apparmor
- Add update-samba-bgqd.diff to add new rule to fix 'DENIED' open on
  /proc/{pid}/fd for samba-bgqd (bnc#1196850).
- Add update-usr-sbin-smbd.diff to add new rule to allow reading of
  openssl.cnf (bnc#1195463).
bind
- Security Fixes:
  * Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused
  to severely impact the performance of named running as a recursive
  resolver. This has been fixed.
  [bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
  * A memory leak was fixed that could be externally triggered in the
  DNSSEC verification code for the ECDSA algorithm.
  [bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
  * Memory leaks were fixed that could be externally triggered in the
  DNSSEC verification code for the EdDSA algorithm.
  [bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
ca-certificates-mozilla
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
  Added:
  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  Removed:
  - Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
  Added:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA
  Removed:
  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
  + HARICA Client ECC Root CA 2021
  + HARICA Client RSA Root CA 2021
  + HARICA TLS ECC Root CA 2021
  + HARICA TLS RSA Root CA 2021
  + TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
  - NAVER Global Root Certification Authority
- Removed old root CA:
  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
cifs-utils
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
  (bsc#1198976, CVE-2022-29869)
  * add cifs-utils-CVE-2022-29869.patch
cloud-regionsrv-client
- Follow up fix to 10.0.4 (bsc#1202706)
  - While the source code was updated to support SLE Micro the spec file
    was not updated for the new locations of the cache and the certs.
    Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
  - Handle exception when trying to deregister a system form the server
- Update to version 10.0.4 (bsc#1199668)
  - Store the update server certs in the /etc path instead of /usr to
    accomodate read only setup of SLE-Micro
crash
- Fix lookup of symbol "/linux_banner"/, as in newer kernels the symbol is
  placed in the .init section ('D') as opposed to the read-only section ('R').
  Also make this specific to kernels >= 2.6.11. This fix is a combination of
  upstream commit fce91bec and a chunk from upstream commit 9fab193e.
  (bsc#1195911)
  Added:
    crash-Fix-the-failure-of-reporting-vmcore-and-vmlinux-do-n.patch
  - ------------------------------------------------------------------
cronie
- Allow to define the logger info and warning priority, fixes
  jsc#SLE-24577
  * run-crons
  * sysconfig.cron
curl
- Security fix: [bsc#1202593, CVE-2022-35252]
  * Control codes in cookie denial of service
  * Add curl-CVE-2022-35252.patch
expat
- Security fix:
  * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
    function in xmlparse.c
  - Added patch expat-CVE-2022-40674.patch
gpg2
- Security fix [CVE-2022-34903, bsc#1201225]
  - Vulnerable to status injection
  - Added patch gnupg-CVE-2022-34903.patch
icu
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
  from upstream, use LocalMemory for cmd to prevent use after free
  (bsc#1193951 CVE-2020-21913).
json-c
- Added CVE-2020-12762.patch (bsc#1171479, CVE-2020-12762)
- Added gcc7-fix.patch
- Update to upstream release 0.12.1
- Removed upstream fixed json-c-0.12-unused_variable_size.patch
- Added fix-set-but-not-used.patch
- json-c 0.12
  Fixes for security issues contained in this release have been
  previously patched into this package, but listed for completeness:
  * Address security issues:
  * CVE-2013-6371: hash collision denial of service
  * CVE-2013-6370: buffer overflow if size_t is larger than int
- Further changes:
  * Avoid potential overflow in json_object_get_double
  * Eliminate the mc_abort() function and MC_ABORT macro.
  * Make the json_tokener_errors array local.  It has been deprecated for
    a while, and json_tokener_error_desc() should be used instead.
  * change the floating point output format to %.17g so values with
    more than 6 digits show up in the output.
  * Remove the old libjson.so name compatibility support.  The library is
    only created as libjson-c.so now and headers are only installed
    into the ${prefix}/json-c directory.
  * When supported by the linker, add the -Bsymbolic-functions flag.
  * Make strict mode more strict:
  * number must not start with 0
  * no single-quote strings
  * no comments
  * trailing char not allowed
  * only allow lowercase literals
  * Added a json_object_new_double_s() convenience function to allow
    an exact string representation of a double to be specified when
    creating the object and use it in json_tokener_parse_ex() so
    a re-serialized object more exactly matches the input.
  * Add support NaN and Infinity
- packaging changes:
  * json-c-hash-dos-and-overflow-random-seed-4e.patch is upstream
  * Move from json-c-lfs.patch which removed warning errors and
    autoconf call to json-c-0.12-unused_variable_size.patch from
    upstream which fixes the warning
  * except for SLE 11 where autoreconf call is required
  * add licence file to main package
kernel-azure
- Revert "/sysfb: Enable boot time VESA graphic mode selection (bsc#1129770)"/
  This reverts commit 8d1c33d1ed3d4b198344cf4cf8763447532f6b90
  since it breaks the build
- commit 253e49e
- Add CVE reference on lightnvm removal patch
  modified:
  - patches.drivers/lightnvm-remove-lightnvm-implemenation.patch
- commit 0412b0e
- fbdev: fb_pm2fb: Avoid potential divide by zero error (bsc#1154048)
- commit 0429966
- video: fbdev: s3fb: Check the size of screen before memset_io() (bsc#1154048)
- commit 1828312
- video: fbdev: arkfb: Check the size of screen before memset_io() (bsc#1154048)
- commit 960c031
- video: fbdev: vt8623fb: Check the size of screen before memset_io() (bsc#1154048)
- commit 8e21ba7
- video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() (bsc#1154048)
- commit 24dad4e
- video: fbdev: sis: fix typos in SiS_GetModeID() (bsc#1154048)
- commit 3b41e99
- video: fbdev: amba-clcd: Fix refcount leak bugs (bsc#1154048)
  Backporting notes:
  * context changes
- commit f023a62
- Revert "/drivers/video/backlight/platform_lcd.c: add support for (bsc#1154048)
- commit 6c2117a
- sysfb: Enable boot time VESA graphic mode selection (bsc#1129770)
  Backporting notes:
  * context changes
  * config update
- commit 8d1c33d
- Revert "/video: imsttfb: fix potential NULL pointer dereferences"/ (bsc#1129770)
- commit 015493e
- Revert "/video: hgafb: fix potential NULL pointer dereference"/ (bsc#1129770)
  Backporting notes:
  * test return value of ioremap() and return an error
- commit dfae32b
- char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
  (CVE-2022-41848 bsc#1203987).
- commit 4b5f9dc
- Input: melfas_mip4 - fix return value check in mip4_probe()
  (git-fixes).
- commit 327938f
- xhci: bail out early if driver can't accress host in resume
  (git-fixes).
- commit 7b6647e
- blacklist.conf: no gadget mode in SLE12
- commit 4ef9a32
- blacklist.conf: breaks kABI for an issue relevant only in a minor HC
- commit 0686374
- usbnet: Fix memory leak in usbnet_disconnect() (git-fixes).
- commit 6704bc6
- explicit set MODULE_SIG_HASH in azure config (bsc#1203933)
  Setting this option became mandatory in Feb 2022.
  While the lack of this option did not cause issues with automated builds,
  a manual osc build started to fail due to incorrect macro expansion.
- commit 6dde286
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit 0c59466
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit 80ea4bf
- scsi: qla2xxx: Remove unused declarations for qla2xxx
  (bsc#1203935).
- scsi: qla2xxx: Drop DID_TARGET_FAILURE use (bsc#1203935).
- scsi: qla2xxx: Update version to 10.02.07.900-k (bsc#1203935).
- scsi: qla2xxx: Add NVMe parameters support in Auxiliary Image
  Status (bsc#1203935).
- scsi: qla2xxx: Add debugfs create/delete helpers (bsc#1203935).
- scsi: qla2xxx: Fix response queue handler reading stale packets
  (bsc#1203935).
- scsi: qla2xxx: Revert "/scsi: qla2xxx: Fix response queue
  handler reading stale packets"/ (bsc#1203935).
- scsi: qla2xxx: Log message "/skipping scsi_scan_host()"/ as
  informational (bsc#1203935).
- scsi: qla2xxx: Avoid flush_scheduled_work() usage (bsc#1203935).
- scsi: qla2xxx: Always wait for qlt_sess_work_fn() from
  qlt_stop_phase1() (bsc#1203935).
- scsi: qla2xxx: Remove unused qlt_tmr_work() (bsc#1203935).
- scsi: qla2xxx: Remove unused del_sess_list field (bsc#1203935).
- commit 6a1070c
- scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()
  (bsc#1203935).
- scsi: qla2xxx: Disable ATIO interrupt coalesce for quad port
  ISP27XX (bsc#1203935).
- commit c812e29
- blacklist.conf: Add 1bf4580e00a2 fork,memcg: alloc_thread_stack_node needs to set tsk->stack
- commit 2a37e27
- Input: stop telling users to snail-mail Vojtech (git-fixes).
- commit d956a8c
- Input: iforce - constify usb_device_id and fix space before
  '[' error (git-fixes).
- commit bfb50de
- scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()
  (git-fixes).
- scsi: mpt3sas: Fix use-after-free warning (git-fixes).
- scsi: lpfc: Add missing destroy_workqueue() in error path
  (git-fixes).
- commit b282bf7
- USB: serial: ftdi_sio: add Belimo device ids (git-fixes).
- commit f6eaf2e
- USB: serial: option: add Quectel RM500K module support.
- commit 981a205
- USB: serial: option: add Quectel EM05-G modem (git-fixes).
- commit 3376669
- USB: serial: option: add Telit LE910Cx 0x1250 composition
  (git-fixes).
- commit f8d705a
- blacklist.conf: irrelevant in our configurations
- commit c5487ee
- USB: serial: option: add support for Cinterion MV31 with new
  baseline (git-fixes).
- commit ce91afd
- usb: typec: tcpci: Don't skip cleanup in .remove() on error
  (git-fixes).
- commit 2a4a3b7
- usb-storage: Add ignore-residue quirk for NXP PN7462AU
  (git-fixes).
- commit 4e282b8
- usb: typec: altmodes/displayport: correct pin assignment for
  UFP receptacles (git-fixes).
- commit 85d64e6
- usb: dwc2: fix wrong order of phy_power_on and phy_init
  (git-fixes).
- commit 63072dd
- USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020)
  (git-fixes).
- commit 93c7c8f
- blacklist.conf: irrelevant in our configurations
- commit 1ea4ae1
- USB: core: Prevent nested device-reset calls (git-fixes).
- commit fc09d0c
- blacklist.conf: blacklist commit 02c0cab8e734
- commit 07b2c53
- usb.h: struct usb_device: hide new member (git-fixes).
- commit 21400d8
- ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (CVE-2022-3303
  bsc#1203769).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit accf4df
- md: call __md_stop_writes in md_stop (git-fixes).
- Revert "/md-raid: destroy the bitmap after destroying the thread"/
  (git-fixes).
- SUNRPC: Reinitialise the backchannel request buffers before
  reuse (git-fixes).
- NFSv4.1: RECLAIM_COMPLETE must handle EACCES (git-fixes).
- md-raid10: fix KASAN warning (git-fixes).
- NFS: LOOKUP_DIRECTORY is also ok with symlinks (git-fixes).
- NFSD: Fix zero-length NFSv3 WRITEs (git-fixes).
- commit ab754e2
- blacklist.conf: 441947019138 Documentation: Add documentation for Processor MMIO Stale Data
- commit a86f7ba
- media: dvb-core: Fix UAF due to refcount races at releasing
  (CVE-2022-41218 bsc#1202960).
- commit 231362a
- blacklist.conf: add several SCSI commits to black list
- commit 82ee683
- blacklist.conf: e9b6013a7ce3 x86/speculation: Update link to AMD speculation whitepaper
- commit b210a45
- media: em28xx: initialize refcount before kref_get
  (CVE-2022-3239 bsc#1203552).
- commit 477c587
- powerpc: Use device_type helpers to access the node type
  (bsc#1203424 ltc#199544).
- Refresh patches.suse/powerpc-numa-remove-unreachable-topology-update-code.patch.
- commit b1e0425
- powerpc/memhotplug: Make lmb size 64bit (bsc#1203424
  ltc#199544).
- powerpc/drmem: Make lmb_size 64 bit (bsc#1203424 ltc#199544).
- commit 5d51965
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
  bsc#1202677).
- Refresh for the above patch added in,
  blacklist.conf: remove the above patch from blaclist.conf
  patches.suse/0034-dm-verity-add-check_at_most_once-option-to-only-vali.patch.
- commit 1b3d265
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
  bsc#1202677).
- commit b644c0f
- Update references:
  - patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
  - patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch
  - patches.suse/tcp-add-small-random-increments-to-the-source-port.patch
  - patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
  - patches.suse/tcp-dynamically-allocate-the-perturb-table-used-by-s.patch
  - patches.suse/tcp-increase-source-port-perturb-table-to-2-16.patch
  - patches.suse/tcp-resalt-the-secret-every-10-seconds.patch
  - patches.suse/tcp-use-different-parts-of-the-port_offset-for-index.patch
  (add CVE-2022-32296 bsc#1200288)
- commit 97c264a
- x86/bugs: Reenable retbleed=off
  While for older kernels the return thunks are statically built in and
  cannot be dynamically patched out, retbleed=off should still be possible
  to do so that the mitigation can still be disabled on Intel who don't
  use the return thunks but IBRS.
- Refresh
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- commit e330fc7
- dm thin metadata: Fix use-after-free in dm_bm_set_read_only
  (bsc#1203462).
- commit b3b2090
- ppc64/kdump: Limit kdump base to 512MB (bsc#1203410 ltc#199904).
- commit 39653db
- Update
  patches.suse/ch-fixup-refcounting-imbalance-for-SCSI-devices.patch
  (bsc#1124235), adding back Refernces lost in previous update.
- commit 47c6490
- scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure
  (git-fixes).
- Refresh patches.suse/scsi-libfc-handling-of-extra-kref.
- commit 27f7754
- mmc: block: fix read single on recovery logic (CVE-2022-20008
  bsc#1199564).
- commit 1fdd74c
- scsi: ch: Make it possible to open a ch device multiple times
  again (git-fixes).
- Refresh
  patches.suse/ch-add-missing-mutex_lock-mutex_unlock-in-ch_release.patch.
- Replace/Refresh
  patches.suse/ch-fixup-refcounting-imbalance-for-SCSI-devices.patch
  ("/scsi: ch: fixup refcounting imbalance for SCSI devices"/)
  with actual upstream version of this commit, which makes it apply
  correctly (it was just a "/submitted"/ version)
- commit cb2ed7c
- ftrace: Fix NULL pointer dereference in is_ftrace_trampoline
  when ftrace is dead (git-fixes).
- commit 6d3bb9f
- arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1 (git-fixes)
- commit 85ce439
- blacklist.conf: ("/arm64: fix clang warning about TRAMP_VALIAS"/)
- commit a67ea91
- Refresh
  patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch.
- commit ed06fa8
- scsi: lpfc: Check the return value of alloc_workqueue()
  (git-fixes).
- scsi: sg: Allow waiting for commands to complete on removed
  device (git-fixes).
- scsi: smartpqi: Fix DMA direction for RAID requests (git-fixes).
- scsi: sd: Fix Opal support (git-fixes).
- scsi: mpt3sas: Fix ioctl timeout (git-fixes).
- scsi: mpt3sas: Fix sync irqs (git-fixes).
- scsi: mpt3sas: Don't call disable_irq from IRQ poll handler
  (git-fixes).
- scsi: sd: enable compat ioctls for sed-opal (git-fixes).
- scsi: sd_zbc: Fix compilation warning (git-fixes).
- Revert "/scsi: sd: Keep disk read-only when re-reading partition"/
  (git-fixes).
- scsi: core: Avoid that a kernel warning appears during system
  resume (git-fixes).
- scsi: core: Avoid that system resume triggers a kernel warning
  (git-fixes).
- commit 2cdb167
- cifs: clean up an inconsistent indenting (bsc#1190317).
- commit 84e7187
- Update
  patches.suse/mm-rmap.c-don-t-reuse-anon_vma-if-we-just-want-a-copy.patch
  (git-fixes, bsc#1203098).
- commit 3881fc3
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
  (CVE-2022-39188, bsc#1203107).
- commit 7df6276
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
  (CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
  bsc#1202097).
- commit 7253cd6
- fuse: limit nsec (bsc#1203126).
- commit 4695dc9
- blacklist.conf: add 2fdbb8dd0155 to blacklist
- commit 374db7c
- objtool: Track original function across branches (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- Refresh
  patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch.
- commit d5d2614
- objtool: Don't use ignore flag for fake jumps (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- commit 3c1c10e
- objtool: Add --backtrace support (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- commit 59346c1
- objtool: Set insn->func for alternatives (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- Refresh
  patches.suse/objtool-add-relocation-check-for-alternative-sections.patch.
- commit 55a9c4c
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
  (git-fixes, bsc#1203098).
  kABI: Fix kABI after "/mm/rmap: Fix anon_vma->degree ambiguity
  leading to double-reuse"/ (git-fixes, bsc#1203098).
- commit 9b79372
- mm/rmap.c: don't reuse anon_vma if we just want a copy
  (git-fixes, bsc#1203098).
- commit d3fffdb
- cifs: fix the cifs_reconnect path for DFS (bsc#1190317).
- commit 8addcab
- blacklist.conf: add c5deb27895e0, as no fix is needed (problem can't occur)
- commit d29d53a
- xen/xenbus: fix return type in xenbus_file_read() (git-fixes).
- commit 7fc364d
- Update
  patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Update
  patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
  Add missing objtool annotations from upstream commits to fix bsc#1202396.
- commit 8f6e21f
- KVM: x86: Set error code to segment selector on LLDT/LTR
  non-canonical #GP (git-fixes).
- commit 3b2de9e
- KVM: x86: Mark TSS busy during LTR emulation _after_ all fault
  checks (git-fixes).
- commit beb4e5a
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- commit df2ab3a
- objtool: Add support for intra-function calls (bsc#1202396).
- commit 72c2448
- objtool: Remove INSN_STACK (bsc#1202396).
- commit df6f4c2
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 696a729
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 9614631
- objtool: Fix ORC vs alternatives (bsc#1202396).
- commit 7725f8e
- objtool: Uniquely identify alternative instruction groups
  (bsc#1202396).
- commit cad8676
- objtool: Remove check preventing branches within alternative
  (bsc#1202396).
- commit f556567
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- commit 7537bdc
- blacklist.conf: add dbac14a5a05f, as it would break kabi
- commit b0b1864
- objtool: Rename struct cfi_state (bsc#1202396).
- commit f1ccddb
- objtool: Support multiple stack_op per instruction
  (bsc#1202396).
- commit bd1355d
- objtool: Support conditional retpolines (bsc#1202396).
- commit 7d5809e
- objtool: Convert insn type to enum (bsc#1202396).
- commit 1160056
- objtool: Rename elf_open() to prevent conflict with libelf
  from elftoolchain (bsc#1202396).
- commit c167b3d
- objtool: Use Elf_Scn typedef instead of assuming struct name
  (bsc#1202396).
- commit fc37030
- squashfs: fix xattr id and id lookup sanity checks
  (bsc#1203013).
- commit e118d89
- squashfs: fix inode lookup sanity checks (bsc#1203013).
- commit 6748621
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
  "/find -xtype l"/ will report them, so use that to make the search a bit
  faster (without using shell).
- commit 13bbc51
- cifs: move from strlcpy with unused retval to strscpy
  (bsc#1190317).
- commit bb4c21d
- cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()
  (bsc#1190317).
- commit f2b9741
- cifs: remove unused server parameter from calc_smb_size()
  (bsc#1190317).
- commit c52dabc
- cifs: Do not use tcon->cfid directly, use the cfid we get from
  open_cached_dir (bsc#1190317).
- commit ed7d7cd
- cifs: fix lock length calculation (bsc#1190317).
- commit 704a256
- cifs: alloc_mid function should be marked as static
  (bsc#1190317).
- commit 1cd087c
- cifs: remove "/cifs_"/ prefix from init/destroy mids functions
  (bsc#1190317).
- commit 7d1a646
- cifs: remove useless DeleteMidQEntry() (bsc#1190317).
- commit 39cdb6e
- cifs: remove remaining build warnings (bsc#1190317).
- commit bb9d34f
- smb2: small refactor in smb2_check_message() (bsc#1190317).
- commit 36dc5c1
- cifs: remove minor build warning (bsc#1190317).
- commit 99f07da
- cifs: remove some camelCase and also some static build warnings
  (bsc#1190317).
- commit 12a6e0e
- cifs: remove unnecessary (void*) conversions (bsc#1190317).
- commit 042656d
- cifs: remove redundant initialization to variable
  mnt_sign_enabled (bsc#1190317).
- commit 5f2fe58
- smb3: check xattr value length earlier (bsc#1190317).
- commit 420acb4
- mkspec: eliminate @NOSOURCE@ macro
  This should be alsways used with @SOURCES@, just include the content
  there.
- commit 403d89f
- kernel-source: include the kernel signature file
  We assume that the upstream tarball is used for released kernels.
  Then we can also include the signature file and keyring in the
  kernel-source src.rpm.
  Because of mkspec code limitation exclude the signature and keyring from
  binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
  Same as other kernel binary packages there is no need to carry duplicate
  sources in dtb packages.
- commit 1bd288c
- smb3: add trace point for SMB2_set_eof (bsc#1190317).
- commit cc50c41
- cifs: return errors during session setup during reconnects
  (bsc#1190317).
- commit f26e757
- cifs: fix uninitialized pointer in error case in
  dfs_cache_get_tgt_share (bsc#1190317).
- commit 2cd67ba
- cifs: skip trailing separators of prefix paths (bsc#1190317).
- commit 6ad2a16
- cifs: version operations for smb20 unneeded when legacy support
  disabled (bsc#1190317).
- commit c14744a
- cifs: when extending a file with falloc we should make files
  not-sparse (bsc#1190317).
- commit 722a067
- smb3: check for null tcon (bsc#1190317).
- commit 19827ce
- cifs: return the more nuanced writeback error on close()
  (bsc#1190317).
- commit 21102b1
- cifs: remove repeated debug message on cifs_put_smb_ses()
  (bsc#1190317).
- commit 55e93f1
- smb3: don't set rc when used and unneeded in query_info_compound
  (bsc#1190317).
- commit b7a8710
- cifs: smbd: fix typo in comment (bsc#1190317).
- commit 0fd8d36
- cifs: set the CREATE_NOT_FILE when opening the directory in
  use_cached_dir() (bsc#1190317).
- commit 18a7023
- cifs: check for smb1 in open_cached_dir() (bsc#1190317).
- commit cebd44b
- cifs: move definition of cifs_fattr earlier in cifsglob.h
  (bsc#1190317).
- commit de5bdb2
- objtool: Fix sibling call detection (bsc#1202396).
- commit 7a3804d
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- commit 34b4ec9
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
  CVE-2022-3028).
- commit e68eb5b
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit c9ac9a2
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit d995183
- usbnet: Fix linkwatch use-after-free on disconnect (git-fixes).
- commit cbbd572
- powerpc/perf: Add privileged access check for thread_imc
  (FATE#322448, bsc#1054914, git-fixes).
- powerpc/perf: Fix loop exit condition in nest_imc_event_init
  (FATE#322448, bsc#1054914, git-fixes).
- powerpc/perf: Return accordingly on invalid chip-id in
  (FATE#322448, bsc#1054914, git-fixes).
- powerpc: Use sizeof(*foo) rather than sizeof(struct foo)
  (FATE#322448, bsc#1054914, git-fixes).
  - Refresh patches.suse/powerpc-powernv-Return-for-invalid-IMC-domain.patch
- commit 0095cdd
- cifs: fix signed integer overflow when fl_end is OFFSET_MAX
  (bsc#1190317).
- commit ef2c03a
- SMB3: EBADF/EIO errors in rename/open caused by race condition
  in smb2_compound_op (bsc#1190317).
- commit 1850f8f
- cifs: use correct lock type in cifs_reconnect() (bsc#1190317).
- commit a9f06fa
- cifs: fix NULL ptr dereference in refresh_mounts()
  (bsc#1190317).
- commit 67eb87c
- cifs: Use kzalloc instead of kmalloc/memset (bsc#1190317).
- commit 60e64c6
- cifs: verify that tcon is valid before dereference in
  cifs_kill_sb (bsc#1190317).
- commit 2548aaa
- cifs: potential buffer overflow in handling symlinks
  (bsc#1190317).
- commit 4a3401c
- cifs: Split the smb3_add_credits tracepoint (bsc#1190317).
- commit a7766a9
- cifs: release cached dentries only if mount is complete
  (bsc#1190317).
- commit 0e4cc46
- cifs: Check the IOCB_DIRECT flag, not O_DIRECT (bsc#1190317).
- commit 396d99d
- cifs: remove check of list iterator against head past the loop
  body (bsc#1190317).
- commit 53771a6
- cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
  (bsc#1190317).
- commit 4dc7010
- cifs: prevent bad output lengths in smb2_ioctl_query_info()
  (bsc#1190317).
- commit d9eafa4
- ceph: don't truncate file in atomic_open (bsc#1202830).
- commit 5d95105
- cifs: change smb2_query_info_compound to use a cached fid,
  if available (bsc#1190317).
- commit 8153d9b
- cifs: convert the path to utf16 in smb2_query_info_compound
  (bsc#1190317).
- commit feab50e
- cifs: we do not need a spinlock around the tree access during
  umount (bsc#1190317).
- commit 3cf620b
- cifs: fix handlecache and multiuser (bsc#1190317).
- commit 61380d0
- Backport causes crashes on all arches so revert the patch until
  I find the root cause
- commit 83c44b2
- cifs: modefromsids must add an ACE for authenticated users
  (bsc#1190317).
- commit 33643f3
- cifs: fix double free race when mount fails in cifs_get_root()
  (bsc#1190317).
- commit 96ae468
- cifs: do not use uninitialized data in the owner/group sid
  (bsc#1190317).
- commit dd406c0
- cifs: fix set of group SID via NTSD xattrs (bsc#1190317).
- commit 063a3b9
- cifs: mark sessions for reconnection in helper function
  (bsc#1190317).
- commit 145a355
- Fix a warning about a malformed kernel doc comment in cifs
  (bsc#1190317).
- commit 5777710
- check sk_peer_cred pointer before put_cred() call
- commit 78087f4
- cifs: alloc_path_with_tree_prefix: do not append sep. if the
  path is empty (bsc#1190317).
- commit 11e7725
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
  bsc#1202672).
- commit 743f12e
- net: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit c37013b
- Drop the unused function after porting on 4.12
- commit a8cf8a3
- spmi: trace: fix stack-out-of-bound access in SPMI tracing
  functions (git-fixes).
- commit 977d6ab
- blacklist.conf: update blacklist
- commit 185c40c
- mvpp2: fix panic on module removal (git-fixes).
- commit 7f3079c
- mvpp2: refactor the HW checksum setup (git-fixes).
- commit 8ea5b04
- net/mlx5: Imply MLXFW in mlx5_core (git-fixes).
- commit 10e6082
- net/mlx5e: Use the inner headers to determine tc/pedit offload
  limitation on decap flows (git-fixes).
- commit 9697304
- blacklist.conf: update blacklist
- commit 46ff3d0
- fuse: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit cb0be42
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
  (bsc#1194535 CVE-2021-4203).
- commit cfbed38
- SUNRPC: Fix the svc_deferred_event trace class (git-fixes).
- commit 851ec16
- tracing/uprobes: Check the return value of kstrdup() for
  tu->filename (git-fixes).
- commit 8dca833
- tracepoint: Add tracepoint_probe_register_may_exist() for BPF
  tracing (git-fixes).
- commit 7aa1321
- xprtrdma: Fix trace point use-after-free race (git-fixes).
- commit a8b511a
- tracing: Fix race in perf_trace_buf initialization (git-fixes).
- commit 2512414
- tracing/perf: Use strndup_user() instead of buggy open-coded
  version (git-fixes).
- commit f7c4f1b
- cifs: fix FILE_BOTH_DIRECTORY_INFO definition (bsc#1190317).
- commit 2dd27f0
- cifs: move superblock magic defitions to magic.h (bsc#1190317).
- commit ec6873e
- cifs: Fix smb311_update_preauth_hash() kernel-doc comment
  (bsc#1190317).
- commit c2c268e
- cifs: sanitize multiple delimiters in prepath (bsc#1190317).
- commit f5d8a69
- cifs: fix ntlmssp auth when there is no key exchange
  (bsc#1190317).
- commit 0965ebd
- USB: serial: io_ti: add Agilent E5805A support (git-fixes).
- commit ea690c7
- USB: new quirk for Dell Gen 2 devices (git-fixes).
- commit 73ad842
- usb: misc: fix improper handling of refcount in uss720_probe()
  (git-fixes).
- commit 7d782ba
- Revert "/USB: xhci: fix U1/U2 handling for hardware with
  XHCI_INTEL_HOST quirk set"/ (git-fixes).
- commit 7bb63b3
- add Kirk Allan as branch maintainer
- commit 9600c20
- blacklist.conf: cleanup designed to break kABI
- commit d77a5a8
- blacklist.conf: cleanup on a minor driver that would require a kABI fixup
- commit 4b84bde
- blacklist.conf: optimization on a minor driver that would require a kABI fixup
- commit ab46ac0
- blacklist.conf: driver only introduced in v4.14
- commit c8efaee
- blacklist.conf: for an architecture unsupported on SLE12
- commit e27f3be
- blacklist.conf: irrelevant in our config
- commit cca8fdf
- blacklist.conf: subsystem the patch is for is introduced only in v4.13
- commit 94d5cd2
- squashfs: add more sanity checks in id lookup (git-fixes).
- commit 0993c72
- squashfs: add more sanity checks in inode lookup (git-fixes).
- commit 5e5b6f8
- squashfs: add more sanity checks in xattr id lookup (git-fixes).
- commit acc3d9a
- phy: tegra: fix device-tree node lookups (git-fixes).
- commit 8650336
- squashfs: fix divide error in calculate_skip() (git-fixes).
- commit f2d03b6
- blacklist.conf: very likely to cause regressions
- commit 857d8cc
- powerpc/xive: Fix refcount leak in xive_get_max_prio
  (fate#322438 git-fixess).
- commit 6f2e0e1
- powerpc: Enable execve syscall exit tracepoint (bsc#1065729).
- commit ccc3683
- powerpc: define get_cycles macro for arch-override
  (bsc#1065729).
- commit db10d90
- blacklist.conf: Add 235cee162459 KVM: PPC: Tick accounting should defer vtime accounting 'til after IRQ handling
- commit c398028
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
  (CVE-2022-2588 bsc#1202096).
- commit 05c19f7
- KVM: PPC: Book3S HV: Context tracking exit guest context before
  enabling irqs (bsc#1065729).
- commit d7f9277
- usbnet: smsc95xx: Fix deadlock on runtime resume (git-fixes).
- commit 2e356ce
- blacklist.conf: later reverted upstream
- commit a099951
- ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback (git-fixes).
- commit 202a421
- Revert "/r8152: adjust the settings about MAC clock speed down
  for RTL8153"/ (git-fixes).
- commit 893a9a7
- net: usb: lan78xx: Connect PHY before registering MAC
  (git-fixes).
- commit d406530
- blacklist.conf: misattributed
- commit 113cb73
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
  ZDI-CAN-17325).
- commit 30cd9be
- xfs: check sb_meta_uuid for dabuf buffer recovery (bsc#1202577).
- commit ea9c6cd
- ext4: make sure ext4_append() always allocates new block
  (bsc#1198577 CVE-2022-1184).
- commit bc8c541
- ext4: check if directory block is within i_size (bsc#1198577
  CVE-2022-1184).
- commit b9efa04
- ext4: Fix check for block being out of directory size
  (bsc#1198577 CVE-2022-1184).
- commit be40637
- btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1202528).
- commit e115339
- btrfs: reduce the preemptive flushing threshold to 90% (bsc#1202528).
- commit f4a62aa
- 9p: migrate from sync_inode to filemap_fdatawrite_wbc (bsc#1202528).
- commit bfdf1f9
- btrfs: use the filemap_fdatawrite_wbc helper for delalloc shrinking (bsc#1202528).
- commit a4caa5b
- fs: add a filemap_fdatawrite_wbc helper (bsc#1202528).
- commit eedfc1d
- btrfs: wait on async extents when flushing delalloc (bsc#1202528).
- commit 0d074a5
- btrfs: use delalloc_bytes to determine flush amount for shrink_delalloc (bsc#1202528).
- commit 83cf4e8
- btrfs: enable a tracepoint when we fail tickets (bsc#1202528).
- commit b1b7482
- Fix releasing of old bundles in xfrm_bundle_lookup()
  (bsc#1201264 bsc#1190397 bsc#1199617).
- commit bc50d6c
- btrfs: include delalloc related info in dump space info tracepoint (bsc#1202528).
- commit 41ed5ae
- btrfs: wake up async_delalloc_pages waiters after submit (bsc#1202528).
- commit 7ff1a2f
- cxgb4vf: update kernel-doc line comments (git-fixes).
- commit 86bb074
- cxgb4: update kernel-doc line comments (git-fixes).
- commit 54c720b
- cxgb4: fix endian conversions for L4 ports in filters
  (git-fixes).
- commit aa42e53
- cxgb4: parse TC-U32 key values and masks natively (git-fixes).
- commit dc23e3b
- cxgb4: move handling L2T ARP failures to caller (git-fixes).
- commit b83d2bf
- blacklist.conf: update blacklist
- commit 8032df7
- blacklist.conf: update blacklist
- commit aea5602
- btrfs: rip out btrfs_space_info::total_bytes_pinned  (bsc#1202528).
- Delete
  patches.suse/btrfs-dump_space_info-when-encountering-total_bytes_pinned-0-at-umount.patch.
- commit 354153b
- qed: fix kABI in qed_rdma_create_qp_in_params (git-fixes).
- commit 68811a9
- btrfs: rip the first_ticket_bytes logic from fail_all_tickets (bsc#1202528).
- commit d9b864b
- qed: Add EDPM mode type for user-fw compatibility (git-fixes).
- commit a73dbd4
- btrfs: remove FLUSH_DELAYED_REFS from data ENOSPC flushing (bsc#1202528).
- commit 60db43c
- btrfs: rip out may_commit_transaction (bsc#1202528).
- Refresh
  patches.suse/btrfs-handle-preemptive-delalloc-flushing-slightly-differently.patch.
- commit c5ab5f9
- btrfs: use percpu_read_positive instead of sum_positive for need_preempt (bsc#1202528).
- Refresh
  patches.suse/btrfs-only-ignore-delalloc-if-delalloc-is-much-smaller-than-ordered.patch.
- commit 59f31f6
- btrfs: handle preemptive delalloc flushing slightly differently (bsc#1202528).
- commit f7a119e
- btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1202528).
- commit 9a30ad9
- btrfs: don't include the global rsv size in the preemptive used amount (bsc#1202528).
- commit a265556
- btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1202528).
- commit b31d6c3
- btrfs: take into account global rsv in need_preemptive_reclaim (bsc#1202528).
- commit fbc80a6
- btrfs: only clamp the first time we have to start flushing (bsc#1202528).
- commit db608fb
- btrfs: check worker before need_preemptive_reclaim (bsc#1202528).
- commit 8aab0b2
- btrfs: Convert fs_info->free_chunk_space to atomic64_t  (bsc#1202528).
- Refresh
  patches.suse/0006-btrfs-move-and-export-can_overcommit.patch.
- Refresh
  patches.suse/0020-btrfs-do-not-account-global-reserve-in-can_overcommit.patch.
- Refresh
  patches.suse/Btrfs-fix-race-between-adding-and-putting-tree-mod-s.patch.
- Refresh
  patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch.
- Refresh
  patches.suse/btrfs-fix-btrfs_calc_reclaim_metadata_size-calculation.patch.
- commit f88ccad
- net/mlx5: Clear LAG notifier pointer after unregister
  (git-fixes).
- commit d878d7c
- net: dsa: mt7530: Change the LINK bit to reflect the link status
  (git-fixes).
- commit ece75a8
- net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC
  pressure (git-fixes).
- commit 8794a66
- net: ll_temac: Fix iommu/swiotlb leak (git-fixes).
- commit 9d72e43
- net: ll_temac: Enable DMA when ready, not before (git-fixes).
- commit 3faa94c
- btrfs: add a trace class for dumping the current ENOSPC state (bsc#1202528).
- commit 9bb464a
- btrfs: adjust the flush trace point to include the source (bsc#1202528).
- commit dfed983
- btrfs: implement space clamping for preemptive flushing (bsc#1202528).
- commit fa5b783
- btrfs: simplify the logic in need_preemptive_flushing (bsc#1202528).
- commit ed57e7f
- btrfs: rework btrfs_calc_reclaim_metadata_size (bsc#1202528).
- commit 99a8046
- btrfs: check reclaim_size in need_preemptive_reclaim (bsc#1202528).
- commit efb656d
- btrfs: rename need_do_async_reclaim (bsc#1202528).
- commit f95c0ae
- btrfs: improve preemptive background space flushing (bsc#1202528).
- commit 951dafe
- btrfs: introduce a FORCE_COMMIT_TRANS flush operation (bsc#1202528).
- commit f16f950
- btrfs: add a trace point for reserve tickets (bsc#1202528).
- commit ac2920d
- btrfs: make flush_space take a enum btrfs_flush_state instead of int (bsc#1202528).
- commit 5a1a4e8
- ata: libata: add qc->flags in ata_qc_complete_template
  tracepoint (git-fixes).
- commit 8897145
- blacklist.conf: not-relevant cleanups for drivers/char/random
- commit 4551df9
- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference
  stale pointer (git-fixes).
- commit 8449873
- PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors
  (git-fixes).
- crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of
  (git-fixes).
- crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE (git-fixes).
- ACPI: CPPC: Do not prevent CPPC from working in the future
  (git-fixes).
- drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX
  (git-fixes).
- commit ce1e4d8
- kabi/severities: add mlx5 internal symbols
- commit 8c6dd4b
- net: ll_temac: Add more error handling of dma_map_single()
  calls (git-fixes).
- commit af7573f
- net: ll_temac: Fix support for little-endian platforms
  (git-fixes).
- Refresh
  patches.suse/net-ll_temac-Fix-race-condition-causing-TX-hang.patch.
- commit 12402e7
- net: ll_temac: Fix typo bug for 32-bit (git-fixes).
- commit 5bf9adc
- net: ll_temac: Fix support for 64-bit platforms (git-fixes).
- commit 5222049
- net: xilinx: replace dev_kfree_skb_irq by dev_consume_skb_irq
  for drop profiles (git-fixes).
- commit e2d5d61
- net: emaclite: Simplify if-else statements (git-fixes).
- commit 43fe9bd
- net/mlx5: Fix auto group size calculation (git-fixes).
- commit f65c99f
- net: stmmac: gmac4: bitrev32 returns u32 (git-fixes).
- commit 717b8ab
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
  We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
  The type test and print line are the same for both cases. The usrmerged
  case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
  in xfrm_bundle_lookup() (bsc#1201948 CVE-2022-36879).
- commit 6a240fe
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
  (CVE-2022-20368 bsc#1202346).
- commit bcc8988
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
  across ioctls (bsc#1202347 CVE-2022-20369).
- commit 0cf8c8f
- iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) (git-fixes).
- commit 832ae90
- scsi: smartpqi: set force_blk_mq=1.(bsc#1179310)
- commit 10f3936
- Update metadata references
- commit 7183678
- md/bitmap: don't set sb values if can't pass sanity check
  (bsc#1197158).
- commit 34e4bcc
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
  CVE-2022-26373).
- commit a207cec
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
  CVE-2022-26373).
- commit 30ef9f9
- Move kABI patches to kABI section.
- commit a80bab0
- powerpc: powernv: kABI: add back powernv_get_random_long
  (bsc#1065729).
- commit 3080872
- powerpc/powernv: rename remaining rng powernv_ functions to pnv_
  (bsc#1065729).
- powerpc/powernv: delay rng platform device creation until
  later in boot (bsc#1065729).
- commit 869d405
- md-raid: destroy the bitmap after destroying the thread
  (git-fixes).
- SUNRPC: Fix READ_PLUS crasher (git-fixes).
- dm raid: fix KASAN warning in raid5_add_disks (git-fixes).
- pNFS: Don't keep retrying if the server replied
  NFS4ERR_LAYOUTUNAVAILABLE (git-fixes).
- commit 3bc259d
- powerpc/powernv/kvm: Use darn for H_RANDOM on Power9
  (bsc#1065729).
- powerpc/powernv: Avoid crashing if rng is NULL (bsc#1065729).
- commit 42e06ba
- KVM: nVMX: Set UMIP bit CR4_FIXED1 MSR when emulating UMIP
  (bsc#1120716).
- commit ce36184
- powerpc/powernv: wire up rng during setup_arch (bsc#1065729).
- powerpc/pseries: wire up rng during setup_arch() (bsc#1065729).
- Refresh patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch
- powerpc/powernv: Staticify functions without prototypes
  (bsc#1065729).
- powerpc/powernv: Use darn instruction for get_random_seed()
  on Power9 (bsc#1065729).
- commit 4e67aee
- xfs: fix NULL pointer dereference in xfs_getbmap() (git-fixes).
- commit 9ad699f
- KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 (bsc#1201442)
- commit a44d410
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1201726
  CVE-2022-26373).
- commit 8e898cd
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
  (bsc#1201726 CVE-2022-26373).
- commit 9388584
- net/sched: cls_u32: fix netns refcount changes in u32_change()
  (CVE-2022-29581 bsc#1199665).
- commit 944805b
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
  bsc#1202154).
- commit 0d36370
- ipv4: avoid using shared IP generator for connected sockets
  (CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
  bsc#1196616).
- commit df5e606
- blacklist.conf: Relatively high risk of unexpected performance change
- commit 58f819d
- blacklist.conf: Many dependencies with relatively high risk of unexpected performance change
- commit 56dc959
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- xfs: always free inline data before resetting inode fork during
  ifree (bsc#1202017).
- commit 89a46fc
- blacklist.conf: remove 98c4f78dcdd8 from blacklist
  This is a required fix, as 43518812d2 was backported.
- commit 62ac6c4
- blacklist.conf: Add fadump commits introducing boot_mem_top
  bec53196adf4 powerpc/fadump: add support to preserve crash data on FADUMP disabled kernel
  7dee93a9a880 powerpc/fadump: support holes in kernel boot memory area
  The current fadump code in 4.12 kernel does not support bootmem holes.
  If these commits are backported the current backports need review for
  use of boot_memory_size instead of boot_mem_top
- commit 66afc75
- powerpc/fadump: fix PT_LOAD segment for boot memory area
  (bsc#1103269 ltc#169948 git-fixes).
- powerpc/fadump: make crash memory ranges array allocation
  generic (bsc#1103269 ltc#169948 git-fixes).
- Refresh patches.suse/powerpc-fadump-fix-race-between-pstore-write-and-fad.patch
- commit 2607c5c
- blacklist.conf: Append 'drm/amdgpu/acp: Make PM domain really work'
- commit 5d0cbbf
- blacklist.conf: Append 'drm: mxsfb: Clear FIFO_CLEAR bit'
- commit a9d2273
- blacklist.conf: Append 'drm: mxsfb: Increase number of outstanding requests on V4 and newer HW'
- commit eb95663
- blacklist.conf: Append 'drm: mxsfb: Enable recovery on underflow'
- commit 5c872c1
- blacklist.conf: Append 'drm/i915/display: Fix the 12 BPC bits for PIPE_MISC reg'
- commit 9af6ddf
- blacklist.conf: Append 'drm/radeon: Fix off-by-one power_state index heap overwrite'
- commit 0f57ec5
- blacklist.conf: Append 'drm/radeon: Avoid power table parsing memory leaks'
- commit 2212d5c
- blacklist.conf: Append 'amdgpu: fix GEM obj leak in amdgpu_display_user_framebuffer_create'
- commit 6d1e3d5
- blacklist.conf: Append 'drm/radeon: Fix a missing check bug in radeon_dp_mst_detect()'
- commit 5ae4891
- blacklist.conf: Append 'Fix misc new gcc warnings'
- commit ba680f8
- blacklist.conf: Append 'drm/vc4: crtc: Reduce PV fifo threshold on hvs4'
- commit 6465ff9
- blacklist.conf: Append 'drm/amdgpu: check alignment on CPU page for bo map'
- commit 11881ba
- blacklist.conf: Append 'drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings()'
- commit 06bd647
- blacklist.conf: Append 'drm/i915: Fix the GT fence revocation runtime PM logic'
- commit 278dbb6
- blacklist.conf: Append 'drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence'
- commit 46e7a2f
- blacklist.conf: Append 'drm/i915/dp: Track pm_qos per connector'
- commit 1a3ef34
- blacklist.conf: Append 'drm/i915: Avoid mixing integer types during batch copies'
- commit e361acc
- blacklist.conf: Append 'drm/i915/gem: Avoid implicit vmap for highmem on x86-32'
- commit f730816
- blacklist.conf: Append 'drm/dp_mst: Kill the second sideband tx slot, save the world'
- commit ee6a373
- blacklist.conf: Append 'drm: mst: Fix query_payload ack reply struct'
- commit 9b06dd2
- blacklist.conf: Append 'drm/i915/gen8+: Add RC6 CTX corruption WA'
- commit 7617aa6
- blacklist.conf: Append 'make 'user_access_begin()' do 'access_ok()''
- commit 36185b4
- lkdtm: Disable return thunks in rodata.c (bsc#1114648).
- commit 1db863b
- x86/retbleed: Add fine grained Kconfig knobs (bsc#1114648).
- commit c693b03
- blacklist.conf: Add ppc numa commits
  e75130f20b1f powerpc/numa: Offline memoryless cpuless node 0
  10f78fd0dabb powerpc/numa: Fix a regression on memoryless node 0
- commit f94fd1c
- KVM: emulate: do not adjust size of fastop and setcc subroutines
  (bsc#1201930).
- commit 7c39b90
- kvm/emulate: Fix SETcc emulation function offsets with SLS
  (bsc#1201930).
- commit 0c004d2
- netfilter: nf_queue: do not allow packet truncation below
  transport header offset (bsc#1201940 CVE-2022-36946).
- commit 06aa700
- latent_entropy: avoid build error when plugin cflags are not
  set (git-fixes).
- Refresh patches.suse/fdt-add-support-for-rng-seed.patch.
- commit 66e3bae
- block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code'
  explicit (git-fixes).
- linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check
  (git-fixes).
- linux/random.h: Use false with bool (git-fixes).
- linux/random.h: Remove arch_has_random, arch_has_random_seed
  (git-fixes).
- random: always fill buffer in get_random_bytes_wait (git-fixes).
- commit 4bf323f
- scsi: qla2xxx: Update version to 10.02.07.800-k (bsc#1201958).
- scsi: qla2xxx: Update manufacturer details (bsc#1201958).
- scsi: qla2xxx: Fix sparse warning for dport_data (bsc#1201651).
- scsi: qla2xxx: Fix discovery issues in FC-AL topology
  (bsc#1201651).
- scsi: qla2xxx: Fix imbalance vha->vref_count (bsc#1201651).
- scsi: qla2xxx: edif: Fix dropped IKE message (bsc#1201651).
- scsi: qla2xxx: Fix response queue handler reading stale packets
  (bsc#1201651).
- scsi: qla2xxx: Zero undefined mailbox IN registers
  (bsc#1201651).
- scsi: qla2xxx: Fix incorrect display of max frame size
  (bsc#1201958).
- scsi: qla2xxx: Check correct variable in qla24xx_async_gffid()
  (bsc#1201958).
- scsi: qla2xxx: Update version to 10.02.07.700-k (bsc#1201958).
- scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error
  injection (bsc#1201958).
- scsi: qla2xxx: Fix losing FCP-2 targets on long port disable
  with I/Os (bsc#1201958).
  Refresh:
  - patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch
- scsi: qla2xxx: Add debug prints in the device remove path
  (bsc#1201958).
- scsi: qla2xxx: Fix losing target when it reappears during delete
  (bsc#1201958).
- scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation
  tests (bsc#1201958).
- scsi: qla2xxx: Fix crash due to stale SRB access around I/O
  timeouts (bsc#1201958).
- scsi: qla2xxx: Turn off multi-queue for 8G adapters
  (bsc#1201958).
- scsi: qla2xxx: Wind down adapter after PCIe error (bsc#1201958).
- scsi: qla2xxx: Add a new v2 dport diagnostic feature
  (bsc#1201958).
- scsi: qla2xxx: Fix excessive I/O error messages by default
  (bsc#1201958).
- scsi: qla2xxx: Update version to 10.02.07.600-k (bsc#1201958).
- scsi: qla2xxx: edif: Fix slow session teardown (bsc#1201958).
- scsi: qla2xxx: edif: Reduce N2N thrashing at app_start time
  (bsc#1201958).
- scsi: qla2xxx: edif: Fix no logout on delete for N2N
  (bsc#1201958).
- scsi: qla2xxx: edif: Fix session thrash (bsc#1201958).
- scsi: qla2xxx: edif: Tear down session if keys have been removed
  (bsc#1201958).
- scsi: qla2xxx: edif: Fix no login after app start (bsc#1201958).
- scsi: qla2xxx: edif: Reduce disruption due to multiple app start
  (bsc#1201958).
- scsi: qla2xxx: edif: Send LOGO for unexpected IKE message
  (bsc#1201958).
- scsi: qla2xxx: edif: Fix I/O timeout due to over-subscription
  (bsc#1201958).
- scsi: qla2xxx: Update version to 10.02.07.500-k (bsc#1201958).
- scsi: qla2xxx: edif: Fix n2n login retry for secure device
  (bsc#1201958).
- scsi: qla2xxx: edif: Fix n2n discovery issue with secure target
  (bsc#1201958).
- scsi: qla2xxx: edif: Remove old doorbell interface
  (bsc#1201958).
- scsi: qla2xxx: edif: Add retry for ELS passthrough
  (bsc#1201958).
- scsi: qla2xxx: edif: Synchronize NPIV deletion with
  authentication application (bsc#1201958).
- scsi: qla2xxx: edif: Fix potential stuck session in sa update
  (bsc#1201958).
- scsi: qla2xxx: edif: Add bsg interface to read doorbell events
  (bsc#1201958).
- scsi: qla2xxx: edif: Wait for app to ack on sess down
  (bsc#1201958).
- scsi: qla2xxx: edif: bsg refactor (bsc#1201958).
- scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing
  (bsc#1201958).
- scsi: qla2xxx: Remove unused 'ql_dm_tgt_ex_pct' parameter
  (bsc#1201958).
- scsi: qla2xxx: Remove setting of 'req' and 'rsp' parameters
  (bsc#1201958).
- commit a8936d6
- Drop qla2xxx patch which prevented nvme port discovery
  (bsc#1200651 bsc#1200644 bsc#1201954 bsc#1201958)
  Upstream fixed the problem by reverting the offending commit.
  Delete:
  - patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch.
- commit 452db23
- scsi: lpfc: Address NULL pointer dereference after
  starget_to_rport() (git-fixes).
- commit 996de99
- net: ethernet: aeroflex: fix UAF in greth_of_remove (git-fixes).
- commit 5f1b81f
- ehea: fix error return code in ehea_restart_qps() (git-fixes).
- commit 8656e81
- net: xilinx_emaclite: Do not print real IOMEM pointer
  (git-fixes).
- commit 1032862
- mvpp2: suppress warning (git-fixes).
- commit 163d5b9
- net: ethernet: fix potential use-after-free in ec_bhf_remove
  (git-fixes).
- commit 08e620e
- net: hamradio: fix memory leak in mkiss_close (git-fixes).
- commit d5b5550
- net: fec_ptp: add clock rate zero check (git-fixes).
- commit 4e39a7a
- netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
  (git-fixes).
- commit 5a1c833
- qlcnic: Fix an error handling path in 'qlcnic_probe()'
  (git-fixes).
- commit 70491b7
- net: stmmac: dwmac1000: Fix extended MAC address registers
  definition (git-fixes).
- commit 0a365bd
- net: mdio: octeon: Fix some double free issues (git-fixes).
- commit 770566f
- net: mdio: thunder: Fix a double free issue in the .remove
  function (git-fixes).
- commit 77a03ff
- net: fec: fix the potential memory leak in fec_enet_init()
  (git-fixes).
- commit 3c37ef9
- net: fec: check DMA addressing limitations (git-fixes).
- commit 994eea1
- net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port
  (git-fixes).
- commit c9228da
- net: stmmac: fix incorrect DMA channel intr enable setting of
  EQoS v4.10 (git-fixes).
- commit 2b936dd
- Refresh
  patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch.
- commit c149c1b
- Remove our homegrown IBRS implementation
  ... now that there's an upstream version.
- x86/entry: Add kernel IBRS implementation (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- Refresh
  patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
  patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
  patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Delete
  patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch.
- Delete
  patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Delete
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Delete
  patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete
  patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- commit 7278759
- media: saa7146: mxb: Fix a NULL pointer dereference in
  mxb_attach() (git-fixes).
- commit d6ee03c
- media: dib8000: Fix a memleak in dib8000_init() (git-fixes).
- commit 2128de3
- media: uvcvideo: fix division by zero at stream start
  (git-fixes).
- commit 24c7763
- blacklist.conf: cleanup breaking kABI by renames
- commit 112598f
- blacklist.conf: cleanup breaking kABI by renames
- commit 25ac149
- Bluetooth: hci_qca: Use del_timer_sync() before freeing
  (git-fixes).
- commit 945069e
- blacklist.conf: misattributed patch
- commit 379c546
- bnxt_en: Re-write PCI BARs after PCI fatal error (git-fixes).
- commit 3e6c035
- net: korina: fix kfree of rx/tx descriptor array (git-fixes).
- commit acd09d7
- net: macb: mark device wake capable when "/magic-packet"/
  property present (git-fixes).
- commit 674240e
- net/sonic: Fix a resource leak in an error handling path in
  'jazz_sonic_probe()' (git-fixes).
- commit 0674aaf
- vrf: Fix IPv6 with qdisc and xfrm (git-fixes).
- commit 0a2458c
- net: stmmac: dwmac1000: Disable ACS if enhanced descs are not
  used (git-fixes).
- commit 2e76107
- net: stmmac: Fix misuses of GENMASK macro (git-fixes).
- commit fc6700d
- kABI workaround for including mm.h in fs/sysfs/file.c
  (bsc#1200598 CVE-2022-20166).
- commit fe1fe6b
- blacklist.conf: update blacklist
- commit ae741a4
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
  sysfs_emit (bsc#1200598 CVE-2022-20166).
- commit 3d23964
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
  CVE-2022-20166).
- commit c8e2e5b
- drivers core: Remove strcat uses around sysfs_emit and neaten
  (bsc#1200598 CVE-2022-20166).
- commit 5cd9512
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
  * ...) functions (bsc#1200598 CVE-2022-20166).
- commit 7554520
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
  (bsc#1200598 CVE-2022-20166).
- commit c5a70d7
- cxgb3/l2t: Fix undefined behaviour (git-fixes).
- commit 8076d39
- kabi/severities: add cxgb3 network driver
- commit 3a6a137
- x86/entry: Remove skip_r11rcx (bsc#1201644).
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- commit 5efdb64
- Sort in RETbleed backport into the sorted section
  Now that it is upstream...
- Refresh
  patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
  patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
  patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch.
- Refresh patches.suse/x86-Add-magic-AMD-return-thunk.patch.
- Refresh patches.suse/x86-Undo-return-thunk-damage.patch.
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- Refresh
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Add-retbleed-ibpb.patch.
- Refresh
  patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch.
- Refresh
  patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- Refresh
  patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
  patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch.
- Refresh
  patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
  patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch.
- Refresh
  patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh
  patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch.
- Refresh
  patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch.
- Refresh patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch.
- Refresh patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch.
- Refresh
  patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch.
- Refresh
  patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
  patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- Refresh
  patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch.
- Refresh patches.suse/x86-retpoline-Use-mfunction-return.patch.
- Refresh
  patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch.
- Refresh
  patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
  patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh
  patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Refresh
  patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
  patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch.
- Refresh
  patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch.
- Refresh
  patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch.
- Refresh
  patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch.
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch.
- Refresh
  patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch.
- Refresh
  patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
  patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch.
- commit d06c642
- KABI: cgroup: Restore KABI of css_set (bsc#1201610).
- cgroup: Use separate src/dst nodes when preloading css_sets
  for migration (bsc#1201610).
- commit 674875f
- random: fix crash on multiple early calls to (git-fixes)
- commit cf465a0
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1200910
  CVE-2020-36558).
- commit 3c76a1f
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
  (bsc#1201429 CVE-2020-36557).
- commit f15e18d
- Refresh
  patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- commit 7e31757
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit 704434f
- Refresh patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch
  Fix the build error due to missing is_console_locked()
- commit 39e2064
- Delete patches.suse/IBRS-forbid-shooting-in-foot.patch.
  Backported upstream commit
  7c693f54c873 ("/x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS"/)
  already takes care of that.
- commit e4bbbc2
- fbmem: Check virtual screen sizes in fb_set_var()
  (CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
  (CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
  (CVE-2021-33655 bsc#1201635).
- commit c1a0922
- Delete patches.suse/x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch.
  Superceded by the upstream version
  patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch
- commit 5309cbd
- blacklist.conf: add a few patches
- commit cf91d33
- serial: mvebu-uart: correctly report configured baudrate value
  (git-fixes).
- tty: serial: fsl_lpuart: fix potential bug when using both
  of_alias_get_id and ida_simple_get (git-fixes).
- PCI: qcom: Fix runtime PM imbalance on probe errors (git-fixes).
- irqchip/exiu: Fix acknowledgment of edge triggered interrupts
  (git-fixes).
- fsl_lpuart: Don't enable interrupts too early (git-fixes).
- arch_topology: Do not set llc_sibling if llc_id is invalid
  (git-fixes).
- net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
  (git-fixes).
- commit 4567918
- net: usb: qmi_wwan: add Telit 0x1070 composition (git-fixes).
- commit c9dc552
- net: usb: qmi_wwan: add Telit 0x1060 composition (git-fixes).
- commit 08341d7
- blacklist.conf: cosmetic fix
- commit 5ba3d81
- net: usb: ax88179_178a: Fix packet receiving (git-fixes).
- commit 346b0d8
- blacklist.conf: adds an uevent user space is not ready for
- commit 6ac2a70
- usbnet: fix memory leak in error case (git-fixes).
- commit f3b6abf
- usbnet: fix memory allocation in helpers.
- commit 9363858
- xen/netback: avoid entering xenvif_rx_next_skb() with an empty
  rx queue (bsc#1201381).
- commit 334fe0b
- Refresh
  patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch.
  revert the effect of mainline 453431a54934d917153 on patch.
- Refresh
  patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch.
  revert the effect of mainline 453431a54934d917153 on patch.
- commit 6824fa5
- crypto: qat - remove dma_free_coherent() for DH (git-fixes).
- crypto: qat - remove dma_free_coherent() for RSA (git-fixes).
- crypto: qat - fix memory leak in RSA (git-fixes).
- crypto: qat - set to zero DH parameters before free (git-fixes).
- crypto: qat - disable registration of algorithms (git-fixes).
- commit 1dda89e
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
  Dwarves 1.22 or newer is required to build kernels with BTF information
  embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
  (bsc#1198829 CVE-2022-1462).
- commit c0b9f34
- tty: use new tty_insert_flip_string_and_push_buffer() in
  pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
  tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit 1b70eb4
- dm mirror log: round up region bitmap size to BITS_PER_LONG
  (git-fixes).
- dm crypt: make printing of the key constant-time (git-fixes).
- dm integrity: fix error code in dm_integrity_ctr() (git-fixes).
- dm stats: add cond_resched when looping over entries
  (git-fixes).
- hex2bin: fix access beyond string end (git-fixes).
- hex2bin: make the function hex_to_bin constant-time (git-fixes).
- dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
  (git-fixes).
- dm btree remove: fix use after free in rebalance_children()
  (git-fixes).
- blk-cgroup: synchronize blkg creation against policy
  deactivation (git-fixes).
- dm: fix mempool NULL pointer race when completing IO
  (git-fixes).
- blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN
  (git-fixes).
- blk-zoned: allow zone management send operations without
  CAP_SYS_ADMIN (git-fixes).
- lib/hexdump.c: return -EINVAL in case of error in hex2bin()
  (git-fixes).
- commit 4cd1fd7
- blacklist.conf: Update for git-fixes
- commit e740cc0
- net: ll_temac: Fix TX BD buffer overwrite (git-fixes).
- commit 1ff015f
- net: ll_temac: Fix race condition causing TX hang (git-fixes).
- commit 0c73d92
- net: ll_temac: Fix bug causing buffer descriptor overrun
  (git-fixes).
- commit 2fe2e0f
- net: stmmac: fix missing IFF_MULTICAST check in
  dwmac4_set_filter (git-fixes).
- commit 075d2fd
- bnxt_en: Remove the setting of dev_port (git-fixes).
- commit 1fccfbd
- blacklist.conf: update
- commit d2fcee3
- Refresh
  patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch.
  A modified version of the patch did make it mainline. Detected by git-fixes.
- commit 9eec360
- don't call utsname() after ->nsproxy is NULL (bsc#1201196).
- commit 2a23102
- Refresh
  patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch.
  Fix a build warning.
- commit 539b424
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
  Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
  universally for now) added two new compiler-dependent configs:
  * CC_NO_ARRAY_BOUNDS
  * GCC12_NO_ARRAY_BOUNDS
  Ignore them -- they are unset by dummy tools (they depend on gcc version
  == 12), but set as needed during real compilation.
- commit a14607c
- blacklist.conf: Add 6a2d90ba027a ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
- commit 22a9ddc
- kernel-binary.spec: check s390x vmlinux location
  As a side effect of mainline commit edd4a8667355 ("/s390/boot: get rid of
  startup archive"/), vmlinux on s390x moved from "/compressed"/ subdirectory
  directly into arch/s390/boot. As the specfile is shared among branches,
  check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- kernel-binary.spec: Support radio selection for debuginfo.
  To disable debuginfo on 5.18 kernel a radio selection needs to be
  switched to a different selection. This requires disabling the currently
  active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- Add dtb-starfive
- commit 85335b1
- blacklist.conf: Add e7f7c99ba911 signal: In get_signal test for signal_group_exit every time through the loop
- commit a90bbcf
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- pahole 1.22 required for full BTF features.
  also recommend pahole for kernel-source to make the kernel buildable
  with standard config
- commit 364f54b
- use jobs not processors in the constraints
  jobs is the number of vcpus available to the build, while processors
  is the total processor count of the machine the VM is running on.
- commit a6e141d
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- powerpc: Set crashkernel offset to mid of RMA region
  (bsc#1190812).
- powerpc/64: Move paca allocation later in boot (bsc#1190812).
- commit b6d78fb
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
  bsc#1198484)
  Let's iron out the reduced initrd optimisation in Tumbleweed.
  Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
  Upstream c6x architecture removal left a dangling link behind which
  triggers openSUSE post-build check in kernel-source, failing
  kernel-source build.
  A fix deleting the danglink link has been submitted but it did not make
  it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
  utility does not handle symlink removal. Add a temporary band-aid which
  deletes all dangling symlinks after unpacking the kernel source tarball.
  [jslaby] It's not that temporary as we are dragging this for quite some
  time in master. The reason is that this can happen any time again, so
  let's have this in packaging instead.
- commit 52a1ad7
keyutils
- Apply default TTL to DNS records from getaddrinfo() (upstream):
  * dns-Apply-a-default-TTL-to-records-obtained-from-get.patch
less
- Fix Startup terminal initialization, bsc#1200738
  * bsc1200738.patch
libcroco
- Add libcroco-CVE-2020-12825.patch: limit recursion in block and
  any productions (boo#1171685 CVE-2020-12825).
libgcrypt
- FIPS: Auto-initialize drbg if needed. [bsc#1200095]
  * Add a _gcry_drbg_init() to _gcry_drbg_randomize() and to
    _gcry_drbg_add_bytes() to fix a crash in FIPS mode.
  * Add libgcrypt-FIPS-Autoinitialize-drbg-if-needed.patch
libnl-1_1
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
  Add: libnl-1_1-fix-elevation-of-privilege-vulnerability.patch
libnl3
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
  Add: libnl3-fix-elevation-of-privilege-vulnerability.patch
logrotate
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
  * enforce stricter parsing to avoid CVE-2021-3864
  * Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "/logrotate emits unintended warning: keyword size not properly
  separated, found 0x3d"/ (bsc#1200278, bsc#1200802):
  * Added patch logrotate-dont_warn_on_size=_syntax.patch
mozilla-nspr
- update to version 4.34
  * add an API that returns a preferred loopback IP on hosts that
    have two IP stacks available.
- update to 4.33:
  * fixes to build system and export of private symbols
mozilla-nss
- update to NSS 3.79.1 (bsc#1202645)
  * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1759794 - protect SFTKSlot needLogin with slotLock.
  * bmo#1760998 - avoid data race on primary password change.
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
  rest of the DSA ciphers, keeping signature verification only
  (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
  warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
  integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
  as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
  disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
  the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
  we removed the code to short-circuit broken hashes and moved to
  using the SLI.
- Remove upstreamed patches:
  * nss-fips-version-indicators.patch
  * nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
  - bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  - bmo#1766907 - Update mercurial in clang-format docker image.
  - bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
  - bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  - bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
  - bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
  - bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
  - bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
  - bmo#1764788 - Correct invalid record inner and outer content type alerts.
  - bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
  - bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
  - bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
  - bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
  * bmo#1767590 - Initialize pointers passed to
    NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
    bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
    bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
    bmo#1763120 - Add ECH Grease Support to tstclnt
    bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
    bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
    bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
    bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
  * Bug 1762244 - resolve mpitests build failure on Windows.
  * bmo#1761779 - Fix link to TLS page on wireshark wiki
  * bmo#1754890 - Add two D-TRUST 2020 root certificates.
  * bmo#1751298 - Add Telia Root CA v2 root certificate.
  * bmo#1751305 - Remove expired explicitly distrusted certificates
    from certdata.txt.
  * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
  * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  * bmo#1756271 - Remove token member from NSSSlot struct.
  * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
  * bmo#1757279 - Support UTF-8 library path in the module spec string.
  * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  * bmo#1760827 - Add a CI Target for gcc-11.
  * bmo#1760828 - Change to makefiles for gcc-4.8.
  * bmo#1741688 - Update googletest to 1.11.0
  * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
  * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
  * bmo#1755904 - Fix calculation of ECH HRR Transcript.
  * bmo#1758741 - Allow ld path to be set as environment variable.
  * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
  * bmo#1758478 - Fix DataBuffer Move Assignment.
  * bmo#1552254 - internal_error alert on Certificate Request with
    sha1+ecdsa in TLS 1.3
  * bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
  NSS 3.76.1
  * bmo#1756271 - Remove token member from NSSSlot struct.
  NSS 3.76
  * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
    nssTrustDomain_GetActiveSlots.
  * bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
  * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
  * bmo#1679803 - Add SHA256 fingerprint comments to old
    certdata.txt entries.
  * bmo#1753505 - Avoid truncating files in nss-release-helper.py.
  * bmo#1751157 - Throw illegal_parameter alert for illegal extensions
    in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
  * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
    extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
    by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
    only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.
  * bmo#1677181 - Client side ECH padding.
  * bmo#1725938 - Stricter ClientHelloInner Decompression.
  * bmo#1725938 - Remove ECH_inner extension, use new enum format.
  * bmo#1725938 - Update the version number for ECH-13 and adjust
    the ECHConfig size.
- update to NSS 3.74
  * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
    OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
    certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
    CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
  * Add SHA-2 support to mozilla::pkix's OSCP implementation
- update to NSS 3.73
  * bmo#1735028 - check for missing signedData field.
  * bmo#1737470 - Ensure DER encoded signatures are within size limits.
  * bmo#1729550 - NSS needs FiPS 140-3 version indicators.
  * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
  * bmo#1738600 - sunset Coverity from NSS
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
  * Remove newline at the end of coreconf.dep
  * bmo#1731911 - Fix nsinstall parallel failure.
  * bmo#1729930 - Increase KDF cache size to mitigate perf
    regression in about:logins
- update to NSS 3.71
  * bmo#1717716 - Set nssckbi version number to 2.52.
  * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
  * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
  * bmo#1717707 - Add HARICA Client ECC Root CA 2021.
  * bmo#1717707 - Add HARICA Client RSA Root CA 2021.
  * bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
  * bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
  * bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
  * bmo#1726022 - Update test case to verify fix.
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
  * bmo#1681975 - Avoid using a lookup table in nssb64d.
  * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
  * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
  * bmo#1726022 - Cache additional PBE entries.
  * bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
    on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
    components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
    environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
    nss failures.
    (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
    details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Update nss-fips-constructor-self-tests.patch to scan
  LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
  Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
  disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
  PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
  test certificate creation and disables the library checksum
  validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
  checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
  makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
  from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
  unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
  of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
  This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
  Most of the relevant changes are already upstream since NSS 3.60.
ncurses
- Add patch ncurses-bnc1198627.patch
  * Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
openldap2
- bsc#1198341 - Prevent memory reuse which may lead to instability
  * 0226-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
p11-kit
- Conflict with ca-certificates < 1_201403302107-15.6.2 to make sure
  update-ca-certifictes calls trust export with --format=pem-directory-hash
  (bsc#1201985)
- CVE-2020-29362: Fixed a 4 byte overread (bsc#1180065)
  Added p11-kit-CVE-2020-29362.patch:
permissions
  * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
  * add capability for prometheus-blackbox_exporter (bsc#1191194)
  * make btmp root:utmp (bsc#1050467)
  * pcp: remove no longer needed / conflicting entries
- Update to version 20170707:
python
- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python-M2Crypto
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
  bsc#1178829), which mitigates the Bleichenbacher timing attacks
  in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
python-PyJWT
- Add CVE-2022-29217-non-blocked-pubkeys.patch fixing
  CVE-2022-29217 (bsc#1199756), which disallows use of blocked
  pubkeys (heavily modified from upstream).
python-azure-core
- Add az-core-py2-syntx-bsc1202024.patch (bsc#1202024)
  + Fix syntax error in Python2
python-base
- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python-paramiko
- Add patch BZ-1199454-Fix-Deprecation-Warnings.patch from upstream pull
  request https://github.com/paramiko/paramiko/pull/1379 to fix deprecation
  warnings. NOTE: the .travis changes were excluded as the file doesn't
  exist in the tarball as it was used by upstream CI only. bsc#1199454
python3
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python3-base
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python3-lxml
- Add patch CVE-2020-27783.patch to fix CVE-2020-27783 mXSS due to the use of
  improper parser
  Fix bsc#1179534
python36
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
release-notes-sles
- 12.5.20220718 (tracked in bsc#933411)
- Added note about Samba 4.15 (jsc#SLE-23330)
  (bsc#1196097)
- Added note about DFS share failover (jsc#SLE-20041)
- Added note about Xenstore stubdom (bsc#1185196)
- Added note about CONFIG_NUMA_EMU (jsc#SLE-11600)
- Removed LibreOffice and MariaDB from requiring specific contracts
rsync
- Apply "/rsync-CVE-2022-29154.patch"/ to fix a security vulnerability
  in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
rsyslog
- add Requires for latest lbfastjsion version (bsc#1202243)
- fix segfault in qDeqLinkedList during shutdown (bsc#1199283)
  * add 0001-queue-Add-NULL-check-in-qDeqLinkedList.patch
samba
- CVE-2022-1615: Do not ignore errors in random number generation;
  (bso#15103); (bsc#1202976);
- Fix Use after free when iterating
  smbd_server_connection->connections after tree disconnect
  failure; (bso#15128); (bsc#1200102).
- CVE-2022-32746: samba: Use-after-free occurring in database
  audit logging; (bso#15009); (bso#15096); (bsc#1201490).
- CVE-2022-32745: samba: ldb: AD users can crash the server
  process with an LDAP add or modify request; (bso#15008);
  (bso#15096); (bsc#1201492).
- CVE-2022-2031: samba, ldb: AD users can bypass certain
  restrictions associated with changing passwords; (bso#15047);
  (bsc#1201495);
- CVE-2022-32742:SMB1 code does not correct verify SMB1write,
  SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
  (bsc#1201496).
- CVE-2022-32744: samba, ldb: AD users can forge password change
  requests for any user; (bso#15074); (bso#15047); (bsc#1201493).
- Update to 4.15.8
  * Use pathref fd instead of io fd in vfs_default_durable_cookie;
    (bso#15042).
  * Setting fruit:resource = stream in vfs_fruit causes a panic;
    (bso#15099).
  * Add support for bind 9.18; (bso#14986).
  * logging dsdb audit to specific files does not work;
    (bso#15076).
  * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
    file had been deleted; (bso#15069)
  * netgroups support removed; (bso#15087); (bsc#1199247).
  * net ads info shows LDAP Server: 0.0.0.0 depending on contacted
    server; (bso#14674); (bsc#1199734).
  * waf produces incorrect names for python extensions with Python
    3.11; (bso#15071).
  * smbclient commands del & deltree fail with
    NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
    (bsc#1200556).
  * vfs_gpfs recalls=no option prevents listing files; (bso#15055).
  * waf produces incorrect names for python extensions with Python
    3.11; (bso#15071).
  * Compile error in source3/utils/regedit_hexedit.c; (bso#15091).
  * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
    (bso#15108).
  * smbd doesn't handle UPNs for looking up names; (bso#15054).
  * Out-by-4 error in smbd read reply max_send clamp; (bso#14443).
- Move pdb backends from package samba-libs to package
  samba-client-libs and remove samba-libs requirement from
  samba-winbind; (bsc#1200964); (bsc#1198255);
sqlite3
- update to 3.39.3:
  * Use a statement journal on DML statement affecting two or more
    database rows if the statement makes use of a SQL functions
    that might abort.
  * Use a mutex to protect the PRAGMA temp_store_directory and
    PRAGMA data_store_directory statements, even though they are
    decremented and documented as not being threadsafe.
- update to 3.39.2:
  * Fix a performance regression in the query planner associated
    with rearranging the order of FROM clause terms in the
    presences of a LEFT JOIN.
  * Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
    1345947, forum post 3607259d3c, and other minor problems
    discovered by internal testing. [boo#1201783]
- update to 3.39.1:
  * Fix an incorrect result from a query that uses a view that
    contains a compound SELECT in which only one arm contains a
    RIGHT JOIN and where the view is not the first FROM clause term
    of the query that contains the view
  * Fix a long-standing problem with ALTER TABLE RENAME that can
    only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
    to a very small value.
  * Fix a long-standing problem in FTS3 that can only arise when
    compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
    option.
  * Fix the initial-prefix optimization for the REGEXP extension so
    that it works correctly even if the prefix contains characters
    that require a 3-byte UTF8 encoding.
  * Enhance the sqlite_stmt virtual table so that it buffers all of
    its output.
- update to 3.39.0:
  * Add (long overdue) support for RIGHT and FULL OUTER JOIN
  * Add new binary comparison operators IS NOT DISTINCT FROM and
    IS DISTINCT FROM that are equivalent to IS and IS NOT,
    respective, for compatibility with PostgreSQL and SQL standards
  * Add a new return code (value "/3"/) from the sqlite3_vtab_distinct()
    interface that indicates a query that has both DISTINCT and
    ORDER BY clauses
  * Added the sqlite3_db_name() interface
  * The unix os interface resolves all symbolic links in database
    filenames to create a canonical name for the database before
    the file is opened
  * Defer materializing views until the materialization is actually
    needed, thus avoiding unnecessary work if the materialization
    turns out to never be used
  * The HAVING clause of a SELECT statement is now allowed on any
    aggregate query, even queries that do not have a GROUP BY
    clause
  * Many microoptimizations collectively reduce CPU cycles by about
    2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
  related test failures on 32 bit
- update to 3.38.5:
  * Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
  * fix a byte-code problem in the Bloom filter pull-down
    optimization added by release 3.38.0 in which an error in the
    byte code causes the byte code engine to enter an infinite loop
    when the pull-down optimization encounters a NULL key
- update to 3.38.3:
  * Fix a case of the query planner be overly aggressive with
    optimizing automatic-index and Bloom-filter construction,
    using inappropriate ON clause terms to restrict the size of the
    automatic-index or Bloom filter, and resulting in missing rows
    in the output.
  * Other minor patches. See the timeline for details.
- update to 3.38.2:
  * Fix a problem with the Bloom filter optimization that might
    cause an incorrect answer when doing a LEFT JOIN with a WHERE
    clause constraint that says that one of the columns on the
    right table of the LEFT JOIN is NULL.
  * Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
  of SQLite (bsc#1195773).
- update to 3.38.1:
  * Fix problems with the new Bloom filter optimization that might
    cause some obscure queries to get an incorrect answer.
  * Fix the localtime modifier of the date and time functions so
    that it preserves fractional seconds.
  * Fix the sqlite_offset SQL function so that it works correctly
    even in corner cases such as when the argument is a virtual
    column or the column of a view.
  * Fix row value IN operator constraints on virtual tables so that
    they work correctly even if the virtual table implementation
    relies on bytecode to filter rows that do not satisfy the
    constraint.
  * Other minor fixes to assert() statements, test cases, and
    documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
  sqlite-src-3380100-atof1.patch
- update to 3.38.0
  * Add the -> and ->> operators for easier processing of JSON
  * The JSON functions are now built-ins
  * Enhancements to date and time functions
  * Rename the printf() SQL function to format() for better
    compatibility, with alias for backwards compatibility.
  * Add the sqlite3_error_offset() interface for helping localize
    an SQL error to a specific character in the input SQL text
  * Enhance the interface to virtual tables
  * CLI columnar output modes are enhanced to correctly handle tabs
    and newlines embedded in text, and add options like "/--wrap N"/,
    "/--wordwrap on"/, and "/--quote"/ to the columnar output modes.
  * Query planner enhancements using a Bloom filter to speed up
    large analytic queries, and a balanced merge tree to evaluate
    UNION or UNION ALL compound SELECT statements that have an
    ORDER BY clause.
  * The ALTER TABLE statement is changed to silently ignores
    entries in the sqlite_schema table that do not parse when
    PRAGMA writable_schema=ON
- update to 3.37.2:
  * Fix a bug introduced in version 3.35.0 (2021-03-12) that can
    cause database corruption if a SAVEPOINT is rolled back while
    in PRAGMA temp_store=MEMORY mode, and other changes are made,
    and then the outer transaction commits
  * Fix a long-standing problem with ON DELETE CASCADE and ON
    UPDATE CASCADE in which a cache of the bytecode used to
    implement the cascading change was not being reset following a
    local DDL change
- update to 3.37.1:
  * Fix a bug introduced by the UPSERT enhancements of version
    3.35.0 that can cause incorrect byte-code to be generated for
    some obscure but valid SQL, possibly resulting in a NULL-
    pointer dereference.
  * Fix an OOB read that can occur in FTS5 when reading corrupt
    database files.
  * Improved robustness of the --safe option in the CLI.
  * Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
  * STRICT tables provide a prescriptive style of data type
    management, for developers who prefer that kind of thing.
  * When adding columns that contain a CHECK constraint or a
    generated column containing a NOT NULL constraint, the
    ALTER TABLE ADD COLUMN now checks new constraints against
    preexisting rows in the database and will only proceed if no
    constraints are violated.
  * Added the PRAGMA table_list statement.
  * Add the .connection command, allowing the CLI to keep multiple
    database connections open at the same time.
  * Add the --safe command-line option that disables dot-commands
    and SQL statements that might cause side-effects that extend
    beyond the single database file named on the command-line.
  * CLI: Performance improvements when reading SQL statements that
    span many lines.
  * Added the sqlite3_autovacuum_pages() interface.
  * The sqlite3_deserialize() does not and has never worked
    for the TEMP database. That limitation is now noted in the
    documentation.
  * The query planner now omits ORDER BY clauses on subqueries and
    views if removing those clauses does not change the semantics
    of the query.
  * The generate_series table-valued function extension is modified
    so that the first parameter ("/START"/) is now required. This is
    done as a way to demonstrate how to write table-valued
    functions with required parameters. The legacy behavior is
    available using the -DZERO_ARGUMENT_GENERATE_SERIES
    compile-time option.
  * Added new sqlite3_changes64() and sqlite3_total_changes64()
    interfaces.
  * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
  * Use less memory to hold the database schema.
  * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
    extension when a column has no collating sequence.
systemd-presets-branding-SLE
- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)
timezone
- Update to reflect new Chile DST change, bsc#1202310
  * bsc1202310.patch
unzip
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
  to a local string (CVE-2022-0530, bsc#1196177)
  * CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
  * CVE-2022-0529.patch
update-alternatives

      
util-linux
- su: Change owner and mode for pty (bsc#1200842,
  util-linux-login-move-generic-setting-to-ttyutils.patch,
  util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
util-linux-systemd
- su: Change owner and mode for pty (bsc#1200842,
  util-linux-login-move-generic-setting-to-ttyutils.patch,
  util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
which
- https urls, added signature (but did not find the public key)
- Use %license instead of %doc [bsc#1082318]
- Move installinfo scriptlet to preun so it won't fail
- Cleanup spec file with spec-cleaner
- Correct usage of info scriplets
- GNU which 2.21:
  * Upgraded code from bash to version 4.3 (now uses eaccess).
  * Fixed a bug related to getgroups / sysconfig that caused Which
    not to see more than 64 groups for a single user
  * Build system maintenance.
- Update project and source URL to GNU project
xfsprogs
- mkfs: validate extent size hint parameters (bsc#1138247)
  - add xfsprogs-xfs-move-inode-extent-size-hint-validation-to-libxfs.patch
  - add xfsprogs-xfs_repair-use-libxfs-extsize-cowextsize-validation-.patch
  - add xfsprogs-mkfs-validate-extent-size-hint-parameters.patch
- xfs_repair: Fix root inode's parent when it's bogus for sf directory
  (bsc#1138227)
  - add xfsprogs-xfs_repair-Fix-root-inode-s-parent-when-it-s-bogus-f.patch
yast2-storage
- Partitioner: PVs are not wrongly removed when resizing a VG
  (bsc#1197208).
- 3.2.23
zlib
- Fix heap-based buffer over-read or buffer overflow in inflate via
  large gzip header extra field (bsc#1202175, CVE-2022-37434,
  CVE-2022-37434-extra-header-1.patch,
  CVE-2022-37434-extra-header-2.patch).