- python3-base
-
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
- Refresh CVE-2023-27043-email-parsing-errors.patch from
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- python
-
- Add CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- libssh
-
- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
* Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
* Remove patches fixed in the update:
- CVE-2019-14889.patch
- 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch
- Update to version 0.9.8
* Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
* Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
* Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
* Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
guessing (bsc#1211188)
* Fix CVE-2023-2283: a possible authorization bypass in
pki_verify_data_signature under low-memory conditions (bsc#1211190)
* Fix several memory leaks in GSSAPI handling code
- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
* https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6
- Add missing BR for openssh needed for tests
- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite
- Update to version 0.9.4
* https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
* Fix possible Denial of Service attack when using AES-CTR-ciphers
CVE-2020-1730 (bsc#1168699)
- timezone
-
- update to 2024a:
* Kazakhstan unifies on UTC+5. This affects Asia/Almaty and
Asia/Qostanay which together represent the eastern portion of the
country that will transition from UTC+6 on 2024-03-01 at 00:00 to
join the western portion. (Thanks to Zhanbolat Raimbekov.)
* Palestine springs forward a week later than previously predicted
in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward
predictions to the second Saturday after Ramadan, not the first;
this also affects other predictions starting in 2039.
* Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
not 00:00. (Thanks to Đoàn Trần Công Danh.)
* From 1947 through 1949, Toronto's transitions occurred at 02:00
not 00:00. (Thanks to Chris Walton.)
* In 1911 Miquelon adopted standard time on June 15, not May 15.
* The FROM and TO columns of Rule lines can no longer be "minimum"
or an abbreviation of "minimum", because TZif files do not support
DST rules that extend into the indefinite past - although these
rules were supported when TZif files had only 32-bit data, this
stopped working when 64-bit TZif files were introduced in 1995.
This should not be a problem for realistic data, since DST was
first used in the 20th century. As a transition aid, FROM columns
like "minimum" are now diagnosed and then treated as if they were
the year 1900; this should suffice for TZif files on old systems
with only 32-bit time_t, and it is more compatible with bugs in
2023c-and-earlier localtime.c. (Problem reported by Yoshito
Umaoka.)
* localtime and related functions no longer mishandle some
timestamps that occur about 400 years after a switch to a time
zone with a DST schedule. In 2023d data this problem was visible
for some timestamps in November 2422, November 2822, etc. in
America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.)
* strftime %s now uses tm_gmtoff if available. (Problem and draft
patch reported by Dag-Erling Smørgrav.)
* The strftime man page documents which struct tm members affect
which conversion specs, and that tzset is called. (Problems
reported by Robert Elz and Steve Summit.)
- update to 2023d:
* Ittoqqortoormiit, Greenland changes time zones on
2024-03-31.
* Vostok, Antarctica changed time zones on 2023-12-18.
* Casey, Antarctica changed time zones five times since
2020.
* Code and data fixes for Palestine timestamps starting in
2072.
* A new data file zonenow.tab for timestamps starting now.
* Fix predictions for DST transitions in Palestine in
2072-2075, correcting a typo introduced in 2023a.
* Vostok, Antarctica changed to +05 on 2023-12-18. It had
been at +07 (not +06) for years.
* Change data for Casey, Antarctica to agree with
timeanddate.com, by adding five time zone changes since 2020.
Casey is now at +08 instead of +11.
* Much of Greenland, represented by America/Nuuk, changed
its standard time from -03 to -02 on 2023-03-25, not on
2023-10-28.
* localtime.c no longer mishandles TZif files that contain
a single transition into a DST regime. Previously,
it incorrectly assumed DST was in effect before the transition
too.
* tzselect no longer creates temporary files.
* tzselect no longer mishandles the following:
* Spaces and most other special characters in BUGEMAIL,
PACKAGE, TZDIR, and VERSION.
* TZ strings when using mawk 1.4.3, which mishandles
regular expressions of the form /X{2,}/.
* ISO 6709 coordinates when using an awk that lacks the
GNU extension of newlines in -v option-arguments.
* Non UTF-8 locales when using an iconv command that
lacks the GNU //TRANSLIT extension.
* zic no longer mishandles data for Palestine after the
year 2075.
- Refresh tzdata-china.diff
- cloud-regionsrv-client
-
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
+ Fix the failover path to a new target update server. At present a new
server is not found since credential validation fails. We targeted
the server detected in down condition to verify the credentials instead
of the replacement server.
- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
+ Fix the algorithm to determine the region from the availability zone
information retrieved from IMDS.
- Update to version 10.1.6
+ Support specifying an IPv6 address for a manually configured target
update server.
- cpio
-
- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
* fix-CVE-2023-7207.patch
- runc
-
- Update to runc v1.1.12. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
* This release fixes a container breakout vulnerability (CVE-2024-21626). For
more details, see the upstream security advisory:
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
* Remove upstreamed patches:
- CVE-2024-21626.patch
* Update runc.keyring to match upstream changes.
[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
+ CVE-2024-21626.patch
- Update to runc v1.1.11. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
- vim
-
- Updated to version 9.1 with patch level 0111, fixes the following security problems
* Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
* Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
* Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
* Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
* Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
* Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
* Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
* Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
* Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
* Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- Revert the patch which caused GTK incompatibility problem
* Add: vim-9.1-revert-v9.1.86.patch
* This reverts commit 725c7c31a4c7603e688511d769b0addaab442d07
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
- kernel-azure
-
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
Simple arithmetic fix.
- commit df1ea97
- vhost: use kzalloc() instead of kmalloc() followed by memset()
(CVE-2024-0340, bsc#1218689).
- commit 265772f
- blacklist.conf: add Korina ethernet controleer
- commit 754d7b6
- blacklist.conf: update blacklist
- commit 65ec0f0
- mlx4: handle non-napi callers to napi_poll (git-fixes).
- commit 13aca9d
- bnxt_en: Log unknown link speed appropriately (git-fixes).
- commit cab91f3
- net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow (git-fixes).
- commit 30b8d5c
- net: mvneta: fix double free of txq->buf (git-fixes).
- commit abfb85a
- r8169: fix data corruption issue on RTL8402 (git-fixes).
- commit a389731
- net: stmmac: dwmac1000: fix out-of-bounds mac address reg
setting (git-fixes).
- commit 51f13e8
- net: fec: Do not use netdev messages too early (git-fixes).
- commit 24b07f8
- net: stmmac: dwmac4/5: Clear unused address entries (git-fixes).
- commit 156e8fc
- net: stmmac: dwmac1000: Clear unused address entries
(git-fixed).
- commit b89c3f6
- blacklist.conf: add mediatek ethernet
- commit ed969c9
- net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0
(git-fixed).
- commit 63f7ed7
- blacklist.conf: update blacklist
- commit ba8fcb7
- net: xilinx: fix possible object reference leak (git-fixed).
- commit 0884dff
- net: macb: Add null check for PCLK and HCLK (git-fixed).
- Refresh
patches.suse/0006-net-macb-fix-error-format-in-dev_err.patch.
- commit 1fdfc75
- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
(CVE-2024-1086 bsc#1219434).
- commit 1f42903
- configfs: fix a use-after-free in __configfs_open_file
(git-fixes).
- commit 839bbef
- chardev: fix error handling in cdev_device_add() (git-fixes).
- commit 76071ad
- fs: don't audit the capability check in simple_xattr_list()
(git-fixes).
- commit 32c621d
- pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
(git-fixes).
- commit 165619a
- pstore/ram: Fix error return code in ramoops_probe()
(git-fixes).
- commit 6c26e9c
- kernfs: fix use-after-free in __kernfs_remove (git-fixes).
- commit 1e4394d
- kernfs: Separate kernfs_pr_cont_buf and rename_lock (git-fixes).
- commit 302cbf3
- configfs: fix a race in configfs_{,un}register_subsystem()
(git-fixes).
- commit ff1ac8a
- vfs: make freeze_super abort when sync_filesystem returns error
(git-fixes).
- commit a0e15ea
- fs: orangefs: fix error return code of
orangefs_revalidate_lookup() (git-fixes).
- commit 05692b2
- fs: warn about impending deprecation of mandatory locks
(git-fixes).
- commit d313c61
- configfs: fix memleak in configfs_release_bin_file (git-fixes).
- commit e182771
- 9p: missing chunk of "fs/9p: Don't update file type when
updating file attributes" (git-fixes).
- commit d7f7957
- kernfs: bring names in comments in line with code (git-fixes).
- commit b2412a4
- configfs: fix config_item refcnt leak in configfs_rmdir()
(git-fixes).
- commit a4e6173
- help_next should increase position index (git-fixes).
- commit a734d52
- configfs: fix a deadlock in configfs_symlink() (git-fixes).
- commit 31f30f9
- locks: print a warning when mount fails due to lack of "mand"
support (git-fixes).
- commit 4a54942
- configfs: provide exclusion between IO and removals (git-fixes).
- commit be9e3af
- configfs: new object reprsenting tree fragments (git-fixes).
- commit 727fecd
- configfs: stash the data we need into configfs_buffer at open
time (git-fixes).
- commit 57d5998
- pstore/ram: Run without kernel crash dump region (git-fixes).
- Refresh patches.suse/pstore-backend-autoaction.
- commit 27a20a7
- fs/file.c: initialize init_files.resize_wait (git-fixes).
- commit 4e99111
- fs: ratelimit __find_get_block_slow() failure message
(git-fixes).
- commit 066abb3
- iomap: sub-block dio needs to zeroout beyond EOF (git-fixes).
- commit c176969
- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
(git-fixes).
- commit 97bf06c
- proc: fix /proc/*/map_files lookup (git-fixes).
- commit 66524a9
- pstore: ram_core: fix possible overflow in
persistent_ram_init_ecc() (git-fixes).
- commit 3b8a874
- pstore/ram: Check start of empty przs during init (git-fixes).
- commit 86b8610
- statfs: enforce statfs[64] structure initialization (git-fixes).
- commit e9ab62b
- aio: fix mremap after fork null-deref (git-fixes).
- commit f633071
- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
CVE-2023-51042).
- commit 78c123f
- nvmet-tcp: fix a crash in nvmet_req_complete() (git-fixes).
- commit 45b3590
- scsi: qla0xxx: Fix system crash due to bad pointer access
(git-fixes).
- commit 9c33792
- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
bsc#1218730).
- commit 42f1cd3
- mm,mremap: bail out earlier in mremap_to under map pressure
(bsc#1123986).
- commit d63623c
- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
XSA-448, bsc#1218836).
- commit 6d25bad
- USB: serial: option: fix FM101R-GL defines (git-fixes).
- commit c34221c
- blacklist.conf: Add baa9be4ffb55 sched/fair: Fix throttle_list starvation with low CFS quota
- commit f2444c0
- libceph: use kernel_connect() (bsc#1219446).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
(bsc#1219445).
- commit 92ba85d
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
(git-fixes).
- commit 9c63fba
- USB: serial: option: add entry for Sierra EM9191 with new
firmware (git-fixes).
- commit e18b083
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
(git-fixes).
- commit 3c25206
- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
(CVE-2021-33631 bsc#1219412).
- commit 019d3a9
- blacklist.conf: remove a merge relic
Remove a merge relic introduced in 44aaf966aab ("Merge remote-tracking
branch 'origin/SLE12-SP4' into SLE12-SP5-UPDATE").
- commit 78c957f
- blacklist.conf: add a not-relevant jump_label commit
- commit 7bff5db
- tracing/trigger: Fix to return error if failed to alloc snapshot
(git-fixes).
- commit 57e8982
- blacklist.conf: Blacklist 447ae316670230d7d29430e2cbf1f5db4f49d14c
It reworks header inclusion to no real benefit for out kernel and
results in massive kABI breakage. Just blacklist it.
- commit 879fd91
- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
(CVE-2023-47233 bsc#1216702).
- commit d2e0155
- net: stmmac: don't overwrite discard_frame status (git-fixes).
- commit af86f48
- net: ethernet: ti: fix possible object reference leak
(git-fixes).
- commit 8292c78
- blacklist.conf: update blacklist
- commit 3ec6d28
- blacklist.conf: update blacklist
- commit b305f8c
- net: ks8851: Set initial carrier state to down (git-fixes).
- commit 667be0a
- net: ks8851: Delay requesting IRQ until opened (git-fixes).
- commit 605f94a
- net: ks8851: Reassert reset pin if chip ID check fails
(git-fixes).
- commit 93e9e83
- net: dsa: qca8k: Enable delay for RGMII_ID mode (git-fixes).
- commit 94c1dc4
- net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing
MII_PHYSID2 (git-fixes).
- commit d97991c
- blacklist.conf: update blacklist
- commit 23ba946
- blacklist.conf: Black unapplicable patch
This one requires 45b575c00d8e72d69d75dd8c112f044b7b01b069 which is
blacklisted. So black list this one as well.
- commit 8ad7e95
- Restore "Limit kernel-source build to architectures for which the kernel binary"
- commit 98e23ef
- x86/unwind/orc: Fix unreliable stack dump with gcov (git-fixes).
- commit db29225
- x86/pm: Add enumeration check before spec MSRs save/restore setup (git-fixes).
- commit 0b71917
- x86/kvm/lapic: always disable MMIO interface in x2APIC mode (git-fixes).
- commit 42aa4b1
- x86/purgatory: Don't generate debug info for purgatory.ro (git-fixes).
- commit ad7d236
- x86/cpu: Add another Alder Lake CPU to the Intel family (git-fixes).
- commit 5e43536
- x86/build: Turn off -fcf-protection for realmode targets (git-fixes).
- commit 06f5589
- x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (git-fixes).
- commit c5cf689
- x86/lib: Fix overflow when counting digits (git-fixes).
- commit 0070bad
- x86/asm: Ensure asm/proto.h can be included stand-alone (git-fixes).
- commit b6c5df9
- x86: __always_inline __{rd,wr}msr() (git-fixes).
- commit 8507f62
- x86: Mark stop_this_cpu() __noreturn (git-fixes).
- commit 47a8413
- x86: Clear .brk area at early boot (git-fixes).
- commit 63c0fc3
- rpm/constraints.in: add static multibuild packages
Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
constraints on multibuild) added "kernel-source:" prefix to the
dynamically generated kernels. But there are also static ones like
kernel-docs. Those fail to build as the constraints are still not
applied.
So add the prefix also to the static ones.
Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
will ever be multibuilt...
- commit c2e0681
- drm/atomic: Fix potential use-after-free in nonblocking commits
(bsc#1219120 CVE-2023-51043).
- commit a69e3d8
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
Adjust the cpuid check when applying alternatives. Fixes false BUG_ON
in the presence of extra bugints/capints.
- commit 48af78f
- Revert "Limit kernel-source build to architectures for which the kernel binary"
This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
There is no need to check for multibuild flag, the constraints can be
always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
plugin) added this precompiled binary blob. Adapt rpmlintrc for
kernel-source.
- commit b5ccb33
- Refresh patches.suse/mce-fix-set_mce_nospec-to-always-unmap-the-whole-page.patch.
- commit 97df026
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
(git-fixes).
- commit f9ab50f
- blacklist.conf: not a bug fix
- commit 89a46f3
- blacklist.conf: driver not compiled
- commit e4d38bb
- blacklist.conf: false positive
- commit be0a82f
- blacklist.conf: not a bug fix
- commit 3adfd09
- blacklist.conf: false positive
- commit 9076062
- scsi: qedf: fc_rport_priv reference counting fixes
(bsc#1212152).
Refresh:
- patches.suse/scsi-qedf-correctly-handle-refcounting-of-rdata
- patches.suse/scsi-qedf-print-message-during-bailout-conditions
- patches.suse/scsi-qedf-print-scsi_cmd-backpointer-in-good-completion-path-if-the-command-is-still-being-used
- commit e171158
- ext4: silence the warning when evicting inode with
dioread_nolock (bsc#1206889).
- commit 3433e7a
- writeback: Export inode_io_list_del() (bsc#1216989).
patches/patches.suse/writeback-Protect-inode-i_io_list-with-inode-i_lock.patch:
Refresh
- commit c969261
- ext4: improve error recovery code paths in __ext4_remount()
(bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 3bb0d48
- Update
patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
(bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit a5b396b
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
The previous change added the manual entry from kernel-sources.change.old
to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- Refresh
patches.suse/ipmi-Cleanup-oops-on-initialization-failure.patch.
Alt-commit added
- commit 5093b56
- x86: Pin task-stack in __get_wchan() (git-fixes).
- commit 96f1d7b
- rpm/kernel-docs.spec.in: fix build with 6.8
Since upstream commit f061c9f7d058 (Documentation: Document each netlink
family), the build needs python yaml.
- commit 6a7ece3
- x86: Fix __get_wchan() for !STACKTRACE (git-fixes).
- commit 23a1a0e
- asix: Add check for usbnet_get_endpoints (git-fixes).
- commit d1fcea8
- x86/mce: relocate set{clear}_mce_nospec() functions (git-fixes).
- commit d9f49bd
- x86/CPU/AMD: Check vendor in the AMD microcode callback (git-fixes).
- commit 79b1f36
- mce: fix set_mce_nospec to always unmap the whole page (git-fixes).
- commit 2dcf8c9
- x86/alternatives: Sync core before enabling interrupts (git-fixes).
- commit d500914
- x86/cpu/hygon: Fix the CPU topology evaluation for real (git-fixes).
- commit 01e7093
- x86/kvm: Do not try to disable kvmclock if it was not enabled (git-fixes).
- commit 293b127
- x86: Fix get_wchan() to support the ORC unwinder (git-fixes).
- commit 1693c4c
- x86/pat: Pass valid address to sanitize_phys() (git-fixes).
- commit 9776480
- x86/pat: Fix x86_has_pat_wp() (git-fixes).
- blacklist.conf:
- commit 0a8ce61
- x86/mm: Add a x86_has_pat_wp() helper (git-fixes).
- commit 794f377
- veth: Fixing transmit return status for dropped packets
(git-fixes).
- commit c39655b
- preserve KABI for struct sfp_socket_ops (git-fixes).
- commit 58a9bc4
- blacklist.conf:
- Delete
patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch.
This patch is harmful on all kernels, and irrelevant on kernels before
v5.4
bsc#1218968
- commit 5365a0a
- KVM: s390: vsie: Fix STFLE interpretive execution identification
(git-fixes bsc#1219022).
- commit 16098a4
- net: phylink: avoid resolving link state too early (git-fixes).
- commit 67b00b5
- gtp: change NET_UDP_TUNNEL dependency to select (git-fixes).
- commit dd6be0d
- mlxsw: spectrum: Avoid -Wformat-truncation warnings (git-fixes).
- commit bd062d1
- mlxsw: spectrum: Set LAG port collector only when active (git-fixes).
- commit 42cb04e
- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (git-fixes).
- commit 5db0cbe
- net: systemport: Fix reception of BPDUs (git-fixes).
- commit 54f0189
- sfc: initialise found bitmap in efx_ef10_mtd_probe (git-fixes).
- commit 36c912f
- net: sfp: do not probe SFP module before we're attached (git-fixes).
- commit b335b5c
- net: phy: sfp: warn the user when no tx_disable pin is available (git-fixes).
- commit 921c51c
- blacklist.conf: update blacklist
- commit 0fefc1a
- net: stmmac: Disable EEE mode earlier in XMIT callback
(git-fixes).
- commit 42ea2f4
- blacklist.conf: update blacklist
- commit 16074da
- preserve KABI for struct plat_stmmacenet_data (git-fixes).
- commit be0b5cc
- net: stmmac: Fallback to Platform Data clock in Watchdog
conversion (git-fixes).
- commit c0e8ae4
- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
(git-fixes).
- commit 1f97aba
- blacklist.conf: update blacklist
- commit 160c442
- net: dsa: bcm_sf2: Propagate error value from mdio_write
(git-fixes).
- commit 042ff8c
- net: (cpts) fix a missing check of clk_prepare (git-fixes).
- commit a0511a4
- blacklist.conf: update blacklist
- commit 778d638
- mlxsw: spectrum: Properly cleanup LAG uppers when removing
port from LAG (git-fixes).
- commit 65b3a7e
- blacklist.conf: update blacklist
- commit 72f91b3
- nfsd: drop st_mutex and rp_mutex before calling
move_to_close_lru() (bsc#1217525).
- commit d08e536
- blacklist.conf: add wont-backport commit
- commit 65861c5
- libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and
check its return value (git-fixes).
- nvdimm: Fix badblocks clear off-by-one error (git-fixes).
- nvdimm: Allow overwrite in the presence of disabled dimms
(git-fixes).
- nvdimm/btt: do not call del_gendisk() if not needed (git-fixes).
- libnvdimm/region: Fix label activation vs errors (git-fixes).
- commit dc5bee2
- libnvdimm: cover up changes in struct nvdimm_bus_descriptor
(git-fixes).
- libnvdimm: Validate command family indices (git-fixes).
- commit 27f581b
- libnvdimm: Out of bounds read in __nd_ioctl() (git-fixes).
- acpi/nfit: improve bounds checking for 'func' (git-fixes).
- libnvdimm/btt: fix variable 'rc' set but not used (git-fixes).
- libnvdimm/pmem: Delete include of nd-core.h (git-fixes).
- =?UTF-8?q?libnvdimm:=20Fix=20endian=20conversion=20issues?=
=?UTF-8?q?=C2=A0?= (git-fixes).
- libnvdimm: Fix compilation warnings with W=1 (git-fixes).
- libnvdimm/pmem: fix a possible OOB access when read and write
pmem (git-fixes).
- libnvdimm/btt: Fix a kmemdup failure check (git-fixes).
- libnvdimm/namespace: Fix a potential NULL pointer dereference
(git-fixes).
- libnvdimm/btt: Fix LBA masking during 'free list' population
(git-fixes).
- libnvdimm/btt: Remove unnecessary code in btt_freelist_init
(git-fixes).
- acpi/nfit: Require opt-in for read-only label configurations
(git-fixes).
- UAPI: ndctl: Fix g++-unsupported initialisation in headers
(git-fixes).
- commit e6b26fa
- blacklist.conf: false positive
- commit de6f57b
- blacklist.conf: blacklist Huawei HiNIC
- commit d68e629
- s390/dasd: fix double module refcount decrement (bsc#1141539).
- commit 1d573b9
- netfilter: nf_tables: Reject tables of unsupported family
(CVE-2023-6040 bsc#1218752).
- commit 9e6d9d4
- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
bsc#1218757).
- commit 5e6770d
- powerpc/pseries/memhotplug: Quieten some DLPAR operations
(bsc#1065729).
- commit 4d451a9
- powerpc/powernv: Add a null pointer check in
opal_powercap_init() (bsc#1181674 ltc#189159 git-fixes).
- powerpc/powernv: Add a null pointer check in opal_event_init()
(bsc#1065729).
- powerpc/pseries/memhp: Fix access beyond end of drmem array
(bsc#1065729).
- powerpc: Don't clobber f0/vs0 during fp|altivec register save
(bsc#1065729).
- commit d5de04b
- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
The old entries are found in kernel-docs/old_changelog.txt in docdir.
rpm/old_changelog.txt can be an optional file that stores the similar
info like rpm/kernel-sources.changes.old. It can specify the commit
range that have been truncated. scripts/tar-up.sh expands from the
git log accordingly.
- commit c9a2566
- fs: ocfs2: namei: check return value of ocfs2_add_entry()
(git-fixes).
- commit 37053b5
- orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
(git-fixes).
- commit 22c7474
- orangefs: Fix sysfs not cleanup when dev init failed
(git-fixes).
- commit 3dc6f72
- fat: add ratelimit to fat*_ent_bread() (git-fixes).
- commit 2e4dd8d
- orangefs: fix orangefs df output (git-fixes).
- commit 14af1e9
- fs/fat/file.c: issue flush after the writeback of FAT
(git-fixes).
- commit 4b5cf8c
- fs/exofs: fix potential memory leak in mount option parsing
(git-fixes).
- commit c3e2f19
- orangefs: rate limit the client not running info message
(git-fixes).
- commit 9ffd7ce
- gfs2: ignore negated quota changes (git-fixes).
- commit 65c2047
- gfs2: Fix possible data races in gfs2_show_options()
(git-fixes).
- commit 57d66df
- gfs2: Fix inode height consistency check (git-fixes).
- commit d7ee5ae
- gfs2: Check sb_bsize_shift after reading superblock (git-fixes).
- commit 381ce29
- gfs2: Make sure FITRIM minlen is rounded up to fs block size
(git-fixes).
- commit 59f59dc
- gfs2: assign rgrp glock before compute_bitstructs (git-fixes).
- commit 8e79a5c
- gfs2: Don't call dlm after protocol is unmounted (git-fixes).
- commit 0e0a651
- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (git-fixes).
- commit 4dff329
- gfs2: report "already frozen/thawed" errors (git-fixes).
- commit e5108bb
- gfs2: Don't skip dlm unlock if glock has an lvb (git-fixes).
- commit 38230f9
- gfs2: check for empty rgrp tree in gfs2_ri_update (git-fixes).
- commit 3484422
- gfs2: Wake up when sd_glock_disposal becomes zero (git-fixes).
- commit 6e96bc8
- gfs2: check for live vs. read-only file system in gfs2_fitrim
(git-fixes).
- commit dece8b9
- gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix
use-after-free (git-fixes).
- commit 5f11647
- gfs2: add validation checks for size of superblock (git-fixes).
- commit 4bfdec0
- gfs2: fix use-after-free on transaction ail lists (git-fixes).
- commit 3c0934a
- gfs2: initialize transaction tr_ailX_lists earlier (git-fixes).
- commit a3dcb8b
- gfs2: Allow lock_nolock mount to specify jid=X (git-fixes).
- commit c3d10eb
- gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
(git-fixes).
- commit 50b2782
- gfs2: clear buf_in_tr when ending a transaction in
sweep_bh_for_rgrps (git-fixes).
- commit 0638ce6
- gfs2: Fix sign extension bug in gfs2_update_stats (git-fixes).
- commit 6905d0e
- gfs2: Fix lru_count going negative (git-fixes).
- commit 22c6d6f
- gfs2: take jdata unstuff into account in do_grow (git-fixes).
- commit f6cafad
- gfs2: Fix marking bitmaps non-full (git-fixes).
- commit 27f21b4
- GFS2: Flush the GFS2 delete workqueue before stopping the
kernel threads (git-fixes).
- commit c0d61c2
- gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
(git-fixes).
- commit ca05c1f
- gfs2: Special-case rindex for gfs2_grow (git-fixes).
- commit 77ffe3d
- reiserfs: Replace 1-element array with C99 style flex-array
(git-fixes).
- commit ed361ae
- reiserfs: Check the return value from __getblk() (git-fixes).
- commit c984c17
- affs: fix basic permission bits to actually work (git-fixes).
- commit 6abe668
- libxml2
-
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
* Added libxml2-CVE-2024-25062.patch
- suseconnect-ng
-
- Update to version 1.7.0~git0.5338270
* Allow SUSEConnect on read write transactional systems (bsc#1219425)
- mozilla-nss
-
- update to NSS 3.90.2
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
decryption in TLS. (bsc#1216198)
* bmo#1867408 - add a defensive check for large ssl_DefSend
return values.
- python3-azuremetadata
-
- Version 5.1.6
Fix empty list attributes (bsc#1214930)
- Version 5.1.5 (bsc#1194663)
+ Handle lsblk output format change. The json data now contains
"mountpoints" instead of "mountpoint"
- python3
-
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
- Refresh CVE-2023-27043-email-parsing-errors.patch from
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- python-instance-billing-flavor-check
-
- Version 0.0.6 (bsc#1218561)
Support proxy setup on the client to access the update infrastructure
API
- Version 0.0.5
Add IPv6 support (bsc#1218739)
- python36
-
- Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- _product:sle-sdk-release
-
n/a
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
+ Remove duplicate data collection for the plugin itself
+ Collect archive metering data when available
+ Query billing flavor status
- sudo
-
- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
* Try to make sudo less vulnerable to ROWHAMMER attacks.
* Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
- grub2
-
- Make consistent check to enable relative path on btrfs (bsc#1174567) (bsc#1216912)
* 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
- openssh
-
- remember the enabled state of sshd state, so openssh8,4 can pick it
up. bsc#1220110
- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
This limits the use of shell metacharacters in host- and
user names.
- docker
-
- Vendor latest buildkit v0.11:
Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
vendors in the latest v0.11 buildkit branch including bugfixes for the following:
* bsc#1219438: CVE-2024-23653
* bsc#1219268: CVE-2024-23652
* bsc#1219267: CVE-2024-23651
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
completion warnings
- _product:SLES-release
-
n/a
- python-base
-
- Add CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).