python3-base
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).

- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
python
- Add CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
libssh
- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
  * Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
  * Remove patches fixed in the update:
  - CVE-2019-14889.patch
  - 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch

- Update to version 0.9.8
  * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
  * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
  * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
  * Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
  * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
    guessing (bsc#1211188)
  * Fix CVE-2023-2283: a possible authorization bypass in
    pki_verify_data_signature under low-memory conditions (bsc#1211190)
  * Fix several memory leaks in GSSAPI handling code

- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
  * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

- Add missing BR for openssh needed for tests

- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
  * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
  * Improve handling of library initialization (T222)
  * Fix parsing of subsecond times in SFTP (T219)
  * Make the documentation reproducible
  * Remove deprecated API usage in OpenSSL
  * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
  * Define version in one place (T226)
  * Prevent invalid free when using different C runtimes than OpenSSL (T229)
  * Compatibility improvements to testsuite

- Update to version 0.9.4
  * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
  * Fix possible Denial of Service attack when using AES-CTR-ciphers
    CVE-2020-1730 (bsc#1168699)
timezone
- update to 2024a:
  * Kazakhstan unifies on UTC+5.  This affects Asia/Almaty and
    Asia/Qostanay which together represent the eastern portion of the
    country that will transition from UTC+6 on 2024-03-01 at 00:00 to
    join the western portion.  (Thanks to Zhanbolat Raimbekov.)
  * Palestine springs forward a week later than previously predicted
    in 2024 and 2025.  (Thanks to Heba Hamad.)  Change spring-forward
    predictions to the second Saturday after Ramadan, not the first;
    this also affects other predictions starting in 2039.
  * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
    not 00:00.  (Thanks to Đoàn Trần Công Danh.)
  * From 1947 through 1949, Toronto's transitions occurred at 02:00
    not 00:00.  (Thanks to Chris Walton.)
  * In 1911 Miquelon adopted standard time on June 15, not May 15.
  * The FROM and TO columns of Rule lines can no longer be "minimum"
    or an abbreviation of "minimum", because TZif files do not support
    DST rules that extend into the indefinite past - although these
    rules were supported when TZif files had only 32-bit data, this
    stopped working when 64-bit TZif files were introduced in 1995.
    This should not be a problem for realistic data, since DST was
    first used in the 20th century.  As a transition aid, FROM columns
    like "minimum" are now diagnosed and then treated as if they were
    the year 1900; this should suffice for TZif files on old systems
    with only 32-bit time_t, and it is more compatible with bugs in
    2023c-and-earlier localtime.c.  (Problem reported by Yoshito
    Umaoka.)
  * localtime and related functions no longer mishandle some
    timestamps that occur about 400 years after a switch to a time
    zone with a DST schedule.  In 2023d data this problem was visible
    for some timestamps in November 2422, November 2822, etc. in
    America/Ciudad_Juarez.  (Problem reported by Gilmore Davidson.)
  * strftime %s now uses tm_gmtoff if available.  (Problem and draft
    patch reported by Dag-Erling Smørgrav.)
  * The strftime man page documents which struct tm members affect
    which conversion specs, and that tzset is called.  (Problems
    reported by Robert Elz and Steve Summit.)

- update to 2023d:
  * Ittoqqortoormiit, Greenland changes time zones on
    2024-03-31.
  * Vostok, Antarctica changed time zones on 2023-12-18.
  * Casey, Antarctica changed time zones five times since
    2020.
  * Code and data fixes for Palestine timestamps starting in
    2072.
  * A new data file zonenow.tab for timestamps starting now.
  * Fix predictions for DST transitions in Palestine in
    2072-2075, correcting a typo introduced in 2023a.
  * Vostok, Antarctica changed to +05 on 2023-12-18.  It had
    been at +07 (not +06) for years.
  * Change data for Casey, Antarctica to agree with
    timeanddate.com, by adding five time zone changes since 2020.
    Casey is now at +08 instead of +11.
  * Much of Greenland, represented by America/Nuuk, changed
    its standard time from -03 to -02 on 2023-03-25, not on
    2023-10-28.
  * localtime.c no longer mishandles TZif files that contain
    a single transition into a DST regime.  Previously,
    it incorrectly assumed DST was in effect before the transition
    too.
  * tzselect no longer creates temporary files.
  * tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL,
    PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles
    regular expressions of the form /X{2,}/.
  * ISO 6709 coordinates when using an awk that lacks the
    GNU extension of newlines in -v option-arguments.
  * Non UTF-8 locales when using an iconv command that
    lacks the GNU //TRANSLIT extension.
  * zic no longer mishandles data for Palestine after the
    year 2075.
- Refresh tzdata-china.diff
cloud-regionsrv-client
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
  + Fix the failover path to a new target update server. At present a new
    server is not found since credential validation fails. We targeted
    the server detected in down condition to verify the credentials instead
    of the replacement server.

- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.
cpio
- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch
runc
- Update to runc v1.1.12. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
    more details, see the upstream security advisory:
    <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  * Remove upstreamed patches:
  - CVE-2024-21626.patch
  * Update runc.keyring to match upstream changes.

[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
  <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  + CVE-2024-21626.patch

- Update to runc v1.1.11. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
vim
- Updated to version 9.1 with patch level 0111, fixes the following security problems
  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- Revert the patch which caused GTK incompatibility problem
  * Add: vim-9.1-revert-v9.1.86.patch
  * This reverts commit 725c7c31a4c7603e688511d769b0addaab442d07
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
kernel-azure
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
  Simple arithmetic fix.
- commit df1ea97

- vhost: use kzalloc() instead of kmalloc() followed by memset()
  (CVE-2024-0340, bsc#1218689).
- commit 265772f

- blacklist.conf: add Korina ethernet controleer
- commit 754d7b6

- blacklist.conf: update blacklist
- commit 65ec0f0

- mlx4: handle non-napi callers to napi_poll (git-fixes).
- commit 13aca9d

- bnxt_en: Log unknown link speed appropriately (git-fixes).
- commit cab91f3

- net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow (git-fixes).
- commit 30b8d5c

- net: mvneta: fix double free of txq->buf (git-fixes).
- commit abfb85a

- r8169: fix data corruption issue on RTL8402 (git-fixes).
- commit a389731

- net: stmmac: dwmac1000: fix out-of-bounds mac address reg
  setting (git-fixes).
- commit 51f13e8

- net: fec: Do not use netdev messages too early (git-fixes).
- commit 24b07f8

- net: stmmac: dwmac4/5: Clear unused address entries (git-fixes).
- commit 156e8fc

- net: stmmac: dwmac1000: Clear unused address entries
  (git-fixed).
- commit b89c3f6

- blacklist.conf: add mediatek ethernet
- commit ed969c9

- net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0
  (git-fixed).
- commit 63f7ed7

- blacklist.conf: update blacklist
- commit ba8fcb7

- net: xilinx: fix possible object reference leak (git-fixed).
- commit 0884dff

- net: macb: Add null check for PCLK and HCLK (git-fixed).
- Refresh
  patches.suse/0006-net-macb-fix-error-format-in-dev_err.patch.
- commit 1fdfc75

- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
  (CVE-2024-1086 bsc#1219434).
- commit 1f42903

- configfs: fix a use-after-free in __configfs_open_file
  (git-fixes).
- commit 839bbef

- chardev: fix error handling in cdev_device_add() (git-fixes).
- commit 76071ad

- fs: don't audit the capability check in simple_xattr_list()
  (git-fixes).
- commit 32c621d

- pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
  (git-fixes).
- commit 165619a

- pstore/ram: Fix error return code in ramoops_probe()
  (git-fixes).
- commit 6c26e9c

- kernfs: fix use-after-free in __kernfs_remove (git-fixes).
- commit 1e4394d

- kernfs: Separate kernfs_pr_cont_buf and rename_lock (git-fixes).
- commit 302cbf3

- configfs: fix a race in configfs_{,un}register_subsystem()
  (git-fixes).
- commit ff1ac8a

- vfs: make freeze_super abort when sync_filesystem returns error
  (git-fixes).
- commit a0e15ea

- fs: orangefs: fix error return code of
  orangefs_revalidate_lookup() (git-fixes).
- commit 05692b2

- fs: warn about impending deprecation of mandatory locks
  (git-fixes).
- commit d313c61

- configfs: fix memleak in configfs_release_bin_file (git-fixes).
- commit e182771

- 9p: missing chunk of "fs/9p: Don't update file type when
  updating file attributes" (git-fixes).
- commit d7f7957

- kernfs: bring names in comments in line with code (git-fixes).
- commit b2412a4

- configfs: fix config_item refcnt leak in configfs_rmdir()
  (git-fixes).
- commit a4e6173

- help_next should increase position index (git-fixes).
- commit a734d52

- configfs: fix a deadlock in configfs_symlink() (git-fixes).
- commit 31f30f9

- locks: print a warning when mount fails due to lack of "mand"
  support (git-fixes).
- commit 4a54942

- configfs: provide exclusion between IO and removals (git-fixes).
- commit be9e3af

- configfs: new object reprsenting tree fragments (git-fixes).
- commit 727fecd

- configfs: stash the data we need into configfs_buffer at open
  time (git-fixes).
- commit 57d5998

- pstore/ram: Run without kernel crash dump region (git-fixes).
- Refresh patches.suse/pstore-backend-autoaction.
- commit 27a20a7

- fs/file.c: initialize init_files.resize_wait (git-fixes).
- commit 4e99111

- fs: ratelimit __find_get_block_slow() failure message
  (git-fixes).
- commit 066abb3

- iomap: sub-block dio needs to zeroout beyond EOF (git-fixes).
- commit c176969

- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
  (git-fixes).
- commit 97bf06c

- proc: fix /proc/*/map_files lookup (git-fixes).
- commit 66524a9

- pstore: ram_core: fix possible overflow in
  persistent_ram_init_ecc() (git-fixes).
- commit 3b8a874

- pstore/ram: Check start of empty przs during init (git-fixes).
- commit 86b8610

- statfs: enforce statfs[64] structure initialization (git-fixes).
- commit e9ab62b

- aio: fix mremap after fork null-deref (git-fixes).
- commit f633071

- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
  CVE-2023-51042).
- commit 78c123f

- nvmet-tcp: fix a crash in nvmet_req_complete() (git-fixes).
- commit 45b3590

- scsi: qla0xxx: Fix system crash due to bad pointer access
  (git-fixes).
- commit 9c33792

- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
  bsc#1218730).
- commit 42f1cd3

- mm,mremap: bail out earlier in mremap_to under map pressure
  (bsc#1123986).
- commit d63623c

- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
  XSA-448, bsc#1218836).
- commit 6d25bad

- USB: serial: option: fix FM101R-GL defines (git-fixes).
- commit c34221c

- blacklist.conf: Add baa9be4ffb55 sched/fair: Fix throttle_list starvation with low CFS quota
- commit f2444c0

- libceph: use kernel_connect() (bsc#1219446).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
  (bsc#1219445).
- commit 92ba85d

- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
  (git-fixes).
- commit 9c63fba

- USB: serial: option: add entry for Sierra EM9191 with new
  firmware (git-fixes).
- commit e18b083

- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
  (git-fixes).
- commit 3c25206

- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  (CVE-2021-33631 bsc#1219412).
- commit 019d3a9

- blacklist.conf: remove a merge relic
  Remove a merge relic introduced in 44aaf966aab ("Merge remote-tracking
  branch 'origin/SLE12-SP4' into SLE12-SP5-UPDATE").
- commit 78c957f

- blacklist.conf: add a not-relevant jump_label commit
- commit 7bff5db

- tracing/trigger: Fix to return error if failed to alloc snapshot
  (git-fixes).
- commit 57e8982

- blacklist.conf: Blacklist 447ae316670230d7d29430e2cbf1f5db4f49d14c
  It reworks header inclusion to no real benefit for out kernel and
  results in massive kABI breakage. Just blacklist it.
- commit 879fd91

- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
  (CVE-2023-47233 bsc#1216702).
- commit d2e0155

- net: stmmac: don't overwrite discard_frame status (git-fixes).
- commit af86f48

- net: ethernet: ti: fix possible object reference leak
  (git-fixes).
- commit 8292c78

- blacklist.conf: update blacklist
- commit 3ec6d28

- blacklist.conf: update blacklist
- commit b305f8c

- net: ks8851: Set initial carrier state to down (git-fixes).
- commit 667be0a

- net: ks8851: Delay requesting IRQ until opened (git-fixes).
- commit 605f94a

- net: ks8851: Reassert reset pin if chip ID check fails
  (git-fixes).
- commit 93e9e83

- net: dsa: qca8k: Enable delay for RGMII_ID mode (git-fixes).
- commit 94c1dc4

- net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing
  MII_PHYSID2 (git-fixes).
- commit d97991c

- blacklist.conf: update blacklist
- commit 23ba946

- blacklist.conf: Black  unapplicable patch
  This one requires 45b575c00d8e72d69d75dd8c112f044b7b01b069 which is
  blacklisted. So black list this one as well.
- commit 8ad7e95

- Restore "Limit kernel-source build to architectures for which the kernel binary"
- commit 98e23ef

- x86/unwind/orc: Fix unreliable stack dump with gcov (git-fixes).
- commit db29225

- x86/pm: Add enumeration check before spec MSRs save/restore setup (git-fixes).
- commit 0b71917

- x86/kvm/lapic: always disable MMIO interface in x2APIC mode (git-fixes).
- commit 42aa4b1

- x86/purgatory: Don't generate debug info for purgatory.ro (git-fixes).
- commit ad7d236

- x86/cpu: Add another Alder Lake CPU to the Intel family (git-fixes).
- commit 5e43536

- x86/build: Turn off -fcf-protection for realmode targets (git-fixes).
- commit 06f5589

- x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (git-fixes).
- commit c5cf689

- x86/lib: Fix overflow when counting digits (git-fixes).
- commit 0070bad

- x86/asm: Ensure asm/proto.h can be included stand-alone (git-fixes).
- commit b6c5df9

- x86: __always_inline __{rd,wr}msr() (git-fixes).
- commit 8507f62

- x86: Mark stop_this_cpu() __noreturn (git-fixes).
- commit 47a8413

- x86: Clear .brk area at early boot (git-fixes).
- commit 63c0fc3

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681

- drm/atomic: Fix potential use-after-free in nonblocking commits
  (bsc#1219120 CVE-2023-51043).
- commit a69e3d8

- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
  Adjust the cpuid check when applying alternatives. Fixes false BUG_ON
  in the presence of extra bugints/capints.
- commit 48af78f

- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a

- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09

- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b

- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33

- Refresh patches.suse/mce-fix-set_mce_nospec-to-always-unmap-the-whole-page.patch.
- commit 97df026

- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
  (git-fixes).
- commit f9ab50f

- blacklist.conf: not a bug fix
- commit 89a46f3

- blacklist.conf: driver not compiled
- commit e4d38bb

- blacklist.conf: false positive
- commit be0a82f

- blacklist.conf: not a bug fix
- commit 3adfd09

- blacklist.conf: false positive
- commit 9076062

- scsi: qedf: fc_rport_priv reference counting fixes
  (bsc#1212152).
  Refresh:
  - patches.suse/scsi-qedf-correctly-handle-refcounting-of-rdata
  - patches.suse/scsi-qedf-print-message-during-bailout-conditions
  - patches.suse/scsi-qedf-print-scsi_cmd-backpointer-in-good-completion-path-if-the-command-is-still-being-used
- commit e171158

- ext4: silence the warning when evicting inode with
  dioread_nolock (bsc#1206889).
- commit 3433e7a

- writeback: Export inode_io_list_del() (bsc#1216989).
  patches/patches.suse/writeback-Protect-inode-i_io_list-with-inode-i_lock.patch:
  Refresh
- commit c969261

- ext4: improve error recovery code paths in __ext4_remount()
  (bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 3bb0d48

- Update
  patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
  (bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit a5b396b

- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8

- Refresh
  patches.suse/ipmi-Cleanup-oops-on-initialization-failure.patch.
  Alt-commit added
- commit 5093b56

- x86: Pin task-stack in __get_wchan() (git-fixes).
- commit 96f1d7b

- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3

- x86: Fix __get_wchan() for !STACKTRACE (git-fixes).
- commit 23a1a0e

- asix: Add check for usbnet_get_endpoints (git-fixes).
- commit d1fcea8

- x86/mce: relocate set{clear}_mce_nospec() functions (git-fixes).
- commit d9f49bd

- x86/CPU/AMD: Check vendor in the AMD microcode callback (git-fixes).
- commit 79b1f36

- mce: fix set_mce_nospec to always unmap the whole page (git-fixes).
- commit 2dcf8c9

- x86/alternatives: Sync core before enabling interrupts (git-fixes).
- commit d500914

- x86/cpu/hygon: Fix the CPU topology evaluation for real (git-fixes).
- commit 01e7093

- x86/kvm: Do not try to disable kvmclock if it was not enabled (git-fixes).
- commit 293b127

- x86: Fix get_wchan() to support the ORC unwinder (git-fixes).
- commit 1693c4c

- x86/pat: Pass valid address to sanitize_phys() (git-fixes).
- commit 9776480

- x86/pat: Fix x86_has_pat_wp() (git-fixes).
- blacklist.conf:
- commit 0a8ce61

- x86/mm: Add a x86_has_pat_wp() helper (git-fixes).
- commit 794f377

- veth: Fixing transmit return status for dropped packets
  (git-fixes).
- commit c39655b

- preserve KABI for struct sfp_socket_ops (git-fixes).
- commit 58a9bc4

- blacklist.conf:
- Delete
  patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch.
  This patch is harmful on all kernels, and irrelevant on kernels before
  v5.4
  bsc#1218968
- commit 5365a0a

- KVM: s390: vsie: Fix STFLE interpretive execution identification
  (git-fixes bsc#1219022).
- commit 16098a4

- net: phylink: avoid resolving link state too early (git-fixes).
- commit 67b00b5

- gtp: change NET_UDP_TUNNEL dependency to select (git-fixes).
- commit dd6be0d

- mlxsw: spectrum: Avoid -Wformat-truncation warnings (git-fixes).
- commit bd062d1

- mlxsw: spectrum: Set LAG port collector only when active (git-fixes).
- commit 42cb04e

- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (git-fixes).
- commit 5db0cbe

- net: systemport: Fix reception of BPDUs (git-fixes).
- commit 54f0189

- sfc: initialise found bitmap in efx_ef10_mtd_probe (git-fixes).
- commit 36c912f

- net: sfp: do not probe SFP module before we're attached (git-fixes).
- commit b335b5c

- net: phy: sfp: warn the user when no tx_disable pin is available (git-fixes).
- commit 921c51c

- blacklist.conf: update blacklist
- commit 0fefc1a

- net: stmmac: Disable EEE mode earlier in XMIT callback
  (git-fixes).
- commit 42ea2f4

- blacklist.conf: update blacklist
- commit 16074da

- preserve KABI for struct plat_stmmacenet_data (git-fixes).
- commit be0b5cc

- net: stmmac: Fallback to Platform Data clock in Watchdog
  conversion (git-fixes).
- commit c0e8ae4

- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
  (git-fixes).
- commit 1f97aba

- blacklist.conf: update blacklist
- commit 160c442

- net: dsa: bcm_sf2: Propagate error value from mdio_write
  (git-fixes).
- commit 042ff8c

- net: (cpts) fix a missing check of clk_prepare (git-fixes).
- commit a0511a4

- blacklist.conf: update blacklist
- commit 778d638

- mlxsw: spectrum: Properly cleanup LAG uppers when removing
  port from LAG (git-fixes).
- commit 65b3a7e

- blacklist.conf: update blacklist
- commit 72f91b3

- nfsd: drop st_mutex and rp_mutex before calling
  move_to_close_lru() (bsc#1217525).
- commit d08e536

- blacklist.conf: add wont-backport commit
- commit 65861c5

- libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and
  check its return value (git-fixes).
- nvdimm: Fix badblocks clear off-by-one error (git-fixes).
- nvdimm: Allow overwrite in the presence of disabled dimms
  (git-fixes).
- nvdimm/btt: do not call del_gendisk() if not needed (git-fixes).
- libnvdimm/region: Fix label activation vs errors (git-fixes).
- commit dc5bee2

- libnvdimm: cover up changes in struct nvdimm_bus_descriptor
  (git-fixes).
- libnvdimm: Validate command family indices (git-fixes).
- commit 27f581b

- libnvdimm: Out of bounds read in __nd_ioctl() (git-fixes).
- acpi/nfit: improve bounds checking for 'func' (git-fixes).
- libnvdimm/btt: fix variable 'rc' set but not used (git-fixes).
- libnvdimm/pmem: Delete include of nd-core.h (git-fixes).
- =?UTF-8?q?libnvdimm:=20Fix=20endian=20conversion=20issues?=
  =?UTF-8?q?=C2=A0?= (git-fixes).
- libnvdimm: Fix compilation warnings with W=1 (git-fixes).
- libnvdimm/pmem: fix a possible OOB access when read and write
  pmem (git-fixes).
- libnvdimm/btt: Fix a kmemdup failure check (git-fixes).
- libnvdimm/namespace: Fix a potential NULL pointer dereference
  (git-fixes).
- libnvdimm/btt: Fix LBA masking during 'free list' population
  (git-fixes).
- libnvdimm/btt: Remove unnecessary code in btt_freelist_init
  (git-fixes).
- acpi/nfit: Require opt-in for read-only label configurations
  (git-fixes).
- UAPI: ndctl: Fix g++-unsupported initialisation in headers
  (git-fixes).
- commit e6b26fa

- blacklist.conf: false positive
- commit de6f57b

- blacklist.conf: blacklist Huawei HiNIC
- commit d68e629

- s390/dasd: fix double module refcount decrement (bsc#1141539).
- commit 1d573b9

- netfilter: nf_tables: Reject tables of unsupported family
  (CVE-2023-6040 bsc#1218752).
- commit 9e6d9d4

- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
  bsc#1218757).
- commit 5e6770d

- powerpc/pseries/memhotplug: Quieten some DLPAR operations
  (bsc#1065729).
- commit 4d451a9

- powerpc/powernv: Add a null pointer check in
  opal_powercap_init() (bsc#1181674 ltc#189159 git-fixes).
- powerpc/powernv: Add a null pointer check in opal_event_init()
  (bsc#1065729).
- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1065729).
- powerpc: Don't clobber f0/vs0 during fp|altivec register save
  (bsc#1065729).
- commit d5de04b

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
  The old entries are found in kernel-docs/old_changelog.txt in docdir.
  rpm/old_changelog.txt can be an optional file that stores the similar
  info like rpm/kernel-sources.changes.old.  It can specify the commit
  range that have been truncated.  scripts/tar-up.sh expands from the
  git log accordingly.
- commit c9a2566

- fs: ocfs2: namei: check return value of ocfs2_add_entry()
  (git-fixes).
- commit 37053b5

- orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
  (git-fixes).
- commit 22c7474

- orangefs: Fix sysfs not cleanup when dev init failed
  (git-fixes).
- commit 3dc6f72

- fat: add ratelimit to fat*_ent_bread() (git-fixes).
- commit 2e4dd8d

- orangefs: fix orangefs df output (git-fixes).
- commit 14af1e9

- fs/fat/file.c: issue flush after the writeback of FAT
  (git-fixes).
- commit 4b5cf8c

- fs/exofs: fix potential memory leak in mount option parsing
  (git-fixes).
- commit c3e2f19

- orangefs: rate limit the client not running info message
  (git-fixes).
- commit 9ffd7ce

- gfs2: ignore negated quota changes (git-fixes).
- commit 65c2047

- gfs2: Fix possible data races in gfs2_show_options()
  (git-fixes).
- commit 57d66df

- gfs2: Fix inode height consistency check (git-fixes).
- commit d7ee5ae

- gfs2: Check sb_bsize_shift after reading superblock (git-fixes).
- commit 381ce29

- gfs2: Make sure FITRIM minlen is rounded up to fs block size
  (git-fixes).
- commit 59f59dc

- gfs2: assign rgrp glock before compute_bitstructs (git-fixes).
- commit 8e79a5c

- gfs2: Don't call dlm after protocol is unmounted (git-fixes).
- commit 0e0a651

- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (git-fixes).
- commit 4dff329

- gfs2: report "already frozen/thawed" errors (git-fixes).
- commit e5108bb

- gfs2: Don't skip dlm unlock if glock has an lvb (git-fixes).
- commit 38230f9

- gfs2: check for empty rgrp tree in gfs2_ri_update (git-fixes).
- commit 3484422

- gfs2: Wake up when sd_glock_disposal becomes zero (git-fixes).
- commit 6e96bc8

- gfs2: check for live vs. read-only file system in gfs2_fitrim
  (git-fixes).
- commit dece8b9

- gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix
  use-after-free (git-fixes).
- commit 5f11647

- gfs2: add validation checks for size of superblock (git-fixes).
- commit 4bfdec0

- gfs2: fix use-after-free on transaction ail lists (git-fixes).
- commit 3c0934a

- gfs2: initialize transaction tr_ailX_lists earlier (git-fixes).
- commit a3dcb8b

- gfs2: Allow lock_nolock mount to specify jid=X (git-fixes).
- commit c3d10eb

- gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
  (git-fixes).
- commit 50b2782

- gfs2: clear buf_in_tr when ending a transaction in
  sweep_bh_for_rgrps (git-fixes).
- commit 0638ce6

- gfs2: Fix sign extension bug in gfs2_update_stats (git-fixes).
- commit 6905d0e

- gfs2: Fix lru_count going negative (git-fixes).
- commit 22c6d6f

- gfs2: take jdata unstuff into account in do_grow (git-fixes).
- commit f6cafad

- gfs2: Fix marking bitmaps non-full (git-fixes).
- commit 27f21b4

- GFS2: Flush the GFS2 delete workqueue before stopping the
  kernel threads (git-fixes).
- commit c0d61c2

- gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
  (git-fixes).
- commit ca05c1f

- gfs2: Special-case rindex for gfs2_grow (git-fixes).
- commit 77ffe3d

- reiserfs: Replace 1-element array with C99 style flex-array
  (git-fixes).
- commit ed361ae

- reiserfs: Check the return value from __getblk() (git-fixes).
- commit c984c17

- affs: fix basic permission bits to actually work (git-fixes).
- commit 6abe668
libxml2
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
  * Added libxml2-CVE-2024-25062.patch
suseconnect-ng
- Update to version 1.7.0~git0.5338270
  * Allow SUSEConnect on read write transactional systems (bsc#1219425)
mozilla-nss
- update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
    decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
    return values.
python3-azuremetadata
- Version 5.1.6
  Fix empty list attributes (bsc#1214930)

- Version 5.1.5 (bsc#1194663)
  + Handle lsblk output format change. The json data now contains
    "mountpoints" instead of "mountpoint"
python3
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).

- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
python-instance-billing-flavor-check
- Version 0.0.6 (bsc#1218561)
  Support proxy setup on the client to access the update infrastructure
  API

- Version 0.0.5
  Add IPv6 support (bsc#1218739)
python36
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
_product:sle-sdk-release
n/a
supportutils-plugin-suse-public-cloud
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
  + Remove duplicate data collection for the plugin itself
  + Collect archive metering data when available
  + Query billing flavor status
sudo
- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
  * Try to make sudo less vulnerable to ROWHAMMER attacks.
  * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
grub2
- Make consistent check to enable relative path on btrfs (bsc#1174567) (bsc#1216912)
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
openssh
- remember the enabled state of sshd state, so openssh8,4 can pick it
  up. bsc#1220110

- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
  This limits the use of shell metacharacters in host- and
  user names.
docker
- Vendor latest buildkit v0.11:
  Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
  vendors in the latest v0.11 buildkit branch including bugfixes for the following:
  * bsc#1219438: CVE-2024-23653
  * bsc#1219268: CVE-2024-23652
  * bsc#1219267: CVE-2024-23651
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
  completion warnings
_product:SLES-release
n/a
python-base
- Add CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).