avahi
- Update avahi-daemon-check-dns.sh from Debian. Our previous
  version relied on ifconfig, route, and init.d.
- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges
  when invoking avahi-daemon-check-dns.sh (boo#1180827
  CVE-2021-26720).
- Add sudo to requires: used to drop privileges.
bind
- dnssec-keygen can no longer generate HMAC keys.
  Use tsig-keygen instead.
  modified genDDNSkey script to reflect this.
  [vendor-files/tools/bind.genDDNSkey, bsc#1180933]
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack
  [bsc#1182246, CVE-2020-8625, bind-CVE-2020-8625.patch]
cloud-init
- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations
    error to make gateway comparison between subnet configuration and
    route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some test for mock version compatibility
docker
- It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop
  the patch entirely. bsc#1180401 bsc#1182168
  - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
[NOTE: This update was only ever released in SLES and Leap.]
dracut
- Update to version 049.1+suse.185.g9324648a:
  * 90kernel-modules: arm/arm64: Add reset controllers (bsc#1180336)
  * Prevent creating unexpected files on the host when running dracut (bsc#1176171)
glibc
- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
  (CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in
  ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in
  IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop
  bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- printf-long-double-non-normal.patch: x86: Harden printf against
  non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- get-nprocs-cpu-online-parsing.patch: Fix parsing of
  /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
golang-github-docker-libnetwork
- It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop
  the patch entirely. bsc#1180401 bsc#1182168
  - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
[NOTE: This update was only ever released in SLES and Leap.]
grub2
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0036-util-mkimage-Improve-data_size-value-calculation.patch
  * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0039-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0025-kern-parser-Fix-a-memory-leak.patch
  * 0026-kern-parser-Introduce-process_char-helper.patch
  * 0027-kern-parser-Introduce-terminate_arg-helper.patch
  * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
  * 0005-efi-Add-secure-boot-detection.patch
  * 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
  * 0007-verifiers-Move-verifiers-API-to-kernel-image.patch
  * 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
  * 0009-kern-Add-lockdown-support.patch
  * 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
  * 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
  * 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
  * 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
  * 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
  * 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
  * 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
  * 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
  * 0018-gdb-Restrict-GDB-access-when-locked-down.patch
  * 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
  * 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
  * 0041-squash-Add-secureboot-support-on-efi-chainloader.patch
  * 0042-squash-grub2-efi-chainload-harder.patch
  * 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
  * 0044-squash-kern-Add-lockdown-support.patch
  * 0045-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
- Drop patch supersceded by the new backport
  * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
  * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
- Add SBAT metadata section to grub.efi
- Drop shim_lock module as it is part of core of grub.efi
  * grub2.spec
openssh
- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes
  occasional crashes on connection termination caused by accessing
  freed memory.
python-Jinja2
- Fixed IndentationError in CVE-2020-28493.patch (bsc#1182244)
- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have
  been called with untrusted user data (bsc#1181944).
  Added CVE-2020-28493.patch
python-cryptography
- Add patch CVE-2020-36242-buffer-overflow.patch (bsc#1182066, CVE-2020-36242)
  * Using the Fernet class to symmetrically encrypt multi gigabyte values
    could result in an integer overflow and buffer overflow.
python-distro
- %python3_only -> %python_alternative
- Update to 1.5.0:
  * Backward Compatibility:
    + Keep output as native string so we can compatible with python2 interface
  * Bug Fixes:
    + Fix detection of RHEL 6 ComputeNode [#255]
    + Fix Oracle 4/5 lsb_release id and names [#250]
    + Ignore /etc/plesk-release file while parsing distribution
- Update to version 1.4.0:
  * Backward Compatibility:
  * Prefer the VERSION_CODENAME field of os-release to parsing it from VERSION [[#230](https://github.com/nir0s/distro/pull/230)]
  * Bug Fixes:
  * Return _uname_info from the uname_info() method [[#233](https://github.com/nir0s/distro/pull/233)]
  * Fixed CloudLinux id discovery [[#234](https://github.com/nir0s/distro/pull/234)]
  * Update Oracle matching [[#224](https://github.com/nir0s/distro/pull/224)]
  * Docs:
  * Distro is the recommended replacement for platform.linux_distribution [[#220](https://github.com/nir0s/distro/pull/220)]
  * Release:
  * Use Markdown for long description in setup.py [[#219](https://github.com/nir0s/distro/pull/219)]
- Drop useless BuildRequires of python-flake8 and python-pytest-cov
- Add assert_locale.patch to warn about wrong locale.
- Enable tests properly (this is pytest, not unittest),
  it is necessary to explicitly set locale to an Unicode one
  (https://github.com/nir0s/distro/issues/223)
- update to version 1.3.0:
  * improvements for other operating systems
  * documentation:
  * Add Ansible reference implementation and fix arch-linux link (#213)
  * Add facter reference implementation (#213)
python3
- Resync with python36 Factory package.
- Make this %primary_interpreter
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
- Change setuptools and pip version numbers according to new
  wheels (bsc#1179756).
release-notes-sles
- 15.2.20210217 (tracked in bsc#1182359)
- Added note about Idaville uncore support (jsc#SLE-7957)
- Added note about removal of software scrollback (bsc#1176235)
- Added note about AutoYaST profile changes (bsc#1178261)
- Added note about exception to recommending TLS 1.3 (bsc#1181043)
- Added note about deprecating LXC containers (jsc#SLE-16660)
salt
- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Added:
  * fix_regression_in_cmd_run_after_cve.patch
- Allow extra_filerefs as sanitized kwargs for SSH client
- Added:
  * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
- Fix errors with virt.update
- Added:
  * backport-commit-1b16478c51fb75c25cd8d217c80955feefb6.patch
- Fix for multiple for security issues
  (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144)
  (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197)
  (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560)
  (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- Added:
  * fix-for-some-cves-bsc1181550.patch
- virt: search for grub.xen path
- Xen spicevmc, DNS SRV records backports:
  Fix virtual network generated DNS XML for SRV records
  Don't add spicevmc channel to xen VMs
- virt UEFI fix: virt.update when efi=True
- Added:
  * open-suse-3002.2-xen-grub-316.patch
  * virt-uefi-fix-backport-312.patch
  * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
screen
- Fix double width combining char handling that could lead
  to a segfault [bnc#1182092] [CVE-2021-26937]
  new patch: combchar.diff
tcl
- bsc#1181840: Same fix as for tclConfig.sh is needed for tcl.pc.
yast2
- Do not use the 'installation-helper' binary to create snapshots
  during installation or offline upgrade (bsc#1180142).
- Add a new exception to properly handle exceptions
  when reading/writing snapshots numbers (related to bsc#1180142).
- 4.2.92
yast2-firewall
- Add to firewall/security proposal option to setup selinux if
  given product require it. (jsc#SLE-17427)
- 4.2.6
yast2-installation
- Do not crash when it is not possible to create a snapshot after
  installing or upgrading the system (bsc#1180142).
- 4.2.49
yast2-network
- Improve the AutoYaST interfaces reader handling better the IP
  Addresses configuration. (bsc#1174353, bsc#1178107)
- 4.2.91
yast2-packager
- Show correct number of downloaded packages in log (bsc#1180278)
- 4.2.69
- Fix crash when installation proposal require pattern and such
  pattern is not available in any repository (found during testing
  jsc#SLE-17427)
- 4.2.68
yast2-security
- Move SELinux .autorelabel file from / to /etc/selinux if root
  filesystem will be mounted as read only (jsc#SLE-17307).
- 4.2.19
- AutoYaST: add support for SELinux configuration (jsc#SMO-20,
  jsc#SLE-17342).
- 4.2.18
- Avoid crashing when the SELinux configuration file does not
  exist yet (jsc#SMO-20, jsc#SLE-17342).
- 4.2.17
- Improve the class for handling the SELinux configuration.
- Saves the SELinux mode in the configuration file (jsc#SMO-20,
  jsc#SLE-17342).
- 4.2.16
- Add class for managing SELinux configuration at boot time
  (jsc#SMO-20, jsc#SLE-17342).
- 4.2.15
yast2-update
- Do not rely on the 'installation-helper' binary to create
  snapshots after installation or offline upgrade (bsc#1180142).
- Do not crash when it is not possible to create a snapshot before
  upgrading the system (related to bsc#1180142).
- 4.2.21