Make power supply names unique
(git-fixes).
- Documentation: usb: gadget: Wrap remaining usage snippets in
literal code block (git-fixes).
- usb: host: xhci-plat: fix incorrect type for of_match variable
in xhci_plat_probe() (git-fixes).
- vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes).
- vt: keyboard: Don't process Unicode characters in K_OFF mode
(git-fixes).
- staging: axis-fifo: remove sysfs interface (git-fixes).
- staging: nvec: Fix incorrect null termination of battery
manufacturer (git-fixes).
- staging: fbtft: fix potential memory leak in
fbtft_framebuffer_alloc() (git-fixes).
- iio: adc: ad_sigma_delta: change to buffer predisable
(git-fixes).
- iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes).
- bus: mhi: host: Detect events pointing to unexpected TREs
(git-fixes).
- misc: rtsx: usb: Ensure mmc child device is active when card
is present (git-fixes).
- vmci: Prevent the dispatching of uninitialized payloads
(git-fixes).
- samples: mei: Fix building on musl libc (git-fixes).
- platform/chrome: cros_ec: Unregister notifier in
cros_ec_unregister() (git-fixes).
- gpio: virtio: Fix config space reading (git-fixes).
- ASoC: ops: dynamically allocate struct snd_ctl_elem_value
(git-fixes).
- ASoC: soc-dai: tidyup return value of
snd_soc_xlate_tdm_slot_mask() (git-fixes).
- Documentation: ACPI: Fix parent device references (git-fixes).
- ACPI: LPSS: Remove AudioDSP related ID (git-fixes).
- ACPI: processor: perflib: Fix initial _PPC limit application
(git-fixes).
- powercap: dtpm_cpu: Fix NULL pointer dereference in
get_pd_power_uw() (git-fixes).
- PM / devfreq: Check governor before using governor->name
(git-fixes).
- commit fbd21ae
- apple-mfi-fastcharge: protect first device name (git-fixes).
- commit 903dc58
- vsock/vmci: Clear the vmci transport packet properly when
initializing it (CVE-2025-38403 bsc#1247141).
- commit 6379963
- KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation
is in-flight (CVE-2025-38455 bsc#1247101).
- commit ca76701
- vsock: Fix transport_* TOCTOU (CVE-2025-38461 bsc#1247103).
- commit 916fdd6
- eventpoll: don't decrement ep refcount while still holding
the ep mutex (bsc#1246777 CVE-2025-38349).
- commit 6c5e857
- jbd2: fix data-race and null-ptr-deref in
jbd2_journal_dirty_metadata() (bsc#1246253 CVE-2025-38337).
- commit 4cfb834
- ext4: inline: fix len overflow in ext4_prepare_inline_data
(bsc#1245976 CVE-2025-38222).
- commit bdddb2f
- ublk: santizize the arguments from userspace when adding a
device (bsc#1245937 CVE-2025-38182).
- commit c70260e
- __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under
mount_lock (bsc#1245151 CVE-2025-38058).
- commit 5d79b46
- xfs: remove unused trace event xfs_reflink_cow_enospc
(git-fixes).
- commit 43f2e3c
- xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT
is configure (git-fixes).
- commit 90cf0ff
- xfs: remove usused xfs_end_io_direct events (git-fixes).
- commit 973d0e0
- xfs: remove unused event xfs_pagecache_inval (git-fixes).
- commit 92f5436
- xfs: remove unused event xfs_alloc_near_nominleft (git-fixes).
- commit cce777b
- xfs: remove unused event xfs_alloc_near_error (git-fixes).
- commit 5b572bf
- xfs: remove unused event xfs_attr_node_removename (git-fixes).
- commit 4753b23
- xfs: remove unused xfs_attr events (git-fixes).
- commit 1b0cc0c
- xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes).
- commit d855e56
- xfs: remove unused xfs_reflink_compare_extents events
(git-fixes).
- commit a7afc4b
- xfs: remove unused event xfs_ioctl_clone (git-fixes).
- commit b5dfc1b
- xfs: remove unused event xlog_iclog_want_sync (git-fixes).
- commit 217c9f9
- xfs: remove unused trace event xfs_attr_remove_iter_return
(git-fixes).
- commit 70b1bc5
- NFSD: detect mismatch of file handle and delegation stateid
in OPEN op (git-fixes).
- commit 00b51c6
- nfsd: handle get_client_locked() failure in
nfsd4_setclientid_confirm() (git-fixes).
- commit b0cf612
- hfsplus: remove mutex_lock check in hfsplus_free_extents
(git-fixes).
- commit e14f374
- s390/entry: Fix last breaking event handling in case of stack
corruption (git-fixes bsc#1243806).
- commit d31e65a
- hfs: make splice write available again (git-fixes).
- commit 96498bf
- hfsplus: make splice write available again (git-fixes).
- commit 5121068
- Refresh
patches.suse/btrfs-always-fallback-to-buffered-write-if-the-inode.patch.
To remove an incorrectly generated file which is not utilized at all.
- commit 8e57a15
- btrfs: fix non-empty delayed iputs list on unmount due to
async workers (git-fixes).
- commit 285c1f5
- btrfs: fix assertion when building free space tree (git-fixes).
- commit a3fd65f
- btrfs: fix iteration of extrefs during log replay (bsc#1247031
CVE-2025-38382).
- commit 5e64fe6
- btrfs: fix missing error handling when searching for inode
refs during log replay (git-fixes).
- commit a8205e6
- i2c: qup: jump out of the loop in case of timeout (git-fixes).
- i2c: virtio: Avoid hang by using interruptible completion wait
(git-fixes).
- i2c: tegra: Fix reset error handling with ACPI (git-fixes).
- commit 5a2e6c7
- btrfs: fix a race between renames and directory logging
(bsc#1247023 CVE-2025-38365).
- commit 322c28e
- supported.conf: move nvme-apple to optional again
- commit a3e3a0c
- llist: add interface to check if a node is on a list
(CVE-2025-38264 bsc#1246387).
- commit f06e99c
- nvme-tcp: sanitize request list handling (CVE-2025-38264
bsc#1246387).
- commit 33933f9
- supported.conf: sort entries again
- commit 2db834f
- supported.conf: add missing entries for armv7hl
- commit 3fcf489
- nilfs2: reject invalid file types when reading inodes
(git-fixes).
- commit b094111
- resource: fix false warning in __request_region() (git-fixes).
- bus: fsl-mc: Fix potential double device reference in
fsl_mc_get_endpoint() (git-fixes).
- USB: serial: option: add Telit Cinterion FE910C04 (ECM)
composition (stable-fixes).
- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI
(stable-fixes).
- USB: serial: option: add Foxconn T99W640 (stable-fixes).
- iio: adc: max1363: Reorder mode_list[] entries (stable-fixes).
- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
(stable-fixes).
- ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS
(stable-fixes).
- HID: core: do not bypass hid_hw_raw_request (stable-fixes).
- HID: core: ensure the allocated report buffer can contain the
reserved report ID (stable-fixes).
- regulator: pwm-regulator: Calculate the output voltage for
disabled PWMs (stable-fixes).
- commit 829a426
- supported.conf: add missing entries explicitly
Those are implicitly added as unsupported. List up explicitly.
- commit 06a6015
- rpm/kernel-subpackage-spec: Skip brp-strip-debug to avoid file truncation (bsc#1246879)
Put the same workaround to avoid file truncation of vmlinux and co in
kernel-default-base package, too.
- commit 2329734
- iommu/vt-d: Fix possible circular locking dependency
(git-fixes).
- commit 0774c7d
- drm/bridge: ti-sn65dsi86: Remove extra semicolon in
ti_sn_bridge_probe() (git-fixes).
- drm/sched: Remove optimization that causes hang when killing
dependent jobs (git-fixes).
- platform/x86: ideapad-laptop: Fix kbd backlight not remembered
among boots (git-fixes).
- commit 0083a37
- iommu/vt-d: Fix system hang on reboot -f (git-fixes).
- commit 034e69f
- rpm/kernel-binary.spec.in: Ignore return code from ksymtypes compare
When using suse-kabi-tools, the RPM build invokes 'ksymvers compare' to
compare the resulting symbol CRCs with the reference data. If the values
differ, it then invokes 'ksymtypes compare' to provide a detailed report
explaining why the symbols differ. The build expects the latter
'ksymtypes compare' command to always return zero, even if the two
compared kABI corpuses are different.
This is currently the case for 'ksymtypes compare'. However, I plan to
update the command to return a non-zero code when the comparison detects
any differences. This should ensure consistent behavior with 'ksymvers
compare'.
Since the build uses 'ksymtypes compare' only for more detailed
diagnostics, ignore its return code.
- commit 5ac1381
- net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180
bsc#1245970).
- net: atm: add lec_mutex (CVE-2025-38323 bsc#1246473).
- commit 1698a7c
- KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061 CVE-2025-21839).
- commit fe1f630
- net: dsa: b53: do not enable EEE on bcm63xx (CVE-2025-38272
bsc#1246268).
- commit ee16b59
- Refresh
patches.suse/selftests-bpf-Clean-up-open-coded-gettid-syscall-inv.patch.
Fix following BPF selftests compilation error due to missing dependency.
/home/runner/work/libbpf/libbpf/.kernel/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c: In function ‘test_current_pid_tgid’:
/home/runner/work/libbpf/libbpf/.kernel/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c:31:9: error: invalid type argument of unary ‘*’ (have ‘pid_t’ {aka ‘int’})
31 | *pid = sys_gettid();
| ^~~~
- commit d85d5ff
- Delete
patches.suse/selftests-bpf-Add-tests-for-sdiv-smod-overflow-cases.patch.
The __arch_x86_64 macro is not yet supported in BPF selftests (depends
on c64d2f72bf2e "selftests/bpf: *_arch** macro to limit test cases to
specific archs"), so drop tests that uses it.
- commit 55e800e
- Bluetooth: hci_sync: Fix UAF on create_le_conn_complete
(git-fixes).
- commit 7a089da
- hci_dev centralize extra lock (CVE-2025-38117 bsc#1245695).
- commit 892de21
- Bluetooth: MGMT: Protect mgmt_pending list with its own lock
(CVE-2025-38117 bsc#1245695).
- commit e0d8b29
- Bluetooth: hci_sync: Introduce
hci_cmd_sync_run/hci_cmd_sync_run_once (CVE-2025-38117
bsc#1245695).
- commit c86dd9a
- Bluetooth: hci_core: Make hci_is_le_conn_scanning public
(CVE-2025-38117 bsc#1245695).
- Refresh
patches.suse/Bluetooth-hci_sync-Use-QoS-to-determine-which-PHY-to.patch.
- commit 566b348
- Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL
(git-fixes).
- commit 79fc3de
- gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes).
- gpio: vf610: add locking to gpio direction functions
(git-fixes).
- gpio: pca953x: log an error when failing to get the reset GPIO
(git-fixes).
- gpiolib: cdev: Ignore reconfiguration without direction
(git-fixes).
- gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding
parent node match (bsc#1233300).
- gpiolib: Fix debug messaging in gpiod_find_and_request()
(git-fixes).
- gpiolib: Handle no pin_ranges in gpiochip_generic_config()
(git-fixes).
- gpio: sim: include a missing header (git-fixes).
- gpiolib: acpi: Don't use GPIO chip fwnode in
acpi_gpiochip_find() (bsc#1233300).
- commit 75afc01
- Bluetooth: MGMT: convert timeouts to secs_to_jiffies()
(CVE-2025-38117 bsc#1245695).
- commit 3e2758a
- bluetooth: mgmt: convert timeouts to secs_to_jiffies()
(CVE-2025-38117 bsc#1245695).
- commit b8976eb
- s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again
(git-fixes bsc#1246870).
- commit 8e4fb25
- Fix build warning
Refresh
patches.suse/mm-hugetlb-fix-DEBUG_LOCKS_WARN_ON-1-when-dissolve_f.patch.
- commit ccb6e90
- Bluetooth: MGMT: Fix not generating command complete for
MGMT_OP_DISCONNECT (git-fixes).
- Refresh
patches.suse/Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch.
- commit 6f743e7
- Bluetooth: hci_sync: Attempt to dequeue connection attempt
(git-fixes).
- Refresh
patches.suse/Bluetooth-L2CAP-Fix-slab-use-after-free-Read-in-l2ca.patch.
- Refresh
patches.suse/Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch.
- Refresh
patches.suse/Bluetooth-hci_sync-Fix-UAF-in-hci_acl_create_conn_sy.patch.
- commit 22a7d25
- Bluetooth: hci_conn: Fix sending
BT_HCI_CMD_LE_CREATE_CONN_CANCEL (git-fixes).
- commit defb49e
- Bluetooth: mgmt: remove NULL check in
add_ext_adv_params_complete() (CVE-2025-38117 bsc#1245695).
- Bluetooth: mgmt: remove NULL check in
mgmt_set_connectable_complete() (CVE-2025-38117 bsc#1245695).
- commit 3217653
- bluetooth: restore le_scan_restart in struct hci_dev
(CVE-2025-38117 bsc#1245695).
- commit 7e7eb69
- Bluetooth: hci_core: Remove le_restart_scan work (CVE-2025-38117
bsc#1245695).
- commit 9530108
- Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
(CVE-2025-38335 bsc#1246250).
- commit 4b421f0
- Correctly put RDMA kabi patch into patches.kabi instead of patches.suse
- commit 0433d1f
- kABI workaround for bluetooth hci_dev changes (CVE-2025-38250
bsc#1246182).
- commit 2bfeee5
- Bluetooth: hci_core: Fix use-after-free in vhci_flush()
(CVE-2025-38250 bsc#1246182).
- commit 45dea35
- selftests/bpf: Support more socket types in create_pair()
(bsc#1239470 CVE-2025-21854).
- selftests/bpf: Refactor out helper functions for a few tests
(bsc#1239470 CVE-2025-21854).
- commit 21d7fea
- mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when
dissolve_free_hugetlb_folio() (bsc#1225707 CVE-2024-36028).
- commit ce47e5b
- Delete
patches.suse/selftest-bpf-Add-test-for-af_vsock-poll.patch.
It requires the "bpf_program__attach_sockmap" API in libbpf, which isn't
backported.
- Refresh patches.suse/selftest-bpf-Add-vsock-test-for-sockmap-rejecting-un.patch
- commit a7dddad
- i2c: stm32: fix the device used for the DMA map (git-fixes).
- usb: hub: Don't try to recover devices lost during warm reset
(git-fixes).
- usb: musb: fix gadget state on disconnect (git-fixes).
- thunderbolt: Fix bit masking in tb_dp_port_set_hops()
(git-fixes).
- thunderbolt: Fix wake on connect at runtime (git-fixes).
- pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes).
- comedi: Fix initialization of data for instructions that write
to subdevice (git-fixes).
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
(git-fixes).
- comedi: das6402: Fix bit shift out of bounds (git-fixes).
- comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes).
- comedi: pcl812: Fix bit shift out of bounds (git-fixes).
- comedi: das16m1: Fix bit shift out of bounds (git-fixes).
- comedi: Fix some signed shift left operations (git-fixes).
- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
(git-fixes).
- iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes).
- iio: accel: fxls8962af: Fix use after free in
fxls8962af_fifo_flush (git-fixes).
- iio: adc: stm32-adc: Fix race in installing chained IRQ handler
(git-fixes).
- regmap: fix potential memory leak of regmap_bus (git-fixes).
- Input: xpad - set correct controller type for Acer NGR200
(git-fixes).
- commit 08dfa63
- jfs: Fix null-ptr-deref in jfs_ioc_trim (bsc#1246044
CVE-2025-38203).
- commit e88ea13
- hwmon: (corsair-cpro) Validate the size of the received input
buffer (git-fixes).
- drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume
(git-fixes).
- soundwire: amd: fix for clearing command status register
(git-fixes).
- dmaengine: nbpfaxi: Fix memory corruption in probe()
(git-fixes).
- phy: tegra: xusb: Fix unbalanced regulator disable in UTMI
PHY mode (git-fixes).
- memstick: core: Zero initialize id_reg in
h_memstick_read_dev_id() (git-fixes).
- mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes).
- mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes).
- mmc: sdhci-pci: Quirk for broken command queuing on Intel
GLK-based Positivo models (git-fixes).
- commit 0d9aae2
- net/sched: Return NULL when htb_lookup_leaf encounters an
empty rbtree (git-fixes).
- commit fb42307
- ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
(git-fixes).
- commit 505c14c
- rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes).
- commit 3342938
- af_packet: fix the SO_SNDTIMEO constraint not effective on
tpacked_snd() (git-fixes).
- commit 877c186
- net/sched: sch_qfq: Fix race condition on qfq_aggregate
(git-fixes).
- commit 2e8a829
- kABI workaround for struct drm_framebuffer changes (git-fixes).
- commit 7b3cefa
- drm/framebuffer: Acquire internal references on GEM handles
(git-fixes).
- commit 736ff8d
- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU
(git-fixes).
- Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855
GF variant without board ID (git-fixes).
- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout
(git-fixes).
- Bluetooth: SMP: If an unallowed command is received consider
it a failure (git-fixes).
- Bluetooth: hci_sync: fix connectable extended advertising when
using static random address (git-fixes).
- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
(git-fixes).
- usb: net: sierra: check for no status endpoint (git-fixes).
- net: phy: Don't register LEDs for genphy (git-fixes).
- drm/gem: Fix race in drm_gem_handle_create_tail()
(stable-fixes).
- wifi: prevent A-MSDU attacks in mesh networks (stable-fixes).
- Revert "ACPI: battery: negate current when discharging"
(stable-fixes).
- usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes).
- drm/gem: Acquire references on GEM handles for framebuffers
(stable-fixes).
- vt: add missing notification when switching back to text mode
(stable-fixes).
- ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic
(stable-fixes).
- ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop
15-eg100 (stable-fixes).
- HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard
Gen2 (stable-fixes).
- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes).
- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras
(stable-fixes).
- net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes).
- usb: cdnsp: Replace snprintf() with the safer scnprintf()
variant (stable-fixes).
- usb:cdnsp: remove TRB_FLUSH_ENDPOINT command (stable-fixes).
- commit b8ce602
- Refresh
patches.suse/selftests-bpf-Add-tests-for-iter-next-method-returni.patch.
Fix BPF selftests build failure in progs/iters_testmod.c due to missing
definition of 'struct bpf_iter_task_vma' and 'bpf_iter_task_vma()'.
- commit ca03a47
- ptp: fix breakage after ptp_vclock_in_use() rework
(bsc#1246506).
- commit 001cddf
- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes).
- commit 9c296c1
- soc: aspeed: lpc-snoop: Don't disable channels that aren't
enabled (git-fixes).
- soc: aspeed: lpc-snoop: Cleanup resources in stack-order
(git-fixes).
- HID: core: ensure __hid_request reserves the report ID as the
first byte (git-fixes).
- commit 5cd5cd3
- drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (CVE-2025-38188
bsc#1246098).
- drm/msm/a6xx+: Insert a fence wait before SMMU table update
(CVE-2025-38188 bsc#1246098).
- commit e22ddaf
- x86/iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100
bsc#1245650).
- commit 143bbc6
- Bluetooth: eir: Fix possible crashes on eir_create_adv_data
(CVE-2025-38303 bsc#1246354).
- commit 89447f6
- btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068)
- commit 8647d2c
- btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068)
- commit 32e19f5
- btrfs: harden block_group::bg_list against list_del() races (CVE-2025-37856 bsc#1243068)
- commit 3333359
- btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (CVE-2025-38034 bsc#1244792)
- commit 55c0ec4
- btrfs: do not BUG_ON() when freeing tree block after error (CVE-2024-44963 1230216)
- commit d292416
- config: enable RBD (jsc#PED-13238)
- commit 9e8693b
- scsi: megaraid_sas: Fix invalid node index (CVE-2025-38239
bsc#1246178).
- seg6: Fix validation of nexthop addresses (CVE-2025-38310
bsc#1246361).
- x86/sgx: Prevent attempts to reclaim poisoned pages
(CVE-2025-38334 bsc#1246384).
- commit 740f6c2
- selftests/bpf: Add tests with stack ptr register in conditional
jmp (bsc#1246264 CVE-2025-38279).
- bpf: Do not include stack ptr register in precision backtracking
bookkeeping (bsc#1246264 CVE-2025-38279).
- Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch
- commit ccc2c5b
- bridge: mcast: Fix use-after-free during router port
configuration (CVE-2025-38248 bsc#1246173).
- net: stmmac: make sure that ptp_rate is not 0 before configuring
timestamping (CVE-2025-38126 bsc#1245708).
- bpf: fix ktls panic with sockmap (CVE-2025-38166 bsc#1245758).
- commit 01133bb
- iommu/amd: Set the pgsize_bitmap correctly (git-fixes).
- commit 8746ec5
- scsi: core: Enforce unlimited max_segment_size when
virt_boundary_mask is set (git-fixes).
- scsi: qla4xxx: Fix missing DMA mapping error in
qla4xxx_alloc_pdu() (git-fixes).
- scsi: qla2xxx: Fix DMA mapping test in
qla24xx_get_port_database() (git-fixes).
- scsi: megaraid_sas: Fix invalid node index (git-fixes).
- aoe: clean device rq_list in aoedev_downdev() (git-fixes).
- md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes).
- commit 2e07501
- dm-bufio: fix sched in atomic context (git-fixes).
- commit c664ddf
- Update
patches.suse/nvme-pci-fix-queue-unquiesce-check-on-slot_reset.patch
(git-fixes bsc#1240885).
- commit 08c0025
- perf: Fix sample vs do_exit() (bsc#1246547).
- commit 5327721
- nvme-pci: refresh visible attrs after being checked (git-fixes).
- nvme: Fix incorrect cdw15 value in passthru error logging
(git-fixes).
- commit c5d3460
- scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260
bsc#1243100 bsc#1246125).
- commit 58f7c6e
- scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260
bsc#1243100 bsc#1246125).
- scsi: lpfc: Modify end-of-life adapters' model descriptions
(bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142).
- scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions
(bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Move clearing of HBA_SETUP flag to before
lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in
dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Relocate clearing initial phba flags from link up
to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Simplify error handling for failed
lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100
bsc#1246125).
- scsi: lpfc: Early return out of FDMI cmpl for locally rejected
statuses (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set
(bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport
structure (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Update debugfs trace ring initialization messages
(bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Revise logging format for failed CT MIB requests
(bsc#1245260 bsc#1243100 bsc#1246125).
- commit 14dcfed
- Update
patches.suse/net-clear-the-dst-when-changing-skb-protocol.patch
(bsc#1245954 CVE-2025-38192).
Fix incorrect CVE reference.
- commit 288e8f6
- drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951 CVE-2025-38187)
- commit 62c6956
- bpf: Check rcu_read_lock_trace_held() in
bpf_map_lookup_percpu_elem() (bsc#1245980 CVE-2025-38202).
- commit 630834e
- selftest/bpf/benchs: Add benchmark for sockmap usage
(bsc#1245749 CVE-2025-38154).
- commit ac96089
- bpf, sockmap: Avoid using sk_socket after free when sending
(bsc#1245749 CVE-2025-38154).
- bpf, sockmap: Fix panic when calling skb_linearize (bsc#1245749
CVE-2025-38154).
- bpf, sockmap: fix duplicated data transmission (bsc#1245749
CVE-2025-38154).
- bpf, sockmap: Fix data lost during EAGAIN retries (bsc#1245749
CVE-2025-38154).
- commit bc1361f
- bpf: Fix memory leak in bpf_core_apply (git-fixes).
- commit 44b4ba3
- bpf/selftests: Check errno when percpu map value size exceeds
(git-fixes).
- bpf: Check percpu map value size first (git-fixes).
- commit 81feacb
- bpftool: Fix undefined behavior caused by shifting into the
sign bit (git-fixes).
- commit 9363920
- ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212
bsc#1246029).
- commit 9ff5b2e
- calipso: unlock rcu before returning -EAFNOSUPPORT
(CVE-2025-38147 bsc#1245768).
- calipso: Don't call calipso functions for AF_INET sk
(CVE-2025-38147 bsc#1245768).
- commit 74ee184
- ucsi_operations: add stubs for all operations (git-fixes).
- commit 1e9baf6
- drm/amd/display: Don't treat wb connector as physical in (bsc#1245654 CVE-2025-38098)
- commit 277f764
- selftests/bpf: Add tests for iter next method returning valid
pointer (git-fixes).
- bpf: Make the pointer returned by iter next method valid
(git-fixes).
- commit fcdc4ee
- hisi_acc_vfio_pci: bugfix live migration function without VF
device driver (CVE-2025-38283 bsc#1246273).
- configfs-tsm-report: Fix NULL dereference of tsm_ops
(CVE-2025-38210 bsc#1246020).
- commit eef28a4
- kasan: remove kasan_find_vm_area() to prevent possible deadlock
(git-fixes).
- maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes).
- commit aaacc92
- drm/tegra: nvdec: Fix dma_alloc_coherent error check
(git-fixes).
- nbd: fix uaf in nbd_genl_connect() error path (git-fixes).
- can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx
message to debug level (git-fixes).
- net: phy: microchip: limit 100M workaround to link-down events
on LAN88xx (git-fixes).
- wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()
(git-fixes).
- wifi: mt76: mt7925: fix invalid array index in ssid assignment
during hw scan (git-fixes).
- wifi: mt76: mt7925: fix the wrong config for tx interrupt
(git-fixes).
- wifi: zd1211rw: Fix potential NULL pointer dereference in
zd_mac_tx_to_dev() (git-fixes).
- commit 067b949
- xfs: fix off-by-one error in fsmap's end_daddr usage
(bsc#1235837).
- commit 919d943
- hisi_acc_vfio_pci: fix XQE dma address error (CVE-2025-38158
bsc#1245750).
- commit 373ef61
- i40e: fix MMIO write access to an invalid page in i40e_clear_hw
(CVE-2025-38200 bsc#1246045).
- net: cadence: macb: Fix a possible deadlock in macb_halt_tx
(CVE-2025-38094 bsc#1245649).
- commit 45301b8
- platform/x86: think-lmi: Create ksets consecutively
(stable-fixes).
- Refresh
patches.suse/platform-x86-think-lmi-Fix-kobject-cleanup.patch.
- commit 5072bed
- net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
(git-fixes).
- net: phy: smsc: Fix Auto-MDIX configuration when disabled by
strap (git-fixes).
- Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as
connected (git-fixes).
- Bluetooth: hci_sync: Fix not disabling advertising instance
(git-fixes).
- usb: xhci: quirk for data loss in ISOC transfers (stable-fixes).
- Logitech C-270 even more broken (stable-fixes).
- Input: xpad - support Acer NGR 200 Controller (stable-fixes).
- dma-buf: fix timeout handling in dma_resv_wait_timeout v2
(stable-fixes).
- mmc: sdhci: Add a helper function for dump register in dynamic
debug mode (stable-fixes).
- ACPICA: Refuse to evaluate a method if arguments are missing
(stable-fixes).
- mtd: spinand: fix memory leak of ECC engine conf (stable-fixes).
- ASoC: amd: yc: update quirk data for HP Victus (stable-fixes).
- ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic
(stable-fixes).
- ALSA: sb: Force to disable DMAs once when DMA mode is changed
(stable-fixes).
- ALSA: sb: Don't allow changing the DMA mode during operations
(stable-fixes).
- drm/msm: Fix another leak in the submit error path
(stable-fixes).
- drm/msm: Fix a fence leak in submit error path (stable-fixes).
- regulator: fan53555: add enable_time support and soft-start
times (stable-fixes).
- wifi: ath6kl: remove WARN on bad firmware input (stable-fixes).
- wifi: mac80211: drop invalid source address OCB frames
(stable-fixes).
- ata: pata_cs5536: fix build on 32-bit UML (stable-fixes).
- platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to
8042 quirks list (stable-fixes).
- Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts
on DG1" (stable-fixes).
- wifi: mac80211: Add link iteration macro for link data
(stable-fixes).
- wifi: mac80211: chan: chandef is non-NULL for reserved
(stable-fixes).
- commit 66a4a55
- net: clear the dst when changing skb protocol (bsc#1245954
CVE-2024-49861).
- commit eed1284
- usb: typec: ucsi: Set orientation as none when connector is
unplugged (git-fixes).
- commit 9b64a84
- usb: typec: ucsi: glink: fix off-by-one in connector_status
(git-fixes).
- commit 63d64a6
- coresight: prevent deactivate active config while enabling
the config (CVE-2025-38131 bsc#1245677).
- coresight: holding cscfg_csdev_lock while removing cscfg from
csdev (CVE-2025-38132 bsc#1245679).
- commit f8db328
- ACPI: PRM: Reduce unnecessary printing to avoid user confusion
(bsc#1246122).
- commit f060328
- usb: typec: ucsi: Fix busy loop on ASUS VivoBooks (git-fixes).
- usb: typec: ucsi: Fix the partner PD revision (git-fixes).
- commit cb5cfe6
- restore UCSI_CONNECTOR_RESET_HARD definition (git-fixes).
- commit 3a50af7
- usb: typec: ucsi: Add DATA_RESET option of Connector Reset
command (git-fixes).
- commit ebc917a
- pinctrl: amd: Clear GPIO debounce for suspend (git-fixes).
- pinctrl: qcom: msm: mark certain pins as invalid for interrupts
(git-fixes).
- commit 7a0a421
- efi/mokvar-table: Avoid repeated map/unmap of the same page
(bsc#1240323 CVE-2025-21872).
- commit a16e799
- usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error()
(git-fixes).
- commit 9793505
- kabi: restore encap_sk in struct xfrm_state (CVE-2025-38097
bsc#1245660).
- espintcp: remove encap socket caching to avoid reference leak
(CVE-2025-38097 bsc#1245660).
- commit 94f2735
- net: lan743x: fix potential out-of-bounds write in
lan743x_ptp_io_event_clock_get() (CVE-2025-38183 bsc#1246006).
- commit 0eb12cd
- net_sched: sch_sfq: fix a potential crash on gso_skb handling
(CVE-2025-38115 bsc#1245689).
- commit 6a4ffd3
- usb: typec: ucsi_acpi: Add LG Gram quirk (git-fixes).
- commit da7fb49
- usb: typec: ucsi: don't retrieve PDOs if not supported
(git-fixes).
- commit d303a5e
- usb: typec: ucsi: Delay alternate mode discovery (git-fixes).
- commit b7ba22d
- usb: typec: Update sysfs when setting ops (git-fixes).
- commit b336d78
- usb: typec: ucsi: glink: increase max ports for x1e80100
(git-fixes).
- commit 31de9c9
- ucsi_ops: adapt update_connector to kABI consistency
(git-fixes).
- usb: typec: ucsi: add update_connector callback (git-fixes).
- blacklist.conf: needed for infrastructure. kABI fix added
- Refresh
patches.kabi/struct-ucsi_operations-use-padding-for-new-operation.patch.
- Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch.
- commit a70b9ee
- ALSA: usb-audio: Kill timer properly at removal (CVE-2025-38105
bsc#1245682).
- commit 2bf6099
- x86/process: Move the buffer clearing before MONITOR (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349).
- commit 9303368
- usb: typec: ucsi: glink: use typec_set_orientation (git-fixes).
- Refresh
patches.suse/soc-qcom-pmic_glink-Fix-race-during-initialization.patch.
- Refresh
patches.suse/usb-typec-ucsi-glink-fix-child-node-release-in-probe.patch.
- commit b105e3e
- KVM: SVM: Advertise TSA CPUID bits to guests (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349).
- commit 67b316f
- Bluetooth: btusb: Fix regression in the initialization of fake
Bluetooth controllers (CVE-2025-38099 bsc#1245671).
- Bluetooth: Disable SCO support if READ_VOICE_SETTING is
unsupported/broken (CVE-2025-38099 bsc#1245671).
- Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE
(CVE-2025-38099 bsc#1245671).
- Bluetooth: Add quirk for broken READ_VOICE_SETTING
(CVE-2025-38099 bsc#1245671).
- commit 254e65a
- jfs: fix array-index-out-of-bounds read in add_missing_indices
(bsc#1245983 CVE-2025-38204).
- commit 65d9d7f
- usb: typec: ucsi_glink: drop NO_PARTNER_PDOS quirk for sm8550 /
sm8650 (git-fixes).
- commit 380eca4
- usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS
quirk on qcm6490 (git-fixes).
- commit 3de42d7
- usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk
(git-fixes).
- commit 2a3ce34
- usb: typec: ucsi_glink: rework quirks implementation
(git-fixes).
- commit b78f907
- usb: typec: ucsi: support delaying GET_PDOS for device
(git-fixes).
- Refresh patches.kabi/struct-usci-hide-additional-member.patch.
- commit 95f3b03
- rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337)
- commit 630f139
- usb: typec: ucsi: extract code to read PD caps (git-fixes).
- commit ebc6c46
- usb: typec: ucsi: properly register partner's PD device
(git-fixes).
- commit 7b95fc1
- usb: typec: ucsi: fix UCSI on SM8550 & SM8650 Qualcomm devices
(git-fixes).
- commit c40444f
- usb: typec: ucsi: Add qcm6490-pmic-glink as needing PDOS quirk
(git-fixes).
- commit 46f5c2a
- ucsi_ccg: Refine the UCSI Interrupt handling (git-fixes).
- commit e97f436
- exfat: fix double free in delayed_free (bsc#1246073
CVE-2025-38206).
- commit 38c1950
- usb: typec: ucsi: Get PD revision for partner (git-fixes).
- commit a80ec70
- x86/bugs: Add a Transient Scheduler Attacks mitigation (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349).
- Update config files.
- commit 45d6a14
- pwm: mediatek: Ensure to disable clocks in error path
(git-fixes).
- ASoC: cs35l56: probe() should fail if the device ID is not
recognized (git-fixes).
- ASoC: fsl_asrc: use internal measured ratio for non-ideal
ratio mode (git-fixes).
- commit 5b2c070
- dm-raid: fix variable in journal device check (git-fixes).
- commit 7e51a3f
- dm-verity: fix a memory leak if some arguments are specified
multiple times (git-fixes).
- commit 18c3347
- dm-mirror: fix a tiny race condition (git-fixes).
- commit 6d6aef6
- dm-flakey: make corrupting read bios work (git-fixes).
- commit bbf383a
- dm-flakey: error all IOs when num_features is absent
(git-fixes).
- commit d4d758e
- dm: free table mempools if not used in __bind (git-fixes).
- commit 6abd700
- dm: don't change md if dm_table_set_restrictions() fails
(git-fixes).
- commit 0d534aa
- dm: restrict dm device size to 2^63-512 bytes (git-fixes).
- commit 240dadc
- virtgpu: don't reset on shutdown (git-fixes).
- commit 82f42df
- kernel/fork: only call untrack_pfn_clear() on VMAs duplicated
for fork() (git-fix for CVE-2025-22090 bsc#1241537).
- commit 852f7f4
- netfilter: nft_set_pipapo: prevent overflow in lookup table
allocation (CVE-2025-38162 bsc#1245752).
- commit c7520cc
- efi: Don't map the entire mokvar table to determine its size
(bsc#1240323 CVE-2025-21872).
- commit aefffb0
- ucsi-glink: adapt to kABI consistency (git-fixes).
- usb: typec: ucsi: glink: move GPIO reading into connector_status
callback (git-fixes).
- Refresh
patches.suse/usb-typec-ucsi-Move-unregister-out-of-atomic-section.patch.
- commit 8ae6c79
- vhost-scsi: protect vq->log_used with vq->mutex (CVE-2025-38074
bsc#1244735).
- commit 29ecfb7
- struct ucsi_operations: use padding for new operation
(git-fixes).
- commit 5fe6bda
- crypto: ecdsa - Harden against integer overflows in
DIV_ROUND_UP() (CVE-2025-37984 bsc#1243669).
- commit 4115893
- virtio: break and reset virtio devices on device_shutdown()
(CVE-2025-38064 bsc#1245201).
- commit 1ef712f
- usb: typec: ucsi: add callback for connector status updates
(git-fixes).
- blacklist.conf: needed as infrastructure. kABI workaround following
- Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch.
- Refresh
patches.suse/usb-typec-ucsi-displayport-Fix-deadlock.patch.
- commit de5a5b0
- struct cdns: move new member to the end (git-fixes).
- commit 4384b08
- usb: cdnsp: Fix issue with resuming from L1 (git-fixes).
- commit c8b7c96
- net: dsa: clean up FDB, MDB, VLAN entries on unbind
(CVE-2025-37864 bsc#1242965).
- commit d1f463e
- NFSv4: Always set NLINK even if the server doesn't support it
(git-fixes).
- commit 84005c5
- NFSv4.2: fix listxattr to return selinux security label
(git-fixes).
- commit 0319baa
- NFSv4: xattr handlers should check for absent nfs filehandles
(git-fixes).
- commit 80ac5a3
- sunrpc: don't immediately retransmit on seqno miss (git-fixes).
- commit ceebf6f
- fs/jfs: consolidate sanity checking in dbMount (git-fixes).
- commit 5c4bc1b
- objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes).
- commit e383ffb
- objtool: Silence more KCOV warnings, part 2 (git-fixes).
- commit ddae9d6
- netfilter: nf_set_pipapo_avx2: fix initial map fill (git-fixes
CVE-2024-57947 bsc#1236333).
- commit cedcb24
- usb: typec: displayport: Fix potential deadlock (git-fixes).
- commit a45e2f9
- drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type
(git-fixes).
- ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15
(stable-fixes).
- Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes).
- drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes).
- ASoC: codecs: wcd9335: Fix missing free of regulator supplies
(git-fixes).
- ALSA: hda: Ignore unsol events for cards being shut down
(stable-fixes).
- ALSA: hda: Add new pci id for AMD GPU display HD audio
controller (stable-fixes).
- usb: dwc2: also exit clock_gating when stopping udc while
suspended (stable-fixes).
- usb: potential integer overflow in usbg_make_tpg()
(stable-fixes).
- usb: common: usb-conn-gpio: use a unique name for usb connector
device (stable-fixes).
- usb: Add checks for snprintf() calls in usb_alloc_dev()
(stable-fixes).
- usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes).
- usb: typec: displayport: Receive DP Status Update NAK request
exit dp altmode (stable-fixes).
- usb: typec: mux: do not return on EOPNOTSUPP in {mux,
switch}_set (stable-fixes).
- iio: pressure: zpa2326: Use aligned_s64 for the timestamp
(stable-fixes).
- iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos
(stable-fixes).
- drm/scheduler: signal scheduled fence when kill job
(stable-fixes).
- amd/amdkfd: fix a kfd_process ref leak (stable-fixes).
- drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram
(stable-fixes).
- dmaengine: idxd: Check availability of workqueue allocated by
idxd wq driver before using (stable-fixes).
- dmaengine: xilinx_dma: Set dma_device directions (stable-fixes).
- PCI: dwc: Make link training more robust by setting
PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes).
- leds: multicolor: Fix intensity setting while SW blinking
(stable-fixes).
- mfd: max14577: Fix wakeup source leaks on device unbind
(stable-fixes).
- hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes).
- drm/bridge: ti-sn65dsi86: make use of debugfs_init callback
(stable-fixes).
- ASoC: codec: wcd9335: Convert to GPIO descriptors
(stable-fixes).
- types: Complement the aligned types with signed 64-bit one
(stable-fixes).
- ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify
with dev_err_probe() (stable-fixes).
- commit 9aa1e05
- i2c/designware: Fix an initialization issue (git-fixes).
- commit d80f186
- powercap: intel_rapl: Do not change CLAMPING bit if ENABLE
bit cannot be changed (git-fixes).
- regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
(git-fixes).
- spi: spi-fsl-dspi: Clear completion counter before initiating
transfer (git-fixes).
- platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes).
- platform/x86: think-lmi: Fix kobject cleanup (git-fixes).
- platform/mellanox: mlxreg-lc: Fix logic error in power state
check (git-fixes).
- platform/x86: dell-wmi-sysman: Fix WMI data block retrieval
in sysfs callbacks (git-fixes).
- platform/mellanox: nvsw-sn2201: Fix bus number in adapter
error message (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix duplicate event ID for
CACHE_DATA1 (git-fixes).
- platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
(git-fixes).
- xhci: dbc: Flush queued requests before stopping dbc
(git-fixes).
- xhci: dbctty: disable ECHO flag by default (git-fixes).
- xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS
(git-fixes).
- usb: typec: altmodes/displayport: do not index invalid
pin_assignments (git-fixes).
- Revert "usb: xhci: Implement xhci_handshake_check_state()
helper" (git-fixes).
- usb: xhci: Skip xhci_reset in xhci_resume if xhci is being
removed (git-fixes).
- usb: gadget: u_serial: Fix race condition in TTY wakeup
(git-fixes).
- usb: chipidea: udc: disconnect/reconnect from host when do
suspend/resume (git-fixes).
- usb: cdnsp: do not disable slot for disabled slot (git-fixes).
- Input: iqs7222 - explicitly define number of external channels
(git-fixes).
- Input: xpad - adjust error handling for disconnect (git-fixes).
- drm/exynos: fimd: Guard display clock control with runtime PM
calls (git-fixes).
- drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling
(git-fixes).
- drm/i915/gsc: mei interrupt top half should be in irq disabled
context (git-fixes).
- drm/i915/gt: Fix timeline left held on VMA alloc error
(git-fixes).
- drm/i915/selftests: Change mock_request() to return error
pointers (git-fixes).
- drm/sched: Increment job count before swapping tail spsc queue
(git-fixes).
- drm/bridge: panel: move prepare_prev_first handling to
drm_panel_bridge_add_typed (git-fixes).
- drm/ttm: fix error handling in ttm_buffer_object_transfer
(git-fixes).
- powercap: call put_device() on an error path in
powercap_register_control_type() (stable-fixes).
- commit d0cb71b
- dm: fix unconditional IO throttle caused by REQ_PREFLUSH
(CVE-2025-38063 bsc#1245202).
- commit 65fa7b7
- smb: client: Fix use-after-free in cifs_fill_dirent
(CVE-2025-38051 bsc#1244750).
- commit 0f203bf
- cgroup,freezer: fix incomplete freezing when attaching tasks
(bsc#1245789).
- commit 1970df7
- cgroup/cpuset: Extend kthread_is_per_cpu() check to all
PF_NO_SETAFFINITY tasks (bsc#1241166).
- commit 86012b8
- objtool: Stop UNRET validation on UD2 (git-fixes).
- commit 0be0bc6
- objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret()
(git-fixes).
- commit f1073e2
- objtool: Properly disable uaccess validation (git-fixes).
- commit b170301
- mm/memory-failure: fix handling of dissolved but not taken
off from buddy pages (CVE-2024-39298 bsc#1227082).
Refreshed:
blacklist.conf: De-blacklist 8cf360b9d6a840700e06864236a01a883b34bbad
- commit 1d1f80f
- rose: fix dangling neighbour pointers in rose_rt_device_down()
(git-fixes).
- Bluetooth: MGMT: mesh_send: check instances prior disabling
advertising (git-fixes).
- Bluetooth: MGMT: set_mesh: update LE scan interval and window
(git-fixes).
- Bluetooth: hci_sync: revert some mesh modifications (git-fixes).
- Bluetooth: Prevent unintended pause by checking if advertising
is active (git-fixes).
- net: usb: lan78xx: fix WARN in __netif_napi_del_locked on
disconnect (git-fixes).
- commit 9d01c7e
- objtool: Silence more KCOV warnings (git-fixes).
- commit 246e013
- objtool: Fix error handling inconsistencies in check()
(git-fixes).
- commit 2b123dd
- objtool: Ignore dangling jump table entries (git-fixes).
- commit 694bcb3
- objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks
(git-fixes).
- commit 24df4fe
- x86/tdx: Fix __noreturn build warning around
__tdx_hypercall_failed() (git-fixes).
- Refresh
patches.suse/x86-virt-tdx-Define-TDX-supported-page-sizes-as-macros.patch.
- commit 741a25e
- objtool: Fix _THIS_IP_ detection for cold functions (git-fixes).
- commit b2539b9
- nvmet-tcp: don't restore null sk_state_change (bsc#1244801
CVE-2025-38035).
- commit a1cc55e
- s390/pci: Fix stale function handles in error handling
(git-fixes bsc#1245647).
- commit 1f0ecfd
- s390/pci: Do not try re-enabling load/store if device is
disabled (git-fixes bsc#1245646).
- commit a7a5884
- NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes).
- commit cbe692c
- nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init()
fails (git-fixes).
- commit 29c2a95
- IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes)
- commit a31c762
- RDMA/mlx5: Fix vport loopback for MPV device (git-fixes)
- commit 50aa3ad
- RDMA/mlx5: Fix CC counters query for MPV (git-fixes)
- commit 6fac6aa
- RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes)
- commit f645a5e
- RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes)
- commit 9bf32eb
- mtk-sd: reset host->mrq on prepare_data() error (git-fixes).
- commit 85b8654
- Revert "mmc: sdhci: Disable SD card clock before changing
parameters" (git-fixes).
- mtk-sd: Prevent memory corruption from DMA map failure
(git-fixes).
- mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
(git-fixes).
- mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier
(git-fixes).
- commit 4977a9e
- kABI workaround for xsk: Fix race condition in AF_XDP generic
RX path (CVE-2025-37920 bsc#1243479).
- commit 2cbaa5f
- xsk: Fix race condition in AF_XDP generic RX path
(CVE-2025-37920 bsc#1243479).
- commit b0fed9b
- bpf, sockmap: Fix sk_msg_reset_curr (git-fixes).
- commit 3936762
- scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes
bsc#1245599).
- commit 4cb28a8
- s390/pkey: Prevent overflow in size calculation for
memdup_user() (git-fixes bsc#1245598).
- commit 458c9d8
- s390: Add z17 elf platform (LTC#214086 bsc#1245540).
- commit a338278
- net: pktgen: fix access outside of user given buffer in
pktgen_thread_write() (CVE-2025-38061 bsc#1245440).
- commit 386f111
- net: tipc: fix refcount warning in tipc_aead_encrypt
(CVE-2025-38052 bsc#1244749).
- net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
(CVE-2025-38052 bsc#1244749).
- commit 39309cf
- r8152: add vendor/device ID pair for Dell Alienware AW1022z
(git-fixes).
- commit 9bd4e20
- net: vlan: don't propagate flags on open (CVE-2025-23163
bsc#1242837).
- commit a49d71b
- rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes).
- commit d8e756f
- add bug reference to existing hv_storvsc change (bsc#1245455).
- net: mana: Record doorbell physical address in PF mode (bsc#1244229).
- commit 1c553b0
- kernel-obs-qa: Do not depend on srchash when qemu emulation is used
In this case the dependency is never fulfilled
Fixes: 485ae1da2b88 ("kernel-obs-qa: Use srchash for dependency as well")
- commit a840f87
- nfsd: nfsd4_spo_must_allow() must check this is a v4 compound
request (git-fixes).
- commit 784f61d
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
(bsc#1245431).
- commit dd145d5
- netlink: specs: dpll: replace underscores with dashes in names
(git-fixes).
- bnxt: properly flush XDP redirect lists (git-fixes).
- e1000e: set fixed clock frequency indication for Nahum 11 and
Nahum 13 (git-fixes).
- net: ice: Perform accurate aRFS flow match (git-fixes).
- net/mlx5e: Fix leak of Geneve TLV option object (git-fixes).
- net/mlx5: Fix return value when searching for existing flow
group (git-fixes).
- net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes).
- net/mlx5: Ensure fw pages are always allocated on same NUMA
(git-fixes).
- i40e: retry VFLR handling if there is ongoing VF reset
(git-fixes).
- i40e: return false from i40e_reset_vf if reset is in progress
(git-fixes).
- gve: add missing NULL check for gve_alloc_pending_packet()
in TX DQO (git-fixes).
- ice: fix rebuilding the Tx scheduler tree for large queue counts
(git-fixes).
- ice: create new Tx scheduler nodes for new queues only
(git-fixes).
- ice: fix Tx scheduler error handling in XDP callback
(git-fixes).
- net/mlx4_en: Prevent potential integer overflow calculating Hz
(git-fixes).
- gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
(git-fixes).
- net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()
(git-fixes).
- net/mlx5_core: Add error handling
inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes).
- idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053
bsc#1244746).
- ice: Fix LACP bonds without SRIOV environment (git-fixes).
- ice: fix vf->num_mac count with port representors (git-fixes).
- devlink: fix port dump cmd type (git-fixes).
- devlink: Fix referring to hw_addr attribute during state
validation (git-fixes).
- netlink: fix potential sleeping issue in mqueue_flush_file
(git-fixes).
- commit 6dccf5f
- mm/hugetlb: unshare page tables during VMA split, not before
(bsc#1245431).
- commit bf8eb79
- bpf: Add a possibly-zero-sized read test (git-fixes).
- bpf: Simplify checking size of helper accesses (git-fixes).
- commit 04f6dc5
- staging: rtl8723bs: Avoid memset() in aes_cipher() and
aes_decipher() (git-fixes).
- serial: imx: Restore original RXTL for console to fix data loss
(git-fixes).
- commit 652de47
- drm/amdgpu: csa unmap use uninterruptible lock (CVE-2025-38011
bsc#1244729).
- commit d370e7c
- selftests/bpf: Fix prog numbers in test_sockmap (git-fixes).
- bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer
(git-fixes).
- commit fadce21
- bpf: fix order of args in call to bpf_map_kvcalloc (git-fixes).
- bpf: Harden __bpf_kfunc tag against linker kfunc removal
(git-fixes).
- compiler_types.h: Define __retain for
__attribute__((__retain__)) (git-fixes).
- powerpc/bpf: enforce full ordering for ATOMIC operations with
BPF_FETCH (git-fixes).
- commit e32b4e5
- bpf: Fix potential integer overflow in resolve_btfids
(git-fixes).
- commit 7ce99c9
- selftests/bpf: Fix a few tests for GCC related warnings
(git-fixes).
- selftests/bpf: Change functions definitions to support GCC
(git-fixes).
- selftests/bpf: Add CFLAGS per source file and runner
(git-fixes).
- bpf: Disable some `attribute ignored' warnings in GCC
(git-fixes).
- bpf: Avoid __hidden__ attribute in static object (git-fixes).
- selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect
(git-fixes).
- commit 71918be
- bpftool: Mount bpffs on provided dir instead of parent dir
(git-fixes).
- commit 1bba21b
- bpftool: Remove unnecessary source files from bootstrap version
(git-fixes).
- bpf/lpm_trie: Inline longest_prefix_match for fastpath
(git-fixes).
- commit 99d4fb6
- bpftool: Fix missing pids during link show (git-fixes).
- bpf: sockmap, updating the sg structure should also update curr
(git-fixes).
- commit 2322e0e
- i2c: tiny-usb: disable zero-length read messages (git-fixes).
- i2c: robotfuzz-osif: disable zero-length read messages
(git-fixes).
- drm/i915: fix build error some more (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR
(git-fixes).
- ALSA: usb-audio: Fix out-of-bounds read in
snd_usb_get_audioformat_uac3() (git-fixes).
- ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged
(stable-fixes).
- ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the
KTMicro sound card (stable-fixes).
- ALSA: hda/intel: Add Thinkpad E15 to PM deny list
(stable-fixes).
- ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
(stable-fixes).
- drivers/rapidio/rio_cm.c: prevent possible heap overwrite
(stable-fixes).
- watchdog: da9052_wdt: respect TWDMIN (stable-fixes).
- watchdog: fix watchdog may detect false positive of softlockup
(stable-fixes).
- fbcon: Make sure modelist not set on unregistered console
(stable-fixes).
- bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value
(stable-fixes).
- i2c: designware: Invoke runtime suspend on quick slave
re-registration (stable-fixes).
- i2c: npcm: Add clock toggle recovery (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_pmx_set_by_name() (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_gpio_get_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_pmx_gpio_set_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_gpio_get() (stable-fixes).
- pinctrl: mcp23s08: Reset all pins to input at probe
(stable-fixes).
- software node: Correct a OOB check in
software_node_get_reference_args() (stable-fixes).
- wifi: mt76: mt7996: drop fragments with multicast or broadcast
RA (stable-fixes).
- wifi: mt76: mt7921: add 160 MHz AP for mt7922 device
(stable-fixes).
- wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R
(stable-fixes).
- wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET
(stable-fixes).
- wifi: ath12k: fix a possible dead lock caused by ab->base_lock
(stable-fixes).
- wifi: ath11k: Fix QMI memory reuse logic (stable-fixes).
- wifi: rtw89: leave idle mode when setting WEP encryption for
AP mode (stable-fixes).
- wifi: mac80211: do not offer a mesh path if forwarding is
disabled (stable-fixes).
- wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes).
- wifi: mac80211_hwsim: Prevent tsf from setting if beacon is
disabled (stable-fixes).
- wifi: ath12k: fix failed to set mhi state error during reboot
with hardware grouping (stable-fixes).
- wifi: ath12k: fix link valid field initialization in the
monitor Rx (stable-fixes).
- wifi: ath12k: fix incorrect CE addresses (stable-fixes).
- wifi: ath12k: Pass correct values of center freq1 and center
freq2 for 160 MHz (stable-fixes).
- wifi: mac80211: VLAN traffic in multicast path (stable-fixes).
- wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0
(stable-fixes).
- usbnet: asix AX88772: leave the carrier control to phylink
(stable-fixes).
- PM: runtime: fix denying of auto suspend in
pm_suspend_timer_fn() (stable-fixes).
- ACPI: battery: negate current when discharging (stable-fixes).
- ACPICA: Avoid sequence overread in call to strncmp()
(stable-fixes).
- ACPICA: utilities: Fix overflow check in vsnprintf()
(stable-fixes).
- ACPICA: fix acpi parse and parseext cache leaks (stable-fixes).
- ACPICA: fix acpi operand cache leak in dswstate.c
(stable-fixes).
- ACPI: bus: Bail out if acpi_kobj registration fails
(stable-fixes).
- mmc: Add quirk to disable DDR50 tuning (stable-fixes).
- power: supply: bq27xxx: Retrieve again when busy (stable-fixes).
- power: supply: collie: Fix wakeup source leaks on device unbind
(stable-fixes).
- ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9
(stable-fixes).
- ASoC: tegra210_ahub: Add check to of_device_get_match_data()
(stable-fixes).
- ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change
(stable-fixes).
- Input: sparcspkr - avoid unannotated fall-through
(stable-fixes).
- commit 0dc7dde
- Update
patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch
(git-fixes CVE-2025-38007 bsc#1244938).
- Update
patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch
(git-fixes CVE-2025-38022 bsc#1245003).
- Update
patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch
(git-fixes CVE-2025-38024 bsc#1245025).
- Update
patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch
(bsc#1243342 CVE-2025-38059 bsc#1244759).
- Update
patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch
(bsc#1236208 CVE-2025-21658).
- Update
patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch
(git-fixes CVE-2025-38004 bsc#1244274).
- Update
patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch
(git-fixes CVE-2025-38003 bsc#1244275).
- Update
patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch
(git-fixes CVE-2025-38079 bsc#1245217).
- Update
patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch
(stable-fixes CVE-2025-38068 bsc#1245210).
- Update
patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch
(git-fixes CVE-2025-38014 bsc#1244732).
- Update
patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch
(git-fixes CVE-2025-38015 bsc#1244789).
- Update
patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch
(git-fixes CVE-2025-38005 bsc#1244727).
- Update
patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch
(stable-fixes CVE-2025-38080 bsc#1244738).
- Update
patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch
(bsc#1242556 CVE-2025-22120 bsc#1241592).
- Update
patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch
(stable-fixes CVE-2025-38043 bsc#1245081).
- Update patches.suse/media-cx231xx-set-device_caps-for-417.patch
(stable-fixes CVE-2025-38044 bsc#1245082).
- Update
patches.suse/net-handshake-Fix-handshake_req_destroy_test1.patch
(git-fixes CVE-2024-26831 bsc#1223008).
- Update
patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch
(git-fixes CVE-2025-38020 bsc#1245001).
- Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch
(git-fixes CVE-2025-38083 bsc#1245183).
- Update
patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch
(git-fixes CVE-2025-38023 bsc#1245004).
- Update patches.suse/orangefs-Do-not-truncate-file-size.patch
(git-fixes CVE-2025-38065 bsc#1244906).
- Update
patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch
(git-fixes CVE-2025-38031 bsc#1245046).
- Update
patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch
(git-fixes CVE-2025-38010 bsc#1244996).
- Update
patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch
(git-fixes CVE-2025-38077 bsc#1244736).
- Update
patches.suse/regulator-max20086-fix-invalid-memory-access.patch
(git-fixes CVE-2025-38027 bsc#1245042).
- Update
patches.suse/s390-pci-Fix-duplicate-pci_dev_put-in-disable_slot-w.patch
(git-fixes bsc#1244145 CVE-2025-37946 bsc#1243506).
- Update
patches.suse/s390-pci-fix-potential-double-remove-of-hotplug-slot.patch
(bsc#1244145 CVE-2024-56699 bsc#1235490).
- Update
patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch
(git fixes (sched/numa) CVE-2024-56613 bsc#1244176).
- Update
patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch
(git-fixes CVE-2025-38040 bsc#1245078).
- Update
patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch
(stable-fixes CVE-2025-38081 bsc#1244739).
- Update
patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch
(git-fixes CVE-2025-37994 bsc#1243823).
- Update
patches.suse/vhost-scsi-Fix-handling-of-multiple-calls-to-vhost_s.patch
(git-fixes CVE-2025-22083 bsc#1241414).
- Update
patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch
(git-fixes CVE-2025-37973 bsc#1244172).
- Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch
(stable-fixes CVE-2025-38045 bsc#1245083).
- Update
patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch
(git-fixes CVE-2025-38013 bsc#1244731).
- Update
patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch
(git-fixes CVE-2025-38009 bsc#1244995).
- commit fee1c31
- HID: lenovo: Restrict F7/9/11 mode to compact keyboards only
(git-fixes).
- HID: wacom: fix kobject reference count leak (git-fixes).
- HID: wacom: fix memory leak on sysfs attribute creation failure
(git-fixes).
- HID: wacom: fix memory leak on kobject creation failure
(git-fixes).
- wifi: mac80211: fix beacon interval calculation overflow
(git-fixes).
- commit 8d2d6ad
- scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes).
- net: mana: Add support for Multi Vports on Bare metal (bsc#1244229).
- scsi: storvsc: Don't report the host packet status as the hv status (git-fixes).
- commit cde971c
- btrfs: fix fsync of files with no hard links not persisting
deletion (git-fixes).
- btrfs: remove end_no_trans label from btrfs_log_inode_parent()
(git-fixes).
- btrfs: simplify condition for logging new dentries at
btrfs_log_inode_parent() (git-fixes).
- commit 9370aa3
- btrfs: fix wrong start offset for delalloc space release during
mmap write (git-fixes).
- commit 59b0f84
- btrfs: fix invalid data space release when truncating block
in NOCOW mode (git-fixes).
- commit b11e8b5
- btrfs: fix qgroup reservation leak on failure to allocate
ordered extent (git-fixes).
- commit e13d6e0
- ntp: Remove invalid cast in time offset math (git-fixes)
- commit 92649f3
- timekeeping: Fix bogus clock_was_set() invocation in (git-fixes)
- commit 17fecee
- ntp: Safeguard against time_constant overflow (git-fixes)
- commit fb90573
- ntp: Clamp maxerror and esterror to operating range (git-fixes)
- commit 947fc29
- clocksource: Fix brown-bag boolean thinko in (git-fixes)
- commit f65bb99
- clocksource: Make watchdog and suspend-timing multiplication (git-fixes)
- commit a87f573
- timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes)
- commit 1a57489
- timekeeping: Fix cross-timestamp interpolation corner case (git-fixes)
- commit dc250ae
- timekeeping: Fix cross-timestamp interpolation on counter (git-fixes)
- commit 4e863aa
- Refresh
patches.kabi/kabi-restore-layout-of-struct-mem_control.patch.
- commit 5049495
- kabi: restore layout of struct cgroup_subsys (bsc#1241166).
- commit 2014732
- cgroup/cpuset: Fix race between newly created partition and
dying one (bsc#1241166).
- commit 36dffbc
- fgraph: Still initialize idle shadow stacks when starting
(git-fixes).
- commit 1697414
- tracing/eprobe: Fix to release eprobe when failed to add
dyn_event (git-fixes).
- commit a8fd69f
- tracing: Fix cmp_entries_dup() to respect sort() comparison
rules (git-fixes).
- commit f73056c
- tracing: Use atomic64_inc_return() in trace_clock_counter()
(git-fixes).
- commit 23262fc
- trace/trace_event_perf: remove duplicate samples on the first
tracepoint event (git-fixes).
- commit b4e63e6
- bpf: Force uprobe bpf program to always return 0 (git-fixes).
- commit 90effed
- uprobes: Use kzalloc to allocate xol area (git-fixes).
- Refresh
patches.suse/uprobes-introduce-the-global-struct-vm_special_mapping-xol_mapping.patch.
- commit 30d8536
- bpf: abort verification if env->cur_state->loop_entry != NULL
(CVE-2025-38060 bsc#1245155).
- Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch.
- commit c80eca0
- selftests/bpf: check states pruning for deeply nested iterator
(CVE-2025-38060 bsc#1245155).
- bpf: don't do clean_live_states when state->loop_entry->branches
> 0 (CVE-2025-38060 bsc#1245155).
- commit f0d9333
- vmxnet3: support higher link speeds from vmxnet3 v9
(bsc#1244626).
- commit 0aa445e
- vmxnet3: correctly report gso type for UDP tunnels
(bsc#1244626).
- commit 44584be
- vmxnet3: update MTU after device quiesce (bsc#1244626).
- commit 14400a7
- scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()
(git-fixes).
- commit 11611ac
- tracing: Fix compilation warning on arm32 (bsc#1243551).
- commit bc2f48d
- tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923
bsc#1243551).
- commit ff6a777
- ata: libata-eh: Do not use ATAPI DMA for a device limited to
PIO mode (stable-fixes).
- commit 07065f3
- bpf: copy_verifier_state() should copy 'loop_entry' field
(CVE-2025-38060 bsc#1245155).
- Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch.
- commit 815fadf
- selftests/bpf: test correct loop_entry update in
copy_verifier_state (CVE-2025-38060 bsc#1245155).
- commit b2e3449
- tracing: Fix use-after-free in print_graph_function_flags
during tracer switching (CVE-2025-22035 bsc#1241544).
- commit b6d43f4
- bpf: Fix deadlock between rcu_tasks_trace and event_mutex
(CVE-2025-37884 bsc#1243060).
- commit 7f690ab
- truct dwc3 hide new member wakeup_pending_funcs (git-fixes).
- commit 84579a6
- kabi: restore layout of struct page_counter (jsc#PED-12551).
- commit ef34a22
- usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes).
- commit 39cb14b
- ucsi_debugfs_entry: hide signedness change (git-fixes).
- commit 154816e
- usb: typec: ucsi: fix Clang -Wsign-conversion warning
(git-fixes).
- Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch.
- commit 40f2bc3
- hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu
(git-fixes).
- commit b5678d7
- net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538)
- commit 416e192
- hwmon: (peci/dimmtemp) Do not provide fake thresholds data
(git-fixes).
- hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol
namespace (git-fixes).
- commit 53b0cf2
- Update reference for patches.suse/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch (bsc#1242504)
- commit 8730da1
- s390/tty: Fix a potential memory leak bug (git-fixes
bsc#1245228).
- commit e4f3ff4
- s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes
bsc#1245226).
- commit 7cf700b
- ceph: fix memory leaks in __ceph_sync_read() (git-fixes).
- Refresh
patches.suse/ceph-improve-error-handling-and-short-overflow-read-.patch.
- commit 04880f5
- ceph: allocate sparse_ext map only for sparse reads (git-fixes).
- commit e7c7fa7
- ceph: Fix incorrect flush end position calculation (git-fixes).
- commit 626f897
- KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes
bsc#1245225).
- commit 7cc3455
- iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
(CVE-2025-37927 bsc#1243620).
- commit 4916f47
- nvme-fc: do not reference lsrsp after failure (bsc#1245193).
- nvmet-fcloop: don't wait for lport cleanup (bsc#1245193).
- nvmet-fcloop: add missing fcloop_callback_host_done
(bsc#1245193).
- nvmet-fc: take tgtport refs for portentry (bsc#1245193).
- nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193).
- nvmet-fcloop: drop response if targetport is gone (bsc#1245193).
- nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193).
- nvmet-fcloop: prevent double port deletion (bsc#1245193).
- nvmet-fcloop: access fcpreq only when holding reqlock
(bsc#1245193).
- nvmet-fcloop: update refs on tfcp_req (bsc#1245193).
- nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193).
- nvmet-fcloop: refactor fcloop_nport_alloc and track lport
(bsc#1245193).
- nvmet-fcloop: remove nport from list on last user (bsc#1245193).
- nvmet-fcloop: track ref counts for nports (bsc#1245193).
- commit 20104c4
- Remove host-memcpy-hack.h
This might have been usefult at some point but we have more things that
depend on specific library versions today.
- commit 0396c23
- Remove compress-vmlinux.sh
/usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in
pesign-obs-integration during SLE12 RC. This workaround can be removed.
- commit 19caac0
- Remove try-disable-staging-driver
The config for linux-next is autogenerated from master config, and
defaults filled for missing options. This is unlikely to enable any
staging driver in the first place.
- commit a6f21ed
- nvme: always punt polled uring_cmd end_io work to task_work
(git-fixes).
- nvme: fix implicit bool to flags conversion (git-fixes).
- commit 36de06b
- net/tls: fix kernel panic when alloc_page failed (CVE-2025-38018
bsc#1244999).
- commit 1124110
- espintcp: fix skb leaks (CVE-2025-38057 bsc#1244862).
- commit dffbfd5
- nvme: fix command limits status code (git-fixes).
- nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44
Pro (git-fixes).
- nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes).
- nvme-pci: add quirks for device 126f:1001 (git-fixes).
- commit 990928c
- sunrpc: handle SVC_GARBAGE during svc auth processing as auth
error (git-fixes).
- commit afe6d07
- x86/microcode/AMD: Add get_patch_level() (git-fixes).
- commit 73bb23d
- x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes).
- commit c818693
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
- commit 761df14
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
- commit d6c2d35
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- commit d0fff01
- scsi: iscsi: Fix incorrect error path labels for flashnode
operations (git-fixes).
- md/raid1,raid10: don't handle IO error for REQ_RAHEAD and
REQ_NOWAIT (git-fixes).
- commit cbd3a76
- PCI/PM: Set up runtime PM even for devices without PCI PM
(git-fixes).
- commit 871b129
- gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA
(git-fixes).
- drm/etnaviv: Protect the scheduler's pending list with its lock
(git-fixes).
- drm/nouveau/bl: increase buffer size to avoid truncate warning
(git-fixes).
- drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes).
- drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes).
- drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled
(git-fixes).
- drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate
(git-fixes).
- drm/msm/disp: Correct porch timing for SDM845 (git-fixes).
- commit 3df7edd
- libnvdimm/labels: Fix divide error in nd_label_data_init()
(bsc#1244743, CVE-2025-38072).
- commit 42a394c
- kabi: restore layout of struct mem_control (jsc#PED-12551).
- commit e948e2e
- mm, memcg: cg2 memory{.swap,}.peak write handlers
(jsc#PED-12551).
- mm/memcontrol: export memcg.swap watermark via sysfs for v2
memcg (jsc#PED-12551).
- commit 97c4d37
- can: tcan4x5x: fix power regulator retrieval during probe
(git-fixes).
- commit 5798451
- wifi: carl9170: do not ping device which has failed to load
firmware (git-fixes).
- NFC: nci: uart: Set tty->disc_data only in success path
(git-fixes).
- hwmon: (occ) fix unaligned accesses (git-fixes).
- hwmon: (occ) Rework attribute registration for stack usage
(git-fixes).
- hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes).
- wifi: ath11k: move some firmware stats related functions
outside of debugfs (git-fixes).
- wifi: ath11k: don't wait when there is no vdev started
(git-fixes).
- wifi: ath11k: don't use static variables in
ath11k_debugfs_fw_stats_process() (git-fixes).
- wifi: ath11k: avoid burning CPU in
ath11k_debugfs_fw_stats_request() (git-fixes).
- USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
(stable-fixes).
- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage
device (stable-fixes).
- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
(stable-fixes).
- thunderbolt: Do not double dequeue a configuration request
(stable-fixes).
- rtc: Make rtc_time64_to_tm() support dates before 1970
(stable-fixes).
- firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
(git-fixes).
- Bluetooth: MGMT: Remove unused mgmt_pending_find_data
(stable-fixes).
- serial: sh-sci: Move runtime PM enable to sci_probe_single()
(stable-fixes).
- wifi: ath11k: convert timeouts to secs_to_jiffies()
(stable-fixes).
- wifi: ath11k: fix soc_dp_stats debugfs file permission
(stable-fixes).
- commit d77b71f
- Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch
(CVE-2025-38078 bsc#1244737).
- commit 9ad878b
- calipso: Fix null-ptr-deref in calipso_req_{set,del}attr()
(git-fixes).
- commit 1a53756
- net/sched: fix use-after-free in taprio_dev_notifier
(git-fixes).
- commit bd7e23e
- net_sched: ets: fix a race in ets_qdisc_change() (git-fixes).
- commit c8863c2
- net_sched: tbf: fix a race in tbf_change() (git-fixes).
- commit 8dd49d3
- net_sched: red: fix a race in __red_change() (git-fixes).
- commit eb63704
- net_sched: prio: fix a race in prio_tune() (git-fixes).
- commit 2898595
- net_sched: sch_sfq: reject invalid perturb period (git-fixes).
- commit 11af7b7
- net: Fix TOCTOU issue in sk_is_readable() (git-fixes).
- commit 9bf44e9
- Update patches.suse/dlm-mask-sk_shutdown-value.patch
(bsc#1241278).
- Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch
(bsc#1241278).
Original bsc number was wrong. Fix it.
- commit 37c9443
- net_sched: hfsc: Address reentrant enqueue adding class to
eltree twice (CVE-2025-38001 bsc#1244234).
- commit 6a31481
- packaging: Add support for suse-kabi-tools
The current workflow to check kABI stability during the RPM build of SUSE
kernels consists of the following steps:
* The downstream script rpm/modversions unpacks the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and creates
individual symref files.
* The build performs a regular kernel make. During this operation, genksyms
is invoked for each source file. The tool determines type signatures of
all exports within the file, reports any differences compared to the
associated symref reference, calculates symbol CRCs from the signatures
and writes new type data into a symtypes file.
* The script rpm/modversions is invoked again, this time it packs all new
symtypes files to a consolidated kABI file.
* The downstream script rpm/kabi.pl checks symbol CRCs in the new build and
compares them to a reference from kabi/<arch>/symvers-<flavor>, taking
kabi/severities into account.
suse-kabi-tools is a new set of tools to improve the kABI checking process.
The suite includes two tools, ksymtypes and ksymvers, which replace the
existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison
functionality previously provided by genksyms. The tools have their own
source repository and package.
The tools provide faster operation and more detailed, unified output. In
addition, they allow the use of the new upstream tool gendwarfksyms, which
lacks any built-in comparison functionality.
The updated workflow is as follows:
* The build performs a regular kernel make. During this operation, genksyms
(gendwarfksyms) is invoked as usual, determinining signatures and CRCs of
all exports and writing the type data to symtypes files. However,
genksyms no longer performs any comparison.
* 'ksymtypes consolidate' packs all new symtypes files to a consolidated
kABI file.
* 'ksymvers compare' checks symbol CRCs in the new build and compares them
to a reference from kabi/<arch>/symvers-<flavor>, taking kabi/severities
into account. The tool writes its result in a human-readable form on
standard output and also writes a list of all changed exports (not
ignored by kabi/severities) to the changed-exports file.
* 'ksymtypes compare' takes the changed-exports file, the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and the new
consolidated data. Based on this data, it produces a detailed report
explaining why the symbols changed.
The patch enables the use of suse-kabi-tools via rpm/config.sh, providing
explicit control to each branch. To enable the support, set
USE_SUSE_KABI_TOOLS=Yes in the config file.
- commit a2c6f89
- rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725)
- commit 5432961
- platform/x86: ideapad-laptop: use usleep_range() for EC polling
(git-fixes).
- commit 1373cac
- platform/x86: dell_rbu: Stop overwriting data buffer
(git-fixes).
- platform/x86: dell_rbu: Fix list usage (git-fixes).
- platform/x86/amd: pmc: Clear metrics table at start of cycle
(git-fixes).
- platform/x86/intel-uncore-freq: Fail module load when plat_info
is NULL (git-fixes).
- commit 4eb007c
- Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
(git-fixes).
- Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes).
- Bluetooth: hci_conn: Fix UAF Write in
__hci_acl_create_connection_sync (git-fixes).
- commit cc24dff
- Bluetooth: hci_event: Fix not using key encryption size when
its known (git-fixes).
- Bluetooth: Remove pending ACL connection attempts
(stable-fixes).
- Bluetooth: hci_conn: Only do ACL connections sequentially
(stable-fixes).
- commit 45b89a8
- kernel-source: Remove log.sh from sources
- commit 96bd779
- powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO
EEH recovery (bsc#1215199).
- commit 8ae69e3
- ima: Suspend PCR extends and log appends when rebooting
(bsc#1210025 ltc#196650).
- commit 25c308f
- ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
(git-fixes).
- regulator: max20086: Fix refcount leak in
max20086_parse_regulators_dt() (git-fixes).
- commit 5b8c5a3
- scsi: dc395x: Remove leftover if statement in reselect()
(git-fixes).
- commit c259874
- loop: add file_start_write() and file_end_write() (git-fixes).
- scsi: dc395x: Remove DEBUG conditional compilation (git-fixes).
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
(git-fixes).
- scsi: qedf: Use designated initializer for struct
qed_fcoe_cb_ops (git-fixes).
- scsi: sd_zbc: block: Respect bio vector limits for REPORT
ZONES buffer (git-fixes).
- scsi: mpi3mr: Add level check to control event logging
(git-fixes).
- scsi: st: Tighten the page format heuristics with MODE SELECT
(git-fixes).
- scsi: st: ERASE does not change tape location (git-fixes).
- scsi: mpt3sas: Send a diag reset if target reset fails
(git-fixes).
- scsi: st: Restore some drive settings after reset (git-fixes).
- commit 6dba36f
- x86/mm/init: Handle the special case of device private
pages in add_pages(), to not increase max_pfn and trigger
dma_addressing_limited() bounce buffers (git-fixes).
- commit d67c7bf
- PCI/MSI: Size device MSI domain with the maximum number of
vectors (git-fixes).
- PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from
rockchip_pcie_link_up() (git-fixes).
- PCI: apple: Set only available ports up (git-fixes).
- PCI: dwc: ep: Correct PBA offset in .set_msix() callback
(git-fixes).
- PCI: endpoint: Retain fixed-size BAR size as well as aligned
size (git-fixes).
- kABI: PCI: endpoint: Retain fixed-size BAR size as well as
aligned size (git-fixes).
- PCI/DPC: Log Error Source ID only when valid (git-fixes).
- serial: mctrl_gpio: split disable_ms into sync and no_sync APIs
(git-fixes).
- kABI: serial: mctrl_gpio: split disable_ms into sync and
no_sync APIs (git-fixes).
- x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes).
- PCI/DPC: Use defines with DPC reason fields (git-fixes).
- commit 67e24e5
- Bluetooth: MGMT: Fix sparse errors (git-fixes).
- commit bcd5c33
- wifi: ath11k: validate ath11k_crypto_mode on top of
ath11k_core_qmi_firmware_ready (git-fixes).
- ath10k: snoc: fix unbalanced IRQ enable in crash recovery
(git-fixes).
- Bluetooth: hci_sync: Fix broadcast/PA when using an existing
instance (git-fixes).
- Bluetooth: Fix NULL pointer deference on eir_get_service_data
(git-fixes).
- net/mdiobus: Fix potential out-of-bounds clause 45 read/write
access (git-fixes).
- net/mdiobus: Fix potential out-of-bounds read/write access
(git-fixes).
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
(git-fixes).
- Bluetooth: hci_core: fix list_for_each_entry_rcu usage
(git-fixes).
- ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
(git-fixes).
- pinctrl: st: Drop unused st_gpio_bank() function (git-fixes).
- pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes).
- commit d9ecc09
- sch_hfsc: Fix qlen accounting bug when using peek in
hfsc_enqueue() (CVE-2025-38000 bsc#1244277).
- commit ffb9ab4
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- commit 8196566
- Revert "ipv6: save dontfrag in cork (git-fixes)."
This reverts commit d3fe600164867bd0529ed1049fbd53ca9fce2eaf.
See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/
and https://bugzilla.suse.com/show_bug.cgi?id=1244313.
- commit b9e7a4e
- Revert "kABI: ipv6: save dontfrag in cork (git-fixes)."
This reverts commit cbc81e238815721048ac709726467c90981753c9.
See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/
and https://bugzilla.suse.com/show_bug.cgi?id=1244313.
- commit 38d0091
- kABI fix for net: Remove RTNL dance for SIOCBRADDIF and
SIOCBRDELIF (CVE-2025-22111 bsc#1241572).
- commit edfd43c
- page_pool: avoid infinite loop to schedule delayed worker
(CVE-2025-37859 bsc#1243051).
- commit b8f1dfd
- tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521)
- commit 48e0415
- struct usci: hide additional member (git-fixes).
- commit 1b8456a
- net_sched: Flush gso_skb list too during ->change()
(CVE-2025-37992 bsc#1243698).
- netfilter: ipset: fix region locking in hash types
(CVE-2025-37997 bsc#1243832).
- ipvs: fix uninit-value for saddr in do_output_route4
(CVE-2025-37961 bsc#1243523).
- net: dsa: free routing table on probe failure (CVE-2025-37786
bsc#1242725).
- net: tls: explicitly disallow disconnect (CVE-2025-37756
bsc#1242515).
- net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF
(CVE-2025-22111 bsc#1241572).
- vlan: enforce underlying device type (CVE-2025-21920
bsc#1240686).
- xfrm: delete intermediate secpath entry in packet offload mode
(CVE-2025-21720 bsc#1238859).
- xfrm: state: fix out-of-bounds read during lookup
(CVE-2024-57982 bsc#1237913).
- rxrpc: Fix handling of received connection abort (CVE-2024-58053
bsc#1238982).
- commit d3e755f
- isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774).
Return the correct upper limit of the allocated cpumask.
modified:
- patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping.patch
- patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number.patch
- commit 092bf4a
- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
- commit 24d5250
- arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes)
- commit 28d162e
- Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes)
- commit 9dd3301
- xen/x86: fix initial memory balloon target (git-fixes).
- commit 7e938b1
- ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt
3 dock (stable-fixes).
- ALSA: usb-audio: Fix NULL pointer deref in
snd_usb_power_domain_set() (git-fixes).
- commit 9d209cd
- ALSA: usb-audio: Rename Pioneer mixer channel controls
(git-fixes).
- ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes).
- ALSA: usb-audio: Fix duplicated name in MIDI substream names
(stable-fixes).
- ALSA: usb-audio: mixer: Remove temporary string use in
parse_clock_source_unit (stable-fixes).
- commit e8737ac
- ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI
1.0 entry (stable-fixes).
- ALSA: usb-audio: Accept multiple protocols in GTBs
(stable-fixes).
- ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes).
- commit 498a796
- Revert "ALSA: usb-audio: Skip setting clock selector for single
connections" (stable-fixes).
- Refresh
patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch.
- Refresh
patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch.
- commit d0138e9
- ALSA: usb-audio: Support read-only clock selector control
(stable-fixes).
- Refresh
patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch.
- Refresh
patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch.
- commit ee97bec
- ALSA: usb-audio: Skip setting clock selector for single
connections (stable-fixes).
- Refresh
patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch.
- Refresh
patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch.
- commit 7326e0b
- ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
(stable-fixes).
- ALSA: usb-audio: enable support for Presonus Studio 1824c
within 1810c file (stable-fixes).
- ALSA: usb-audio: Support multiple control interfaces
(stable-fixes).
- ALSA: usb-audio: Check shutdown at endpoint_set_interface()
(stable-fixes).
- commit d4a0ce3
- wifi: ath11k: update channel list in worker when wait flag is
set (bsc#1243847).
- commit 4cfebaa
- net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909
bsc#1243467).
- vxlan: vnifilter: Fix unlocked deletion of default FDB entry
(CVE-2025-37921 bsc#1243480).
- commit 788c92a
- watchdog: mediatek: Add support for MT6735 TOPRGU/WDT
(git-fixes).
- commit 4df631e
- watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
(git-fixes).
- commit ba2db88
- module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827)
- commit 6979c9a
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- commit 7c95ae0
- x86/xen: fix balloon target initialization for PVH dom0
(git-fixes).
- commit ad18aba
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
(bsc#1244309 ltc#213790).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace
mmap (bsc#1244309 ltc#213790).
- commit 2d4ad48
- tracing: Verify event formats that have "%*p.." (CVE-2025-37938
bsc#1243544).
- tracing: Add __print_dynamic_array() helper (bsc#1243544).
- tracing: Add __string_len() example (bsc#1243544).
- commit c705d1d
- fbdev/efifb: Remove PM for parent device (bsc#1244261).
- Refresh
patches.suse/fbdev-efifb-Register-sysfs-groups-through-driver-cor.patch.
- commit 0c56458
- RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes)
- commit 7d2ce51
- RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes)
- commit bfdc372
- MyBS: Do not build kernel-obs-qa with limit_packages
Fixes: 58e3f8c34b2b ("bs-upload-kernel: Pass limit_packages also on multibuild")
- commit f4c6047
- MyBS: Simplify qa_expr generation
Start with a 0 which makes the expression valid even if there are no QA
repositories (currently does not happen). Then separator is always
needed.
- commit e4c2851
- MyBS: Correctly generate build flags for non-multibuild package limit
(bsc# 1244241)
Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build")
- commit 27588c9
- bs-upload-kernel: Pass limit_packages also on multibuild
Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build")
Fixes: 747f601d4156 ("bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)")
- commit 8ef486c
- ftrace: Avoid potential division by zero in function_stat_show()
(CVE-2025-21898 bsc#1240610).
- commit d476f96
- tracing: Fix bad hist from corrupting named_triggers list
(CVE-2025-21899 bsc#1240577).
- commit 60219e4
- iommu: Skip PASID validation for devices without PASID capability (bsc#1244100)
- commit 647b2f4
- iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100)
- commit ca42766
- nfsd: Initialize ssc before laundromat_work to prevent NULL
dereference (git-fixes).
- commit 153c2a2
- nfsd: validate the nfsd_serv pointer before calling svc_wake_up
(git-fixes).
- commit af8b93e
- NFSD: Insulate nfsd4_encode_read_plus() from page boundaries
in the encode buffer (git-fixes).
- commit 91b6192
- jffs2: check jffs2_prealloc_raw_node_refs() result in few
other places (git-fixes).
- commit 254a145
- jffs2: check that raw node were preallocated before writing
summary (git-fixes).
- commit 4a6701a
- x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes).
- commit ae818bc
- x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes).
- commit dcdd8b6
- x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes).
- commit 65dff7c
- x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes).
- commit 662ffcd
- x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes).
- commit 15bb5b3
- blacklist.conf: Disable fineibt part of ITS mitigation
- Refresh
patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch.
- commit cedb857
- xsk: fix an integer overflow in xp_create_and_assign_umem()
(bsc#1240823 CVE-2025-21997).
- commit 931fc27
- dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854).
- dlm: mask sk_shutdown value (bsc#1228854).
- commit 730d8cf
- ASoC: Intel: avs: Verify content returned by parse_int_array()
(git-fixes).
- ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
(git-fixes).
- ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes).
- commit 7d227ae
- spi: bcm63xx-hsspi: fix shared reset (git-fixes).
- spi: bcm63xx-spi: fix shared reset (git-fixes).
- regulator: max14577: Add error check for max14577_read_reg()
(git-fixes).
- usb: usbtmc: Fix timeout value in get_stb (git-fixes).
- usb: usbtmc: Fix read_stb function and get_stb ioctl
(git-fixes).
- usb: cdnsp: Fix issue with detecting command completion event
(git-fixes).
- usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes).
- usb: Flush altsetting 0 endpoints before reinitializating them
after reset (git-fixes).
- usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
(git-fixes).
- thunderbolt: Fix a logic error in wake on connect (git-fixes).
- usb: renesas_usbhs: Reorder clock handling and power management
in probe (git-fixes).
- vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
(git-fixes).
- serial: Fix potential null-ptr-deref in mlb_usio_probe()
(git-fixes).
- staging: iio: ad5933: Correct settling cycles encoding per
datasheet (git-fixes).
- iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes).
- iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes).
- iio: filter: admv8818: fix range calculation (git-fixes).
- iio: filter: admv8818: fix integer overflow (git-fixes).
- iio: filter: admv8818: fix band 4, state 15 (git-fixes).
- VMCI: fix race between vmci_host_setup_notify and
vmci_ctx_unset_notify (git-fixes).
- iio: accel: fxls8962af: Fix temperature scan element sign
(git-fixes).
- iio: imu: inv_icm42600: Fix temperature calculation (git-fixes).
- iio: adc: ad7606_spi: fix reg write value mask (git-fixes).
- bus: mhi: host: Fix conflict between power_up and SYSERR
(git-fixes).
- drm/amd/display: Add null pointer check for
get_first_active_display() (git-fixes).
- drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1
(git-fixes).
- commit def2214
- s390/pci: Serialize device addition and removal (bsc#1244145).
- commit f1ae730
- s390/pci: Allow re-add of a reserved but not yet removed device
(bsc#1244145).
- commit a73fcdb
- s390/pci: Prevent self deletion in disable_slot() (bsc#1244145).
- commit 136fe4f
- s390/pci: Remove redundant bus removal and disable from
zpci_release_device() (bsc#1244145).
- commit 9bbc219
- s390/pci: Fix potential double remove of hotplug slot
(bsc#1244145).
- commit 9714d95
- s390/pci: remove hotplug slot when releasing the device
(bsc#1244145).
- commit 1415bb1
- s390/pci: Fix duplicate pci_dev_put() in disable_slot() when
PF has child VFs (git-fixes bsc#1244145).
- commit 3430d11
- s390/pci: introduce lock to synchronize state of zpci_dev's
(jsc#PED-10253 bsc#1244145).
- Refresh
patches.suse/s390-pci-Fix-leak-of-struct-zpci_dev-when-zpci_add_device-fails.patch.
- Refresh
patches.suse/s390-pci-Sort-PCI-functions-prior-to-creating-virtual-busses.patch.
- commit 2644b79
- s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253
bsc#1244145).
- Refresh
patches.suse/s390-pci-Fix-leak-of-struct-zpci_dev-when-zpci_add_device-fails.patch.
- Refresh
patches.suse/s390-pci-Sort-PCI-functions-prior-to-creating-virtual-busses.patch.
- Refresh
patches.suse/s390-pci-Use-topology-ID-for-multi-function-devices.patch.
- commit 9223df0
- media: mediatek: vcodec: Only free buffer VA that is not NULL
(CVE-2023-52888 bsc#1228557).
- commit 0299171
- net: fix udp gso skb_segment after pull from frag_list
(git-fixes).
- commit 8353437
- page_pool: Fix use-after-free in page_pool_recycle_in_ring
(git-fixes).
- commit 69ccdcd
- net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
(git-fixes).
- commit d107edf
- net: sched: em_text: fix possible memory leak in
em_text_destroy() (git-fixes).
- commit 71395f7
- neighbour: Don't let neigh_forced_gc() disable preemption for
long (git-fixes).
- commit fea49bb
- net: sched: cls_u32: Fix allocation size in u32_init()
(git-fixes).
- commit eea3eab
- Move upstreamed patches into sorted section
- commit c9465fb
- kernel-source: Do not use multiple -r in sed parameters
This usage is enabled in commit b18d64d
(sed: allow multiple (non-conflicting) -E/-r parameters, 2016-07-31)
only available since sed 4.3
Fixes: dc2037cd8f94 ("kernel-source: Also replace bin/env"
- commit 91ad98e
- Drop AMDGPU patch that may cause regressions (bsc#1243782)
Deleted:
patches.suse/drm-amd-display-more-liberal-vmin-vmax-update-for-fr.patch
- commit c23b99f
- wifi: ath12k: Avoid memory leak while enabling statistics
(CVE-2025-37743 bsc#1242163).
- commit f493528
- PM: sleep: Fix power.is_suspended cleanup for direct-complete
devices (git-fixes).
- net: wwan: t7xx: Fix napi rx poll issue (git-fixes).
- Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
(git-fixes).
- Bluetooth: hci_qca: move the SoC type check to the right place
(git-fixes).
- rtc: Fix offset calculation for .start_secs < 0 (git-fixes).
- rtc: stm32: drop unused module alias (git-fixes).
- rtc: s3c: drop unused module alias (git-fixes).
- rtc: pm8xxx: drop unused module alias (git-fixes).
- rtc: jz4740: drop unused module alias (git-fixes).
- rtc: da9063: drop unused module alias (git-fixes).
- rtc: cpcap: drop unused module alias (git-fixes).
- rtc: at91rm9200: drop unused module alias (git-fixes).
- rtc: sh: assign correct interrupts with DT (git-fixes).
- dmaengine: ti: Add NULL check in udma_probe() (git-fixes).
- phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes).
- commit ec23ee6
- net: usb: aqc111: debug info before sanitation (git-fixes).
- commit fc18979
- openvswitch: Fix unsafe attribute parsing in output_userspace() (CVE-2025-37998 bsc#1243836)
- commit 51afd13
- octeon_ep: Fix host hang issue during device reboot (CVE-2025-37933 bsc#1243628)
- commit 44230dd
- kABI: ipv6: save dontfrag in cork (git-fixes).
Patch-up the kABI change with an #ifdef __GENKSYMS__. This change is
safe (as detailed in the patch commit message) due to the struct
having a 6-byte hole at the end we can use.
- commit cbc81e2
- ipv6: save dontfrag in cork (git-fixes).
- commit d3fe600
- tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()
(git-fixes).
- commit 756fa72
- netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes).
- commit e02eac4
- ipvs: Always clear ipvs_property flag in skb_scrub_packet()
(git-fixes).
- commit d943643
- tcp/dccp: allow a connection when sk_max_ack_backlog is zero
(git-fixes).
- commit 09561a1
- xsk: always clear DMA mapping information when unmapping the
pool (git-fixes).
- commit 9908bc6
- net: sched: fix erspan_opt settings in cls_flower (git-fixes).
- commit fc52734
- spi: spi-imx: Add check for spi_imx_setupxfer() (CVE-2025-37801 bsc#1242850)
- commit f3955e7
- ipmr: fix tables suspicious RCU usage (git-fixes).
- commit d029f0f
- ip6mr: fix tables suspicious RCU usage (git-fixes).
- commit 79bb134
- netpoll: Use rcu_access_pointer() in __netpoll_setup
(git-fixes).
- commit f180c62
- netdev-genl: Hold rcu_read_lock in napi_get (git-fixes).
- commit 895e121
- net/neighbor: clear error in case strict check is not set
(git-fixes).
- commit 9eb711a
- ipv4: Convert ip_route_input() to dscp_t (git-fixes).
- commit 401defe
- net: sched: consistently use rcu_replace_pointer() in
taprio_change() (git-fixes).
- commit a6910eb
- udp: fix receiving fraglist GSO packets (git-fixes).
- commit 5b87500
- net: linkwatch: use system_unbound_wq (git-fixes).
- commit 34d590e
- net: page_pool: fix warning code (git-fixes).
- commit 0d77245
- net: give more chances to rcu in netdev_wait_allrefs_any()
(git-fixes).
- commit a1b1859
- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
(git-fixes).
- commit b96b4a8
- tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes).
- commit afdb9bb
- udp: preserve the connected status if only UDP cmsg (git-fixes).
- commit 8714e3a
- udp: fix incorrect parameter validation in the
udp_lib_getsockopt() function (git-fixes).
- commit 34a2994
- ipmr: fix incorrect parameter validation in the
ip_mroute_getsockopt() function (git-fixes).
- commit f23f4c9
- ip_tunnel: annotate data-races around t->parms.link (git-fixes).
- commit 765e083
- net: add rcu safety to rtnl_prop_list_size() (git-fixes).
- commit 1e0fceb
- net: ipv4: fix a memleak in ip_setup_cork (git-fixes).
- commit 935ac41
- udp: annotate data-races around up->pending (git-fixes).
- commit 72fda93
- ipv4: Correct/silence an endian warning in __ip_do_redirect
(git-fixes).
- commit 011b9c9
- driver core: fix potential NULL pointer dereference in
dev_uevent() (CVE-2025-37800 bsc#1242849).
- driver core: introduce device_set_driver() helper
(CVE-2025-37800 bsc#1242849).
- commit 3aecdc2
- soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes).
- commit a145886
- wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes).
- wifi: mt76: mt7996: set EHT max ampdu length capability
(git-fixes).
- wifi: mt76: mt7925: ensure all MCU commands wait for response
(git-fixes).
- wifi: mt76: mt7925: refine the sniffer commnad (git-fixes).
- wifi: mt76: mt7925: prevent multiple scan commands (git-fixes).
- wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
(git-fixes).
- wifi: mt76: mt7925: fix host interrupt register initialization
(git-fixes).
- Revert "wifi: mt76: mt7996: fill txd by host driver"
(stable-fixes).
- wifi: ath9k_htc: Abort software beacon handling if disabled
(git-fixes).
- wifi: ath12k: fix ring-buffer corruption (git-fixes).
- wifi: ath11k: fix rx completion meta data corruption
(git-fixes).
- wifi: ath11k: fix ring-buffer corruption (git-fixes).
- wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
(git-fixes).
- wifi: rtw88: fix the 'para' buffer size to avoid reading out
of bounds (git-fixes).
- wifi: rtw88: usb: Reduce control message timeout to 500 ms
(git-fixes).
- wifi: rtw89: pci: enlarge retry times of RX tag to 1000
(git-fixes).
- wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID
11ad:1723 (git-fixes).
- wifi: rtw88: do not ignore hardware read error during DPK
(git-fixes).
- wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status
unconditionally (git-fixes).
- wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT
(git-fixes).
- wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes).
- wifi: ath12k: fix node corruption in ar->arvifs list
(git-fixes).
- wifi: ath12k: Fix the QoS control field offset to build QoS
header (git-fixes).
- commit 3f5d0e4
- wifi: mt76: only mark tx-status-failed frames as ACKed on
mt76x0/2 (stable-fixes).
- commit 0de0b80
- wifi: ath12k: Add MSDU length validation for TKIP MIC error
(git-fixes).
- wifi: ath12k: fix invalid access to memory (git-fixes).
- wifi: ath12k: Fix WMI tag for EHT rate in peer assoc
(git-fixes).
- wifi: ath12k: fix cleanup path after mhi init (git-fixes).
- wifi: ath12k: Fix invalid memory access while forming 802.11
header (git-fixes).
- wifi: ath12k: Fix memory leak during vdev_id mismatch
(git-fixes).
- wifi: ath11k: fix node corruption in ar->arvifs list
(git-fixes).
- watchdog: exar: Shorten identity name to fit correctly
(git-fixes).
- wifi: iwlwifi: add support for Killer on MTL (stable-fixes).
- wifi: mt76: mt7996: revise TXS size (stable-fixes).
- wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU
(stable-fixes).
- wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes).
- wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31
(stable-fixes).
- wifi: rtw89: fw: propagate error code from rtw89_h2c_tx()
(stable-fixes).
- wifi: iwlwifi: fix debug actions order (stable-fixes).
- wifi: ath12k: Report proper tx completion status to mac80211
(stable-fixes).
- wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz
band (stable-fixes).
- wifi: ath12k: Avoid napi_sync() before napi_enable()
(stable-fixes).
- wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1
override (stable-fixes).
- wifi: ath9k: return by of_get_mac_address (stable-fixes).
- wifi: ath12k: Fix end offset bit definition in monitor ring
descriptor (stable-fixes).
- wifi: rtw88: Fix download_firmware_validate() for RTL8814AU
(stable-fixes).
- wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU
(stable-fixes).
- wifi: rtw88: Don't use static local variable in
rtw8822b_set_tx_power_index_by_rate (stable-fixes).
- wifi: rtw89: add wiphy_lock() to work that isn't held
wiphy_lock() yet (stable-fixes).
- wifi: mac80211: don't unconditionally call drv_mgd_complete_tx()
(stable-fixes).
- wifi: mac80211: remove misplaced drv_mgd_complete_tx() call
(stable-fixes).
- commit 9963350
- vgacon: Add check for vc_origin address range in vgacon_scroll()
(git-fixes).
- soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
(git-fixes).
- soc: aspeed: lpc: Fix impossible judgment condition (git-fixes).
- spi: sh-msiof: Fix maximum DMA transfer size (git-fixes).
- spi: tegra210-quad: modify chip select (CS) deactivation
(git-fixes).
- spi: tegra210-quad: remove redundant error handling code
(git-fixes).
- spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4
transfers (git-fixes).
- spi: spi-sun4i: fix early activation (stable-fixes).
- spi-rockchip: Fix register out of bounds access (stable-fixes).
- thunderbolt: Do not add non-active NVM if NVM upgrade is
disabled for retimer (stable-fixes).
- usb: xhci: Don't change the status of stalled TDs on failed
Stop EP (stable-fixes).
- serial: sh-sci: Save and restore more registers (git-fixes).
- serial: sh-sci: Update the suspend/resume support
(stable-fixes).
- thermal/drivers/qoriq: Power down TMU on system suspend
(stable-fixes).
- soundwire: amd: change the soundwire wake enable/disable
sequence (stable-fixes).
- soc: ti: k3-socinfo: Do not use syscon helper to build regmap
(stable-fixes).
- spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes).
- commit 38d0a8f
- PM: sleep: Print PM debug messages during hibernation
(git-fixes).
- commit 96179c7
- PCI: dw-rockchip: Fix PHY function call sequence in
rockchip_pcie_phy_deinit() (git-fixes).
- PCI: cadence: Fix runtime atomic count underflow (git-fixes).
- PCI: apple: Use gpiod_set_value_cansleep in probe flow
(git-fixes).
- PCI: cadence-ep: Correct PBA offset in .set_msix() callback
(git-fixes).
- PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes).
- PCI: Explicitly put devices into D0 when initializing
(git-fixes).
- PCI/DPC: Initialize aer_err_info before using it (git-fixes).
- selftests/mm: restore default nr_hugepages value during cleanup
in hugetlb_reparenting_test.sh (git-fixes).
- pinctrl: armada-37xx: set GPIO output value before setting
direction (git-fixes).
- pinctrl: armada-37xx: use correct OUTPUT_VAL register for
GPIOs > 31 (git-fixes).
- pinctrl: at91: Fix possible out-of-boundary access (git-fixes).
- selftests/bpf: Fix bpf_nf selftest failure (git-fixes).
- selftests/seccomp: fix syscall_restart test for arm compat
(git-fixes).
- PM: wakeup: Delete space in the end of string shown by
pm_show_wakelocks() (git-fixes).
- power: reset: at91-reset: Optimize at91_reset() (git-fixes).
- regulator: max20086: Change enable gpio to optional (git-fixes).
- regulator: max20086: Fix MAX200086 chip id (git-fixes).
- platform/x86: thinkpad_acpi: Ignore battery threshold change
event notification (stable-fixes).
- platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys
(stable-fixes).
- phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off
(git-fixes).
- phy: renesas: rcar-gen3-usb2: Lock around hardware registers
and driver data (git-fixes).
- phy: renesas: rcar-gen3-usb2: Move IRQ request in probe
(stable-fixes).
- platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS
(stable-fixes).
- pinctrl: meson: define the pull up/down resistor value as 60
kOhm (stable-fixes).
- rtc: rv3032: fix EERD location (stable-fixes).
- rtc: ds1307: stop disabling alarms on probe (stable-fixes).
- phy: core: don't require set_mode() callback for phy_get_mode()
to work (stable-fixes).
- pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group()
(git-fixes).
- pinctrl-tegra: Restore SFSEL bit when freeing pins
(stable-fixes).
- pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned"
(stable-fixes).
- pinctrl: devicetree: do not goto err when probing hogs in
pinctrl_dt_to_map (stable-fixes).
- PCI: dwc: ep: Ensure proper iteration over outbound map windows
(stable-fixes).
- PCI: brcmstb: Expand inbound window size up to 64GB
(stable-fixes).
- PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes).
- PCI: Fix old_size lower bound in calculate_iosize() too
(stable-fixes).
- selftests/net: have `gro.sh -t` return a correct exit code
(stable-fixes).
- regulator: ad5398: Add device tree support (stable-fixes).
- PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes).
- phy: renesas: rcar-gen3-usb2: Add support to initialize the bus
(stable-fixes).
- commit 32a9142
- tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes).
- commit 2a9c7bb
- mtd: rawnand: sunxi: Add randomizer configuration in
sunxi_nfc_hw_ecc_write_chunk (git-fixes).
- mtd: nand: sunxi: Add randomizer configuration before randomizer
enable (git-fixes).
- mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
(git-fixes).
- net: phy: mscc: Stop clearing the the UDPv4 checksum for L2
frames (git-fixes).
- net: phy: mscc: Fix memory leak when using one step timestamping
(git-fixes).
- net: phy: clear phydev->devlink when the link is deleted
(git-fixes).
- net: phy: fix up const issues in to_mdio_device() and
to_phy_device() (git-fixes).
- net: usb: aqc111: fix error handling of usbnet read calls
(git-fixes).
- mmc: host: Wait for Vdd to settle on card power off
(stable-fixes).
- mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes).
- commit eedda90
- mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
(git-fixes).
- mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice
in exynos_lpass_remove() (git-fixes).
- media: uvcvideo: Fix deferred probing error (git-fixes).
- media: uvcvideo: Return the number of processed controls
(git-fixes).
- media: omap3isp: use sgtable-based scatterlist wrappers
(git-fixes).
- media: videobuf2: use sgtable-based scatterlist wrappers
(git-fixes).
- media: v4l2-dev: fix error handling in __video_register_device()
(git-fixes).
- media: ov8856: suppress probe deferral errors (git-fixes).
- media: ov5675: suppress probe deferral errors (git-fixes).
- media: nxp: imx8-isi: better handle the m2m usage_count
(git-fixes).
- media: gspca: Add error handling for stv06xx_read_sensor()
(git-fixes).
- media: davinci: vpif: Fix memory leak in probe error path
(git-fixes).
- media: vivid: Change the siize of the composing (git-fixes).
- media: cxusb: no longer judge rbuf when the write fails
(git-fixes).
- media: vidtv: Terminating the subsequent process of
initialization failure (git-fixes).
- media: ccs-pll: Correct the upper limit of maximum
op_pre_pll_clk_div (git-fixes).
- media: ccs-pll: Check for too high VT PLL multiplier in dual
PLL case (git-fixes).
- media: ccs-pll: Start VT pre-PLL multiplier search from correct
value (git-fixes).
- media: ccs-pll: Start OP pre-PLL multiplier search from correct
value (git-fixes).
- media: imx-jpeg: Cleanup after an allocation error (git-fixes).
- media: imx-jpeg: Reset slot data pointers when freed
(git-fixes).
- media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead
(git-fixes).
- media: imx-jpeg: Drop the first error frames (git-fixes).
- media: venus: Fix probe error handling (git-fixes).
- media: rkvdec: Fix frame size enumeration (git-fixes).
- mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check
(stable-fixes).
- media: c8sectpfe: Call of_node_put(i2c_bus) only once in
c8sectpfe_probe() (stable-fixes).
- media: cx231xx: set device_caps for 417 (stable-fixes).
- media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map
(stable-fixes).
- media: uvcvideo: Handle uvc menu translation inside
uvc_get_le_value (stable-fixes).
- media: adv7180: Disable test-pattern control on adv7180
(stable-fixes).
- media: tc358746: improve calculation of the D-PHY timing
registers (stable-fixes).
- media: test-drivers: vivid: don't call schedule in loop
(stable-fixes).
- media: i2c: imx219: Correct the minimum vblanking value
(stable-fixes).
- media: v4l: Memset argument to 0 before calling get_mbus_config
pad op (stable-fixes).
- media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware
is available (stable-fixes).
- mmc: sdhci: Disable SD card clock before changing parameters
(stable-fixes).
- commit de6c9a2
- Input: gpio-keys - fix possible concurrent access in
gpio_keys_irq_timer() (git-fixes).
- commit e29f865
- hwmon: (asus-ec-sensors) check sensor index in read_string()
(git-fixes).
- Input: ims-pcu - check record size in ims_pcu_flash_firmware()
(git-fixes).
- firmware: psci: Fix refcount leak in psci_dt_init (git-fixes).
- gpiolib: Revert "Don't WARN on gpiod_put() for optional GPIO"
(stable-fixes).
- Input: xpad - add more controllers (stable-fixes).
- gpio: pca953x: fix IRQ storm on system wake up (git-fixes).
- HID: quirks: Add ADATA XPG alpha wireless mouse support
(stable-fixes).
- intel_th: avoid using deprecated page->mapping, index fields
(stable-fixes).
- ima: process_measurement() needlessly takes inode_lock()
on MAY_READ (stable-fixes).
- i3c: master: svc: Fix implicit fallthrough in
svc_i3c_master_ibi_work() (git-fixes).
- i3c: master: svc: Fix missing STOP for master request
(stable-fixes).
- i3c: master: svc: Flush FIFO before sending Dynamic Address
Assignment(DAA) (stable-fixes).
- i2c: qup: Vote for interconnect bandwidth to DRAM
(stable-fixes).
- i2c: pxa: fix call balance of i2c->clk handling routines
(stable-fixes).
- fpga: altera-cvp: Increase credit timeout (stable-fixes).
- mailbox: use error ret code of of_parse_phandle_with_args()
(stable-fixes).
- leds: pwm-multicolor: Add check for fwnode_property_read_u32
(stable-fixes).
- firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes).
- firmware: arm_ffa: Reject higher major version as incompatible
(stable-fixes).
- ieee802154: ca8210: Use proper setters and getters for bitwise
types (stable-fixes).
- HID: usbkbd: Fix the bit shift number for LED_KANA
(stable-fixes).
- hwmon: (dell-smm) Increment the number of fans (stable-fixes).
- hwmon: (gpio-fan) Add missing mutex locks (stable-fixes).
- hwmon: (xgene-hwmon) use appropriate type for the latency value
(stable-fixes).
- gpio: pca953x: Simplify code with cleanup helpers
(stable-fixes).
- gpio: pca953x: Split pca953x_restore_context() and
pca953x_save_context() (stable-fixes).
- commit 50f84af
- fbdev: Fix fb_set_var to prevent null-ptr-deref in
fb_videomode_to_var (git-fixes).
- fbdev: Fix do_register_framebuffer to prevent null-ptr-deref
in fb_videomode_to_var (git-fixes).
- fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
(git-fixes).
- drm/msm/gpu: Fix crash when throttling GPU immediately during
boot (git-fixes).
- drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components
on err (git-fixes).
- drm/mediatek: Fix kobject put for component sub-drivers
(git-fixes).
- drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device
ptr (git-fixes).
- Revert "drm/amdgpu: don't allow userspace to create a doorbell
BO" (stable-fixes).
- drm/amd/pp: Fix potential NULL pointer dereference in
atomctrl_initialize_mc_reg_table (git-fixes).
- drm/tegra: Fix a possible null pointer dereference (git-fixes).
- drm/tegra: rgb: Fix the unbound reference count (git-fixes).
- drm/tegra: Assign plane type before registration (git-fixes).
- drm/vkms: Adjust vkms_state->active_planes allocation type
(git-fixes).
- drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
(git-fixes).
- drm/bridge: lt9611uxc: Fix an error handling path in
lt9611uxc_probe() (git-fixes).
- drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes).
- drm/ast: Fix comment on modeset lock (git-fixes).
- drm/vc4: tests: Use return instead of assert (git-fixes).
- drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready
(git-fixes).
- drm/bridge: cdns-dsi: Check return value when getting default
PHY config (git-fixes).
- drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()
(git-fixes).
- drm/bridge: cdns-dsi: Fix phy de-init and flag it so
(git-fixes).
- drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes).
- drm/udl: Unregister device before cleaning up on disconnect
(git-fixes).
- drm/vmwgfx: Add seqno waiter for sync_files (git-fixes).
- Documentation/rtla: Fix typo in common_timerlat_description.rst
(git-fixes).
- Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes).
- drm/amd/display: fix link_set_dpms_off multi-display MST corner
case (stable-fixes).
- drm/amd/display: Guard against setting dispclk low for dcn31x
(stable-fixes).
- drm/amdgpu: Update SRIOV video codec caps (stable-fixes).
- drm/amd/display: remove minimum Dispclk and apply oem panel
timing (stable-fixes).
- drm/amd/display: Fix incorrect DPCD configs while Replay/PSR
switch (stable-fixes).
- drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence
(stable-fixes).
- drm/amdkfd: Set per-process flags only once cik/vi
(stable-fixes).
- drm/amdgpu: Do not program AGP BAR regs under SRIOV in
gfxhub_v1_0.c (stable-fixes).
- drm/amd/display: Skip checking FRL_MODE bit for PCON BW
determination (stable-fixes).
- drm/amdkfd: KFD release_work possible circular locking
(stable-fixes).
- drm/rockchip: vop2: Add uv swap for cluster window
(stable-fixes).
- drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes).
- drm/amd/display: Don't try AUX transactions on disconnected link
(stable-fixes).
- drm/amdgpu: reset psp->cmd to NULL after releasing the buffer
(stable-fixes).
- drm/amd/display: Update CR AUX RD interval interpretation
(stable-fixes).
- drm/amd/display: Initial psr_version with correct setting
(stable-fixes).
- drm/amd/display: Increase block_sequence array size
(stable-fixes).
- drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes).
- drm/amd/display/dm: drop hw_support check in
amdgpu_dm_i2c_xfer() (stable-fixes).
- drm/v3d: Add clock handling (stable-fixes).
- drm/ast: Find VBIOS mode from regular display size
(stable-fixes).
- drm: bridge: adv7511: fill stream capabilities (stable-fixes).
- drm/atomic: clarify the rules around
drm_atomic_state->allow_modeset (stable-fixes).
- drm/panel-edp: Add Starry 116KHD024006 (stable-fixes).
- drm: Add valid clones check (stable-fixes).
- fbdev: fsl-diu-fb: add missing device_remove_file()
(stable-fixes).
- fbcon: Use correct erase colour for clearing in fbcon
(stable-fixes).
- fbdev: core: tileblit: Implement missing margin clearing for
tileblit (stable-fixes).
- firmware: arm_scmi: Relax duplicate name constraint across
protocol ids (stable-fixes).
- commit 0574d41
- Documentation/rtla: Fix duplicate text about timerlat tracer
(git-fixes).
- crypto: marvell/cesa - Do not chain submitted requests
(git-fixes).
- crypto: sun8i-ce - move fallback ahash_request to the end of
the struct (git-fixes).
- crypto: xts - Only add ecb if it is not already there
(git-fixes).
- crypto: lrw - Only add ecb if it is not already there
(git-fixes).
- crypto: marvell/cesa - Avoid empty transfer descriptor
(git-fixes).
- crypto: marvell/cesa - Handle zero-length skcipher requests
(git-fixes).
- crypto: sun8i-ss - do not use sg_dma_len before calling DMA
functions (git-fixes).
- Documentation: fix typo in root= kernel parameter description
(git-fixes).
- dmaengine: idxd: cdev: Fix uninitialized use of sva in
idxd_cdev_open (stable-fixes).
- commit 8e41cce
- backlight: pm8941: Add NULL check in wled_configure()
(git-fixes).
- bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes).
- bus: fsl-mc: do not add a device-link for the UAPI used DPMCP
device (git-fixes).
- bus: fsl-mc: fix double-free on mc_dev (git-fixes).
- Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect
devices first" (stable-fixes).
- Bluetooth: MGMT: iterate over mesh commands in
mgmt_mesh_foreach() (git-fixes).
- ASoC: qcom: sdm845: Add error handling in
sdm845_slim_snd_hw_params() (git-fixes).
- ASoC: apple: mca: Constrain channels according to TDM mask
(git-fixes).
- ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation
type (git-fixes).
- crypto: sun8i-ce-cipher - fix error handling in
sun8i_ce_cipher_prepare() (git-fixes).
- crypto: qat - add shutdown handler to qat_420xx (git-fixes).
- crypto: qat - add shutdown handler to qat_4xxx (git-fixes).
- crypto: octeontx2 - suppress auth failure screaming due to
negative tests (stable-fixes).
- crypto: lzo - Fix compression buffer overrun (stable-fixes).
- crypto: skcipher - Zap type in crypto_alloc_sync_skcipher
(stable-fixes).
- can: c_can: Use of_property_present() to test existence of DT
property (stable-fixes).
- commit 595e083
- ASoC: meson: meson-card-utils: use of_property_present()
for DT parsing (git-fixes).
- ASoC: tas2764: Enable main IRQs (git-fixes).
- ASoC: tas2764: Reinit cache on part reset (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013
(stable-fixes).
- ASoC: imx-card: Adjust over allocation of memory in
imx_card_parse_of() (stable-fixes).
- ASoC: mediatek: mt6359: Add stub for
mt6359_accdet_enable_jack_detect (stable-fixes).
- ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes).
- ASoC: qcom: sm8250: explicitly set format in
sm8250_be_hw_params_fixup() (stable-fixes).
- ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile
(stable-fixes).
- ASoC: mediatek: mt8188: Add reference for dmic clocks
(stable-fixes).
- commit 255f2cb
- ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10
(stable-fixes).
- ALSA: pcm: Fix race of buffer access at PCM OSS layer
(stable-fixes).
- ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx
(stable-fixes).
- ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()
(stable-fixes).
- ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG
(stable-fixes).
- ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes).
- ASoC: tas2764: Power up/down amp on mute ops (stable-fixes).
- ASoC: ops: Enforce platform maximum on initial value
(stable-fixes).
- ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode
(stable-fixes).
- ASoC: rt722-sdca: Add some missing readable registers
(stable-fixes).
- commit ab5fcf6
- kABI workaround for hda_codec.beep_just_power_on flag
(git-fixes).
- commit 11aaa35
- acpi-cpufreq: Fix nominal_freq units to KHz in
get_max_boost_ratio() (git-fixes).
- ACPICA: Utilities: Fix spelling mistake "Incremement" ->
"Increment" (git-fixes).
- ACPICA: exserial: don't forget to handle FFixedHW opregions
for reading (git-fixes).
- ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
(git-fixes).
- ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list
(stable-fixes).
- accel/qaic: Mask out SR-IOV PCI resources (stable-fixes).
- ALSA: seq: Improve data consistency at polling (stable-fixes).
- ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook
855 G7 (stable-fixes).
- ACPI: HED: Always initialize before evged (stable-fixes).
- commit 6ebe577
- net: ethernet: mtk-star-emac: fix spinlock recursion issues
on rx/tx poll (CVE-2025-37917 bsc#1243475).
- commit 0f659f2
- usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further
(git-fixes).
- commit bae0091
- usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm
devices (git-fixes).
- commit a0506dd
- usb: typec: ucsi: Only enable supported notifications
(git-fixes).
- commit 3a52706
- usb: typec: ucsi: fix UCSI on buggy Qualcomm devices
(git-fixes).
- commit 5ca6578
- platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys
(git-fixes).
- commit 1564858
- platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS
(git-fixes).
- commit 2bfd2a7
- pstore: Change kmsg_bytes storage size to u32 (git-fixes).
- commit c964f36
- orangefs: Do not truncate file size (git-fixes).
- commit 9fbe3ae
- NFSv4: Check for delegation validity in
nfs_start_delegation_return_locked() (git-fixes).
- commit a689f10
- NFS: Don't allow waiting for exiting tasks (git-fixes).
- Refresh
patches.suse/nfs-add-missing-selections-of-CONFIG_CRC32.patch.
- commit 899f47c
- SUNRPC: Don't allow waiting for exiting tasks (git-fixes).
- commit 8b942ca
- NFSv4: Treat ENETUNREACH errors as fatal for state recovery
(git-fixes).
- commit 9139fd5
- SUNRPC: rpc_clnt_set_transport() must not change the autobind
setting (git-fixes).
- commit e2112a4
- SUNRPC: rpcbind should never reset the port to the value '0'
(git-fixes).
- commit f49c9db
- pNFS/flexfiles: Report ENETDOWN as a connection error
(git-fixes).
- commit 39e7a29
- iommu: Protect against overflow in iommu_pgsize() (git-fixes).
- commit 6adbec5
- ext4: define ext4_journal_destroy wrapper (CVE-2025-22113
bsc#1241617).
- commit 8dddf47
- ext4: ignore xattrs past end (bsc#1242846 CVE-2025-37738).
- commit 2a74454
- ext4: avoid journaling sb update on error if journal is
destroying (bsc#1241617 CVE-2025-22113).
- commit 0445179
- net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving
proposal msg (CVE-2024-49568 bsc#1235728).
- commit a7c2f15
- i2c: tegra: check msg length in SMBUS block read (bsc#1242086)
- commit 625407a
- iio: light: opt3001: fix deadlock due to concurrent flag access (CVE-2025-37968 bsc#1243571)
- commit 0e5e655
- perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (CVE-2025-37936 bsc#1243537)
- commit 2e13950
- net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (CVE-2025-37945 bsc#1243538)
- commit efc17f3
- pds_core: Prevent possible adminq overflow/stuck condition (CVE-2025-37987 bsc#1243542)
- commit ba1ea39
- SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls
(git-fixes).
- commit dc6e86f
- Refresh
patches.suse/nfs-ignore-SB_RDONLY-when-remounting-nfs.patch.
- commit 359f356
- Refresh
patches.suse/nfs-clear-SB_RDONLY-before-getting-superblock.patch.
- commit 2697e51
- fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()
(git-fixes).
- commit fcf1703
- powerpc/pseries/msi: Avoid reading PCI device registers in
reduced power states (bsc#1215199).
- KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion
(bsc#1215199).
- commit 2d2709b
- Update patches.suse/nfsd-Fix-race-to-FREE_STATEID-and-cl_revoked.patch
(bsc#1012628 CVE-2024-50106 bsc#1232882).
- commit a87a308
- net: ngbe: fix memory leak in ngbe_probe() error path (CVE-2025-37874 bsc#1242940)
- commit bc2e64d
- smb: client: fix hang in wait_for_response() for negproto
(bsc#1242709).
- commit 709cb2e
- net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (CVE-2025-37865 bsc#1242954)
- commit 885d04c
- HID: pidff: Fix null pointer dereference in pidff_find_fields (CVE-2025-37862 bsc#1242982)
- commit f9d615e
- usb: chipidea: ci_hdrc_imx: fix usbmisc handling (CVE-2025-37811 bsc#1242907)
- commit 1f2ed79
- mptcp: fix 'scheduling while atomic' in
mptcp_pm_nl_append_new_local_addr (git-fixes CVE-2025-21938
bsc#1240723).
- commit 02ff1ac
- usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572
CVE-2025-37967).
- commit 59ea04d
- kABI workaround for adding an header (CVE-2025-21868
bsc#1240180).
- commit 8687a45
- cifs: avoid NULL pointer dereference in dbg call (CVE-2025-37844 bsc#1242946)
- commit 031bdce
- Update
patches.suse/ALSA-ump-Fix-buffer-overflow-at-UMP-SysEx-message-co.patch
(bsc#1242044 CVE-2025-37891 bsc#1243589).
- Update
patches.suse/ASoC-Intel-avs-Fix-null-ptr-deref-in-avs_component_p.patch
(git-fixes CVE-2025-37793 bsc#1242584).
- Update
patches.suse/ASoC-imx-card-Add-NULL-check-in-imx_card_probe.patch
(git-fixes CVE-2025-22066 bsc#1241340).
- Update
patches.suse/ASoC-ops-Consistently-treat-platform_max-as-control-.patch
(git-fixes CVE-2025-37889 bsc#1242945).
- Update
patches.suse/ASoC-qcom-Fix-sc7280-lpass-potential-buffer-overflow.patch
(git-fixes CVE-2025-37979 bsc#1243545).
- Update
patches.suse/Bluetooth-btrtl-Prevent-potential-NULL-dereference.patch
(git-fixes CVE-2025-37792 bsc#1242591).
- Update
patches.suse/Bluetooth-btusb-avoid-NULL-pointer-dereference-in-sk.patch
(git-fixes CVE-2025-37918 bsc#1243476).
- Update
patches.suse/Input-mtk-pmic-keys-fix-possible-null-pointer-derefe.patch
(git-fixes CVE-2025-37972 bsc#1243573).
- Update
patches.suse/KVM-arm64-Tear-down-vGIC-on-failed-vCPU-creation.patch
(git-fixes CVE-2025-37849 bsc#1243000).
- Update
patches.suse/KVM-x86-Acquire-SRCU-in-KVM_GET_MP_STATE-to-protect-.patch
(git-fixes CVE-2025-23141 bsc#1242782).
- Update
patches.suse/PCI-Fix-reference-leak-in-pci_register_host_bridge.patch
(git-fixes CVE-2025-37836 bsc#1242957).
- Update
patches.suse/PCI-brcmstb-Fix-error-path-after-a-call-to-regulator.patch
(git-fixes CVE-2025-22095 bsc#1241519).
- Update
patches.suse/PCI-vmd-Make-vmd_dev-cfg_lock-a-raw_spinlock_t-type.patch
(stable-fixes CVE-2025-23161 bsc#1242792).
- Update
patches.suse/RDMA-cma-Fix-workqueue-crash-in-cma_netevent_work_ha.patch
(git-fixes CVE-2025-37772 bsc#1242563).
- Update
patches.suse/RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch
(git-fixes bsc#1239925 CVE-2025-22089 bsc#1241538).
- Update
patches.suse/RDMA-core-Silence-oversized-kvmalloc-warning.patch
(git-fixes CVE-2025-37867 bsc#1242948).
- Update
patches.suse/USB-wdm-close-race-between-wdm_open-and-wdm_wwan_por.patch
(git-fixes CVE-2025-37985 bsc#1243529).
- Update
patches.suse/arm64-bpf-Add-BHB-mitigation-to-the-epilogue-for-cBPF-prog.patch
(git-fixes CVE-2025-37948 bsc#1243649).
- Update
patches.suse/arm64-bpf-Only-mitigate-cBPF-programs-loaded-by-unprivileg.patch
(git-fixes CVE-2025-37963 bsc#1243660).
- Update
patches.suse/arm64-errata-Add-missing-sentinels-to-Spectre-BHB-MIDR-arr.patch
(git-fixes CVE-2025-37929 bsc#1243624).
- Update
patches.suse/ata-pata_pxa-Fix-potential-NULL-pointer-dereference-.patch
(git-fixes CVE-2025-37758 bsc#1242514).
- Update
patches.suse/backlight-led_bl-Hold-led_access-lock-when-calling-l.patch
(git-fixes CVE-2025-23144 bsc#1242568).
- Update
patches.suse/block-fix-resource-leak-in-blk_register_queue-error-path.patch
(git-fixes CVE-2025-37980 bsc#1243522).
- Update
patches.suse/block-integrity-Do-not-call-set_page_dirty_lock.patch
(git-fixes CVE-2025-37978 bsc#1243516).
- Update
patches.suse/bnxt_en-Fix-out-of-bound-memcpy-during-ethtool-w.patch
(git-fixes CVE-2025-37911 bsc#1243469).
- Update patches.suse/bpf-Scrub-packet-on-bpf_redirect_peer.patch
(git-fixes CVE-2025-37959 bsc#1243517).
- Update
patches.suse/bpf-check-changes_pkt_data-property-for-extension-pr.patch
(bsc#1241590 CVE-2024-58100 bsc#1242564).
- Update
patches.suse/bpf-consider-that-tail-calls-invalidate-packet-point.patch
(bsc#1241590 CVE-2024-58237 bsc#1242574).
- Update
patches.suse/bpf-track-changes_pkt_data-property-for-global-funct.patch
(bsc#1241590 CVE-2024-58098 bsc#1242565).
- Update
patches.suse/btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch
(bsc#1241492 CVE-2025-37931 bsc#1243626).
- Update
patches.suse/bus-mhi-host-Fix-race-between-unprepare-and-queue_bu.patch
(git-fixes CVE-2025-23151 bsc#1242512).
- Update
patches.suse/cxgb4-fix-memory-leak-in-cxgb4_init_ethtool_filters-.patch
(git-fixes CVE-2025-37788 bsc#1242766).
- Update
patches.suse/dm-bufio-don-t-schedule-in-atomic-context.patch
(git-fixes CVE-2025-37928 bsc#1243621).
- Update
patches.suse/drm-amd-display-Fix-slab-use-after-free-in-hdcp.patch
(git-fixes CVE-2025-37903 bsc#1243562).
- Update
patches.suse/drm-amd-pm-Prevent-division-by-zero-4b8c3c0.patch
(git-fixes CVE-2025-37770 bsc#1242764).
- Update
patches.suse/drm-amd-pm-Prevent-division-by-zero-4e3d950.patch
(git-fixes CVE-2025-37766 bsc#1242785).
- Update
patches.suse/drm-amd-pm-Prevent-division-by-zero-7c246a0.patch
(git-fixes CVE-2025-37768 bsc#1242567).
- Update
patches.suse/drm-amd-pm-Prevent-division-by-zero-7d641c2.patch
(git-fixes CVE-2025-37771 bsc#1242781).
- Update patches.suse/drm-amd-pm-Prevent-division-by-zero.patch
(git-fixes CVE-2025-37767 bsc#1242501).
- Update
patches.suse/drm-amd-pm-smu11-Prevent-division-by-zero.patch
(git-fixes CVE-2025-37769 bsc#1242587).
- Update
patches.suse/drm-amdgpu-Replace-Mutex-with-Spinlock-for-RLCG-regi.patch
(git-fixes CVE-2025-38104 bsc#1241635).
- Update
patches.suse/drm-amdgpu-handle-amdgpu_cgs_create_device-errors-in.patch
(stable-fixes CVE-2025-37852 bsc#1243074).
- Update patches.suse/drm-amdkfd-Fix-mode1-reset-crash-issue.patch
(stable-fixes CVE-2025-37854 bsc#1243082).
- Update
patches.suse/drm-amdkfd-debugfs-hang_hws-skip-GPU-with-MES.patch
(stable-fixes CVE-2025-37853 bsc#1243076).
- Update
patches.suse/drm-i915-huc-Fix-fence-not-released-on-early-probe-e.patch
(git-fixes CVE-2025-37754 bsc#1242524).
- Update
patches.suse/drm-mediatek-dp-drm_err-dev_err-in-HPD-path-to-avoid.patch
(git-fixes CVE-2025-38240 bsc#1241457).
- Update
patches.suse/drm-nouveau-Fix-WARN_ON-in-nouveau_fence_context_kil.patch
(git-fixes CVE-2025-37930 bsc#1243625).
- Update
patches.suse/drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch
(git-fixes CVE-2025-37765 bsc#1242761).
- Update
patches.suse/drm-v3d-Add-job-to-pending-list-if-the-reset-was-ski.patch
(stable-fixes CVE-2025-37951 bsc#1243659).
- Update
patches.suse/eth-bnxt-fix-missing-ring-index-trim-on-error-path.patch
(git-fixes CVE-2025-37873 bsc#1242961).
- Update patches.suse/fbdev-omapfb-Add-plane-value-check.patch
(stable-fixes CVE-2025-37851 bsc#1242977).
- Update
patches.suse/firmware-arm_scmi-Balance-device-refcount-when-destr.patch
(git-fixes CVE-2025-37905 bsc#1243456).
- Update
patches.suse/fs-jfs-Prevent-integer-overflow-in-AG-size-calculation.patch
(git-fixes CVE-2025-37858 bsc#1243049).
- Update
patches.suse/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
(git-fixes CVE-2025-37782 bsc#1242770).
- Update
patches.suse/i2c-cros-ec-tunnel-defer-probe-if-parent-EC-is-not-p.patch
(git-fixes CVE-2025-37781 bsc#1242575).
- Update
patches.suse/i3c-Add-NULL-pointer-check-in-i3c_master_queue_ibi.patch
(git-fixes CVE-2025-23147 bsc#1242530).
- Update
patches.suse/ice-Check-VF-VSI-Pointer-Value-in-ice_vc_add_fdir_fl.patch
(git-fixes CVE-2025-37912 bsc#1243470).
- Update patches.suse/igc-fix-PTM-cycle-trigger-logic.patch
(git-fixes CVE-2025-37875 bsc#1242959).
- Update
patches.suse/iio-imu-st_lsm6dsx-fix-possible-lockup-in-st_lsm6dsx-8114ef8.patch
(git-fixes CVE-2025-37969 bsc#1243574).
- Update
patches.suse/iio-imu-st_lsm6dsx-fix-possible-lockup-in-st_lsm6dsx.patch
(git-fixes CVE-2025-37970 bsc#1243575).
- Update
patches.suse/iommu-Fix-two-issues-in-iommu_copy_struct_from_user.patch
(git-fixes CVE-2025-37900 bsc#1243560).
- Update
patches.suse/ipv6-Fix-memleak-of-nhc_pcpu_rth_output-in-fib_check_nh_v6_gw.patch
(git-fixes CVE-2025-22005 bsc#1240866).
- Update
patches.suse/irqchip-gic-v2m-Prevent-use-after-free-of-gicv2m_get.patch
(git-fixes CVE-2025-37819 bsc#1242873).
- Update
patches.suse/irqchip-qcom-mpm-Prevent-crash-when-trying-to-handle.patch
(git-fixes CVE-2025-37901 bsc#1243559).
- Update patches.suse/jbd2-remove-wrong-sb-s_sequence-check.patch
(bsc#1242343 CVE-2025-37839 bsc#1242990).
- Update
patches.suse/jfs-Fix-uninit-value-access-of-imap-allocated-in-the-diMount-function.patch
(git-fixes CVE-2025-37742 bsc#1243011).
- Update
patches.suse/jfs-Prevent-copying-of-nlink-with-value-0-from-disk-inode.patch
(git-fixes CVE-2025-37741 bsc#1243015).
- Update
patches.suse/jfs-add-sanity-check-for-agwidth-in-dbMount.patch
(git-fixes CVE-2025-37740 bsc#1243006).
- Update
patches.suse/jfs-fix-slab-out-of-bounds-read-in-ea_get.patch
(git-fixes CVE-2025-39735 bsc#1241625).
- Update
patches.suse/jfs-reject-on-disk-inodes-of-an-unsupported-type.patch
(git-fixes CVE-2025-37925 bsc#1241654).
- Update
patches.suse/md-md-bitmap-fix-wrong-bitmap_limit-for-clustermd-wh.patch
(bsc#1238212 CVE-2025-22124 bsc#1241595).
- Update
patches.suse/media-dw2102-Fix-null-ptr-deref-in-dw2102_i2c_transf.patch
(git-fixes CVE-2023-53146 bsc#1220112).
- Update
patches.suse/media-venus-hfi-add-a-check-to-handle-OOB-in-sfr-reg.patch
(git-fixes CVE-2025-23159 bsc#1242529).
- Update
patches.suse/media-venus-hfi-add-check-to-handle-incorrect-queue-.patch
(git-fixes CVE-2025-23158 bsc#1242531).
- Update
patches.suse/media-venus-hfi_parser-add-check-to-avoid-out-of-bou.patch
(git-fixes CVE-2025-23157 bsc#1242532).
- Update
patches.suse/media-venus-hfi_parser-refactor-hfi-packet-parsing-l.patch
(git-fixes CVE-2025-23156 bsc#1242569).
- Update
patches.suse/mfd-ene-kb3930-Fix-a-potential-NULL-pointer-derefere.patch
(git-fixes CVE-2025-23146 bsc#1242559).
- Update
patches.suse/misc-microchip-pci1xxxx-Fix-Kernel-panic-during-IRQ-.patch
(git-fixes CVE-2025-37815 bsc#1242871).
- Update
patches.suse/mtd-inftlcore-Add-error-check-for-inftl_read_oob.patch
(git-fixes CVE-2025-37892 bsc#1243536).
- Update
patches.suse/mtd-rawnand-brcmnand-fix-PM-resume-warning.patch
(git-fixes CVE-2025-37840 bsc#1242953).
- Update patches.suse/net-phy-leds-fix-memory-leak.patch
(git-fixes CVE-2025-37989 bsc#1243511).
- Update
patches.suse/net-reenable-NETIF_F_IPV6_CSUM-offload-for-BIG-TCP-p.patch
(git-fixes CVE-2025-21629 bsc#1235968).
- Update
patches.suse/net_sched-drr-Fix-double-list-add-in-class-with-nete.patch
(git-fixes CVE-2025-37915 bsc#1243473).
- Update
patches.suse/net_sched-ets-Fix-double-list-add-in-class-with-nete.patch
(git-fixes CVE-2025-37914 bsc#1243472).
- Update
patches.suse/net_sched-hfsc-Fix-a-UAF-vulnerability-in-class-with.patch
(git-fixes CVE-2025-37890 bsc#1243330).
- Update
patches.suse/net_sched-qfq-Fix-double-list-add-in-class-with-nete.patch
(git-fixes CVE-2025-37913 bsc#1243471).
- Update
patches.suse/nfsd-decrease-sc_count-directly-if-fail-to-queue-dl_recall.patch
(git-fixes CVE-2025-37871 bsc#1242949).
- Update
patches.suse/objtool-media-dib8000-Prevent-divide-by-zero-in-dib8.patch
(git-fixes CVE-2025-37937 bsc#1243540).
- Update
patches.suse/objtool-spi-amd-Fix-out-of-bounds-stack-access-in-am.patch
(git-fixes CVE-2025-40014 bsc#1241644).
- Update
patches.suse/perf-Fix-hang-while-freeing-sigtrap-event.patch
(bsc#1229491 CVE-2024-43869 CVE-2025-37747 bsc#1242520).
- Update
patches.suse/pm-cpupower-bench-Prevent-NULL-dereference-on-malloc.patch
(stable-fixes CVE-2025-37841 bsc#1242974).
- Update
patches.suse/pwm-mediatek-Prevent-divide-by-zero-in-pwm_mediatek_.patch
(git-fixes CVE-2025-37850 bsc#1242955).
- Update patches.suse/qibfs-fix-_another_-leak.patch (git-fixes
CVE-2025-37983 bsc#1243567).
- Update patches.suse/sch_htb-make-htb_deactivate-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-37953 bsc#1243543).
- Update
patches.suse/sch_htb-make-htb_qlen_notify-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-37932 bsc#1243627).
- Update
patches.suse/sctp-detect-and-prevent-references-to-a-freed-transp.patch
(git-fixes CVE-2025-23142 bsc#1242760).
- Update
patches.suse/soc-samsung-exynos-chipid-Add-NULL-pointer-check-in-.patch
(git-fixes CVE-2025-23148 bsc#1242578).
- Update
patches.suse/sound-virtio-Fix-cancel_sync-warnings-on-uninitializ.patch
(stable-fixes CVE-2025-37805 bsc#1242930).
- Update patches.suse/tpm-do-not-start-chip-while-suspended.patch
(git-fixes CVE-2025-23149 bsc#1242758).
- Update
patches.suse/usb-cdns3-Fix-deadlock-when-using-NCM-gadget.patch
(git-fixes CVE-2025-37812 bsc#1242908).
- Update
patches.suse/usb-dwc3-gadget-check-that-event-count-does-not-exce.patch
(git-fixes CVE-2025-37810 bsc#1242906).
- Update
patches.suse/usb-gadget-aspeed-Add-NULL-pointer-check-in-ast_vhub.patch
(stable-fixes CVE-2025-37881 bsc#1242973).
- Update
patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch
(git-fixes CVE-2025-37986 bsc#1243515).
- Update
patches.suse/vmxnet3-Fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch
(bsc#1226498 CVE-2024-58099 bsc#1242035).
- Update
patches.suse/wifi-at76c50x-fix-use-after-free-access-in-at76_disc.patch
(git-fixes CVE-2025-37796 bsc#1242727).
- Update
patches.suse/wifi-ath12k-Fix-invalid-data-access-in-ath12k_dp_rx_.patch
(stable-fixes CVE-2025-37943 bsc#1243509).
- Update
patches.suse/wifi-ath12k-Fix-invalid-entry-fetch-in-ath12k_dp_mon.patch
(stable-fixes CVE-2025-37944 bsc#1243530).
- Update
patches.suse/wifi-brcm80211-fmac-Add-error-handling-for-brcmf_usb.patch
(git-fixes CVE-2025-37990 bsc#1243528).
- Update
patches.suse/wifi-cfg80211-init-wiphy_work-before-allocating-rfki.patch
(git-fixes CVE-2025-22119 bsc#1241576).
- Update
patches.suse/wifi-mac80211-Purge-vif-txq-in-ieee80211_do_stop.patch
(git-fixes CVE-2025-37794 bsc#1242566).
- Update
patches.suse/wifi-plfxlc-Remove-erroneous-assert-in-plfxlc_mac_re.patch
(git-fixes CVE-2025-37897 bsc#1243534).
- Update
patches.suse/wifi-wl1251-fix-memory-leak-in-wl1251_tx_work.patch
(git-fixes CVE-2025-37982 bsc#1243524).
- commit 4bd69e5
- blacklist.conf: add 75ad02318af2 ("Xen/swiotlb: mark xen_swiotlb_fixup() __init")
- Delete patches.suse/Xen-swiotlb-mark-xen_swiotlb_fixup-__init.patch.
- commit c256f05
- smb: client: Avoid race in open_cached_dir with lease breaks
(CVE-2025-37954 bsc#1243664).
- commit 366c4d0
- smb: client: change return value in open_cached_dir_by_dentry()
if !cfids (git-fixes).
- commit ec272a8
- smb: client: remove unnecessary checks in open_cached_dir()
(git-fixes).
- commit 31b534b
- Delete
patches.suse/smb-client-fix-open_cached_dir-retries-with-hard.patch.
- Delete
patches.suse/smb-client-properly-close-cfids-on-umount.patch.
[hcarvalho: these were SUSE-only fixes and now we have more suitable
fixes upstream for the same issues]
- commit fb12426
- smb3: fix Open files on server counter going negative
(git-fixes).
- commit 6a0a87a
- memblock: Accept allocated memory before use in
memblock_double_array() (CVE-2025-37960 bsc#1243519).
- commit 7257498
- mm/huge_memory: fix dereferencing invalid pmd migration entry
(CVE-2025-37958 bsc#1243539).
- commit 49bf8b8
- objtool, panic: Disable SMAP in __stack_chk_fail()
(bsc#1243963).
- commit 3d95273
- net: stmmac: Fix accessing freed irq affinity_hint (CVE-2025-23155 bsc#1242573)
- commit 1bacbdd
- net_sched: sch_sfq: move the limit validation (CVE-2025-37752 bsc#1242504)
- commit 8b36a9a
- net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
- commit 49233c3
- Refresh
patches.kabi/icmp-prevent-possible-NULL-dereferences-from-icmp_bu.patch.
It turns out we don't need the kABI workaround for
patches.suse/ipv4-icmp-Unmask-upper-DSCP-bits-in-icmp_route_looku.patch,
just need to simply refresh the patch context. Thus we take
> #include <net/inet_dscp.h>
out of the __GENKSYMS__ ifndef.
- Refresh
patches.kabi/icmp-prevent-possible-NULL-dereferences-from-icmp_bu.patch.
- commit b6ed857
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable
(git-fixes bsc#1223096).
- nvme-pci: make nvme_pci_npages_prp() __always_inline
(git-fixes).
- commit 71f2996
- rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE
Useful when someone tries (needs) to build the kernel with clang.
- commit 06918e3
- nilfs2: do not propagate ENOENT error from
nilfs_btree_propagate() (git-fixes).
- commit 5591e0d
- nilfs2: add pointer check for nilfs_direct_propagate()
(git-fixes).
- commit eac8f96
- afs: Fix the server_list to unuse a displaced server rather
than putting it (git-fixes).
- commit d3c390a
- afs: Make it possible to find the volumes that are using a
server (git-fixes).
- commit 7d8a054
- Squashfs: check return result of sb_min_blocksize (git-fixes).
- commit 6d6e8d7
- xenbus: Use kref to track req lifetime (bsc#1243541
CVE-2025-37949).
- commit 0928f39
- 9p/net: fix improper handling of bogus negative read/write
replies (bsc#1243077 CVE-2025-37879).
- commit ac0ef56
- RDMA/rxe: Fix "trying to register non-static key in rxe_qp_do_cleanup" bug (git-fixes)
- commit 40421b4
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes)
- commit 5748d8f
- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes)
- commit 0defb73
- RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes)
- commit af712e0
- RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes)
- commit fe91579
- IB/cm: use rwlock for MAD agent lock (git-fixes)
- commit 7a0e4f4
- loop: don't require ->write_iter for writable files in
loop_configure (git-fixes).
- commit 7e4c4c7
- iommu/mediatek: Fix NULL pointer deference in
mtk_iommu_device_group (CVE-2025-37748 bsc#1242523).
- commit 4d05234
- net: allow small head cache usage with large MAX_SKB_FRAGS
values (CVE-2025-21868 bsc#1240180).
- commit b5e965a
- loop: Add sanity check for read/write_iter (git-fixes).
- scsi: Improve CDL control (git-fixes).
- md/raid1: Add check for missing source disk in process_checks()
(git-fixes).
- loop: Add sanity check for read/write_iter (git-fixes).
- scsi: Improve CDL control (git-fixes).
- md/raid1: Add check for missing source disk in process_checks()
(git-fixes).
- commit 494aacb
- cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()
(bsc#1242875 CVE-2025-37829).
- commit e728de0
- cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
(bsc#1242860 CVE-2025-37830).
- commit 8f43c34
- loop: aio inherit the ioprio of original request (git-fixes).
- Refresh
patches.suse/loop-stop-using-vfs_iter_-read-write-for-buffered-I-O.patch.
- commit ff7ab20
- io_uring: always do atomic put from iowq (CVE-2025-37804
bsc#1242854).
- commit 06f910a
- s390/bpf: Store backchain even for leaf progs (git-fixes
bsc#1243805).
- commit ded8083
- cpufreq: apple-soc: Fix null-ptr-deref in
apple_soc_cpufreq_get_rate() (bsc#1242861 CVE-2025-37831).
- commit ce0d3b2
- kabi: fix kABI for ITS (bsc#1242006 CVE-2024-28956).
- commit 1a3ff17
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- commit 0294b02
- scsi: megaraid_sas: Block zero-length ATA VPD inquiry
(git-fixes).
- scsi: pm80xx: Set phy_attached to zero when device is gone
(git-fixes).
- scsi: hisi_sas: Fix I/O errors caused by hardware port ID
changes (git-fixes).
- scsi: megaraid_sas: Block zero-length ATA VPD inquiry
(git-fixes).
- scsi: pm80xx: Set phy_attached to zero when device is gone
(git-fixes).
- scsi: hisi_sas: Fix I/O errors caused by hardware port ID
changes (git-fixes).
- commit 2f69ac7
- isofs: Prevent the use of too small fid (CVE-2025-37780 bsc#1242786)
- commit 2176e55
- ext4: fix off-by-one error in do_split (CVE-2025-23150 bsc#1242513)
- commit 06dc18f
- net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (CVE-2025-37787 bsc#1242585)
- commit 91a15e6
- Refresh fixes for cBPF issue (bsc#1242778)
- Update metadata and put them into the sorted part of the series
- Refresh
patches.suse/x86-bhi-do-not-set-BHI_DIS_S-in-32-bit-mode.patch.
- Refresh
patches.suse/x86-bpf-add-IBHF-call-at-end-of-classic-BPF.patch.
- Refresh
patches.suse/x86-bpf-call-branch-history-clearing-sequence-on-exit.patch.
- commit d024c0d
- media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (CVE-2025-23160 bsc#1242507)
- commit ec39280
- net: libwx: handle page_pool_dev_alloc_pages error (CVE-2025-37755 bsc#1242506)
- commit 218edf9
- virtiofs: add filesystem context source name check (CVE-2025-37773 bsc#1242502)
- commit c58895d
- remoteproc: core: Clear table_sz when rproc_shutdown (CVE-2025-38152 bsc#1241627)
- commit a7f4be3
- net_sched: skbprio: Remove overly strict queue assertions (CVE-2025-38637 bsc#1241657)
- commit 6c0dd03
- fs/9p: fix NULL pointer dereference on mkdir (CVE-2025-22070 bsc#1241305)
- commit 7cd6fd1
- KVM: VMX: Bury Intel PT virtualization (guest/host mode)
behind CONFIG_BROKEN (CVE-2024-53135 bsc#1234154).
- commit 09b2398
- KVM: x86: Make x2APIC ID 100% readonly (git-fixes).
- Refresh
patches.suse/KVM-x86-Re-split-x2APIC-ICR-into-ICR-ICR2-for-AMD-x2.patch.
- commit d85d7a2
- net: fix NULL pointer dereference in l3mdev_l3_rcv (CVE-2025-22103 bsc#1241448)
- commit da134b6
- udmabuf: fix a buf size overflow issue during udmabuf creation (CVE-2025-37803 bsc#1242852)
- commit 34e7f3d
- add bug reference for an existing hv_netvsc change (bsc#1243737).
- commit e38784d
- kabi fix for perf/aux: Fix AUX buffer serialization
(bsc#1230581, CVE-2024-46713).
- perf/aux: Fix AUX buffer serialization (bsc#1230581,
CVE-2024-46713).
- commit 1405e0e
- Update
patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch
(bsc#1231016).
Remove the reference to CVE-2024-50106 bsc#1232882, this was added
automatically by 8258b9d331fb as it matched the Git-commit 8dd91e8d31fe
which was erroneously added in 4b11aedcc3c0, and later corrected in
a5cceab88022 (which did not also take care of removing the erroneous
references).
- commit 4e82942
- usb: typec: class: Unlocked on error in typec_register_partner()
(bsc#1242856 CVE-2025-37809).
- commit 8ae2608
- struct typec_port: move nre mutex to end (bsc#1242856
CVE-2025-37809).
- commit b5f6426
- usb: typec: class: Fix NULL pointer access (bsc#1242856
CVE-2025-37809).
- Refresh
patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch.
- commit 3add668
- team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787 bsc#1238774)
- commit bda544d
- scsi: ufs: bsg: Set bsg_queue to NULL after removal (CVE-2024-54458 bsc#1238992)
- commit 0e36a45
- xen-netfront: handle NULL returned by
xdp_convert_buff_to_frame() (bsc#1242866 CVE-2025-37820).
- commit 39f3e10
- xen: Change xen-acpi-processor dom0 dependency (git-fixes).
- commit 0babbb9
- xenfs/xensyms: respect hypervisor's "next" indication
(git-fixes).
- commit 911043b
- xen/mcelog: Add __nonstring annotations for unterminated strings
(git-fixes).
- commit 29addb9
- Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes).
- commit 8db2d18
- x86/xen: move xen_reserve_extra_memory() (git-fixes).
- commit 46ca212
- virtio_console: fix missing byte order handling for cols and
rows (git-fixes).
- commit 241fde6
- vhost-scsi: Fix handling of multiple calls to
vhost_scsi_set_endpoint (git-fixes).
- commit b42c56f
- KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields
(git-fixes).
- commit 38764b5
- KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception
(bsc#1243513 CVE-2025-37957).
- commit d959965
- KVM: x86: Explicitly treat routing entry type changes as changes
(git-fixes).
- commit 3d9ce0f
- dm-integrity: fix a warning on invalid table line (git-fixes).
- commit d3c6b81
- KVM: SVM: Allocate IR data using atomic allocation (git-fixes).
- commit b2174da
- KVM: x86: Explicitly zero-initialize on-stack CPUID unions
(git-fixes).
- commit 70f24b1
- KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest
memory accesses (git-fixes).
- commit 6edee17
- KVM: x86/xen: Use guest's copy of pvclock when starting timer
(git-fixes).
- commit b26e547
- KVM: x86: Don't take kvm->lock when iterating over vCPUs in
suspend notifier (git-fixes).
- commit c3ff5ce
- pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702 bsc#1237312)
- commit 9693f33
- KVM: VMX: Don't modify guest XFD_ERR if CR0.TS=1 (git-fixes).
- commit 7004205
- KVM: x86: Remove the unreachable case for 0x80000022 leaf in
__do_cpuid_func() (git-fixes).
- commit 61712af
- KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes).
- commit c1930b5
- KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit
on emulation (git-fixes).
- commit 8202eda
- ptp: Ensure info->enable callback is always set (CVE-2025-21814 bsc#1238473)
- commit f7aafc6
- KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on
PAUSE emulation (git-fixes).
- commit e0c3862
- KVM: x86: Wake vCPU for PIC interrupt injection iff a valid
IRQ was found (git-fixes).
- commit a4e6b2d
- KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't
supported by KVM (git-fixes).
- commit 224ac97
- KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes).
- commit cbffadd
- KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value
(git-fixes).
- commit 7de7eaf
- KVM: x86: Reject disabling of MWAIT/HLT interception when not
allowed (git-fixes).
- commit 6f261b9
- KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes).
- commit a8fc9b5
- xhci: Add helper to set an interrupters interrupt moderation
interval (git-fixes).
- commit 552ff9a
- xhci: split free interrupter into separate remove and free parts
(git-fixes).
- commit b6b40d2
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI
not found (git-fixes).
- commit 30abdad
- KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs
(git-fixes).
- commit fa068c2
- rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes)
- commit 9e674eb
- rcu/tasks: Handle new PF_IDLE semantics (git-fixes)
- commit dc44560
- rcu: Introduce rcu_cpu_online() (git-fixes)
- commit 1b93211
- rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes)
- commit 37d6fe5
- KVM: arm64: Mark some header functions as inline (git-fixes).
- commit 1cf34cd
- KVM: arm64: timer: Always evaluate the need for a soft timer
(git-fixes).
- commit 2c68f44
- KVM: arm64: Fix RAS trapping in pKVM for protected VMs
(git-fixes).
- commit 4af64c7
- KVM: s390: Don't use %pK through debug printing (git-fixes
bsc#1243657).
- KVM: s390: Don't use %pK through tracepoints (git-fixes
bsc#1243658).
- commit 784e519
- s390/pci: Fix missing check for zpci_create_device() error
return (git-fixes CVE-2025-37974 bsc#1243547).
- commit fe0123d
- KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow
status (git-fixes).
- commit 861b970
- KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE
(git-fixes).
- commit cae4119
- KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device
(git-fixes).
- commit c87dcd2
- KVM: arm64: vgic-its: Add a data length check in vgic_its_save_*
(git-fixes).
- commit fb99ec6
- drm/amd/display: prevent hang on link training fail (bsc#1243056 CVE-2025-37870)
- commit 368bb8e
- Input: synaptics-rmi - fix crash with unsupported versions of
F34 (git-fixes).
- spi: spi-fsl-dspi: Reset SR flags before sending a new message
(git-fixes).
- spi: spi-fsl-dspi: Halt the module after a new message transfer
(git-fixes).
- spi: spi-fsl-dspi: restrict register range for regmap access
(git-fixes).
- commit b0b7b4d
- Revert "drm/amd: Keep display off while going into S4"
(git-fixes).
- drm/edid: fixed the bug that hdr metadata was not reset
(git-fixes).
- thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature
(git-fixes).
- platform/x86: dell-wmi-sysman: Avoid buffer overflow in
current_password_store() (git-fixes).
- commit 2a12a0d
- x86/speculation: Remove the extra #ifdef around CALL_NOSPEC (bsc#1242006 CVE-2024-28956).
- commit 02d5249
- x86/speculation: Add a conditional CS prefix to CALL_NOSPEC (bsc#1242006 CVE-2024-28956).
- commit e6e328e
- x86/speculation: Simplify and make CALL_NOSPEC consistent (bsc#1242006 CVE-2024-28956).
- commit 4f55697
- drm/amd: Add Suspend/Hibernate notification callback support
(stable-fixes).
- Refresh
patches.suse/drm-amd-Keep-display-off-while-going-into-S4.patch.
- commit 8fc5efa
- can: slcan: allow reception of short error messages (git-fixes).
- can: bcm: add missing rcu read protection for procfs content
(git-fixes).
- can: bcm: add locking for bcm_op runtime updates (git-fixes).
- Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA
dump handling (git-fixes).
- Bluetooth: L2CAP: Fix not checking l2cap_chan security level
(git-fixes).
- ASoc: SOF: topology: connect DAI to a single DAI link
(git-fixes).
- ASoC: SOF: ipc4-pcm: Delay reporting is only supported for
playback direction (git-fixes).
- ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for
bytes_ext (git-fixes).
- drm/amd/display: Avoid flooding unnecessary info messages
(git-fixes).
- drm/amd/display: Correct the reply value when AUX write
incomplete (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB
Camera (stable-fixes).
- HID: uclogic: Add NULL check in uclogic_input_configured()
(git-fixes).
- HID: thrustmaster: fix memory leak in thrustmaster_interrupts()
(git-fixes).
- wifi: mt76: disable napi on driver removal (git-fixes).
- wifi: mac80211: Set n_channels after allocating struct
cfg80211_scan_request (git-fixes).
- Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags
(git-fixes).
- drm/amdgpu: fix pm notifier handling (git-fixes).
- Revert "drm/amd: Stop evicting resources on APUs in suspend"
(stable-fixes).
- drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes).
- drm/amdgpu: trigger flr_work if reading pf2vf data failed
(stable-fixes).
- commit 26616bd
- net/niu: Niu requires MSIX ENTRY_DATA fields touch before
entry reads (CVE-2025-37833 bsc#1242868).
- commit 6ef582b
- smb: client: fix potential race in cifs_put_tcon() (git-fixes).
- commit 19f09de
- smb: client: don't retry DFS targets on server shutdown
(git-fixes).
- commit 1f292e5
- smb: client: fix return value of parse_dfs_referrals()
(git-fixes).
- commit 4a3af29
- smb: client: parse DNS domain name from domain= option
(git-fixes).
- commit a71bddc
- smb: client: parse av pair type 4 in CHALLENGE_MESSAGE
(git-fixes).
- commit 06ad34c
- smb: client: introduce av_for_each_entry() helper (git-fixes).
- commit b221e20
- smb: client: get rid of kstrdup() in get_ses_refpath()
(git-fixes).
- commit 820766b
- smb: client: don't trust DFSREF_STORAGE_SERVER bit (git-fixes).
- commit e375375
- smb: client: get rid of TCP_Server_Info::refpath_lock
(git-fixes).
- commit a1e1a18
- smb: client: optimize referral walk on failed link targets
(git-fixes).
- commit dc0ea15
- smb: client: provide dns_resolve_{unc,name} helpers (git-fixes).
- commit 823244a
- smb: client: fix DFS mount against old servers with NTLMSSP
(git-fixes).
- commit 9bdc840
- smb: client: don't try following DFS links in
cifs_tree_connect() (git-fixes).
- commit faa5ddf
- btrfs: fix a leaked chunk map issue in read_one_chunk()
(git-fixes).
- btrfs: avoid monopolizing a core when activating a swap file
(git-fixes).
- btrfs: don't loop for nowait writes when checking for cross
references (git-fixes).
- commit 55fbee8
- smb: client: get rid of @nlsc param in cifs_tree_connect()
(git-fixes).
- commit a37d55b
- smb: client: allow more DFS referrals to be cached (git-fixes).
- commit 0672bc5
- smb: client: Use str_yes_no() helper function (git-fixes).
- commit 45cd31b
- smb: client: fix DFS interlink failover (git-fixes).
- commit 0e64ad0
- smb: client: improve purging of cached referrals (git-fixes).
- commit 91096d5
- smb: client: avoid unnecessary reconnects when refreshing
referrals (git-fixes).
- commit f39d027
- smb: client: refresh referral without acquiring refpath_lock
(git-fixes).
- commit a3174a3
- cifs: change tcon status when need_reconnect is set on it
(git-fixes).
- commit 3ba9ec1
- perf: Fix hang while freeing sigtrap event (bsc#1229491 CVE-2024-43869)
- commit ea46d36
- perf: Fix event leak upon exec and file release (bsc#1229491 CVE-2024-43869)
- commit 2306ed7
- task_work: Introduce task_work_cancel() again (bsc#1229491 CVE-2024-43869)
- commit fcc1a13
- task_work: s/task_work_cancel()/task_work_cancel_func()/ (bsc#1229491 CVE-2024-43869)
- commit 737f43d
- sched/numa: Fix the potential null pointer dereference in (bsc#1233192 CVE-2024-50223)
- commit 00ab70f
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes)
- commit 7e8bd78
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes)
- commit 19938ce
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes)
- commit 9d5f7df
- arm64: proton-pack: Expose whether the branchy loop k value (git-fixes)
- commit ae499ae
- arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes)
- commit 204dc95
- arm64: insn: Add support for encoding DSB (git-fixes)
- commit 6b6fa36
- crypto: algif_hash - fix double free in hash_accept (git-fixes).
- padata: do not leak refcount in reorder_work (git-fixes).
- commit 891cb3d
- btrfs: fix non-empty delayed iputs list on unmount due to
compressed write workers (git-fixes).
- commit f1d5e24
- btrfs: fix discard worker infinite loop after disabling discard
(bsc#1242012).
- commit 37021c3
- exfat: fix potential wrong error return from get_block
(git-fixes).
- commit 7a3ae68
- hv_netvsc: Remove rmsg_pgcnt (git-fixes).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes).
- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes).
- commit cc27aab
- Refresh
patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch.
- commit a5cceab
- nfsd: add list_head nf_gc to struct nfsd_file (git-fixes).
- commit 619e51a
- NFSv4: Don't trigger uneccessary scans for return-on-close
delegations (git-fixes).
- commit 7a38fa2
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
(git-fixes).
- commit ab2a57c
- NFS: O_DIRECT writes must check and adjust the file length
(git-fixes).
- commit f49be34
- btrfs: avoid NULL pointer dereference if no valid csum tree
(bsc#1243342).
- commit 4a016a5
- btrfs: avoid NULL pointer dereference if no valid extent tree
(bsc#1236208).
- commit 3a3390f
- btrfs: adjust subpage bit start based on sectorsize
(bsc#1241492).
- commit b1923a6
- nfs: handle failure of nfs_get_lock_context in unlock path
(git-fixes).
- commit fc76265
- NFSv4/pnfs: Reset the layout state after a layoutreturn
(git-fixes).
- commit bfc4dcb
- Input: xpad - fix Share button on Xbox One controllers
(stable-fixes).
- Input: synaptics - enable InterTouch on Dell Precision M3800
(stable-fixes).
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook
Pro 14 v5 (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G
(stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D
(stable-fixes).
- Input: synaptics - enable SMBus for HP Elitebook 850 G1
(stable-fixes).
- Input: xpad - add support for 8BitDo Ultimate 2 Wireless
Controller (stable-fixes).
- drm/amd/display: Fix the checking condition in dmub aux handling
(stable-fixes).
- drm/amd/display: more liberal vmin/vmax update for freesync
(stable-fixes).
- drm/v3d: Add job to pending list if the reset was skipped
(stable-fixes).
- commit 9301e6f
- update metatdata
- Update
patches.suse/nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch
(git-fixes bsc#1235149).
- Update
patches.suse/nvme-re-read-ANA-log-page-after-ns-scan-completes.patch
(git-fixes bsc#1235149).
- commit 34602b4
- net/handshake: Fix handshake_req_destroy_test1 (git-fixes).
- commit 2e22868
- net/mlx5e: Disable MACsec offload for uplink representor profile
(git-fixes).
- net: qede: Initialize qede_ll_ops with designated initializer
(git-fixes).
- igc: fix lock order in igc_ptp_reset (git-fixes).
- idpf: protect shutdown from reset (git-fixes).
- idpf: fix potential memory leak on kcalloc() failure
(git-fixes).
- bnxt_en: Fix ethtool -d byte order for 32-bit values
(git-fixes).
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w
(git-fixes).
- bnxt_en: Fix coredump logic to free allocated buffer
(git-fixes).
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan()
(git-fixes).
- idpf: fix offloads support for encapsulated packets (git-fixes).
- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
(git-fixes).
- net/mlx5: E-switch, Fix error handling for enabling roce
(git-fixes).
- net/mlx5: E-Switch, Initialize MAC Address for Default GID
(git-fixes).
- pds_core: make wait_context part of q_info (CVE-2025-37886
bsc#1242944).
- pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result
(CVE-2025-37887 bsc#1242962).
- octeontx2-pf: qos: fix VF root node parent queue index
(git-fixes).
- devlink: fix port new reply cmd type (git-fixes).
- netlink: annotate data-races around sk->sk_err (git-fixes).
- net/handshake: Fix memory leak in __sock_create() and
sock_alloc_file() (git-fixes).
- commit d6dfca7
- net: ppp: Add bound checking for skb data on ppp_sync_txmung (CVE-2025-37749 bsc#1242859)
- commit be85fb7
- netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (CVE-2025-22063 bsc#1241351)
- commit 9ad0b9d
- rpm: Stop using is_kotd_qa macro
This macro is set by bs-upload-kernel, and a conditional in each spec
file is used to determine when to build the spec file.
This logic should not really be in the spec file. Previously this was
done with package links and package meta for the individula links.
However, the use of package links is rejected for packages in git based
release projects (nothing to do with git actually, new policy). An
alternative to package links is multibuild. However, for multibuild
packages package meta cannot be used to set which spec file gets built.
Use prjcon buildflags instead, and remove this conditional. Depends on
bs-upload-kernel adding the build flag.
- commit 9eb8a6f
- kernel-obs-qa: Use srchash for dependency as well
- commit 485ae1d
- x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes).
- commit 2ced030
- ocfs2: fix the issue with discontiguous allocation in the
global_bitmap (git-fixes).
- commit 3a6d567
- dmaengine: mediatek: drop unused variable (git-fixes).
- dmaengine: idxd: Fix ->poll() return value (git-fixes).
- phy: tegra: xusb: remove a stray unlock (git-fixes).
- commit 78d9bf4
- dmaengine: mediatek: Fix a possible deadlock error in
mtk_cqdma_tx_status() (git-fixes).
- dmaengine: idxd: Refactor remove call with idxd_cleanup()
helper (git-fixes).
- dmaengine: idxd: Add missing idxd cleanup to fix memory leak
in remove call (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
idxd_pci_probe (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
idxd_alloc (git-fixes).
- dmaengine: idxd: Add missing cleanups in cleanup internals
(git-fixes).
- dmaengine: idxd: Add missing cleanup for early error out in
idxd_setup_internals (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
idxd_setup_groups (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
idxd_setup_engines (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
idxd_setup_wqs (git-fixes).
- dmaengine: idxd: Fix allowing write() from different address
spaces (git-fixes).
- dmaengine: ti: k3-udma: Add missing locking (git-fixes).
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device
structure instead of a local copy (git-fixes).
- dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting
less when interrupted" (git-fixes).
- phy: Fix error handling in tegra_xusb_port_init (git-fixes).
- phy: renesas: rcar-gen3-usb2: Set timing registers only once
(git-fixes).
- phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
(git-fixes).
- phy: tegra: xusb: Use a bitmask for UTMI pad power state
tracking (git-fixes).
- i2c: designware: Fix an error handling path in
i2c_dw_pci_probe() (git-fixes).
- commit d7f3f88
- spi: tegra114: Use value to check for invalid delays
(git-fixes).
- spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes).
- commit 455317d
- dma-buf: insert memory barrier before updating num_fences
(git-fixes).
- ACPI: PPTT: Fix processor subtable walk (git-fixes).
- regulator: max20086: fix invalid memory access (git-fixes).
- ALSA: es1968: Add error handling for
snd_pcm_hw_constraint_pow2() (git-fixes).
- ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1
(git-fixes).
- ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info
(git-fixes).
- ALSA: seq: Fix delivery of UMP events to group ports
(git-fixes).
- commit 6d9d893
- net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
(CVE-2025-37823 bsc#1242924).
- commit 1471c72
- spi: fsl-qspi: Fix double cleanup in probe error path
(CVE-2025-37842 bsc#1242951).
- commit 24f6262
- spi: fsl-qspi: use devm function instead of driver remove
(CVE-2025-37842 bsc#1242951).
- commit d11d0a5
- tipc: fix NULL pointer dereference in tipc_mon_reinit_self()
(CVE-2025-37824 bsc#1242867).
- commit b6204ae
- netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in
insert_tree() (CVE-2025-21959 bsc#1240814).
- commit 95b2c5e
- RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (git-fixes)
- commit cf0fc91
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes)
- commit 2431d70
- qibfs: fix _another_ leak (git-fixes)
- commit 8fd1fde
- Update
patches.suse/md-raid10-wait-barrier-before-returning-discard-request-wi.patch
(git-fixes CVE-2025-40325 bsc#1241638).
Updated meta-data, adding CVE# and bsc#
- commit 7913a06
- Update
patches.suse/md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch
(git-fixes CVE-2025-22126 bsc#1241597).
Updated meta-data, adding CVE# and bsc#
- commit f259b1e
- Update patches.suse/md-raid1-raid10-don-t-ignore-IO-flags.patch
(git-fixes CVE-2025-22125 bsc#1241596).
Updated meta-data, adding CVE# and bsc#
- commit e5ab0f8
- Move upstreamed tpm patch into sorted section
- commit 4c354fe
- misc: pci_endpoint_test: Avoid issue of interrupts remaining
after request_irq error (CVE-2025-23140 bsc#1242763).
- commit 7ef87ac
- Refresh patches.suse/tpm-tis-Double-the-timeout-B-to-4s.patch.
- commit a661a1f
- Sort ITS patches
- Refresh
patches.suse/Documentation-x86-bugs-its-Add-ITS-documentation.patch.
- Refresh
patches.suse/x86-ibt-Keep-IBT-disabled-during-alternative-patching.patch.
- Refresh
patches.suse/x86-its-Add-support-for-ITS-safe-indirect-thunk.patch.
- Refresh
patches.suse/x86-its-Add-support-for-ITS-safe-return-thunk.patch.
- Refresh
patches.suse/x86-its-Add-support-for-RSB-stuffing-mitigation.patch.
- Refresh
patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch.
- Refresh
patches.suse/x86-its-Align-RETs-in-BHB-clear-sequence-to-avoid-thunking.patch.
- Refresh
patches.suse/x86-its-Enable-Indirect-Target-Selection-mitigation.patch.
- Refresh
patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch.
- Refresh
patches.suse/x86-its-Use-dynamic-thunks-for-indirect-branches.patch.
- commit c6710c7
- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes)
- commit 1edd6ab
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes)
- commit 182f118
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- commit 0b208b9
- netfilter: conntrack: clamp maximum hashtable size to INT_MAX (CVE-2025-21648 bsc#1236142)
- commit 4d49a39
- smb: client: fix UAF in decryption with multichannel
(bsc#1242510, CVE-2025-37750).
- commit dcd21e8
- cifs: reduce warning log level for server not advertising
interfaces (git-fixes).
- commit d059ffc
- sch_htb: make htb_deactivate() idempotent (CVE-2025-37798
bsc#1242414).
- sch_ets: make est_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_qfq: make qfq_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_drr: make drr_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- commit ca3d2dc
- KVM: arm64: Change kvm_handle_mmio_return() return polarity
(git-fixes).
- Refresh
patches.suse/KVM-arm64-Don-t-retire-aborted-MMIO-instruction.patch.
- commit 265ba62
- net: openvswitch: fix nested key length validation in the set()
action (CVE-2025-37789 bsc#1242762).
- commit aa0d4ee
- netfilter: nft_tunnel: fix geneve_opt type confusion addition
(CVE-2025-22056 bsc#1241525).
- commit bfce6d7
- nvme-pci: add quirk for Samsung PM173x/PM173xa disk
(bsc#1241148).
- nvme: Add warning when a partiually unique NID is detected
(bsc#1241148).
- nvme: Add 'partial_nid' quirk (bsc#1241148).
- commit 242af03
- x86/its: Use dynamic thunks for indirect branches (bsc#1242006 CVE-2024-28956).
- commit 428e9a8
- selftests/mm: fix incorrect buffer->mirror size in hmm2
double_map test (bsc#1242203).
- commit a065dfc
- mm: zswap: fix crypto_free_acomp() deadlock in
zswap_cpu_comp_dead() (CVE-2025-22030 bsc#1241376).
- commit f3d5b08
- nvme: fixup scan failure for non-ANA multipath controllers
(git-fixes).
- commit fbd0910
- augeas
-
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
* CVE-2025-2588.patch
- libxslt
-
- security update
- added patches
CVE-2025-7424 [bsc#1246360], Type confusion in xmlNode.psvi between stylesheet and source nodes
+ libxslt-CVE-2025-7424.patch
- gcc14
-
- Exclude shared objects present for link editing in the GCC specific
subdirectory from provides processing via __provides_exclude_from.
[bsc#1244050][bsc#1243991]
- Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap
variant conflict with the unversioned cross-*-gcc package.
- Disable build of glibc cross to loongarch64 and hppa in SLFO
and SLE15.
- Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799
- Remove gcc14-pr120061.patch which is now included upstream.
- Add gcc14-pr120061.patch to fix the PR108900 fix instead of
reverting it.
- Remove gcc14-pr108900.patch
- Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build.
- Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702
* Remove gcc14-pr118780.patch now on the upstream branch
- Fix build on s390x [bsc#1241549]
- Make sure link editing is done against our own shared library
copy rather than the installed system runtime. [bsc#1240788]
- Add gcc14-pr119680.patch to fix cross-compiler builds with
- -enable-host-pie.
- libgcrypt
-
- Security fix [bsc#1221107, CVE-2024-2236]
* Add --enable-marvin-workaround to spec to enable workaround
* Fix timing based side-channel in RSA implementation ( Marvin attack )
* Add libgcrypt-CVE-2024-2236_01.patch
* Add libgcrypt-CVE-2024-2236_02.patch
- gnutls
-
- Fix heap buffer overread when handling the CT SCT extension during X.509
certificate parsing [bsc#1246233, CVE-2025-32989]
* Add patch gnutls-CVE-2025-32989.patch
- Fix double-free due to incorrect ownership handling in the export logic of
SAN entries containing an otherName [bsc#1246232, CVE-2025-32988]
* Add patch gnutls-CVE-2025-32988.patch
- Fix 1-byte heap buffer overflow when parsing templates with certtool
[bsc#1246267, CVE-2025-32990]
* Add patch gnutls-CVE-2025-32990.patch
- Fix NULL pointer dereference when 2nd Client Hello omits PSK
[bsc#1246299, CVE-2025-6395]
* Add patch gnutls-CVE-2025-6395.patch
- xz
-
- Fix CVE-2025-31115 (bsc#1240414)
* CVE-2025-31115.patch
- openssl-3
-
- Security fix: [bsc#1240366, CVE-2025-27587]
* Minerva side channel vulnerability in P-384 on PPC arch
* Add openssl-3-p384-minerva-ppc.patch
* Add openssl-3-p384-minerva-ppc-p9.patch
- Security fix: [bsc#1220262, CVE-2023-50782]
* Implicit rejection in PKCS#1 v1.5
* Add openssl-CVE-2023-50782.patch
- polkit
-
- CVE-2025-7519: Fixed that a XML policy file with a large number of
nested elements may lead to out-of-bounds write (bsc#1246472)
added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch
- python311:base
-
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
- Update to 3.11.13:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar")
to be bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
(gh#135034, bsc#1244061).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
- CVE-2025-4516-DecodeError-handler.patch
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
- Use extended %autopatch.
- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
since kernel 3.6-rc1)
- Update to 3.11.12:
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject domain
names containing square brackets ([ and ]). Square brackets
are only valid for IPv6 and IPvFuture hosts according to RFC
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so that
it spanned more than one line, the surrounding quotes and
internal escapes would be omitted. This could theoretically
be used to spoof header lines using a carefully constructed
quoted string if the resulting rendered email was transmitted
or re-parsed.
- gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On many
systems this is harmless as unused virtual memory is only
a mapping, but if this hit a virtual address size limit
it could lead to a MemoryError or other process crash. On
unusual systems or builds where all allocated memory is
touched and backed by actual ram or storage it could’ve
consumed resources doing so until similarly crashing.
- gh-127257: In ssl, system call failures that OpenSSL reports
using ERR_LIB_SYS are now raised as OSError.
- gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- gh-106883: Disable GC during the _PyThread_CurrentFrames()
and _PyThread_CurrentExceptions() calls to avoid the
interpreter to deadlock.
- Remove upstreamed patch:
- CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
which makes test_ssl not to stop ThreadedEchoServer on OSError,
which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
gh#python/cpython!126572)
- Allow to disable PGO
- Skip PGO with %want_reproducible_builds (bsc#1239210)
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
- Configure externally_managed with a bcond
https://en.opensuse.org/openSUSE:Python:Externally_managed
bsc#1228165
- Update to 3.11.11:
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).
- Removed upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
- Add add-loongarch64-support.patch to support loongarch64
- rpm
-
- fix --runposttrans not working correctly with the --root
option [bnc#1216091]
* updated patch: posttrans.diff
* added "rpm_fixed_runposttrans" provides for libzypp
- print scriptlet messages in --runposttrans
* needed to fix leaking tmp files [bsc#1218459]
* updated patch: posttrans.diff
- fix memory leak in str2locale [bsc#1241052]
* updated patch: localetag.diff
- libsolv
-
- add support for product-obsoletes() provides in the product
autopackage generation code
- bump version to 0.7.34
- improve transaction ordering by allowing more uninst->uninst
edges [bsc#1243457]
- implement color filtering when adding update targets
- support orderwithrequires dependencies in susedata.xml
- bump version to 0.7.33
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32
- Provide a symbol specific for the ruby-version
so yast does not break across updates (boo#1235598)
- fix replaces_installed_package using the wrong solvable id
when checking the noupdate map
- make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard
- add rpm_query_idarray query function
- support rpm's "orderwithrequires" dependency
- bump version to 0.7.31
- sqlite3
-
- Mark build recipe as POSIX-sh-incompatible
- Run mkdir/rm with verbose mode for the build log
- Update to release 3.49.1:
* Improve portability of makefiles and configure scripts.
* CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
function, introduced in version 3.44.0, that could lead to a
memory error if the separator string is very large (hundreds
of megabytes).
* CVE-2025-29088, bsc#1241078: Enhanced the
SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
against misuse.
- Update to release 3.49.0:
* Enhancements to the query planner:
- Improve the query-time index optimization so that it works on
WITHOUT ROWID tables.
- Better query plans for large star-query joins. This fixes
three different performance regressions that were reported
on the SQLite Forum.
- When two or more queries have the same estimated cost, use
the one with the fewer bytes per row.
* Enhance the iif() SQL function so that it can accept any number
of arguments greater than or equal to two.
* Enhance the session extension so that it works on databases
that make use of generated columns.
* Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which
was not implemented correctly and never worked right. In its place
add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This
option applies to command-line tools like the CLI only, not to the
SQLite core. It causes Win32 APIs to be used for console I/O
instead of stdio. This option affects Windows builds only.
* Three new options to sqlite3_db_config(). All default "on".
SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE
SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE
SQLITE_DBCONFIG_ENABLE_COMMENTS
- Re-enable SONAME which got disabled by default in 3.48.0.
* https://www.sqlite.org/src/forumpost/5a3b44f510df8ded
* https://sqlite.org/forum/forumpost/ab8f15697a
- Update to release 3.48.0:
* Improved EXPLAIN QUERY PLAN output for covering indexes.
* Allow a two-argument version of the iif() SQL function.
* Also allow if() as an alternative spelling for iif().
* Add the ".dbtotxt" command to the CLI.
* Add the SQLITE_IOCAP_SUBPAGE_READ property to the
xDeviceCharacteristics method of the sqlite3_io_methods object.
* Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3()
that prevents warning messages being sent to the error log if
the SQL is ill-formed. This allows sqlite3_prepare_v3() to be
used to do test compiles of SQL to check for validity without
polluting the error log with false messages.
* Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from
1 to 30.
* Added the SQLITE_FCNTL_NULL_IO file control.
* Extend the FTS5 auxiliary API xInstToken() to work with prefix
queries via the insttoken configuration option and the
fts5_insttoken() SQL function.
* Increase the maximum number of arguments to an SQL function
from 127 to 1000.
* Obsoletes sqlite3-6216bfcb.patch .
- Add sqlite3-6216bfcb.patch to fix a test suite regression in
3.47.0 on s390x. Only the test was broken, not the code itself.
https://sqlite.org/forum/forumpost/7b2bab04c5
- Update to release 3.47.2:
* Fix a problem in text-to-floating-point conversion that affects
text values where the first 16 significant digits are
'1844674407370955'. This issue was introduced in 3.47.0 and
only arises on x64 and i386 hardware.
* Other minor bug fixes.
- Enable the session extension, because NodeJS 22 needs it.
- Update to release 3.47.1:
* Fix the makefiles so that they once again honored DESTDIR for
the "install" target.
* Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to
work around issues on some non-standard VFSes caused by making
SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0.
* Fix incorrect answers to certain obscure IN queries caused by
new query optimizations added in the 3.47.0 release.
* Other minor bug fixes.
- Update to release 3.47.0:
* Allow arbitrary expressions in the second argument to the RAISE
function.
* If the RHS of the ->> operator is negative, then access array
elements counting from the right.
* Fix a problem with rolling back hot journal files in the
seldom-used unix-dotfile VFS.
* FTS5 tables can now be dropped even if they use a non-standard
tokenizer that has not been registered.
* Fix the group_concat() aggregate function so that it returns an
empty string, not a NULL, if it receives a single input value
which is an empty string.
* Enhance the generate_series() table-valued function so that it
is able to recognize and use constraints on its output value.
Preupdate hooks now recognize when a column added by ALTER
TABLE ADD COLUMN has a non-null default value.
* Improved reuse of subqueries associated with the IN operator,
especially when the IN operator has been duplicated due to
predicate push-down.
* Use a Bloom filter on subqueries on the right-hand side of the
IN operator, in cases where that seems likely to improve
performance.
* Ensure that queries like "SELECT func(a) FROM tab GROUP BY 1"
only invoke the func() function once per row.
* No attempt is made to create automatic indexes on a column
that is known to be non-selective because of its use in other
indexes that have been analyzed.
* Adjustments to the query planner so that it produces better
plans for star queries with a large number of dimension
tables.
* Add the "order-by-subquery" optimization, that seeks to
disable sort operations in outer queries if the desired order
is obtained naturally due to ORDER BY clauses in subqueries.
* The "indexed-subtype-expr" optimization strives to use
expressions that are part of an index rather than recomputing
the expression based on table values, as long as the query
planner can prove that the subtype of the expression will
never be used.
* Miscellaneous coding tweaks for faster runtimes.
* Add the experimental sqlite3_rsync program.
* Add extension functions median(), percentile(),
percentile_cont(), and percentile_disc() to the CLI.
* Add the .www dot-command to the CLI.
* The sqlite3_analyzer utility now provides a break-out of
statistics for WITHOUT ROWID tables.
* The sqldiff utility avoids creating an empty database if its
second argument does not exist.
* Enhance the sqlite_dbpage table-valued function such that
INSERT can be used to increase or decrease the size of the
database file.
* SQLite no longer makes any use of the "long double" data type,
as hardware support for long double is becoming less common
and long double creates challenges for some compiler tool
chains. Instead, SQLite uses Dekker's algorithm when extended
precision is needed.
* The TCL Interface for SQLite supports TCL9. Everything
probably still works for TCL 8.5 and later, though this is not
guaranteed. Users are encouraged to upgrade to TCL9.
* Fix a corruption-causing bug in the JavaScript "opfs" VFS.
Correct "mode=ro" handling for the "opfs" VFS. Work around a
couple of browser-specific OPFS quirks.
* Add the fts5_tokenizer_v2 API and the locale=1 option, for
creating custom locale-aware tokenizers and fts5 tables that
may take advantage of them.
* Add the contentless_unindexed=1 option, for creating
contentless fts5 tables that store the values of any UNINDEXED
columns persistently in the database.
* Allow an FTS5 table to be dropped even if it uses a custom
tokenizer whose implementation is not available.
- Update to release 3.46.1:
* Improved robustness while parsing the tokenize= arguments in
FTS5.
* Enhancements to covering index prediction in the query planner.
* Do not let the number of terms on a VALUES clause be limited by
SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause
contains elements that appear to be variables due to
double-quoted string literals.
* Fix the window function version of group_concat() so that it
returns an empty string if it has one or more empty string
inputs.
* In FTS5 secure-delete mode, fix false-positive integrity-check
reports about corrupt indexes.
* Syntax errors in ALTER TABLE should always return SQLITE_ERROR.
In some cases, they were formerly returning SQLITE_INTERNAL.
* Other minor fixes.
- Update to release 3.46.0:
* https://sqlite.org/releaselog/3_46_0.html
* Enhance PRAGMA optimize in multiple ways.
* Enhancements to the date and time functions.
* Add support for underscore ("_") characters between digits in
numeric literals.
* Add the json_pretty() SQL function.
* Query planner improvements.
* Allocate additional memory from the heap for the SQL parser
stack if that stack overflows, rather than reporting a "parser
stack overflow" error.
* Allow ASCII control characters within JSON5 string literals.
* Fix the -> and ->> JSON operators so that when the right-hand
side operand is a string that looks like an integer it is still
treated as a string, because that is what PostgreSQL does.
* Obsoletes sqlite3-float-i586.patch.
- Update to release 3.45.3:
* Fix a long-standing bug (going back to version 3.24.0) that
might (rarely) cause the "old.*" values of an UPDATE trigger
to be incorrect if that trigger fires in response to an UPSERT.
* Reduce the scope of the NOT NULL strength reduction
optimization that was added as item 8e in version 3.35.0. The
optimization was being attempted in some contexts where it did
not work, resulting in incorrect query results.
- Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.
- Update to release 3.45.2:
* Added the SQLITE_RESULT_SUBTYPE property for application-
defined SQL functions.
* Enhancements to the JSON SQL functions
* Add the FTS5 tokendata option to the FTS5 virtual table.
* The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by
default.
* Query planner improvements
* Increase the default value for SQLITE_MAX_PAGE_COUNT from
1073741824 to 4294967294.
* Enhancements to the CLI
* Restore the JSON BLOB input bug, and promise to support the
anomaly in subsequent releases, for backward compatibility.
* Fix the PRAGMA integrity_check command so that it works on
read-only databases that contain FTS3 and FTS5 tables.
* Fix issues associated with processing corrupt JSONB inputs.
* Fix a long-standing bug in which a read of a few bytes past the
end of a memory-mapped segment might occur when accessing a
craftily corrupted database using memory-mapped database.
* Fix a long-standing bug in which a NULL pointer dereference
might occur in the bytecode engine due to incorrect bytecode
being generated for a class of SQL statements that are
deliberately designed to stress the query planner but which
are otherwise pointless.
* Fix an error in UPSERT, introduced in version 3.35.0.
* Reduce the scope of the NOT NULL strength reduction
optimization that was added in version 3.35.0.
- Add sqlite3-float-i586.patch to fix build on i586.
- sqlite3-rtree-i686.patch is not needed anymore.
- Abort build when %version and %tarversion don't match.
- libssh
-
- Fix CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
* Add patch libssh-CVE-2025-5372.patch
- Fix CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317)
* Add patch libssh-CVE-2025-5987.patch
- Fix CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
* Add patch libssh-CVE-2025-4877.patch
- Fix CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
* Add patches:
- libssh-CVE-2025-4878-1.patch
- libssh-CVE-2025-4878-2.patch
- Fix CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
* Add patch libssh-CVE-2025-5318.patch
- Fix CVE-2025-5351: Double free in functions exporting keys (bsc#1245312)
* Add patch libssh-CVE-2025-5351.patch
- systemd
-
- Remove the script used to help migrating the language and locale settings
located in /etc/sysconfig/language on old systems to the systemd default
locations (bsc#1247074)
The script was introduced more than 7 years ago and all systems running TW
should have been migrated since then. Moreover the installer supports the
systemd default locations since approximately SLE15.
- triggers.systemd: skip update of hwdb, journal-catalog if executed during an
offline update.
- Import commit 247091bc99ba506cee501b520d1d0a11d772fc13 (merge of v254.27)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/aa12f501ae4749c542a091028d848796da4ef51b...247091bc99ba506cee501b520d1d0a11d772fc13
- Import commit aa12f501ae4749c542a091028d848796da4ef51b
aa12f501ae logs-show: get timestamp and boot ID only when necessary (bsc#1242827)
e8b17d11bc sd-journal: drop to use Hashmap to manage journal files per boot ID
ea80273738 tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate
a5b3b5344f sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag
5fa0600b34 sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added
737e8193e7 sd-journal: cache last entry offset and journal file state
057dca426f sd-journal: fix typo in function name
- Import commit 656494acfaf4b7ac5f3137c09b96b8c4bf08f7d0 (merge of v254.25)
This merge includes the following fix:
7fc7aa5a4d coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/41d2be2fb502e62e671db2b22ee330af8fade7e2...656494acfaf4b7ac5f3137c09b96b8c4bf08f7d0
- Import commit 41d2be2fb502e62e671db2b22ee330af8fade7e2
41d2be2fb5 Revert "macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel" (SUSE specific)
- Import commit 806c21e22ba4e3038817c20da19633b483b3ee80
806c21e22b umount: do not move busy network mounts (bsc#1236177)
- Import commit ebdfa3e44e0c85febfa3b35fc8843f8db6f3fb10
ebdfa3e44e man/pstore.conf: pstore.conf template is not always installed in /etc
304ed20aab man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Add 1003-journal-again-create-user-journals-for-users-with-hi.patch (bsc#1242938)
Don't write messages sent from users with UID falling into the container UID
range to the system journal. Daemons in the container don't talk to the
outside journald as they talk to the inner one directly, which does its
journal splitting based on shifted uids.
- Add 1002-udev-persistent-net-rule-generator-support.patch (bsc#1241190)
This re-adds back the support for the persistent net name rules as well as
their generator since predictable naming scheme is still disabled by default
on Micro (via the `net.ifnames=0` boot option).
- tpm2.0-abrmd
-
- sync with Factory package to fix SELinux issues in SLE Micro 6.1 (bsc#1246460)
- also enable SELinux features for SLE-16 (bsc#1240070). On SLE-16 abrmd does
not work, because the SELinux configuration is missing and thus its
operations are denied. Include SLE-16 to fix this.
- Drop rcFOO symlinks for CODE16 (PED-266).
- Fix SELinux sbin/bin merge (bsc#1229047)
1229047-fix-bin-sbin-selinux.patch
Can be dropped once https://github.com/tpm2-software/tpm2-abrmd/pull/846
is merged upstream
- libxml2
-
- security update
- added patches
CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
+ libxml2-CVE-2025-7425.patch
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49795.patch
- security update
- added patches
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
+ libxml2-CVE-2025-6170,6021.patch
- security update
- added patches
CVE-2024-40896 [bsc#1234812], XXE vulnerability
+ libxml2-CVE-2024-40896.patch
- security update
- added patches
CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
+ libxml2-CVE-2025-32414.patch
CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
+ libxml2-CVE-2025-32415.patch
- libzypp
-
- Make ld.so ignore the subarch packages during install
(bsc#1246912)
- version 17.37.17 (35)
- Fix evaluation of libproxy results (bsc#1247690)
- Replace URL variables inside mirrorlist/metalink files
(fixes #667)
- version 17.37.16 (35)
- Append RepoInfo::path() to the mirror URLs in Preloader
(bsc#1247054)
- version 17.37.15 (35)
- During installation indicate the backend being used (bsc#1246038)
If some package actually needs to know, it should test for
ZYPP_CLASSIC_RPMTRANS being set in the environment.
Otherwise the transaction is driven by librpm.
- version 17.37.14 (35)
- Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459)
- Verbose log libproxy results if PX_DEBUG=1 is set.
- BuildRequires: cmake >= 3.17.
- version 17.37.13 (35)
- Allow explicit request to probe an added repo's URL
(bsc#1246466)
- Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661)
- version 17.37.12 (35)
- Add runtime check for a broken rpm-4.18.0 --runpostrans
(bsc#1246149)
- Add regression test for bsc#1245220 and some other filesize
related tests.
- version 17.37.11 (35)
- BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486)
Newer rpm versions no longer allow a ':' in rpm package names or
obsoletes. So injecting an
Obsoletes: product:oldproductname < oldproductversion
into the -release package to indicate a product rename is no longer
possible.
Since libsolv-0.7.34 you can and should use:
Provides: product-obsoletes(oldproductname) < oldproductversion
in the -release package. libsolv will then inject the appropriate
Obsoletes into the Product.
- version 17.37.10 (35)
- Ignore DeltaRpm download errors (bsc#1245672)
DeltaRpms are in fact optional resources. In case of a failure
the full rpm is downloaded.
- Improve fix for incorrect filesize handling (bsc#1245220)
- version 17.37.9 (35)
- Do not trigger download data exceeded errors on HTTP non data
responses (bsc#1245220)
In some cases a HTTP 401 or 407 did trigger a "filesize exceeded"
error, because the response payload size was compared against the
expected filesize. This patch adds some checks if the response
code is in the success range and only then takes expected
filesize into account. Otherwise the response content-length is
used or a fallback of 2Mb if no content-length is known.
- version 17.37.8 (35)
- Fix SEGV in MediaDISK handler (bsc#1245452)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
DownloadAsNeeded can not be combined with the rpm singletrans
installer backend because a rpm transaction requires all package
headers to be available the the beginning of the transaction. So
explicitly selecting this mode also turns on the classic_rpmtrans
backend.
- Fix evaluation of libproxy results (bsc#1244710)
- version 17.37.7 (35)
- Enhancements regarding mirror handling during repo refresh.
Added means to disable the use of mirrors when downloading
security relevant files. Requires updaing zypper to 1.14.91.
- Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042)
If ZYPP_FULLLOG=1 a solver testcase to
"/var/log/YaST2/autoTestcase" should be written for each solver
run. There was no testcase written for the very first solver run.
This is now fixed.
- Pass $1==2 to %posttrans script if it's an update (bsc#1243279)
- version 17.37.6 (35)
- Fix credential handling in HEAD requests (bsc#1244105)
- version 17.37.5 (35)
- RepoInfo: use pathNameSetTrailingSlash (fixes #643)
- Fix wrong userdata parameter type when running zypp with debug
verbosity (bsc#1239012)
- version 17.37.4 (35)
- Do not warn about no mirrors if mirrorlist was switched on
automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
(bsc#1243887)
- version 17.37.3 (35)
- Add a note to service maintained .repo file entries (fixes #638)
- Support using %{url} variable in a RIS service's repo section.
- version 17.37.2 (35)
- Use a cookie file to validate mirrorlist cache.
This patch extends the mirrorlist code to use a cookie file to
validate the contents of the cache against the source URL, making
sure that we do not accidentially use a old cache when the
mirrorlist url was changed. For example when migrating a system
from one release to the next where the same repo alias might just
have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- version 17.37.1 (35)
- Code16: Enable curl2 backend and parallel package download by
default. In Code15 it's optional.
Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
When refreshing zypp now primarily uses gpgKeyUrl information
from the repo files and only falls back to a automatically
generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks (fixes
openSUSE/zypper#605)
- spec/CMake: add conditional build
'--with[out] classic_rpmtrans_as_default'.
classic_rpmtrans is the current builtin default for SUSE,
otherwise it's single_rpmtrans.
The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
was removed from the spec file. Accordingly the CMake option
ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- version 17.37.0 (35)
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
default (false).
The default was true in Code12 (libzypp-16.x) and changed to
false with Code15 (libzypp-17.x). Unfortunately this was done by
shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
(bsc#1238315)
Ftp actually differs between absolute and relative URL paths.
Absolute path names begin with a double slash encoded as '/%2F'.
This must be preserved when manipulating the path.
- version 17.36.5 (35)
- Add a transaction package preloader (fixes openSUSE/zypper#104)
This patch adds a preloader that concurrently downloads files
during a transaction commit. It's not yet enabled per default.
To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
(fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
- Disable zypp.conf:download.use_deltarpm by default (fixes #620)
Measurements show that you don't benefit from using deltarpms
unless your network connection is very slow. That's why most
distributions even stop offering deltarpms. The default remains
unchanged on SUSE-15.6 and older.
- Make sure repo variables are evaluated in the right context
(bsc#1237044)
- Introducing MediaCurl2 a alternative HTTP backend.
This patch adds MediaCurl2 as a testbed for experimenting with a
more simple way to download files. Set ZYPP_CURL2=1 in the
environment to use it.
- version 17.36.3 (35)
- Filesystem usrmerge must not be done in singletrans mode
(bsc#1236481, bsc#1189788)
Commit will amend the backend in case the transaction would
perform a filesystem usrmerge.
- Workaround bsc#1216091 on Code16.
- version 17.36.2 (35)
- Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983)
Released libyui packages compile with -Werror=deprecated-declarations
so we can't add deprecated warnings without breaking them.
- make gcc15 happy (fixes #613)
- version 17.36.1 (35)
- Drop zypp-CheckAccessDeleted in favor of 'zypper ps'.
- Fix Repoverification plugin not being executed (fixes #614)
- Refresh: Fetch the master index file before key and signature
(bsc#1236820)
- Allow libzypp to compile with C++20.
- Deprecate RepoReports we do not trigger.
- version 17.36.0 (35)
- Create '.keep_packages' in the package cache dir to enforce
keeping downloaded packages of all repos cahed there (bsc#1232458)
- version 17.35.19 (35)
- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
(bsc#1216091)
- version 17.35.17 (35)
- lsof
-
- Update to version 4.99.4:
* In lsof manpage: mention /etc/services for -P option
* Fix typos in docs
* Linux 6.9 changed the pidfs appearence in procfs. Try to
maintain original output in lsof (bsc#1224285)
* closefrom_shim: Add optimized fallback for platforms without
closefrom or close_range
* fix build against -std=c23 (`void (*)()`) changed the meaning)
- Drop obsolete lsof-4.99.3-fix-version-in-configure-ac.patch,
0001-tests-eliminate-use-of-fgrep.patch and
0002-linux-Maintain-original-output-for-pidfd-in-linux-6..patch.
- Add reproducible.patch to not store build host kernel version (boo#1232425)
- replace:
0002-tests-fix-for-kernel-6.9.patch
by upstream proposed:
0002-linux-Maintain-original-output-for-pidfd-in-linux-6..patch
- add (bsc#1224285):
* 0001-tests-eliminate-use-of-fgrep.patch
* 0002-tests-fix-for-kernel-6.9.patch
- lsof 4.99.3:
* Fix compilation error when HASIPv6 is not defined
* Add configure option --disable-liblsof to disable installation
of liblsof
- add lsof-4.99.3-fix-version-in-configure-ac.patch
- Skip tests that are difficult to emulate by qemu
- lsof 4.99.0:
* Do not hard-code fd numbers in epoll test
* --with-selinux configure option.
* Improve performance by using closefrom()
* Introduce liblsof for programmatic access over spawning lsof
in a subprocess
- build with libtirpc
- switch to upstream tarball again as it dropped proprietary code
- pam-config
-
- Stop adding pam_env in AUTH stack, and be sure to put this module at the
really end of the SESSION stack.
[bsc#1243226, CVE-2025-6018, remove-pam_env-from-auth-stack.patch]
- pam
-
- pam_namespace: convert functions that may operate on a user-controlled path
to operate on file descriptors instead of absolute path. And keep the
bind-mount protection from protect_mount() as a defense in depthmeasure.
[bsc#1244509, CVE-2025-6020,
pam_inline-introduce-pam_asprintf-pam_snprintf-and-p.patch,
pam_namespace-fix-potential-privilege-escalation.patch,
pam_namespace-add-flags-to-indicate-path-safety.patch,
pam_namespace-secure_opendir-do-not-look-at-the-grou.patch]
- pam_namespace-fix-potential-privilege-escalation.patch adapted and includes
changes from upstream commits: ds6242a, bc856cd.
* pam_namespace fix logic in return value handling
* pam_namespace move functions around
- perl
-
- do not change the current directory when cloning an open
directory handle [bnc#1244079] [CVE-2025-40909]
new patch: perl-dirdup.diff
- fix heap buffer overflow with tr// [bsc#1241083] [CVE-2024-56406]
new patch: perl-pmtrans.diff
- python-instance-billing-flavor-check
-
- Update to version 1.0.1
+ Fix infinite loop (bsc#1242064)
+ Fix bug in update infrastructure request (bsc#1242064)
- python-cryptography
-
- Update vendor tarball to fix CVE-2025-3416 (bsc#1242631)
- libxml2:python
-
- security update
- added patches
CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
+ libxml2-CVE-2025-7425.patch
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49795.patch
- security update
- added patches
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
+ libxml2-CVE-2025-6170,6021.patch
- security update
- added patches
CVE-2024-40896 [bsc#1234812], XXE vulnerability
+ libxml2-CVE-2024-40896.patch
- security update
- added patches
CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
+ libxml2-CVE-2025-32414.patch
CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
+ libxml2-CVE-2025-32415.patch
- python-requests
-
- Add revert-caching-default-sslcontext.patch upstream patch to avoid
problems with certificate caching in sslcontext.
bsc#1246104, gh#psf/requests#6767
- update to 2.32.4:
* CVE-2024-47081 Fixed an issue where a maliciously crafted URL
and trusted environment will retrieve credentials for the wrong
hostname/machine from a netrc file
* Numerous documentation improvements
* Added support for pypy 3.11 for Linux and macOS.
* Dropped support for pypy 3.9 following its end of support.
- drop CVE-2024-47081.patch (merged upstream)
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
(gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
- Switch to pyproject macros.
- python-setuptools
-
- Add patch CVE-2025-47273.patch to fix A path traversal
vulnerability.
(bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
- python311
-
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
- Update to 3.11.13:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar")
to be bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
(gh#135034, bsc#1244061).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
- CVE-2025-4516-DecodeError-handler.patch
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
- Use extended %autopatch.
- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
since kernel 3.6-rc1)
- Update to 3.11.12:
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject domain
names containing square brackets ([ and ]). Square brackets
are only valid for IPv6 and IPvFuture hosts according to RFC
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so that
it spanned more than one line, the surrounding quotes and
internal escapes would be omitted. This could theoretically
be used to spoof header lines using a carefully constructed
quoted string if the resulting rendered email was transmitted
or re-parsed.
- gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On many
systems this is harmless as unused virtual memory is only
a mapping, but if this hit a virtual address size limit
it could lead to a MemoryError or other process crash. On
unusual systems or builds where all allocated memory is
touched and backed by actual ram or storage it could’ve
consumed resources doing so until similarly crashing.
- gh-127257: In ssl, system call failures that OpenSSL reports
using ERR_LIB_SYS are now raised as OSError.
- gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- gh-106883: Disable GC during the _PyThread_CurrentFrames()
and _PyThread_CurrentExceptions() calls to avoid the
interpreter to deadlock.
- Remove upstreamed patch:
- CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
which makes test_ssl not to stop ThreadedEchoServer on OSError,
which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
gh#python/cpython!126572)
- Allow to disable PGO
- Skip PGO with %want_reproducible_builds (bsc#1239210)
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
- Configure externally_managed with a bcond
https://en.opensuse.org/openSUSE:Python:Externally_managed
bsc#1228165
- Update to 3.11.11:
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).
- Removed upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
- Add add-loongarch64-support.patch to support loongarch64
- selinux-policy
-
- Update to version 20241031+git8.1f94e96d:
* Revert downstream fix for bsc#1199630 due to regression (bsc#1243242)
- sudo
-
- Fix a possible local privilege escalation via the --host option
[bsc#1245274, CVE-2025-32462]
* fix-CVE-2025-32462.patch
- Fix a possible local privilege Escalation via chroot option
[bsc#1245275, CVE-2025-32463]
* fix-CVE-2025-32463.patch
- supportutils
-
- Changes to version 3.2.10
+ network.txt collect all firewalld zones (pr#233)
+ Collects gfs2 info (PED-11853, pr#235, pr#236)
+ Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237)
+ Added openldap2_5 support for SLES (pr#238)
+ Collects additional hawk details (pr#239)
+ Optimized filtering D/Z processes (pr#241)
+ Collect firewalld permanent configuration (pr#243)
+ ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247)
+ Added dbus_info for dbus.txt (bsc#1222650, pr#248)
- zypper
-
- Fix addrepo to handle explicit --check and --no-check requests
(bsc#1246466)
- Accept "show" as alias for "info" (bsc#1245985)
- version 1.14.93
- sh: Reset solver options after command (bsc#1245496)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
- version 1.14.92
- BuildRequires: libzypp-devel >= 17.37.6.
Enhancements regarding mirror handling during repo refresh. Adapt
to libzypp API changes. (bsc#1230267)
- version 1.14.91
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
Add the "metalink" attribute and reflect that the "url" elements
list may in fact be empty, if no baseurls are defined in the
.repo files.
- man: update --allow-unsigned-rpm description.
Explain how to achieve the same for packages provided by
repositories.
- version 1.14.90
- Updated translations (bsc#1230267)
- version 1.14.89
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88
- Package preloader that concurrently downloads files. It's not yet
enabled per default. To enable the preview set ZYPP_CURL2=1 and
ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires: libzypp-devel >= 17.36.4.
- version 1.14.87
- refresh: add --include-all-archs (fixes #598)
Future multi-arch repos may allow to download only those metadata
which refer to packages actually compatible with the systems
architecture. Some tools however want zypp to provide the full
metadata of a repository without filtering incompatible
architectures.
- info,search: add option to search and list Enhances
(bsc#1237949)
- version 1.14.86
- Annonunce --root in commands not launching a Target
(bsc#1237044)
- BuildRequires: libzypp-devel >= 17.36.3.
- version 1.14.85
- Let zypper dup fail in case of (temporarily) unaccessible repos
(bsc#1228434, bsc#1236939, fixes #446)
- version 1.14.84
- New system-architecture command (bsc#1236384)
Prints the detected system architecture.
- version 1.14.83
- requires: libzypp >= 17.36.0.
- Change versioncmp command to return exit code according to the
comparison result (#593)
- version 1.14.82
- lr: show the repositories keep-packages flag (bsc#1232458)
It is shown in the details view or by using -k,--keep-packages.
In addition libyzpp supports to enforce keeping downloaded
packages of all repos within a package cache by creating a
'.keep_packages' file there.
- version 1.14.81
- Try to refresh update repos first to have updated GPG keys on
the fly (bsc#1234752)
An update repo may contain a prolonged GPG key for the GA repo.
Refreshing the update repo first updates a trusted key on the fly
and avoids a 'key has expired' warning being issued when
refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
reporting as non-root (bsc#1235636)
- version 1.14.80
- info: Allow to query a specific version (jsc#PED-11268)
To query for a specific version simply append "-<version>" or
"-<version>-<release>" to the "<name>" pattern. Note that the
edition part must always match exactly.
- version 1.14.79
- Don't try to download missing raw metadata if cache is not
writable (bsc#1225451)
- man: Update 'search' command description.
Hint to "se -v" showing the matches within the packages metadata.
Explain that search strings starting with a "/" will implicitly
look into the filelist as well. Otherfise an explicit "-f" is
needed.
- version 1.14.78