cloud-regionsrv-client
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
- Follow up changes to (jsc#PCT-130, bsc#1182026)
  + Fix executable name for AHB service/timer
  + Update manpage for BYOS instance registration
coreutils
- Add coreutils-du-fts-xfs-noleaf.patch to remove problematic
  special leaf optimization cases for XFS that can lead to du
  crashes.  (bsc#1190354)
cyrus-sasl
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314-before.patch
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
kernel-default
- Bluetooth: fix the erroneous flush_work() order (CVE-2021-3564
  bsc#1186207).
- commit 6b62fb2
- moxart: fix potential use-after-free on remove path
  (bsc1194516).
- commit 5c87126
- memstick: rtsx_usb_ms: fix UAF
- commit 9dca558
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit f8aba64
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Fix spelling mistake "calledd" -> "called"
  (bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in
  mana_init_port() (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC
  is down (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
  (bsc#1193507).
- commit b86c625
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 5bf6fe1
- usb: gadget: configfs: Fix use-after-free issue with udc_name
  (bsc#1193861 CVE-2021-39648).
- commit 57b5f12
- fget: clarify and improve __fget_files() implementation
  (bsc#1193727).
- commit 696ea54
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 68b92fb
- ipv6: use prandom_u32() for ID generation (CVE-2021-45485
  bsc#1194094).
- Refresh
  patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch.
- commit 7a68b0c
- cgroup: Use open-time credentials for process migraton perm
  checks (bsc#1194302 CVE-2021-4197).
- commit eda1a06
- NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202
  bsc#1194529).
- NFC: reorder the logic in nfc_{un,}register_device
  (CVE-2021-4202 bsc#1194529).
- NFC: reorganize the functions in nci_request (CVE-2021-4202
  bsc#1194529).
- commit ce69894
- kprobes: Limit max data_size of the kretprobe instances
  (bsc#1193669).
- commit c7e4a69
- xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like
  fallocate (bsc#1194272 CVE-2021-4155).
- commit c94e1fd
- fget: check that the fd still exists after getting a ref to it
  (bsc#1193727 CVE-2021-4083).
- commit e9025bf
- btrfs: unlock newly allocated extent buffer after error (bsc#1194001, CVE-2021-4149).
- commit 04a66fc
- inet: use bigger hash table for IP ID generation (CVE-2021-45486
  bsc#1194087).
- commit b355639
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- commit e48d1db
- recordmcount.pl: look for jgnop instruction as well as bcrl
  on s390 (bsc#1192267).
- Delete patches.suse/ftrace-recordmcount-binutils.patch.
- commit 6347684
- xen/netback: don't queue unlimited number of packages
  (CVE-2021-28715 XSA-392 bsc#1193442).
- commit a531529
- xen/console: harden hvc_xen against event channel storms
  (CVE-2021-28713 XSA-391 bsc#1193440).
- commit 58dceb5
- xen/netfront: harden netfront against event channel storms
  (CVE-2021-28712 XSA-391 bsc#1193440).
- commit 8877609
- xen-netfront: do not use ~0U as error return value for
  xennet_fill_frags() (git-fixes).
- commit 6d6d065
- xen-netfront: do not assume sk_buff_head list is empty in
  error handling (git-fixes).
- commit 28eaccf
- xen/netfront: don't bug in case of too many frags (bnc#1012382).
- commit 9558b52
- xen/netfront: don't cache skb_shinfo() (bnc#1012382).
- commit 009fd8c
- xen/blkfront: harden blkfront against event channel storms
  (CVE-2021-28711 XSA-391 bsc#1193440).
- commit 4e5bb56
- tty: hvc: replace BUG_ON() with negative return value
  (git-fixes).
- commit c255786
- xen/netfront: don't trust the backend response data blindly
  (git-fixes).
- commit b986b56
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- commit 6944250
- xen/netfront: don't read data from request on the ring page
  (git-fixes).
- commit ab5b1b6
- xen/netfront: read response from backend only once (git-fixes).
- commit ef6e21b
- xen/blkfront: don't trust the backend response data blindly
  (git-fixes).
- commit d0c7fcb
- xen/blkfront: don't take local copy of a request from the ring
  page (git-fixes).
- commit 8786833
- xen/blkfront: read response from backend only once (git-fixes).
- commit 766a2af
- xen: sync include/xen/interface/io/ring.h with Xen's newest
  version (git-fixes).
- commit 586947d
- Update
  patches.suse/ring-buffer-Protect-ring_buffer_reset-from-reentrancy.patch
  (CVE-2020-27825 bsc#1179960).
- commit 6d2a553
- bpf: fix truncated jump targets on heavy expansions (bsc#1193575
  CVE-2018-25020).
- commit 64cd10a
- ring-buffer: Protect ring_buffer_reset() from reentrancy
  (bsc#1179960).
- commit 7a1c06f
- kABI compatibility for struct l2tp_tunnel (bsc#1192032
  CVE-2021-0935).
- commit 0642c93
- l2tp: fix races with ipv4-mapped ipv6 addresses (bsc#1192032
  CVE-2021-0935).
- Refresh
  patches.kabi/kabi-preserve-struct-l2tp_tunnel-layout-after-adding.patch.
- commit 9536429
- net/x25: prevent a couple of overflows (bsc#1178590
  CVE-2020-35519 bsc#1183696).
- commit 8ed397f
- ixgbe: fix large MTU request from VF (bsc#1192877
  CVE-2021-33098).
- commit 8a7b6d5
- mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
  (CVE-2021-43976 bsc#1192847).
- commit 4d86fa1
- mac80211: drop robust management frames from unknown TA
  (CVE-2019-0136 bsc#1193157).
- mac80211: handle deauthentication/disassociation from TDLS peer
  (CVE-2019-0136 bsc#1193157).
- commit 159b426
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare
  (bsc#1192946 (CVE-2021-4002)).
- commit b430748
- constraints: Build aarch64 on recent ARMv8.1 builders.
  Request asimdrdm feature which is available only on recent ARMv8.1 CPUs.
  This should prevent scheduling the kernel on an older slower builder.
- commit 1742151
- Revert "header.py: Reject Patch-mainline: No"
  Allow Patch-mainline: No on historical branch.
- commit 1d03b44
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- commit 14e51bf
nfs-utils
- Add 0200-mountd-Initialize-logging-early.patch
  If an error or warning message is produced before
  closeall() is called, mountd gets confused and doesn't work.
  (bsc#1194661)
- 0191-mount-don-t-bind-a-socket-needlessly.patch
  Don't bind() a non-priv socket immediately before connecting,
  as this wastes port numbers.
  (bsc#1187922)
polkit
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
  added CVE-2021-4115.patch
psmisc
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
samba
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
  module; (bsc#1194859); (bso#14914).
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
tcpdump
- Security fix: [bsc#1195825, CVE-2018-16301]
  * Fix segfault when handling large files
  * Add tcpdump-CVE-2018-16301.patch
wicked
- fsm: fix device rename via yast (bsc#1194392)
  Reset worker config instead to reject a NULL/empty config
  xml node -- introduced in wicked 0.6.67 by commit c2a0385.
  [+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "up" without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property macros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
  - support multiple networks configurations per interface
  - show connection status and scan-results (bsc#1160654)
  - corrected eap-tls,ttls certificate handling and open vs. shared
    wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
  - cleanups and several other improvements, see changes
  - updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
  [- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
  [- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
  [+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
  [+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Add CVE-2018-1100.patch: fixes a buffer overflow in utils.c:checkmailpath()
  that can lead to local arbitrary code execution (CVE-2018-1100 bsc#1089030)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)