ca-certificates-mozilla
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
containerd
- Update to containerd v1.7.21. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.21>
  Fixes CVE-2023-47108. bsc#1217070
  Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
cups
- cups-branch-2.2-commit-b643d6ba92f00752aa5e74ff86ad3974334914c1.diff
  is https://github.com/OpenPrinting/cups/commit/b643d6ba92f00752aa5e74ff86ad3974334914c1
  which was added in CUPS 2.2.8 that
  fixed a parsing bug in cups_auth_find() in cups/auth.c
  which lead to cupsd failing to authenticate users
  when group membership is required by cupsd configuration
  like 'Require user @GROUP' which lead to CUPS related commands
  requesting password from group users even if it is not needed
  (bsc#1226227)
- In cups.changes replaced one place where UTF-8 characters
  were used in the entry dated "Sat Sep 30 08:52:42 UTC 2017"
  for what should be ' - ' by ASCII to avoid RPMLINT warning
  about 'non-break-space' which "can lead to obscure errors".
curl
- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
dmidecode
- Update to upstream version 3.6 (jsc#PED-8574):
  * Support for SMBIOS 3.6.0. This includes new memory device types, new
    processor upgrades, and Loongarch support.
  * Support for SMBIOS 3.7.0. This includes new port types, new processor
    upgrades, new slot characteristics and new fields for memory modules.
  * Add bash completion.
  * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245.
  * Implement options --list-strings and --list-types.
  * Update HPE OEM records 203, 212, 216, 221, 233 and 236.
  * Update Redfish support.
  * Bug fixes:
    Fix enabled slot characteristics not being printed
  * Minor improvements:
    Print slot width on its own line
    Use standard strings for slot width
  * Add a --no-quirks option.
  * Drop the CPUID exception list.
  * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch,
    dmidecode-fortify-entry-point-length-checks.patch,
    dmidecode-split-table-fetching-from-decoding.patch,
    dmidecode-write-the-whole-dump-file-at-once.patch,
    dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch,
    dmioem-hpe-oem-record-237-firmware-change.patch,
    dmioem-typo-fix-virutal-virtual.patch,
    ensure-dev-mem-is-a-character-device-file.patch,
    news-fix-typo.patch and
    use-read_file-to-read-from-dump.patch.
  Update for HPE servers from upstream:
- dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in
  HPE type 238 records.
dracut
- Update to version 055+suse.359.geb85610b:
  * fix(convertfs): error in conditional expressions (bsc#1228847)
glibc
- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ
  [#31934])
grub2
- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch

- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)
  * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch

- Fix PowerPC grub loads 5 to 10 minutes slower on SLE-15-SP5 compared to
  SLE-15-SP2 (bsc#1217102)
  * add 0001-ofdisk-enhance-boot-time-by-focusing-on-boot-disk-re.patch
  * add 0002-ofdisk-add-early_log-support.patch

- Enhancement to PPC secure boot's root device discovery config (bsc#1207230)
- Fix regex for Open Firmware device specifier with encoded commas
  * 0002-prep_loadenv-Fix-regex-for-Open-Firmware-device-spec.patch
- Fix regular expression in PPC secure boot config to prevent escaped commas
  from being treated as delimiters when retrieving partition substrings.
- Use prep_load_env in PPC secure boot config to handle unset host-specific
  environment variables and ensure successful command execution.
  * 0004-Introduce-prep_load_env-command.patch
- Refreshed
  * 0005-export-environment-at-start-up.patch
kernel-default
- btrfs: sysfs: update fs features directory asynchronously
  (bsc#1226168).
- commit 97cd90c

- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
  CVE-2024-39494).
- commit 81484ec

- ASoC: topology: Fix route memory corruption (CVE-2024-41069
  bsc#1228644).
- commit 586db1a

- net: do not leave a dangling sk pointer, when socket creation fails (CVE-2024-40954 bsc#1227808)
- commit 8f44f81

- check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN
  Mainline commit f2f6a8e88717 ("init/Kconfig: remove
  CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND") replaced
  GCC_ASM_GOTO_OUTPUT_WORKAROUND with GCC_ASM_GOTO_OUTPUT_BROKEN. Ignore both
  when checking config changes.
- commit b60be3e

- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit 810053d

- ptp: fix integer overflow in max_vclocks_store (bsc#1227829
  CVE-2024-40994).
- commit 205cc4c

- filelock: Remove locks reliably when fcntl/close race is
  detected (CVE-2024-41012 bsc#1228247).
- commit e2c5917

- Update
  patches.suse/KVM-Always-flush-async-PF-workqueue-when-vCPU-is-being-des.patch
  (bsc#1223635 (CVE-2024-26976) CVE-2024-26976).
- Update
  patches.suse/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
  (bsc#1227383 CVE-2024-40902 bsc#1227764).
- Update
  patches.suse/vfio-fsl-mc-Block-calling-interrupt-handler-without-trigge.patch
  (bsc#1222810 (CVE-2024-26814) CVE-2024-26814).
- Update
  patches.suse/vfio-platform-Create-persistent-IRQ-handlers.patch
  (bsc#1222809 (CVE-2024-26813) CVE-2024-26813).
- commit 39eeeb9

- Update
  patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch
  (git-fixes CVE-2023-52885 bsc#1227750).
- Update
  patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch
  (bsc#1213123 CVE-2023-37453 CVE-2023-52886 bsc#1227981).
- Update
  patches.suse/virtio-blk-fix-implicit-overflow-on-virtio_max_dma_size.patch
  (bsc#1225573 (CVE-2023-52762) CVE-2023-52762).
- commit 3784f34

- Update
  patches.suse/HID-hid-thrustmaster-fix-OOB-read-in-thrustmaster_in.patch
  (git-fixes CVE-2022-48866 bsc#1228014).
- Update
  patches.suse/Input-aiptek-properly-check-endpoint-type.patch
  (git-fixes CVE-2022-48836 bsc#1227989).
- Update
  patches.suse/KVM-x86-nSVM-fix-potential-NULL-derefernce-on-nested.patch
  (git-fixes CVE-2022-48793 bsc#1228019).
- Update
  patches.suse/NFC-port100-fix-use-after-free-in-port100_send_compl.patch
  (git-fixes CVE-2022-48857 bsc#1228005).
- Update
  patches.suse/NFSD-Fix-NFSv3-SETATTR-CREATE-s-handling-of-large-fi.patch
  (git-fixes CVE-2022-48829 bsc#1228055).
- Update patches.suse/NFSD-Fix-ia_size-underflow.patch (git-fixes
  CVE-2022-48828 bsc#1228054).
- Update
  patches.suse/NFSD-Fix-the-behavior-of-READ-near-OFFSET_MAX.patch
  (bsc#1195957 CVE-2022-48827 bsc#1228037).
- Update
  patches.suse/SUNRPC-lock-against-sock-changing-during-sysfs-read.patch
  (bsc#1194324 CVE-2022-48816 bsc#1228038).
- Update
  patches.suse/can-isotp-fix-potential-CAN-frame-reception-race-in-.patch
  (git-fixes CVE-2022-48830 bsc#1227982).
- Update
  patches.suse/cfg80211-fix-race-in-netlink-owner-interface-destruc.patch
  (git-fixes CVE-2022-48784 bsc#1227938).
- Update
  patches.suse/dmaengine-ptdma-Fix-the-error-handling-path-in-pt_co.patch
  (git-fixes CVE-2022-48774 bsc#1227923).
- Update
  patches.suse/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch
  (git-fixes CVE-2022-48849 bsc#1228061).
- Update
  patches.suse/drm-vc4-Fix-deadlock-on-DSI-device-attach-error.patch
  (git-fixes CVE-2022-48826 bsc#1227975).
- Update
  patches.suse/drm-vrr-Set-VRR-capable-prop-only-if-it-is-attached-.patch
  (git-fixes CVE-2022-48843 bsc#1228066).
- Update
  patches.suse/eeprom-ee1004-limit-i2c-reads-to-I2C_SMBUS_BLOCK_MAX.patch
  (git-fixes CVE-2022-48806 bsc#1227948).
- Update
  patches.suse/ethernet-Fix-error-handling-in-xemaclite_of_probe.patch
  (git-fixes CVE-2022-48860 bsc#1228008).
- Update
  patches.suse/fs-proc-task_mmu.c-don-t-read-mapcount-for-migration-entry.patch
  (CVE-2023-1582 bsc#1209636 CVE-2022-48802 bsc#1227942).
- Update
  patches.suse/gianfar-ethtool-Fix-refcount-leak-in-gfar_get_ts_inf.patch
  (git-fixes CVE-2022-48856 bsc#1228004).
- Update patches.suse/iavf-Fix-hang-during-reboot-shutdown.patch
  (jsc#SLE-18385 CVE-2022-48840 bsc#1227990).
- Update
  patches.suse/ibmvnic-don-t-release-napi-in-__ibmvnic_open.patch
  (bsc#1195668 ltc#195811 CVE-2022-48811 bsc#1227928).
- Update
  patches.suse/ice-Fix-KASAN-error-in-LAG-NETDEV_UNREGISTER-handler.patch
  (git-fixes CVE-2022-48807 bsc#1227970).
- Update
  patches.suse/ice-Fix-race-condition-during-interface-enslave.patch
  (git-fixes CVE-2022-48842 bsc#1228064).
- Update
  patches.suse/ice-fix-NULL-pointer-dereference-in-ice_update_vsi_t.patch
  (jsc#SLE-18375 CVE-2022-48841 bsc#1227991).
- Update
  patches.suse/iio-buffer-Fix-file-related-error-handling-in-IIO_BU.patch
  (git-fixes CVE-2022-48801 bsc#1227956).
- Update
  patches.suse/ima-fix-reference-leak-in-asymmetric_verify.patch
  (git-fixes CVE-2022-48831 bsc#1227986).
- Update
  patches.suse/iommu-Fix-potential-use-after-free-during-probe
  (git-fixes CVE-2022-48796 bsc#1228028).
- Update patches.suse/iwlwifi-fix-use-after-free.patch
  (bsc#1197762 git-fixes CVE-2022-48787 bsc#1227932).
- Update
  patches.suse/mISDN-Fix-memory-leak-in-dsp_pipeline_build.patch
  (git-fixes CVE-2022-48863 bsc#1228063).
- Update
  patches.suse/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch
  (git-fixes CVE-2022-48821 bsc#1227976).
- Update
  patches.suse/mm-don-t-try-to-NUMA-migrate-COW-pages-that-have-other-uses.patch
  (git fixes (mm/numa) CVE-2022-48797 bsc#1228035).
- Update
  patches.suse/mm-vmscan-remove-deadlock-due-to-throttling.patch
  (bsc#1195357 CVE-2022-48800 bsc#1227954).
- Update
  patches.suse/msft-hv-2515-Drivers-hv-vmbus-Fix-memory-leak-in-vmbus_add_channe.patch
  (git-fixes CVE-2022-48775 bsc#1227924).
- Update
  patches.suse/mtd-parsers-qcom-Fix-kernel-panic-on-skipped-partiti.patch
  (git-fixes CVE-2022-48777 bsc#1227922).
- Update
  patches.suse/mtd-parsers-qcom-Fix-missing-free-for-pparts-in-clea.patch
  (git-fixes CVE-2022-48776 bsc#1227925).
- Update
  patches.suse/mtd-rawnand-gpmi-don-t-leak-PM-reference-in-error-pa.patch
  (git-fixes CVE-2022-48778 bsc#1227935).
- Update
  patches.suse/net-dsa-ar9331-register-the-mdiobus-under-devres.patch
  (git-fixes CVE-2022-48817 bsc#1227931).
- Update
  patches.suse/net-dsa-bcm_sf2-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48815 bsc#1227933).
- Update
  patches.suse/net-dsa-felix-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48813 bsc#1227963).
- Update
  patches.suse/net-dsa-lantiq_gswip-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48812 bsc#1227971).
- Update
  patches.suse/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_rem.patch
  (git-fixes CVE-2022-48783 bsc#1227949).
- Update
  patches.suse/net-dsa-mv88e6xxx-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48818 bsc#1228039).
- Update
  patches.suse/net-dsa-seville-register-the-mdiobus-under-devres.patch
  (git-fixes CVE-2022-48814 bsc#1227944).
- Update
  patches.suse/net-ieee802154-at86rf230-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48794 bsc#1228025).
- Update
  patches.suse/net-marvell-prestera-Add-missing-of_node_put-in-pres.patch
  (git-fixes CVE-2022-48859 bsc#1228007).
- Update
  patches.suse/net-mlx5-Fix-a-race-on-command-flush-flow.patch
  (git-fixes CVE-2022-48858 bsc#1228006).
- Update
  patches.suse/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
  (CVE-2022-20368 bsc#1202346 CVE-2022-48839 bsc#1227985).
- Update
  patches.suse/net-smc-Avoid-overwriting-the-copies-of-clcsock-callback-functions
  (git-fixes CVE-2022-48780 bsc#1227995).
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748 bsc#1202686 CVE-2022-2964
  CVE-2022-48805 bsc#1227969).
- Update
  patches.suse/nvme-fix-a-possible-use-after-free-in-controller-res.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48790
  bsc#1227941).
- Update
  patches.suse/nvme-rdma-fix-possible-use-after-free-in-transport-e.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48788
  bsc#1227952).
- Update
  patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48789
  bsc#1228000).
- Update
  patches.suse/perf-Fix-list-corruption-in-perf_cgroup_switch.patch
  (git fixes CVE-2022-48799 bsc#1227953).
- Update
  patches.suse/phy-stm32-fix-a-refcount-leak-in-stm32_usbphyc_pll_e.patch
  (git-fixes CVE-2022-48820 bsc#1227972).
- Update
  patches.suse/phy-ti-Fix-missing-sentinel-for-clk_div_table.patch
  (git-fixes CVE-2022-48803 bsc#1227965).
- Update
  patches.suse/s390-cio-verify-the-driver-availability-for-path_event-call
  (bsc#1195927 LTC#196420 CVE-2022-48798 bsc#1227945).
- Update
  patches.suse/scsi-mpt3sas-Page-fault-in-reply-q-processing.patch
  (git-fixes CVE-2022-48835 bsc#1228060).
- Update patches.suse/scsi-myrs-Fix-crash-in-error-case.patch
  (git-fixes CVE-2022-48824 bsc#1227964).
- Update
  patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-SSP-STP-sas_task.patch
  (git-fixes CVE-2022-48792 bsc#1228013).
- Update
  patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-TMF-sas_task.patch
  (git-fixes CVE-2022-48791 bsc#1228002).
- Update
  patches.suse/scsi-qedf-Add-stag_work-to-all-the-vports.patch
  (git-fixes CVE-2022-48825 bsc#1228056).
- Update
  patches.suse/scsi-qedf-Fix-refcount-issue-when-LOGO-is-received-during-TMF.patch
  (git-fixes CVE-2022-48823 bsc#1228045).
- Update
  patches.suse/staging-gdm724x-fix-use-after-free-in-gdm_lte_rx.patch
  (git-fixes CVE-2022-48851 bsc#1227997).
- Update
  patches.suse/swiotlb-fix-info-leak-with-DMA_FROM_DEVICE.patch
  (CVE-2022-0854 bsc#1196823 CVE-2022-48853 bsc#1228015).
- Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch
  (git-fixes CVE-2022-48822 bsc#1228040).
- Update
  patches.suse/usb-gadget-Fix-use-after-free-bug-by-not-setting-udc.patch
  (git-fixes CVE-2022-48838 bsc#1227988).
- Update
  patches.suse/usb-gadget-rndis-prevent-integer-overflow-in-rndis_s.patch
  (git-fixes CVE-2022-48837 bsc#1227987).
- Update
  patches.suse/usb-usbtmc-Fix-bug-in-pipe-direction-for-control-tra.patch
  (git-fixes CVE-2022-48834 bsc#1228062).
- Update
  patches.suse/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch
  (git-fixes CVE-2022-48861 bsc#1228009).
- Update
  patches.suse/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch
  (git-fixes CVE-2022-48862 bsc#1228010).
- Update
  patches.suse/vsock-remove-vsock-from-connected-table-when-connect.patch
  (git-fixes CVE-2022-48786 bsc#1227996).
- Update
  patches.suse/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
  (git-fixes CVE-2022-48804 bsc#1227968).
- Update patches.suse/watch_queue-Fix-filter-limit-check.patch
  (CVE-2022-0995 bsc#1197246 CVE-2022-48847 bsc#1227993).
- Update
  patches.suse/xprtrdma-fix-pointer-derefs-in-error-cases-of-rpcrdm.patch
  (git-fixes CVE-2022-48773 bsc#1227921).
- commit e328ee7

- Update
  patches.suse/net-sunrpc-fix-reference-count-leaks-in-rpc_sysfs_xp.patch
  (git-fixes CVE-2021-47624 bsc#1227920).
- Update
  patches.suse/scsi-ufs-Fix-a-deadlock-in-the-error-handler.patch
  (git-fixes CVE-2021-47622 bsc#1227917).
- commit f2d923e

- cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801).
- commit 8837200

- net/dpaa2: Avoid explicit cpumask var allocation on stack
  (CVE-2024-42093 bsc#1228680).
- commit e2a1614

- workqueue: Improve scalability of workqueue watchdog touch
  (bsc#1193454).
- commit 51a7eb4

- workqueue: wq_watchdog_touch is always called with valid CPU
  (bsc#1193454).
- commit 10bbd80

- KVM: arm64: Disassociate vcpus from redistributor region on
  teardown (CVE-2024-40989 bsc#1227823).
- commit 724dd5c

- ASoC: topology: Fix references to freed memory (CVE-2024-41069
  bsc#1228644).
- commit 44dd0c7

- Update
  patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch
  (bsc#1221044 CVE-2023-52591 bsc#1228440).
- commit d21f810

- hfsplus: fix uninit-value in copy_name (bsc#1228561
  CVE-2024-41059).
- commit cfc2db1

- dmaengine: idxd: Fix possible Use-After-Free in
  irq_process_work_list (CVE-2024-40956 bsc#1227810).
- commit 3632d87

- ocfs2: fix DIO failure due to insufficient transaction credits
  (bsc#1216834).
- commit edabc6f

- tap: add missing verification for short frame (CVE-2024-41090
  bsc#1228328).
- commit e64bcfc

- rpm/guards: fix precedence issue with control flow operator
  With perl 5.40 it report the following error on rpm/guards script:
  Possible precedence issue with control flow operator (exit) at scripts/guards line 208.
  Fix the issue by adding parenthesis around ternary operator.
- commit 07b8b4e

- drm/amdkfd: don't allow mapping the MMIO HDP page with large
  pages (CVE-2024-41011 bsc#1228115).
- commit ff8f843

- 9p: add missing locking around taking dentry fid list (bsc#1227090, CVE-2024-39463).
- commit c58a66f

- sch_cake: do not call cake_destroy() from cake_init()
  (CVE-2021-47598 bsc#1226574).
- commit d533b8e

- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
  bsc#1227836).
- commit 610d469

- Update
  patches.suse/powerpc-pseries-iommu-LPAR-panics-during-boot-up-wit.patch
  (bsc#1222011 ltc#205900 CVE-2024-36926 bsc#1225829).
- commit 1ec0d1e

- Update
  patches.suse/perf-x86-intel-pt-Fix-crash-with-stop-filters-in-single-range-mode.patch
  (git fixes CVE-2022-48713 bsc#1227549).
- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226758 CVE-2024-38559 bsc#1226785).
- Update
  patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
  CVE-2024-26800 bsc#1222728).
- commit 329a684

- vfio/fsl-mc: Block calling interrupt handler without trigger
  (bsc#1222810 CVE-2024-26814).
- commit 520ae3c

- KVM: Always flush async #PF workqueue when vCPU is being
  destroyed (bsc#1223635 CVE-2024-26976).
- commit c5ed396

- virtio-blk: fix implicit overflow on virtio_max_dma_size
  (bsc#1225573 CVE-2023-52762).
- commit 4296dc1

- vfio/platform: Create persistent IRQ handlers (bsc#1222809
  CVE-2024-26813).
- commit a8290e8

- net: mana: Fix Rx DMA datasize and skb_over_panic (git-fixes CVE-2024-35901 bsc#1224495).
- commit 9db7ad0

- Update patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch.
- fix build warning
- commit 01715f7

- powerpc/pseries: Fix scv instruction crash with kexec
  (bsc#1194869 CVE-2024-42230).
- powerpc/kasan: Disable address sanitization in kexec paths
  (bsc#1194869 CVE-2024-42230).
- commit c9d175f

- kernel-binary: vdso: Own module_dir
- commit ff69986

- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226785 CVE-2024-38559).
  Fixed incorrect bug reference.
- commit e3b8fb6

- net/dcb: check for detached device before executing callbacks
  (bsc#1215587).
- commit 9c27e1c

- kABI: rtas: Workaround false positive due to lost definition
  (bsc#1227487).
- commit fb8a8f3

- powerpc/rtas: Prevent Spectre v1 gadget construction in
  sys_rtas() (bsc#1227487).
- commit 9648fb4

- tls: fix use-after-free on failed backlog decryption
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: separate no-async decryption request handling from async
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: decrement decrypt_pending if no async completion will be
  called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: handle backlogging of crypto requests (CVE-2024-26584
  bsc#1220186).
- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- tls: fix race between async notify and socket close
  (CVE-2024-26583 bsc#1220185).
- net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: fix async vs NIC crypto offload (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: use async as an in-out argument (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: assume crypto always calls our callback (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't track the async count (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584
  bsc#1220185 bsc#1220186).
- tls: rx: wrap decryption arguments in a structure
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't report text length from the bowels of decrypt
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: drop unnecessary arguments from tls_setup_from_iter()
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- commit 63dd4a4

- Delete
  patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch.
  Will be replaced with a refreshed version once all conflicting new patches are in.
- commit a0fa0a3

- NFS: Reduce use of uncached readdir (bsc#1226662).
- NFS: Don't re-read the entire page cache to find the next cookie
  (bsc#1226662).
- commit a10cc0e

- jfs: xattr: fix buffer overflow for invalid xattr
  (bsc#1227383).
- commit 33e2d96
util-linux
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).
expat
- Security fix (bsc#1229932, CVE-2024-45492): detect integer
  overflow in function nextScaffoldPart
  * Added expat-CVE-2024-45492.patch
- Security fix (bsc#1229931, CVE-2024-45491): detect integer
  overflow in dtdCopy
  * Added expat-CVE-2024-45491.patch
- Security fix (bsc#1229930, CVE-2024-45490): reject negative
  len for XML_ParseBuffer
  * Added expat-CVE-2024-45490.patch
glib2
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).
openssl-1_1
- Build with no-afalgeng [bsc#1226463]

- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
libpcap
- Security fix: [bsc#1230034, CVE-2024-8006]
  * libpcap: NULL pointer derefence in pcap_findalldevs_ex()
  * Add libpcap-CVE-2024-8006.patch

- Security fix: [bsc#1230020, CVE-2023-7256]
  * libpcap: double free via addrinfo in sock_initaddress()
  * Add libpcap-CVE-2023-7256.patch
libsolv
- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30
systemd
- Import commit a57a6d239c5d6b91fb3dcd269705e60804a03ae1
  cd0c9ac4f4 unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
  e1eaa86a49 udev: do not set ID_PATH and by-path symlink for nvmf disks
  a85d211874 man: Document ranges for distributions config files and local config files

- Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
  Otherwise pesign-obs-integration ends up re-packaging systemd with all macros
  inside comments unescaped leading to unpredictable behavior. Now why rpm
  expands rpm macros inside comments is the question...

- Update 1011-sysv-generator-add-back-support-for-SysV-scripts-for.patch
  Really skip redundant dependencies specified the LSB description that
  references the file name of the service itself for early boot scripts (noticed
  in bsc#1221479).
libzypp
- Make sure not to statically linked installed tools (bsc#1228787)
- version 17.35.8 (35)

- MediaPluginType must be resolved to a valid MediaHandler
  (bsc#1228208)
- version 17.35.7 (35)

- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)

- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)

- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)

- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
  Older zypp-plugins reject stomp headers including a '-'. Like the
  'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
  This patch fixes an issue in safe_strtonum which caused
  timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)

- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
  Buddy pairs (like -release package and product) internally share
  the same status object. When applying locks from query results
  the locked bit must be set if either item is locked.
- version 17.35.2 (35)

- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)

- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)

- Workaround broken libsolv-tools-base requirements (fixes
  openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)
pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
python-azure-agent
- Restart the agent (bsc#1227600)
  + The agent service gets restarted in post but may fail due to a missing
    config file. config files were split into their own package previously.
    When we detect that we have to restore a config file we also need
    to restart the agent again.
python-PyYAML
- reenable the cython yaml loader (bsc#1225641)
python3-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
runc
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
  Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
  * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
SLES-release
- Update codestream lifecycle
supportutils
- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc
util-linux-systemd
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).
zypper
- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint how much
  additional disk space is needed by the new packages static
  content.
- version 1.14.76

- Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly
  (bsc#1227205)
- version 1.14.75

- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74