apache2
- Fix the following bugs and CVEs:
  * bsc#1254511 / CVE-2025-55753
  * bsc#1254512 / CVE-2025-58098
  * bsc#1254514 / CVE-2025-65082
  * bsc#1254515 / CVE-2025-66200
- Add patches:
  * CVE-2025-55753.patch
  * CVE-2025-58098.patch
  * CVE-2025-65082.patch
  * CVE-2025-66200.patch

- Fix for bsc#1249359.
- Binary path for Apache's MPM was partially duplicated when it
  can't be invoked/found.
bash
- Add patch bsc1245199.patch
  * Fix histfile missing timestamp for the oldest record (bsc#1245199)
bind
- Security Fixes:
  * Address various spoofing attacks.
    [CVE-2025-40778, bsc#1252379, bind-9.16-CVE-2025-40778.patch]
  * Cache-poisoning due to weak pseudo-random number generator.
    [CVE-2025-40780, bsc#1252380, bind-9.16-CVE-2025-40780.patch]
binutils
- Update to current 2.45 branch at 94cb1c075 to include fix
  for PR33584 (a problem related to LTO vs fortran COMMON
  blocks).

- Amend binutils-compat-old-behaviour.diff to not enable
  '-z gcs=implicit' on aarch64 for old codestreams.

- Update to version 2.45:
  * New versioned release of libsframe.so.2
  * s390: tools now support SFrame format 2; recognize "z17" as CPU
    name [bsc#1247105, jsc#IBM-1485]
  * sframe sections are now of ELF section type SHT_GNU_SFRAME.
  * sframe sections generated by the assembler have
    SFRAME_F_FDE_FUNC_START_PCREL set.
  * riscv: Support more extensions: standard: Zicfiss v1.0, Zicfilp v1.0,
    Zcmp v1.0, Zcmt v1.0, Smrnmi v1.0, S[sm]dbltrp v1.0, S[sm]ctr v1.0,
    ssqosid v1.0, ssnpm v1.0, smnpm v1.0, smmpm v1.0, sspm v1.0, supm v1.0,
    sha v1.0, zce v1.0, smcdeleg v1.0, ssccfg v1.0, svvptc v1.0, zilsd v1.0,
    zclsd v1.0, smrnmi v1.0;
    vendor: CORE-V, xcvbitmanip v1.0 and xcvsimd v1.0;
    SiFive, xsfvqmaccdod v1.0, xsfvqmaccqoq v1.0 and xsfvfnrclipxfqf v1.0;
    T-Head: xtheadvdot v1.0;
    MIPS: xmipscbop v1.0, xmipscmov v1.0, xmipsexectl v1.0, xmipslsp v1.0.
  * Support RISC-V privileged version 1.13, profiles 20/22/23, and
    .bfloat16 directive.
  * x86: Add support for these ISAs: Intel Diamond Rapids AMX, MOVRS,
    AVX10.2 (including SM4), MSR_IMM; Zhaoxin PadLock PHE2, RNG2, GMI, XMODX.
    Drop support for AVX10.2 256 bit rounding.
  * arm: Add support for most of Armv9.6, enabled by -march=armv9.6-a and
    extensions '+cmpbr', '+f8f16mm', '+f8f32mm', '+fprcvt', '+lsfe', '+lsui',
    '+occmo', '+pops', '+sme2p2', '+ssve-aes', '+sve-aes', '+sve-aes2',
    '+sve-bfscale', '+sve-f16f32mm' and '+sve2p2'.
  * Predefined symbols "GAS(version)" and, on non-release builds, "GAS(date)"
    are now being made available.
  * Add .errif and .warnif directives.
  * linker:
  - Add --image-base=<ADDR> option to the ELF linker to behave the same
    as -Ttext-segment for compatibility with LLD.
  - Add support for mixed LTO and non-LTO codes in relocatable output.
  - s390: linker generates .eh_frame and/or .sframe for linker
    generated .plt sections by default (can be disabled
    by --no-ld-generated-unwind-info).
  - riscv: add new PLT formats, and GNU property merge rules for zicfiss
    and zicfilp extensions.
- gold is no longer included
- Contains fixes for these non-CVEs (not security bugs per upstream's
  SECURITY.md):
  * bsc#1236632 aka CVE-2025-0840 aka PR32560
  * bsc#1236977 aka CVE-2025-1149 aka PR32576
  * bsc#1236978 aka CVE-2025-1148 aka PR32576
  * bsc#1236999 aka CVE-2025-1176 aka PR32636
  * bsc#1237000 aka CVE-2025-1153 aka PR32603
  * bsc#1237001 aka CVE-2025-1152 aka PR32576
  * bsc#1237003 aka CVE-2025-1151 aka PR32576
  * bsc#1237005 aka CVE-2025-1150 aka PR32576
  * bsc#1237018 aka CVE-2025-1178 aka PR32638
  * bsc#1237019 aka CVE-2025-1181 aka PR32643
  * bsc#1237020 aka CVE-2025-1180 aka PR32642
  * bsc#1237021 aka CVE-2025-1179 aka PR32640
  * bsc#1237042 aka CVE-2025-1182 aka PR32644
  * bsc#1240870 aka CVE-2025-3198 aka PR32716
  * bsc#1243756 aka CVE-2025-5244 aka PR32858
  * bsc#1243760 aka CVE-2025-5245 aka PR32829
  * bsc#1246481 aka CVE-2025-7545 aka PR33049
  * bsc#1246486 aka CVE-2025-7546 aka PR33050
  * bsc#1247114 aka CVE-2025-8224 aka PR32109
  * bsc#1247117 aka CVE-2025-8225 no PR
- Add these backport patches:
  * pr32556.diff for bsc#1236976 aka CVE-2025-1147 aka PR32556
  * pr33457.diff for bsc#1250632 aka CVE-2025-11083 aka PR33457
  * pr33452.diff for bsc#1251275 aka CVE-2025-11412 aka PR33452
  * pr33456.diff and pr33456-2.diff for bsc#1251276 aka CVE-2025-11413
    aka PR33456
  * pr33450.diff for bsc#1251277 aka CVE-2025-11414 aka PR33450
  * pr33499.diff for bsc#1251794 aka CVE-2025-11494 aka PR33499
  * pr33502.diff for bsc#1251795 aka CVE-2025-11495 aka PR33502
- Adjust binutils-disable-code-arch-error.diff,
  binutils-revert-nm-symversion.diff, binutils-revert-plt32-in-branches.diff,
  binutils-revert-rela.diff, binutils-skip-rpaths.patch
- Remove pr33029.patch (upstreamed), enable-targets-gold.diff (obsolete),
  binutils-2.43.tar.bz2.sig, binutils-2.43.tar.bz2,
  binutils-2.43-branch.diff.gz
- Add binutils-2.45.tar.bz2.sig, binutils-2.45.tar.bz2,
  binutils-2.45-branch.diff.gz
- Rename binutils-fix-branch.diff to binutils-fix-branch.diff.templ
  as long as it's empty.

- Skip PGO with %want_reproducible_builds (boo#1040589)

- pr33029.patch: Fix crash in assembler with -gdwarf-5

- Drop aarch64-common-pagesize.patch, aarch64 no longer uses 64K page size

- Add -std=gnu17 to move gcc15 forward, as temporary measure until
  the binutils version can be updated [bsc#1241916].

- Do not build binutils-gold for SLFO.

- Enable multitarget build on loongarch64

- Unset SUSE_ZNOW while running testsuite, many tests cannot cope
chrony
- bsc#1246544: Fix racy socket creation
  * Add chrony-unix-socket.patch
  * Add chrony-remove-chmod.patch
- Use make quickcheck to speed up the build.
cifs-utils
- Add patches:
  * 0001-cifs-utils-Skip-TGT-check-if-valid-service-ticket-is.patch (bsc#1248816)
  * 0001-setcifsacl-fix-memory-allocation-for-struct-cifs_ace.patch
  * 0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
  * 0001-cifs-utils-avoid-using-mktemp-when-updating-mtab.patch
  * 0001-cifs-utils-add-documentation-for-upcall_target.patch
  * 0001-cifs.upcall-fix-memory-leaks-in-check_service_ticket.patch
containerd
- Update to containerd v1.7.29. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.29>
  * CVE-2024-25621 bsc#1253126
  * CVE-2025-64329 bsc#1253132
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.28. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.28>
cups
- Adapted cups-2.2.7-CVE-2025-58436.patch according to
  https://github.com/OpenPrinting/cups/pull/1439
  "http.c: Fix infinite loop in GTK apps"
  which fixes the regression boo#1254353
  "Cups version 2.2.7-150000.3.77.1 will hang GTK applications"
  https://github.com/OpenPrinting/cups/issues/1429
  "CUPS 2.4.15 freezes apps requesting the GTK print dialog"

- cups-2.2.7-CVE-2025-61915.patch is based on
  https://github.com/OpenPrinting/cups-ghsa-hxm8-vfpq-jrfc/pull/2
  backported to CUPS 2.2.7 to fix CVE-2025-61915
  "Local denial-of-service via cupsd.conf update
  and related issues"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-hxm8-vfpq-jrfc
  bsc#1253783
- cups-2.2.7-CVE-2025-58436.patch mitigates CVE-2025-58436
  "Slow client communication leads to a possible DoS attack"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-8wpw-vfgm-qrrr
  (bsc#1244057)
- cups-2.2.7-bsc1234225c76.patch is from
  https://bugzilla.suse.com/show_bug.cgi?id=1234225#c76
  to fix bsc#1234225 "cupsd stuck in poll() loop"
  see also https://github.com/OpenPrinting/cups/issues/1264
- In general regarding CUPS security issues and/or DoS issues see
  https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
curl
- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch
docker
- Enable SELinux in default daemon.json config (--selinux-enabled). This has no
  practical impact on non-SELinux systems. bsc#1252290

- Update to Docker 28.5.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2851>
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Remove upstreamed patch:
  - 0007-Add-back-vendor.sum.patch

- Update to Docker 28.5.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2850>
- Backport <https://github.com/moby/moby/pull/51091> to re-add vendor.sum,
  fixing our builds.
  + 0007-Add-back-vendor.sum.patch
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

- Update to docker-buildx v0.29.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.29.0>

- Remove git-core recommends also on openSUSE: the below argument
  is valid for those users too.

- Remove git-core recommends on SLE. Most SLE systems have
  installRecommends=yes by default and thus end up installing git with Docker.
  bsc#1250508
  This feature is mostly intended for developers ("docker build git://") so
  most users already have the dependency installed, and the error when git is
  missing is fairly straightforward (so they can easily figure out what they
  need to install).

- Update to docker-buildx v0.28.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.28.0>
- Update to Docker 28.4.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2840>
  * Fixes a nil pointer panic in "docker push". bsc#1248373
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

- Update warnings and errors related to "docker buildx ..." so that they
  reference our openSUSE docker-buildx packages.
  + cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
  injection enabled. PED-12534 PED-8905 bsc#1247594
  As docker-buildx does not support our SUSEConnect secret injection (and some
  users depend on "docker build" working transparently), patch the docker CLI so
  that "docker build" will no longer automatically call "docker buildx build",
  effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
  manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
  to opt-in to using docker-buildx.
  Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
  explicitly.
  In order to inject SCC credentials with docker-buildx, users should use
    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
  in their Dockerfiles, and
    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
  when doing their builds.
  + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
elfutils
- Add elfutils-fix-large-alignment.diff and elfutils-pr28190.diff
  to fix build/testsuite for more recent glibc and kernels.
- Add elfutils-fuzz-1.diff, elfutils-fuzz-2.diff,
  elfutils-fuzz-3.diff, elfutils-fuzz-4.diff [bsc#1237236,
  bsc#1237240, bsc#1237241, bsc#1237242].
- Add elfutils-fix-debuginfod-groom-race.diff to fix a testsuite
  race in run-debuginfod-find.sh.
freetype2
- package FTL.TXT and GPLv2.TXT as %license [bsc#1252148]
glib2
- Add CVE fixes:
  + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch
    (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827).
  + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch,
    glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087
    glgo#GNOME/glib#3834).
  + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512
    glgo#GNOME/glib#3845).

- Add glib2-CVE-2025-7039.patch: fix computation of temporary file
  name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716).
gpg2
- Security fix: [bsc#1239119, CVE-2025-30258]
  * gpg: Lookup key for merging/inserting only by primary key.
  * gpg: Remove a signature check function wrapper.
  * gpg2: verification DoS due to a malicious subkey in the keyring
  * gpg: Fix regression for the recent malicious subkey
  * gpg: Fix another regression due to the T7547 fix.
  * gpg: Fix double free of internal data.
  * Add patches:
  - gnupg-CVE-2025-30258-Lookup-key-for-merging-inserting-only-by-primary-key.patch
  - gnupg-CVE-2025-30258-Remove-a-signature-check-function-wrapper.patch
  - gnupg-CVE-2025-30258-Fix-a-verification-DoS-due-to-a-malicious-subkey-in-the-keyring.patch
  - gnupg-CVE-2025-30258-Fix-regression-for-the-recent-malicious-subkey-DoS-fix.patch
  - gnupg-CVE-2025-30258-Fix-another-regression-due-to-the-T7547-fix.patch
  - gnupg-CVE-2025-30258-Fix-double-free-of-internal-data.patch
  * Remove unrecognized configure option: --enable-Werror
grub2
- Fix CVE-2025-54771 (bsc#1252931)
  * 0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
- Fix CVE-2025-61662 (bsc#1252933)
  * 0002-gettext-gettext-Unregister-gettext-command-on-module.patch
- Fix CVE-2025-61663 (bsc#1252934)
- Fix CVE-2025-61664 (bsc#1252935)
  * 0003-normal-main-Unregister-commands-on-module-unload.patch
  * 0004-tests-lib-functional_test-Unregister-commands-on-mod.patch
- Fix CVE-2025-61661 (bsc#1252932)
  * 0005-commands-usbtest-Use-correct-string-length-field.patch
  * 0006-commands-usbtest-Ensure-string-length-is-sufficient-.patch
- Bump upstream SBAT generation to 6
hdparm
- package LICENSE.TXT [bsc#1252151]
java-1_8_0-ibm
- Update to Java 8.0 Service Refresh 8 Fix Pack 55: [bsc#1252758]
  * Oracle October 21 2025 CPU (1.8.0_471):
  * Security fixes:
  - [bsc#1252414, CVE-2025-53057] Unauthenticated attacker can
    achieve unauthorized creation, deletion or modification
    access to critical data
  - [bsc#1252417, CVE-2025-53066] Unauthenticated attacker can
    achieve unauthorized access to critical data or complete access
  - [bsc#1252418, CVE-2025-61748] Unauthenticated attacker can
    achieve unauthorized update, insert or delete access to some
    resources

- Update to Java 8.0 Service Refresh 8 Fix Pack 51:
  * Defect Fixes:
    JIT Compiler: Busy hang in getAndSetObject
kernel-default
- scsi: storvsc: Prefer returning channel with the same CPU as
  on the I/O issuing CPU (bsc#1252267).
- uio_hv_generic: Let userspace take care of interrupt mask
  (CVE-2025-40048 bsc#1252862).
- commit 730af65

- sctp: Fix MAC comparison to be constant-time (CVE-2025-40204
  bsc#1253436).
- commit 7866d14

- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
  (CVE-2025-40121 bsc#1253367).
- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
  (CVE-2025-40154 bsc#1253431).
- commit 39cbf10

- Fix type signedness in fbcon_set_font() (bsc#1252033)
  The backport from bsc#1252033 failed because check_mul_overflow()
  did not handle differences in type signs. Use unsigned types for
  all calculations. Input arguments are unsigned anyway.
- commit e09ed3e

- scsi: target: iscsi: Fix buffer overflow in
  lio_target_nacl_info_show() (bsc#1251786 CVE-2023-53676).
- commit 85b8224

- mm/ksm: fix flag-dropping behavior in ksm_madvise
  (CVE-2025-40040 bsc#1252780).
- commit ef78c42

- KVM: arm64: Prevent access to vCPU events before init
  (bsc#1252919 CVE-2025-40102).
- commit 760ca7b

- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
  (bsc#1252904 CVE-2025-40088).
- commit 438a073

- Fixup build warning
  patches.suse/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch.
  Refresh
  patches.suse/fs-udf-fix-OOB-read-in-lengthAllocDescs-handling.patch
- commit df1ebe7

- kernel-subpackage-spec: Do not doubly-sign modules (bsc#1251930).
- commit 0f034b6

- udf: fix uninit-value use in udf_get_fileshortad (bsc#1252785
  CVE-2025-40044).
- commit 0ec48de

- fs: udf: fix OOB read in lengthAllocDescs handling (bsc#1252785 CVE-2025-40044).
- commit 2bd18d3

- pnode: terminate at peers of source (CVE-2022-50280 bsc#1249806)
- commit e4cf85f

- Update
  patches.suse/0032-blk-throttle-prevent-overflow-while-calculating-wait-time.patch
  (git-fixes CVE-2022-50580 bsc#1252542).
- Update
  patches.suse/0044-dm-thin-Fix-UAF-in-run_timer_softirq.patch
  (git-fixes CVE-2022-50563 bsc#1252480).
- Update
  patches.suse/ACPI-x86-s2idle-Catch-multiple-ACPI_TYPE_PACKAGE-obj.patch
  (git-fixes CVE-2023-53708 bsc#1252537).
- Update
  patches.suse/ASoC-audio-graph-card-fix-refcount-leak-of-cpu_ep-in.patch
  (git-fixes CVE-2022-50572 bsc#1252526).
- Update patches.suse/NFS-Fix-a-potential-data-corruption.patch
  (bsc#1211162 CVE-2023-53711 bsc#1252536).
- Update
  patches.suse/USB-gadget-Fix-the-memory-leak-in-raw_gadget-driver.patch
  (git-fixes CVE-2023-53693 bsc#1252489).
- Update
  patches.suse/arm64-csum-Fix-OoB-access-in-IP-checksum-code-for-ne.patch
  (git-fixes CVE-2023-53726 bsc#1252565).
- Update
  patches.suse/arm64-ftrace-fix-module-PLTs-with-mcount.patch
  (git-fixes CVE-2022-50579 bsc#1252521).
- Update
  patches.suse/blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch
  (bsc#1214992 CVE-2023-53730 bsc#1252495).
- Update
  patches.suse/class-fix-possible-memory-leak-in-__class_register.patch
  (git-fixes CVE-2022-50578 bsc#1252519).
- Update
  patches.suse/clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch
  (git-fixes CVE-2023-53704 bsc#1252490).
- Update
  patches.suse/clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch
  (git-fixes CVE-2022-50559 bsc#1252535).
- Update
  patches.suse/clocksource-drivers-cadence-ttc-Fix-memory-leak-in-t.patch
  (git-fixes CVE-2023-53725 bsc#1252492).
- Update
  patches.suse/drm-Fix-potential-null-ptr-deref-due-to-drmm_mode_co.patch
  (git-fixes CVE-2022-50556 bsc#1252529).
- Update
  patches.suse/drm-amdgpu-disable-sdma-ecc-irq-only-when-sdma-RAS-i.patch
  (git-fixes CVE-2023-53723 bsc#1252634).
- Update
  patches.suse/drm-meson-explicitly-remove-aggregate-driver-at-modu.patch
  (git-fixes CVE-2022-50560 bsc#1252568).
- Update patches.suse/drm-omap-dss-Fix-refcount-leak-bugs.patch
  (git-fixes CVE-2022-50574 bsc#1252516).
- Update
  patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch
  (bsc#1213098 CVE-2023-53692 bsc#1252515).
- Update
  patches.suse/fs-jfs-fix-shift-out-of-bounds-in-dbAllocAG.patch
  (git-fixes CVE-2022-50567 bsc#1252486).
- Update patches.suse/hfs-fix-OOB-Read-in-__hfs_brec_find.patch
  (git-fixes CVE-2022-50581 bsc#1252549).
- Update
  patches.suse/iio-fix-memory-leak-in-iio_device_register_eventset.patch
  (git-fixes CVE-2022-50561 bsc#1252474).
- Update
  patches.suse/md-raid1-fix-potential-OOB-in-raid1_remove_disk-8b04.patch
  (git-fixes CVE-2023-53722 bsc#1252499).
- Update
  patches.suse/media-max9286-Fix-memleak-in-max9286_v4l2_register.patch
  (git-fixes CVE-2023-53700 bsc#1252522).
- Update
  patches.suse/mfd-pcf50633-adc-Fix-potential-memleak-in-pcf50633_a.patch
  (git-fixes CVE-2023-53724 bsc#1252497).
- Update
  patches.suse/mtd-Fix-device-name-leak-when-register-device-failed.patch
  (git-fixes CVE-2022-50566 bsc#1252484).
- Update
  patches.suse/platform-chrome-fix-memory-corruption-in-ioctl.patch
  (git-fixes CVE-2022-50570 bsc#1252475).
- Update
  patches.suse/regulator-core-Prevent-integer-underflow.patch
  (git-fixes CVE-2022-50582 bsc#1252476).
- Update
  patches.suse/ring-buffer-Do-not-swap-cpu_buffer-during-resize-process.patch
  (git-fixes CVE-2023-53718 bsc#1252564).
- Update
  patches.suse/ring-buffer-Handle-race-between-rb_move_tail-and-rb_check_pages.patch
  (git-fixes CVE-2023-53709 bsc#1252532).
- Update
  patches.suse/s390-netiucv-Fix-return-type-of-netiucv_tx.patch
  (git-fixes bsc#1211692 CVE-2022-50564 bsc#1252538).
- Update
  patches.suse/scsi-qla2xxx-Fix-memory-leak-in-qla2x00_probe_one.patch
  (git-fixes CVE-2023-53696 bsc#1252513).
- Update
  patches.suse/scsi-ses-Fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
  (git-fixes CVE-2023-7324 bsc#1252893).
- Update
  patches.suse/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
  (git-fixes CVE-2023-53719 bsc#1252501).
- Update
  patches.suse/serial-pch-Fix-PCI-device-refcount-leak-in-pch_reque.patch
  (git-fixes CVE-2022-50576 bsc#1252508).
- Update
  patches.suse/tpm-acpi-Call-acpi_put_table-to-fix-memory-leak.patch
  (git-fixes CVE-2022-50562 bsc#1252528).
- Update
  patches.suse/udf-Detect-system-inodes-linked-into-directory-hiera.patch
  (bsc#1213114 CVE-2023-53695 bsc#1252539).
- Update
  patches.suse/usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch
  (git-fixes CVE-2022-50568 bsc#1252523).
- Update
  patches.suse/wifi-ath9k-Fix-potential-stack-out-of-bounds-write-i.patch
  (git-fixes CVE-2023-53717 bsc#1252560).
- Update
  patches.suse/wifi-brcmfmac-cfg80211-Pass-the-PMK-in-binary-instea.patch
  (git-fixes CVE-2023-53715 bsc#1252545).
- Update
  patches.suse/xen-privcmd-Fix-a-possible-warning-in-privcmd_ioctl_.patch
  (git-fixes CVE-2022-50575 bsc#1252509).
- Update
  patches.suse/xfrm-xfrm_alloc_spi-shouldn-t-use-0-as-SPI.patch
  (CVE-2025-39797 bsc#1249608 CVE-2025-39965 bsc#1251967).
- commit a20baaf

- cnic: Fix use-after-free bugs in cnic_delete_task
  (CVE-2025-39945 bsc#1251230).
- commit cf588ad

- fbcon: Fix OOB access in font allocation (bsc#1252033)
- commit 9b4c3c9

- fbcon: fix integer overflow in fbcon_do_set_font (bsc#1252033 CVE-2025-39967)
- commit 1b6fabe

- ipv6: Fix out-of-bounds access in ipv6_find_tlv()
  (CVE-2023-53705 bsc#1252554).
- commit 687e17e

- ipvs: Defer ip_vs_ftp unregister during netns cleanup
  (CVE-2025-40018 bsc#1252688).
- commit c7af0e8

- i40e: add max boundary check for VF filters (CVE-2025-39968
  bsc#1252047).
- i40e: add validation for ring_len param (CVE-2025-39973
  bsc#1252035).
- commit 633f8e2

- Revert "e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898"
  This reverts commit 379b618bf55370d4841c5198a0b5f351835122f9.
- commit e1cd1f0

- Revert "Refresh"
  This reverts commit 9ad8cd50b6445581168619320b0c733a628c00ff.
- commit 329ba12

- octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
  (CVE-2025-39978 bsc#1252069).
- commit 54a21ef

- ip_vti: fix potential slab-use-after-free in decode_session6
  (CVE-2023-53559 bsc#1251052).
- commit 0ec7a1a

- net: hv_netvsc: fix loss of early receive events from host during channel open (bsc#1252265).
- commit 784eeba

- hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
  (CVE-2022-50334 bsc#1249857).
- commit 706d0a6

- Refresh
  patches.suse/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch.
  Fix the following warning:
  drivers/net/ethernet/intel/e1000e/ethtool.c: In function 'e1000_set_eeprom':
  include/linux/overflow.h:61:15: warning: comparison of distinct pointer types lacks a cast
  drivers/net/ethernet/intel/e1000e/ethtool.c:575:6: note: in expansion of macro 'check_add_overflow'
- commit 9ad8cd5

- doc/README.SUSE: Correct the character used for TAINT_NO_SUPPORT
  The character was previously 'N', but upstream used it for TAINT_TEST,
  which prompted the change of TAINT_NO_SUPPORT to 'n'. This occurred in
  commit c35dc3823d08 ("Update to 6.0-rc1") on master and in d016c04d731d
  ("Bump to 6.4 kernel (jsc#PED-4593)") for SLE15-SP6 (and onwards).
  Update the documentation to reflect this change.
- commit f42ecf5

- ip6mr: Fix skb_under_panic in ip6mr_cache_report()
  (CVE-2023-53365 bsc#1249988).
- commit fe685ad

- mm: avoid unnecessary page fault retires on shared memory types
  (bsc#1251823).
- commit fe04619

- Update
  patches.suse/bcache-Fix-__bch_btree_node_alloc-to-make-the-failur-80fc.patch
  (git-fixes CVE-2023-53681 bsc#1251769).
- Update
  patches.suse/dm-integrity-call-kmem_cache_destroy-in-dm_integrity-6b79.patch
  (git-fixes CVE-2023-53604 bsc#1251210).
- Update
  patches.suse/null_blk-Always-check-queue-mode-setting-from-config-63f8.patch
  (git-fixes CVE-2023-53576 bsc#1251064).
- commit 073fcdc

- Update patches.suse/0046-dm-cache-Fix-UAF-in-destroy.patch
  (git-fixes CVE-2022-50496 bsc#1251091).
- Update
  patches.suse/0048-dm-thin-Fix-ABBA-deadlock-between-shrink_slab-and-dm_pool_abort_metadata.patch
  (git-fixes CVE-2022-50549 bsc#1251550).
- Update
  patches.suse/0052-dm-thin-Use-last-transaction-s-pmd-root-when-commit-failed.patch
  (git-fixes CVE-2022-50534 bsc#1251292).
- Update
  patches.suse/0053-block-bfq-fix-possible-uaf-for-bfqq-bic.patch
  (git-fixes CVE-2022-50488 bsc#1251201).
- Update
  patches.suse/ALSA-ac97-Fix-possible-NULL-dereference-in-snd_ac97_.patch
  (git-fixes CVE-2023-53648 bsc#1251750).
- Update
  patches.suse/ALSA-usb-audio-Fix-potential-memory-leaks.patch
  (git-fixes CVE-2022-50484 bsc#1251115).
- Update
  patches.suse/ALSA-ymfpci-Fix-BUG_ON-in-probe-function.patch
  (git-fixes CVE-2023-53607 bsc#1251136).
- Update
  patches.suse/ARM-dts-exynos-Use-Exynos5420-compatible-for-the-MIP.patch
  (git-fixes CVE-2023-53542 bsc#1251154).
- Update
  patches.suse/ASoC-lpass-Fix-for-KASAN-use_after_free-out-of-bound.patch
  (git-fixes CVE-2023-53640 bsc#1251327).
- Update
  patches.suse/IB-mad-Don-t-call-to-function-that-might-sleep-while-in-atomic-context.patch
  (git-fixes CVE-2022-50472 bsc#1251101).
- Update
  patches.suse/Input-exc3000-properly-stop-timer-on-shutdown.patch
  (git-fixes CVE-2023-53651 bsc#1251753).
- Update
  patches.suse/Input-raspberrypi-ts-fix-refcount-leak-in-rpi_ts_pro.patch
  (git-fixes CVE-2023-53533 bsc#1251080).
- Update
  patches.suse/NFSD-Avoid-calling-OPDESC-with-ops-opnum-OP_ILLEGAL.patch
  (git-fixes CVE-2023-53680 bsc#1251767).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
  (bsc#1205128 CVE-2022-43945 CVE-2022-50487 bsc#1251208).
- Update
  patches.suse/RDMA-core-Make-sure-ib_port-is-valid-when-access-sys.patch
  (git-fixes CVE-2022-50475 bsc#1251104).
- Update
  patches.suse/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch
  (git-fixes CVE-2022-50497 bsc#1251223).
- Update
  patches.suse/blk-mq-fix-null-pointer-dereference-in-blk_mq_clear_.patch
  (bsc#1217366 CVE-2022-50530 bsc#1251299).
- Update
  patches.suse/cifs-fix-mid-leak-during-reconnection-after-timeout-threshold.patch
  (git-fixes CVE-2023-53597 bsc#1251159).
- Update
  patches.suse/clk-Fix-memory-leak-in-devm_clk_notifier_register.patch
  (git-fixes CVE-2023-53674 bsc#1251764).
- Update
  patches.suse/clk-imx-scu-use-_safe-list-iterator-to-avoid-a-use-a.patch
  (git-fixes CVE-2023-53572 bsc#1251027).
- Update
  patches.suse/clk-rockchip-Fix-memory-leak-in-rockchip_clk_registe.patch
  (git-fixes CVE-2022-50523 bsc#1251306).
- Update
  patches.suse/dmaengine-ti-k3-udma-Reset-UDMA_CHAN_RT-byte-counter.patch
  (git-fixes CVE-2022-50541 bsc#1251519).
- Update
  patches.suse/driver-core-fix-resource-leak-in-device_add.patch
  (git-fixes CVE-2023-53594 bsc#1251166).
- Update patches.suse/drm-amd-display-Fix-memory-leakage.patch
  (git-fixes CVE-2023-53605 bsc#1251149).
- Update
  patches.suse/drm-amd-display-Fix-potential-null-deref-in-dm_resum.patch
  (git-fixes CVE-2022-50535 bsc#1251331).
- Update patches.suse/drm-amdkfd-Fix-memory-leakage.patch
  (git-fixes CVE-2022-50528 bsc#1251303).
- Update
  patches.suse/drm-i915-Make-intel_get_crtc_new_encoder-less-oopsy.patch
  (git-fixes CVE-2023-53571 bsc#1251032).
- Update
  patches.suse/drm-i915-gvt-fix-vgpu-debugfs-clean-in-remove.patch
  (git-fixes CVE-2023-53625 bsc#1251324).
- Update
  patches.suse/drm-i915-mark-requests-for-GuC-virtual-engines-to-av.patch
  (git-fixes CVE-2023-53552 bsc#1251065).
- Update
  patches.suse/drm-mediatek-mtk_drm_crtc-Add-checks-for-devm_kcallo.patch
  (git-fixes CVE-2023-53534 bsc#1251082).
- Update
  patches.suse/drm-mipi-dsi-Detach-devices-when-removing-the-host.patch
  (git-fixes CVE-2022-50489 bsc#1251169).
- Update
  patches.suse/drm-msm-fix-use-after-free-on-probe-deferral.patch
  (git-fixes CVE-2022-50492 bsc#1251087).
- Update
  patches.suse/drm-radeon-Fix-PCI-device-refcount-leak-in-radeon_at.patch
  (git-fixes CVE-2022-50520 bsc#1251310).
- Update patches.suse/eth-alx-take-rtnl_lock-on-resume.patch
  (git-fixes CVE-2022-50498 bsc#1251092).
- Update
  patches.suse/ext4-add-EXT4_IGET_BAD-flag-to-prevent-unexpected-ba.patch
  (bsc#1207619 CVE-2022-50485 bsc#1251197).
- Update
  patches.suse/ext4-fix-memory-leaks-in-ext4_fname_-setup_filename-.patch
  (bsc#1214954 CVE-2023-53662 bsc#1251282).
- Update
  patches.suse/ext4-fix-possible-double-unlock-when-moving-a-direct.patch
  (bsc#1210763 CVE-2023-53626 bsc#1251775).
- Update
  patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_reg.patch
  (bsc#1207612 CVE-2022-50512 bsc#1251296).
- Update
  patches.suse/ext4-fix-uninititialized-value-in-ext4_evict_inode.patch
  (bsc#1206893 CVE-2022-50546 bsc#1251723).
- Update
  patches.suse/fbdev-omapfb-lcd_mipid-Fix-an-error-handling-path-in.patch
  (git-fixes CVE-2023-53650 bsc#1251283).
- Update
  patches.suse/firmware-raspberrypi-fix-possible-memory-leak-in-rpi.patch
  (git-fixes CVE-2022-50537 bsc#1251294).
- Update
  patches.suse/fs-hfsplus-remove-WARN_ON-from-hfsplus_cat_-read-write-_inode.patch
  (git-fixes CVE-2023-53683 bsc#1251329).
- Update
  patches.suse/gfs2-Fix-possible-data-races-in-gfs2_show_options.patch
  (git-fixes CVE-2023-53622 bsc#1251777).
- Update patches.suse/gpio-mvebu-fix-irq-domain-leak.patch
  (git-fixes CVE-2023-53579 bsc#1251170).
- Update
  patches.suse/gpio-sifive-Fix-refcount-leak-in-sifive_gpio_probe.patch
  (git-fixes CVE-2023-53592 bsc#1251147).
- Update
  patches.suse/hwmon-coretemp-Simplify-platform-device-handling.patch
  (git-fixes CVE-2023-53612 bsc#1251218).
- Update
  patches.suse/iavf-Fix-out-of-bounds-when-setting-channels-on-remo.patch
  (git-fixes CVE-2023-53659 bsc#1251247).
- Update patches.suse/iavf-Fix-use-after-free-in-free_netdev.patch
  (git-fixes CVE-2023-53556 bsc#1251059).
- Update
  patches.suse/iommu-amd-Fix-pci-device-refcount-leak-in-ppr_notifier
  (git-fixes CVE-2022-50505 bsc#1251086).
- Update
  patches.suse/iommu-fsl_pamu-Fix-resource-leak-in-fsl_pamu_probe
  (git-fixes CVE-2022-50525 bsc#1251302).
- Update
  patches.suse/iommu-vt-d-Clean-up-si_domain-in-the-init_dmars-error-path
  (git-fixes CVE-2022-50482 bsc#1251133).
- Update patches.suse/ipmi_si-fix-a-memleak-in-try_smi_init.patch
  (git-fixes CVE-2023-53611 bsc#1251123).
- Update
  patches.suse/jfs-fix-invalid-free-of-JFS_IP-ipimap-i_imap-in-diUnmount.patch
  (git-fixes CVE-2023-53616 bsc#1251215).
- Update
  patches.suse/lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch
  (git-fixes CVE-2022-50511 bsc#1251527).
- Update
  patches.suse/media-coda-Add-check-for-dcoda_iram_alloc.patch
  (git-fixes CVE-2022-50501 bsc#1251099).
- Update patches.suse/media-coda-Add-check-for-kmalloc.patch
  (git-fixes CVE-2022-50509 bsc#1251522).
- Update
  patches.suse/media-dvb-core-Fix-double-free-in-dvb_register_devic.patch
  (git-fixes CVE-2022-50499 bsc#1251093).
- Update
  patches.suse/media-i2c-ov772x-Fix-memleak-in-ov772x_probe.patch
  (git-fixes CVE-2023-53637 bsc#1251326).
- Update patches.suse/media-radio-shark-Add-endpoint-checks.patch
  (git-fixes CVE-2023-53644 bsc#1251736).
- Update
  patches.suse/media-si470x-Fix-use-after-free-in-si470x_int_in_cal.patch
  (git-fixes CVE-2022-50542 bsc#1251330).
- Update
  patches.suse/memory-pl353-smc-Fix-refcount-leak-bug-in-pl353_smc_.patch
  (git-fixes CVE-2022-50480 bsc#1251047).
- Update
  patches.suse/msft-hv-2831-HID-hyperv-avoid-struct-memcpy-overrun-warning.patch
  (git-fixes CVE-2023-53553 bsc#1251068).
- Update
  patches.suse/mtd-lpddr2_nvm-Fix-possible-null-ptr-deref.patch
  (git-fixes CVE-2022-50503 bsc#1251097).
- Update
  patches.suse/mtd-rawnand-brcmnand-Fix-potential-out-of-bounds-acc.patch
  (git-fixes CVE-2023-53541 bsc#1251043).
- Update
  patches.suse/net-cdc_ncm-Deal-with-too-low-values-of-dwNtbOutMaxS.patch
  (git-fixes CVE-2023-53667 bsc#1251761).
- Update
  patches.suse/net-usbnet-Fix-WARNING-in-usbnet_start_xmit-usb_subm.patch
  (git-fixes CVE-2023-53548 bsc#1251066).
- Update
  patches.suse/netfilter-nft_set_rbtree-fix-null-deref-on-element-inserti.patch
  (CVE-2023-52923 bsc#1236104 CVE-2023-53566 bsc#1251040).
- Update
  patches.suse/nilfs2-fix-potential-UAF-of-struct-nilfs_sc_info-in-.patch
  (git-fixes CVE-2023-53608 bsc#1251178).
- Update
  patches.suse/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch
  (git-fixes CVE-2022-50478 bsc#1251200).
- Update
  patches.suse/nilfs2-replace-WARN_ONs-by-nilfs_error-for-checkpoin.patch
  (git-fixes CVE-2022-50519 bsc#1251295).
- Update patches.suse/nvme-core-fix-dev_pm_qos-memleak.patch
  (git-fixes CVE-2023-53670 bsc#1251762).
- Update
  patches.suse/ocfs2-fix-defrag-path-triggering-jbd2-ASSERT.patch
  (git-fixes CVE-2023-53564 bsc#1251072).
- Update
  patches.suse/platform-x86-dell-sysman-Fix-reference-leak.patch
  (git-fixes CVE-2023-53631 bsc#1251529).
- Update
  patches.suse/platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch
  (git-fixes CVE-2022-50521 bsc#1251312).
- Update
  patches.suse/powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch
  (bsc#1065729 CVE-2022-50504 bsc#1251182).
- Update patches.suse/r6040-Fix-kmemleak-in-probe-and-remove.patch
  (git-fixes CVE-2022-50545 bsc#1251285).
- Update
  patches.suse/ring-buffer-Fix-deadloop-issue-on-reading-trace_pipe.patch
  (git-fixes CVE-2023-53668 bsc#1251286).
- Update
  patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch
  (git-fixes CVE-2023-53587 bsc#1251128).
- Update
  patches.suse/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
  (git-fixes bsc#1215148 CVE-2023-53568 bsc#1251035).
- Update
  patches.suse/scsi-mpt3sas-Fix-possible-resource-leaks-in-mpt3sas_transport_port_add.patch
  (git-fixes CVE-2022-50532 bsc#1251300).
- Update
  patches.suse/scsi-qla2xxx-Avoid-fcport-pointer-dereference.patch
  (bsc#1213747 CVE-2023-53603 bsc#1251180).
- Update
  patches.suse/scsi-qla2xxx-Fix-crash-when-I-O-abort-times-out.patch
  (jsc#PED-568 CVE-2022-50493 bsc#1251088).
- Update
  patches.suse/scsi-qla2xxx-Fix-deletion-race-condition.patch
  (bsc#1213747 CVE-2023-53615 bsc#1251113).
- Update
  patches.suse/scsi-ses-Fix-possible-desc_ptr-out-of-bounds-accesses.patch
  (git-fixes CVE-2023-53675 bsc#1251325).
- Update
  patches.suse/soc-aspeed-socinfo-Add-kfree-for-kstrdup.patch
  (git-fixes CVE-2023-53617 bsc#1251268).
- Update
  patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
  (git-fixes CVE-2023-53658 bsc#1251759).
- Update
  patches.suse/spi-qup-Don-t-skip-cleanup-in-remove-s-error-path.patch
  (git-fixes CVE-2023-53567 bsc#1251034).
- Update
  patches.suse/staging-ks7010-potential-buffer-overflow-in-ks_wlan_.patch
  (git-fixes CVE-2023-53554 bsc#1251057).
- Update
  patches.suse/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
  (git-fixes CVE-2022-50513 bsc#1251730).
- Update
  patches.suse/test_firmware-fix-memory-leak-in-test_firmware_init.patch
  (git-fixes CVE-2022-50529 bsc#1251298).
- Update
  patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch
  (git-fixes CVE-2022-50494 bsc#1251173).
- Update
  patches.suse/tracing-hist-Fix-out-of-bound-write-on-action_data.var_ref_idx.patch
  (git-fixes CVE-2022-50553 bsc#1251281).
- Update
  patches.suse/tracing-histograms-Add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
  (git-fixes CVE-2023-53560 bsc#1251045).
- Update
  patches.suse/tty-serial-samsung_tty-Fix-a-memory-leak-in-s3c24xx_-832e231cff47.patch
  (git-fixes CVE-2023-53687 bsc#1251772).
- Update
  patches.suse/usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch
  (git-fixes CVE-2022-50514 bsc#1251737).
- Update
  patches.suse/usb-gadget-u_serial-Add-null-pointer-check-in-gseria.patch
  (git-fixes CVE-2023-53551 bsc#1251063).
- Update
  patches.suse/usb-host-xhci-Fix-potential-memory-leak-in-xhci_allo.patch
  (git-fixes CVE-2022-50544 bsc#1251725).
- Update
  patches.suse/wifi-ath6kl-reduce-WARN-to-dev_dbg-in-callback.patch
  (git-fixes CVE-2023-53639 bsc#1251521).
- Update
  patches.suse/wifi-ath9k-hif_usb-fix-memory-leak-of-remain_skbs.patch
  (git-fixes CVE-2023-53641 bsc#1251728).
- Update
  patches.suse/wifi-brcmfmac-Fix-potential-shift-out-of-bounds-in-b.patch
  (git-fixes CVE-2022-50551 bsc#1251322).
- Update
  patches.suse/wifi-brcmfmac-ensure-CLM-version-is-null-terminated-.patch
  (git-fixes CVE-2023-53582 bsc#1251061).
- Update
  patches.suse/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
  (git-fixes CVE-2023-53589 bsc#1251129).
- Update patches.suse/wifi-mt7601u-fix-an-integer-underflow.patch
  (git-fixes CVE-2023-53679 bsc#1251785).
- Update patches.suse/xen-gntdev-Accommodate-VMA-splitting.patch
  (git-fixes CVE-2022-50471 bsc#1251110).
- Update
  patches.suse/xhci-Remove-device-endpoints-from-bandwidth-list-whe.patch
  (git-fixes CVE-2022-50470 bsc#1251202).
- commit 043e2c3

- netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
  (CVE-2023-53619 bsc#1251743).
- commit 7ac9023

- xfrm: fix slab-use-after-free in decode_session6 (CVE-2023-53500
  bsc#1250816).
- commit a6d416d

- e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898
  bsc#1250742).
- commit 379b618

- Refresh
  patches.suse/netfilter-nf_tables-reject-duplicate-device-on-updates.patch.
  Fix warning:
  * unused-variable (nft_net) in ../net/netfilter/nf_tables_api.c in nf_tables_updchain
  ../net/netfilter/nf_tables_api.c: In function 'nf_tables_updchain':
  ../net/netfilter/nf_tables_api.c:2348:26: warning: unused variable 'nft_net' [-Wunused-variable]
- commit 2ca55c8

- fs: dlm: fix invalid derefence of sb_lvbptr (bsc#1251741
  CVE-2022-50516).
- commit 329a4e4

- Bluetooth: hci_event: call disconnect callback before deleting
  conn (CVE-2023-53673 bsc#1251763).
- commit 0293ef5

- bpf: Propagate error from htab_lock_bucket() to userspace
  (CVE-2022-50490 bsc#1251164).
- commit f2d82dc

- ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (CVE-2022-50327 bsc#1249859)
- commit 2911a91
kmod
- man: modprobe.d: document the config file order handling (bsc#1253741)
  * man-modprobe.d-document-the-config-file-order-handling.patch
krb5
- Remove des3-cbc-sha1 and arcfour-hmac-md5 from permitted
  enctypes unless new special options "allow_des3" or "allow_rc4"
  are set; (CVE-2025-3576); (bsc#1241219).
- Add patch 0015-CVE-2025-3576.patch
mozilla-nss
- Add bmo1990242.patch to move NSS DB password hash away from SHA-1

- update to NSS 3.112.2
  * bmo#1970079 - Prevent leaks during pkcs12 decoding.
  * bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates
- Adding patch bmo1980465.patch to fix bug on s390x (bmo#1980465)
- Adding patch bmo1956754.patch to fix possible undefined behaviour (bmo#1956754)

- update to NSS 3.112.1
  * bmo#1982742 - restore support for finding certificates by decoded serial number.
gnutls
- Security fix bsc#1254132 CVE-2025-9820
  * Fix buffer overflow in gnutls_pkcs11_token_init
  * Added gnutls-CVE-2025-9820.patch
pciutils
- pciutils.spec: Add a strict dependency to libpci. [bsc#1252338]
  Mixing different versions of pciutils and libpci could result in
  a segmentation fault due to incompatible ABI.

- Synchronize SLE-12 and openSUSE:Factory [jsc#PED-4587].
  The following patches are now obsolete in version 3.13.0:
  * add-decoding-of-vendor-specific-vpd-fields.patch
  * pciutils-3.1.7-fix-memory-leak-in-get_cache_name.patch
  * pciutils-3.2.0_update-dist.patch
  * pciutils-3.5.1-add-support-for-32-bit-pci-domains.patch
  * pciutils-lspci-Correct-Root-Capabilities-CRS-Software-Visibil.patch
  * show-gen4-speed-properly.patch

- Synchronize SLE-15 and openSUSE:Factory [jsc#PED-8393, bsc#1224138].
  The following patches are now obsolete in version 3.13.0:
  * lspci-Fixed-buffer-overflows-in-ls-tree.c.patch
  * pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch
  * pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch
  * pciutils-Add-decoding-of-vendor-specific-VPD-fields.patch
  * pciutils-VPD-Cleanup.patch
  * pciutils-VPD-When-printing-item-IDs-escape-non-ASCII-characte.patch

- update to 3.13.0:
  * lspci decodes CXL 1.1 device link status information.
  * Further development of the pcilmr (the link margining
    utility)
  * Dump parsing supports 6-digit domain numbers.
  * Bug fixes in PCIe link state reporting.
  * Decode more fields in PCIe AER capability.
  * Fixed build on Linux systems with musl libc.
  * Updated pci.ids.

- update to 3.12.0:
  * lspci decodes the IDE (Integrity & Data Encryption) and
    TEE-IO extended capabilities.
  * Optimization flags used for compiling individual object files
    should be the same as optimization flags for linking the final
    executable to make link-time optimization possible.
  * no longer look up subsystems in the HWDB
  * Updated pci.ids
- include changes from 3.11:
  * update-pciids now supports XZ compression
  * update-pciids now sends itself as the User-Agent.
  * Added a pcilmr utility for PCIe lane margining
  * ECAM back-end now scans ACPI and BIOS memory faster.
  * Linux systems without pread/pwrite are no longer supported
  * Improved decoding of PCIe control and status registers.
  * Decoding of CXL capabilities now supports up to CXL 3.0.
  * lspci now displays interrupt message numbers consistently across
    different capabilities.
  * Cache of IDs resolved via DNS, which was located in ~/.pci-ids
    by default, is now stored according to the XDG base directory
    specification in $XDG_CACHE_HOME/pci-ids.
  * All source files now have SPDX license identifiers.
  * various minor bug fixes and updated pci.ids.
libpng12
- security update
- modified patches
  * libpng-1.2.51-CVE-2013-7353.patch (-p1)
  * libpng-1.2.51-CVE-2013-7354.patch (-p1)
- added patches
  CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
  * libpng12-CVE-2025-64505.patch
libpng16
- security update
- added patches
  CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite
  * libpng16-CVE-2025-66293-1.patch
  * libpng16-CVE-2025-66293-2.patch

- security update
- added patches
  CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
  * libpng16-CVE-2025-64505.patch
  CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled
  * libpng16-CVE-2025-64506.patch
  CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
  * libpng16-CVE-2025-64720.patch
  CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
  * libpng16-CVE-2025-65018.patch
python311
- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- Update to 3.11.14:
  - Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible data”
    if there are no bytes prepended to the ZIP file
    (CVE-2025-8291, bsc#1251305).
  - gh-139400: xml.parsers.expat: Make sure that parent Expat
    parsers are only garbage-collected once they are no longer
    referenced by subparsers created by
    ExternalEntityParserCreate(). Patch by Sebastian Pipping.
  - gh-135661: Fix parsing start and end tags in
    html.parser.HTMLParser according to the HTML5 standard.
  * Whitespaces no longer accepted between </ and the tag name. E.g.
    </ script> does not end the script section.
  * Vertical tabulation (\v) and non-ASCII whitespaces no longer
    recognized as whitespaces. The only whitespaces are \t\n\r\f and
    space.
  * Null character (U+0000) no longer ends the tag name.
  * Attributes and slashes after the tag name in end tags are now
    ignored, instead of terminating after the first > in quoted
    attribute value. E.g. </script/foo=">"/>.
  * Multiple slashes and whitespaces between the last attribute and
    closing > are now ignored in both start and end tags. E.g. <a
    foo=bar/ //>.
  * Multiple = between attribute name and value are no longer
    collapsed. E.g. <a foo==bar> produces attribute “foo” with value
    “=bar”.
  - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
    according to the HTML5 standard: ] ]> and ]] > no longer end the
    CDATA section. Add private method _set_support_cdata() which can
    be used to specify how to parse <[CDATA[ — as a CDATA section in
    foreign content (SVG or MathML) or as a bogus comment in the
    HTML namespace.
  - gh-102555: Fix comment parsing in html.parser.HTMLParser
    according to the HTML5 standard. --!> now ends the comment. -- >
    no longer ends the comment. Support abnormally ended empty
    comments <--> and <--->.
  - gh-135462: Fix quadratic complexity in processing specially
    crafted input in html.parser.HTMLParser. End-of-file errors are
    now handled according to the HTML5 specs – comments and
    declarations are automatically closed, tags are ignored.
  - gh-118350: Fix support of escapable raw text mode (elements
    “textarea” and “title”) in html.parser.HTMLParser.
  - gh-86155: html.parser.HTMLParser.close() no longer loses data
    when the <script> tag is not closed. Patch by Waylan Limberg.
  - Library
  - gh-139312: Upgrade bundled libexpat to 2.7.3
  - gh-138998: Update bundled libexpat to 2.7.2
  - gh-130577: tarfile now validates archives to ensure member
    offsets are non-negative. (Contributed by Alexander Enrique
    Urieles Nieto in gh-130577.)
  - gh-135374: Update the bundled copy of setuptools to 79.0.1.
- Drop upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (>=0.22) gh#python/cpython#139257

- Drop AppStream buildrequires and don't run appstreamcli validate
  as part of the build process: the appdata.xml is not updated by
  source directly, so we have more control. Having AppStream or the
  deprecated appstream-glib results in a build cycle.

- Require AppStream to validate appdata file instead of deprecated
  appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
python3
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, using
  Content-Length by default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch to prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch to protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Skip test_curses on ppc64le (gh#python/cpython#141534)

- Add CVE-2025-8291-consistency-zip64.patch, which checks
  consistency of the zip64 end of central directory record and
  prevents obfuscation of the payload, i.e., scanning for
  malicious content in a ZIP file with one ZIP parser (let's say
  a Rust one), then unpacking it in production with another (e.g.,
  the Python one) and getting malicious content that the other parser
  did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
  - F00251-change-user-install-location.patch
  - doc-py38-to-py36.patch
  - gh126985-mv-pyvenv.cfg2getpath.patch
ruby2.5
- add limit-decompressed-name-length.patch
  - fix ruby: denial of service (DoS) due to an insufficient check
    on the length of a decompressed domain name within a DNS packet
    in resolv gem
    bsc#1246430 CVE-2025-24294
libssh
- Security fix: [CVE-2025-8277, bsc#1249375]
  * Memory Exhaustion via Repeated Key Exchange
  * Add patches:
  - libssh-CVE-2025-8277-packet-Adjust-packet-filter-to-work-wh.patch
  - libssh-CVE-2025-8277-Fix-memory-leak-of-unused-ephemeral-ke.patch
  - libssh-CVE-2025-8277-ecdh-Free-previously-allocated-pubkeys.patch

- Security fix: [CVE-2025-8114, bsc#1246974]
  * NULL pointer dereference when calculating session ID during KEX
  * Add libssh-CVE-2025-8114.patch
tiff
- security update:
  * CVE-2025-9900 [bsc#1250413]
    Fix Write-What-Where in libtiff via TIFFReadRGBAImageOriented
    + tiff-CVE-2025-9900.patch
libxml2
- security update
- added patches
  CVE-2025-9714 [bsc#1249076], Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c
  * libxml2-CVE-2025-9714.patch

- security update
- added patches
  CVE-2025-8732 [bsc#1247850], infinite recursion in catalog parsing functions when processing malformed SGML catalog files
  * libxml2-CVE-2025-8732.patch
libxslt
- security update
- added patches
  CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultComp function leading to denial of service
  * libxslt-CVE-2025-11731.patch

- propagate test failure into build failure
- added sources
  * libxslt-test-results.ref

- security update
- added patches
  CVE-2025-10911 [bsc#1250553], use-after-free with key data stored cross-RVT
  * libxslt-CVE-2025-10911.patch
mozilla-nspr
- update to NSPR 4.36.2
  * Fixed a syntax error in test file parsetm.c,
    which was introduced in 4.36.1
- update to NSPR 4.36.1
  * Incorrect time value produced by PR_ParseTimeString and
    PR_ParseTimeStringToExplodedTime if input string doesn't
    specify seconds.
openssh
- Add openssh-cve-2025-61984-username-validation.patch
  (bsc#1251198, CVE-2025-61984).
- Add openssh-cve-2025-61985-nul-url-encode.patch
  (bsc#1251199, CVE-2025-61985).
python-azure-agent
- Update to version 2.14.0.1 (bsc#1253001)
  + Drop - included upstream
    ~ agent-btrfs-use-f.patch included upstream
    ~ remove-mock.patch
  + FIPS 140-3 support
  + Block extensions disallowed by policy
  + Report ext policy errors in heartbeat
  + Implement signature validation helper functions
  + Prevent ssh public key override
  + Use proper filesystem creation flag for btrfs
  + Enable resource monitoring in cgroup v2 machines
  + Update agent cgroup cleanup
  + Add cgroupv2 distros to supported list
  + Clean old agent cgroup setup
  + Redact sas tokens in telemetry events and agent log
  + Add conf option to use hardcoded wireserver ip instead of dhcp request
    to discover wireserver ip
  + Support for python 3.12
  + Update telemetry message for agent updates and send new telemetry for
    ext resource governance
  + Disable rsm downgrade
  + Add community support for Chainguard OS
  + Swap out legacycrypt for crypt-r for Python 3.13+
  + Pin setuptools version
  + Set the agent config file path for FreeBSD
  + Handle errors importing crypt module
- From 2.13.1.1
  + Setup: Fix install_requires list syntax
  + Pickup latest goal state on tenant certificate rotation + Avoid
    infinite loop when the tenant certificate is missing
  + Fix unsupported syntax in py2.6
  + Cgroup rewrite: uses systemctl for expressing desired configuration
    instead of drop-in files
  + Remove usages of tempfile.mktemp
  + Use random time for attempting new Agent update
  + Enable logcollector in v2 machines
  + Clean history files
  + Missing firewall rules reason
  + Add support for nftables (+ refactoring of firewall code)
  + Create walinuxagent nftable atomically
python-certifi
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-decorator
- Add python36-decorator provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-idna
- Add python36-idna provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-importlib-metadata
- Add python36-importlib-metadata provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-packaging
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-ply
- Add python36-ply provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-pyasn1
- Add python36-pyasn1 provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-pycparser
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-pytz
- Add python36-pytz provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-py
- Add python36-py provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-requests
- Add python36- provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-six
- Add python36-six provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
release-notes-sles
- 15.4.20251031 (tracked in bsc#933411)
- Added note about docker-runc deprecation (jsc#PED-4018)
- Added note about net-snmpd user data location change (jsc#SLE-21469)
- Added note about NVMe-oF/TCP nBFT (jsc#SLE-21510)
- Added note about tpm2-pkcs11 (jsc#SLE-21517)
- Added note about IO scheduling (jsc#SLE-23823)
- Added note about PHP 8 BCI image (jsc#SLE-22419)
- Added note about KVM PMEM access (jsc#SLE-23241)
- Added note about renaming APR devel packages (bsc#1247839)
rsync
- Security update (CVE-2025-10158, bsc#1254441): rsync: Out of
  bounds array access via negative index
  - Add rsync-CVE-2025-10158.patch
runc
- Update to runc v1.3.4. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362

- Update to runc v1.3.3. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
  - 2025-11-05-CVEs.patch

[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs. All three vulnerabilities ultimately allow
  (through different methods) for full container breakouts by bypassing runc's
  restrictions for writing to arbitrary /proc files. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
  + 2025-11-05-CVEs.patch

[ This update was only released for SLE 12 and 15. ]
- Update to runc v1.2.7. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.7>.

- Update to runc v1.3.2. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
  - Includes an important fix for the CPUSet translation for cgroupv2.

- Update to runc v1.3.1. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.1>
- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.

- Update to runc v1.3.0. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.0>
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-python3-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
vim
- Fix for bsc#1229750.
- nocompatible must be set before the syntax highlighting is turned on.
xen
- bsc#1251271 - VUL-0: CVE-2025-58147,CVE-2025-58148: xen:
  Incorrect input sanitisation in Viridian hypercalls (XSA-475)
  xsa475-1.patch
  xsa475-2.patch

- bsc#1248807 - VUL-0: CVE-2025-27466, CVE-2025-58142,
  CVE-2025-58143: xen: Multiple vulnerabilities in the Viridian
  interface (XSA-472)
  xsa472-1.patch
  xsa472-2.patch
  xsa472-3.patch
xkbcomp
- 0001-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch
  (CVE-2018-15863, bsc#1105832)
- 0002-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch
  (CVE-2018-15861, bsc#1105832)
- 0003-Fail-expression-lookup-on-invalid-atoms.patch
  (CVE-2018-15859, bsc#1105832)
- 0004-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch
  (CVE-2018-15853, bsc#1105832)
xorg-x11-server
- bsc1251958_CVE-2025-62229_0001-present-Fix-use-after-free-in-present_create_notifie.patch
  * Use-after-free in XPresentNotify structures creation
    (CVE-2025-62229, bsc#1251958)
- bsc1251959_CVE-2025-62230_0001-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
  bsc1251959_CVE-2025-62230_0002-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
  * Use-after-free in Xkb client resource removal
    (CVE-2025-62230, bsc#1251959)
- bsc1251960_CVE-2025-62231_0001-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
  * Value overflow in Xkb extension XkbSetCompatMap()
    (CVE-2025-62231, bsc#1251960)