- aaa_base
-
- Add patch git-51-fbf7ee9dc9cd970532a54eed6472d7f3b0e7f431.patch
* If a user switches the login shell respect the already set
PATH environment (bsc#1235481)
- add patch aaa_base-rc.status.patch (bsc#1236033)
(no git, file is gone in factory/tumbleweed)
update detection for systemd in rc.status, mountpoint for
cgroup changed with cgroup2, so just check if pid 1 is systemd
- apparmor
-
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
file even if it has 000 permissions. This is needed after the CVE-2024-10041
fix in PAM.
* unix-chkpwd-add-read-capability.path, bsc#1241678
- Allow pam_unix to execute unix_chkpwd with abi/3.0
- remove dovecot-unix_chkpwd.diff
- Add allow-pam_unix-to-execute-unix_chkpwd.patch
- Add revert-abi-change-for-unix_chkpwd.patch
(bsc#1234452, bsc#1232234)
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
unix_chkpwd, and add a profile for unix_chkpwd. This is needed
for PAM with CVE-2024-10041 (bsc#1234452)
- augeas
-
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
* CVE-2025-2588.patch
- azure-cli-core
-
- Add patch to fix improper neutralization of special elements
used in a command which allows an unauthorized attacker to
elevate privileges locally
+ CVE-2025-24049.patch (bsc#1239460, CVE-2025-24049)
- Prefer %patch and %setup to allow individual patch strip levels
- azure-cli
-
- Add patch to fix elevation of privilege vulnerability
+ CVE-2024-43591.patch (bsc#1231971, CVE-2024-43591)
- ca-certificates-mozilla
-
- revert the distrusted certs for now. originally these only
distrust "new issued" certs starting after a certain date,
while old certs should still work. (bsc#1240343)
- remove-distrusted.patch: removed
- explit remove distruted certs, as the distrust does not get exported
correctly and the SSL certs are still trusted. (bsc#1240343)
- Entrust.net Premium 2048 Secure Server CA
- Entrust Root Certification Authority
- AffirmTrust Commercial
- AffirmTrust Networking
- AffirmTrust Premium
- AffirmTrust Premium ECC
- Entrust Root Certification Authority - G2
- Entrust Root Certification Authority - EC1
- GlobalSign Root E46
- GLOBALTRUST 2020
- remove-distrusted.patch: apply to certdata.txt
- Fix awk to compare (missing a =) and give the following output:
[#] NSS_BUILTINS_LIBRARY_VERSION "2.74"
- pass file argument to awk (bsc#1240009)
- update to 2.74 state of Mozilla SSL root CAs:
Removed:
* SwissSign Silver CA - G2
Added:
* D-TRUST BR Root CA 2 2023
* D-TRUST EV Root CA 2 2023
- remove extensive signature printing in comments of the cert
bundle
- Define two macros to break a build cycle with p11-kit.
- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798)
Removed:
- SecureSign RootCA11
- Security Communication RootCA3
Added:
- TWCA CYBER Root CA
- TWCA Global Root CA G2
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15
- cifs-utils
-
- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
namespace in containerized environments while trying to get Kerberos
credentials (bsc#1239680)
* add New-mount-option-for-cifs.upcall-namespace-reso.patch
- cloud-regionsrv-client
-
- Update version to 10.4.0
+ Remove repositories when the package is being removed
We do not want to leave repositories behind refering to the plugin that
is being removed when the package gets removed (bsc#1240310, bsc#1240311)
+ Turn docker into an optional setup (jsc#PCT-560)
Change the Requires into a Recommends and adapt the code accordingly
+ Support flexible licenses in GCE (jsc#PCT-531)
+ Drop the azure-addon package it is geting replaced by the
license-watcher package which has a generic implementation of the
same functionality.
+ Handle cache inconsistencies (bsc#1218345)
+ Properly handle the zypper root target argument (bsc#1240997)
- containerd
-
- Update to containerd v1.7.27. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.27>
bsc#1239749 CVE-2024-40635
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.26. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.25. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.25>
<https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- lvm2
-
- LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938)
* set lvm.conf devices.multipath_wwids_file=""
- docker
-
- Don't use the new container-selinux conditional requires on SLE-12, as the
RPM version there doesn't support it. Arguably the change itself is a bit
suspect but we can fix that later. bsc#1237367
- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
+ 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
+ 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Make container-selinux requirement conditional on selinux-policy
(bsc#1237367)
- Update to Docker 27.5.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/27/#2741> bsc#1237335
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx 0.20.1. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.20.1>
- Update to Docker 27.4.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/27/#2741>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx 0.19.3. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.3>
- Update to Docker 27.4.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/27/#274>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- glib2
-
- Add glib2-CVE-2025-3360.patch:
Backport 8d60d7dc from upstream, Fix integer overflow when
parsing very long ISO8601 inputs. This will only happen with
invalid (or maliciously invalid) potential ISO8601 strings,
but `g_date_time_new_from_iso8601()` needs to be robust against
that.
(CVE-2025-3360, bsc#1240897)
- glibc
-
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
debug env var for setuid for static (CVE-2025-4802, bsc#1243317)
- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
[#25847])
- grub2
-
- Refresh PPC NVMEoF ofpath related patches to newer revision
* 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch
- Patch refreshed
* 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
- Patch obsoleted
* 0004-ofpath-controller-name-update.patch
- Fix segmentation fault error in grub2-probe with target=hints_string
(bsc#1235971) (bsc#1235958) (bsc#1239651)
* 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch
- Fix zfs.mo not found message when booting on legacy BIOS (bsc#1237865)
* 0001-autofs-Ignore-zfs-not-found.patch
- hwinfo
-
- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88
- merge gh#openSUSE/hwinfo#152
- avoid reporting of spurious usb storage devices (bsc#1223330)
- 21.87
- merge gh#openSUSE/hwinfo#151
- do not overdo usb device de-duplication (bsc#1239663)
- 21.86
- iproute2
-
- avoid spurious cgroup warning (bsc#1234383):
- ss-Tone-down-cgroup-path-resolution.patch
- iputils
-
- Security fix [bsc#1242300, CVE-2025-47268]
* integer overflow in RTT calculation can lead to undefined behavior
* Add iputils-CVE-2025-47268.patch
- kbd
-
- Don't search for resources in the current directory. It can cause
unwanted side effects or even infinite loop (bsc#1237230,
kbd-ignore-working-directory-1.patch,
kbd-ignore-working-directory-2.patch,
kbd-ignore-working-directory-3.patch).
- kdump
-
- dracut: fix filtering ro keys in kdump_bond_config (bsc#1233137)
- kexec-tools
-
- add support for lockless ringbuffer (bsc#1241249)
- kexec-tools-Cleanup-remove-the-read_elf_kcore.patch
- kexec-tools-Fix-an-error-definition-about-the-variable-fname.patch
- kexec-tools-Cleanup-move-it-back-from-util_lib-elf_info.c.patch
- kexec-tools-printk-add-support-for-lockless-ringbuffer.patch
- libX11
-
- U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
* Buffer overflow in XkbChangeTypesOfKey()
(CVE-2025-26597, bsc#1237431)
- libapparmor
-
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
file even if it has 000 permissions. This is needed after the CVE-2024-10041
fix in PAM.
* unix-chkpwd-add-read-capability.path, bsc#1241678
- Allow pam_unix to execute unix_chkpwd with abi/3.0
- remove dovecot-unix_chkpwd.diff
- Add allow-pam_unix-to-execute-unix_chkpwd.patch
- Add revert-abi-change-for-unix_chkpwd.patch
(bsc#1234452, bsc#1232234)
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
unix_chkpwd, and add a profile for unix_chkpwd. This is needed
for PAM with CVE-2024-10041 (bsc#1234452)
- expat
-
- version update to 2.7.1
Bug fixes:
[#980] #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
[#976] #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
[#983] #984 Fix printf format specifiers for 32bit Emscripten
[#992] docs: Promote OpenSSF Best Practices self-certification
[#978] tests/benchmark: Resolve mistaken double close
[#986] Address compiler warnings
[#990] #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
[#982] CI: Start running Perl XML::Parser integration tests
[#987] CI: Enforce Clang Static Analyzer clean code
[#991] CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
[#981] CI: Cover compilation with musl
[#983] #984 CI: Cover compilation with 32bit Emscripten
[#976] #977 CI: Protect against fuzzer files missing from future
release archives
- version update to 2.7.0 for SLE-15-SP4
- deleted patches
- expat-CVE-2022-25235.patch (upstreamed)
- expat-CVE-2022-25236-relax-fix.patch (upstreamed)
- expat-CVE-2022-25236.patch (upstreamed)
- expat-CVE-2022-25313-fix-regression.patch (upstreamed)
- expat-CVE-2022-25313.patch (upstreamed)
- expat-CVE-2022-25314.patch (upstreamed)
- expat-CVE-2022-25315.patch (upstreamed)
- expat-CVE-2022-40674.patch (upstreamed)
- expat-CVE-2022-43680.patch (upstreamed)
- expat-CVE-2023-52425-1.patch (upstreamed)
- expat-CVE-2023-52425-2.patch (upstreamed)
- expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed)
- expat-CVE-2023-52425-fix-tests.patch (upstreamed)
- expat-CVE-2024-28757.patch (upstreamed)
- expat-CVE-2024-45490.patch (upstreamed)
- expat-CVE-2024-45491.patch (upstreamed)
- expat-CVE-2024-45492.patch (upstreamed)
- expat-CVE-2024-50602.patch (upstreamed)
- version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
* Security fixes:
[#893] #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
* Other changes:
[#935] #937 Autotools: Make generated CMake files look for
libexpat.@SO_MAJOR@.dylib on macOS
[#925] Autotools: Sync CMake templates with CMake 3.29
[#945] #962 #966 CMake: Drop support for CMake <3.13
[#942] CMake: Small fuzzing related improvements
[#921] docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
[#941] docs: Document need for C++11 compiler for use from C++
[#959] tests/benchmark: Fix a (harmless) TOCTTOU
[#944] Windows: Fix installer target location of file xmlwf.xml
for CMake
[#953] Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
[#971] Address Cppcheck warnings
[#969] #970 Mass-migrate links from http:// to https://
[#947] #958 ..
[#974] #975 Document changes since the previous release
[#974] #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
- no source changes, just adding jira reference: jsc#SLE-21253
- freetype2
-
- enable brotli support (jsc#PED-12258)
- Added patch:
* CVE-2025-27363.patch
+ fixes bsc#1239465, CVE-2025-27363: out-of-bounds write when
attempting to parse font subglyph structures related to
TrueType GX and variable font files
- gnutls
-
- Security fix [bsc#1236974, CVE-2024-12243]
* gnutls: inefficient DER Decoding in libtasn1 could lead to remote DoS
* Add gnutls-CVE-2024-12243.patch
- ncurses
-
- Modify patch ncurses-5.9-ibm327x.dif
* Backport sclp terminfo description entry if for s390 sclp terminal lines
* Add a further sclp entry for qemu s390 based systems
* Make use of dumb
- python311
-
- Allow to disable PGO
- Skip PGO with %want_reproducible_builds (bsc#1239210)
- python3
-
- Update CVE-2024-11168-validation-IPv6-addrs.patch
according to the Debian version
(gh#python/cpython#103848#issuecomment-2708135083).
- librdkafka
-
- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
avoid endless loops (bsc#1242842)
- ruby2.5
-
- update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6
- fix ReDoS in CGI::Util#escapeElement
bsc#1237806 CVE-2025-27220
- fix denial of service in CGI::Cookie.parse
bsc#1237804 CVE-2025-27219
- update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41
- move the request smuggling patch to the correct place
actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773
- libsolv
-
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32
- Provide a symbol specific for the ruby-version
so yast does not break across updates (boo#1235598)
- sqlite3
-
- Sync version 3.49.1 from Factory (jsc#SLE-16032):
* CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
function, introduced in version 3.44.0, that could lead to a
memory error if the separator string is very large (hundreds
of megabytes).
* CVE-2025-29088, bsc#1241078: Enhanced the
SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
against misuse.
* Obsoletes sqlite3-rtree-i686.patch
- libxml2
-
- security update
- added patches
CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
+ libxml2-CVE-2025-32414.patch
CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
+ libxml2-CVE-2025-32415.patch
- security update
- added patches
fix CVE-2024-56171 [bsc#1237363], use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c
+ libxml2-CVE-2024-56171.patch
fix CVE-2025-24928 [bsc#1237370], stack-based buffer overflow in xmlSnprintfElements in valid.c
+ libxml2-CVE-2025-24928.patch
fix CVE-2025-27113 [bsc#1237418], NULL Pointer Dereference in libxml2 xmlPatMatch
+ libxml2-CVE-2025-27113.patch
- libxslt
-
- Security fixes:
* Fix use-after-free of XPath context node [bsc#1239625, CVE-2025-24855]
* Fix UAF related to excluded namespaces [bsc#1239637, CVE-2024-55549]
* Make generate-id() deterministic [bsc#1238591, CVE-2023-40403]
Just adding the reference here as this CVE was already fixed
in 0009-Make-generate-id-deterministic.patch
* Rebase patches to use autosetup:
- libxslt-1.1.24-no-net-autobuild.patch
- libxslt-config-fixes.patch
* Add patches:
- libxslt-CVE-2024-55549.patch
- libxslt-CVE-2025-24855.patch
- libzypp
-
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
default (false).
The default was true in Code12 (libzypp-16.x) and changed to
false with Code15 (libzypp-17.x). Unfortunately this was done by
shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
(bsc#1238315)
Ftp actually differs between absolute and relative URL paths.
Absolute path names begin with a double slash encoded as '/%2F'.
This must be preserved when manipulating the path.
- version 17.36.5 (35)
- Add a transaction package preloader (fixes openSUSE/zypper#104)
This patch adds a preloader that concurrently downloads files
during a transaction commit. It's not yet enabled per default.
To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
(fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
- Disable zypp.conf:download.use_deltarpm by default (fixes #620)
Measurements show that you don't benefit from using deltarpms
unless your network connection is very slow. That's why most
distributions even stop offering deltarpms. The default remains
unchanged on SUSE-15.6 and older.
- Make sure repo variables are evaluated in the right context
(bsc#1237044)
- Introducing MediaCurl2 a alternative HTTP backend.
This patch adds MediaCurl2 as a testbed for experimenting with a
more simple way to download files. Set ZYPP_CURL2=1 in the
environment to use it.
- version 17.36.3 (35)
- Filesystem usrmerge must not be done in singletrans mode
(bsc#1236481, bsc#1189788)
Commit will amend the backend in case the transaction would
perform a filesystem usrmerge.
- Workaround bsc#1216091 on Code16.
- version 17.36.2 (35)
- mozilla-nss
-
- Updated nss-fips-approved-crypto-non-ec.patch to not pass in
bad targetKeyLength parameters when checking for FIPS approval
after keygen. This was causing false rejections.
- Updated nss-fips-approved-crypto-non-ec.patch to approve
RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
- openssh
-
- Added openssh-bsc1241045-kexalgo-gt-256bits.patch (bsc#1241045)
from upstream, which allows KEX hashes greater than 256 bits.
Thanks to Ali Abdallah <ali.abdallah@suse.com>.
- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
This fixes an upstream logic error handling the DisableForwarding
option.
- Update openssh-7.6p1-audit_race_condition.patch (bsc#1232533),
fixing failures with very large MOTDs. Thanks to Ali Abdallah
<ali.abdallah@suse.com>.
- Updated openssh-8.1p1-audit.patch (bsc#1228634) with modification
from Jaroslav Jindrak (jjindrak@suse.com) to fix the hostname
being left out of the audit output.
- pam
-
- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
entry.
[passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
[pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]
- patterns-base
-
- add bpftool to patterns enhanced base. jsc#PED-8375
- python-azure-agent
-
- Add a new version of paa_force_py3_sle15.patch to compensate for
missing Python RPM macros in older distros
- Update to version 2.12.04 (bsc#1235140)
+ Remove agent-no-auto-update.patch handeled by config file specialization
sub-packages
+ Remove paa_force_py3_sle15.patch handled by RPM macro
+ Remove agent-micro-is-sles.patch included upstream
+ Forward port paa_12_sp5_rdma_no_ext_driver.patch
+ Forward port remove-mock.patch
+ Add paa_direct_exec_in_service.patch
~ The waagent script is executable and we set the proper interpreter
using the macro for multibuild python. Do prefix the execution in the
service file wit the interpreter
+ Fix install_requires list syntax
+ Update spec file
~ Remove conditions for distros no longer maintained
~ Simplify build and install conditionals using macros
+ Enable GA versioning #3082 #3184 #3189
+ Cgroups api refactor for v2 #3096 #3135 #3188 #3196
+ Fix JIT for FIPS 140-3 #3190
+ reset network service unit file if python version changes #3058
+ Recognize SLE-Micro as a SLE based distribution #3048
+ Add distutils/version.py to azurelinuxagent #3063
+ Use legacycrypt instead of crypt on Python >= 3.13 #3070
+ Fix osutil/default route_add to pass string array. #3072
+ Fix argument to GoalState.init #3073
+ Add lock around access to fast_track.json #3076
+ Add DistroVersion class to compare distro versions #3078
+ LogCollector should skip and log warning for files that don't exist #3098
+ check for unexpected process in agent cgroups before cgroups enabled #3103
+ [Redo with correct source/target]: Remove check for "ibXX" interface
format and rework mac-address regex to expand support #3150
+ Fix Ubuntu version codename for 24.04 #3159
+ Update test certificate data #3166
+ move setupslice after cgroupsv2 check, remove unit file for
log collector and remove fiirewall daemon-reload #3223
+ Address pylint warning deprecated-method #3059
+ Run pylint on Python 3.11 #3067
+ Run unit tests with pytest on Python >= 3.10
+ Log logcollector cgroups if process is found in unexpected slice #3107
+ remove secret and use cert for aad app in e2e pipeline #3116
+ suppress pylint warn contextmanager-generator-missing-cleanup #3138
+ Switching to SNI based authentication for aad app #3137
+ updated PR template #3144
+ Avoiding mocked exception from being lost on test when using
python 3.12: complete mocked info #3149
+ Add more useful logging statement for agent unit properties #3154
+ Remove wireserver fallback for imds calls #3152
+ Remove unused import #3155
+ Add support for Azure Linux 3 #3183
+ Fix pytest warnings #3084
+ Allow use of node 16 #3160
+ Send controller/cgroup path telemetry #3231
From 2.13.0.2
+ #3221 Add support for nftables (+ refactoring of firewall code)
+ #3239 Create walinuxagent nftable atomically
+ Features in progress (Verify extension signature/Policy Enforcement)
+ #3200 Parse encodedSignature property from EGS
+ #3187 Add Regorus policy engine framework
+ #3222 Remove Regorus and platform check for policy enforcement
+ #3242 Telemetry (update logcollector telemetry with common properties)
+ #3208 Handle non-boolean when parsing extension manifests
+ #3211 Fix unicode type check when parsing extension manifests
+ #3133 Telemetry: high-priority events
+ #3240 Telemetry: report apparent dead code
+ #3210 Cleanup: remove AMA extension services cgroups tracking code
+ #3197 Accommodate the new behavior in OpenSSL 3.2.2 when given an
empty input
From 2.11.1.12
+ Remove multi config extension status only on extension delete #3172
From 2.111.1.4
+ General Improvements
+ Improvements in telemetry for firewall settings #3110, #3124
From 2.10.0.8
+ GA versioning #2810 #2850 #2860 #2881 #2974 #3004 #3015 #3033
+ Disabled GA versioning #2909 #2917 #3044
+ Add regular expression to match logs from very old agents #2839
+ Remove empty "distro" module #2854
+ Enable Python 2.7 for unit tests #2856
+ Add check for noexec on Permission denied errors #2859
+ Reorganize file structure of unit tests #2894
+ Report useful message when extension processing is disabled #2895
+ Add log and telemetry event for extension disabled #2897
+ Cleanup common directory #2902
+ Fix agent memory usage check #2903
+ enable rhel/centos agent-cgroups #2922
+ Add support for EC certificates #2936
+ Add Cpu Arch in local logs and telemetry events #2938
+ Clarify support status of installing from source. #2941
+ Gathering Guest ProxyAgent Log Files #2975
+ Remove debug info from waagent.status.json #2971
+ Handle errors when adding logs to the archive #2982
+ Update supported Ubuntu versions #2980
+ Fix pylint warning #2988
+ Add information about HTTP proxies #2985
+ update the proxy agenet log folder for logcollector #3028
+ Add config parameter to wait for cloud-init
(Extensions.WaitForCloudInit) #3031 [Added in 2.10.0.8]
+ Adding AutoUpdate.UpdateToLatestVersion new flag support #3020 #3027
[Added in 2.10.0.8]
+ Check certificates only if certificates are included in goal state #2803
+ Redact access tokens from extension's output #2811
+ Fix name of single IB device when provisioning RDMA #2814
+ Port NSBSD system to the latest version of waagent #2828
+ fix daemon version #2874
+ fix version checking in setup.py #2920
+ fix(ubuntu): Point to correct dhcp lease files #2979
+ Download certs on FT GS after check_certificates only when missing
from disk #2907
+ Add support for EC certificates (#2936) #2943 [Added in 2.10.0.5]
+ Fix for "local variable _COLLECT_NOEXEC_ERRORS referenced before
assignment" (#2935) #2944 [Added in 2.10.0.5]
+ Cache daemon version #2942 #2946 [Added in 2.10.0.5]
+ undo get daemon version change #2951 [Added in 2.10.0.5]
+ fix self-update frequency to spread over 24 hrs for regular type
and 4 hrs for hotfix #2948 [Added in 2.10.0.5]
+ ignore dependencies from extensions that do not have settings #2957
[Added in 2.10.0.6]
+ Do not reset the mode of a extension's log directory #3014
[Added in 2.10.0.8]
+ skip cgroup monitoring if log collector doesn't start by the agent.
[#2939] [Added in 2.10.0.8]
+ NM should not be restarted during hostname publish if NM_CONTROLLED=y
[#3008] [Added in 2.10.0.8]
+ Daemon should remove stale published_hostname file and log
useful warning #3016 [Added in 2.10.0.8]
+ Revert changes to publish_hostname in RedhatOSModernUtil #3032
[Added in 2.10.0.8]
+ Recover primary nic if down after publishing hostname in
RedhatOSUtil #3024 [Added in 2.10.0.8]
- fix a few typos in the spec file and use proper macros where
applicable
- remove python3 requires
- python-instance-billing-flavor-check
-
- Update to version 1.0.0 (jsc#PCT-531)
+ API incompatibility: The check_payg_byos function no longer exits, it now
returns a tuple of (flavor, exit_code). This makes the function reusable.
+ Update the build setup to work with the system interpreter of
upcoming SLE releases. SLE 12 stays with the Python 3.4 interpreter
and SLE 15 with the Python 3.6 interpreter.
- python-Jinja2
-
- Add security patch CVE-2025-27516.patch (bsc#1238879)
- python3-M2Crypto
-
- Change macro to %{?sle15allpythons} so we build both Python 3.6
and Python 3.11 on SLE-15.
- Fix spelling of BSD-2-Clause license.
- Add rpmlintrc … overflow of ignorable rpmlint warnings caused
me not to see the previous problem.
- Update to 0.44.0:
- fix(rsa): introduce internal cache for rsa.check_key()
(bsc#1236664, srht#mcepl/m2crypto#369)
- fix[authcookie]: modernize the module
- fix(_lib): add missing #include for windows
- ci: relax fedora crypto policy to legacy.
- enhance setup.py for macos compatibility
- prefer packaging.version over distutils.version
- fix segfault with openssl 3.4.0
- fix[ec]: raise ioerror instead when load_key_bio() cannot read
the file.
- doc: update installation instructions for windows.
- fix setting x509.verify_* variables
- fix building against openssl in non-standard location
- test_x509: use only x509_version_1 (0) as version for csr.
- The real license is BSD 2-Clause, not MIT.
- Update to 0.43.0:
- feat[m2]: add m2.time_t_bits to checking for 32bitness.
- fix[tests]: Use only X509_VERSION_1 (0) as version for CSR.
- fix[EC]: raise ValueError when load_key_bio() cannot read the
file (bsc#1231589).
- ci: use -mpip wheel instead of -mbuild
- fix: use PyMem_Malloc() instead of malloc()
- fix[hints]: more work on conversion of type hints to the py3k ones
- fix: make the package build even on Python 3.6
- ci[local]: skip freezing local tests
- fix[hints]: remove AnyStr type
- test: add suggested test for RSA.{get,set}_ex_data
- fix: implement interfaces for RSA_{get,set}_ex_new_{data,index}
- fix: generate src/SWIG/x509_v_flag.h to overcome weaknesses of
swig
- fix: replace literal enumeration of all VERIFY_ constants by a
cycle
- test: unify various test cases in test_ssl related to ftpslib
- fix: replace deprecated url keyword in setup.cfg with complete
project_urls map
- Update 0.42.0:
- allow ASN1_{Integer,String} be initialized directly
- minimal infrastructure for type hints for a C extension and
some type hints for some basic modules
- time_t on 32bit Linux is 32bit (integer) not 64bit (long)
- EOS for CentOS 7
- correct checking for OpenSSL version number on Windows
- make compatible with Python 3.13 (replace PyEval_CallObject
with PyObject_CallObject)
- fix typo in extern function signature (and proper type of
engine_ctrl_cmd_string())
- move the package to Sorucehut
- setup CI to use Sourcehut CI
- setup CI on GitLab for Windows as well (remove Appveyor)
- initial draft of documentation for migration to
pyca/cryptography
- fix Read the Docs configuration (contributed kindly by Facundo
Tuesca)
- Remove upstreamed 32bit_ASN1_Time.patch
- Remove python-M2Crypto.keyring, because PyPI broke GPG support
- Build for modern python stack on SLE/Leap
- zypp-plugin
-
- version 0.6.5
- Build package for multiple Python flavors on the SLE15 family
(fixes #4)
- python-setuptools
-
- Add patch CVE-2025-47273.patch to fix A path traversal
vulnerability.
(bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
- rsync
-
- Fix bsc#1237187 - broken rsyncd
* Lists digests available in greeting line
* Add rsync-fix-daemon-proto-32.patch
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-python3-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000release-packages:sle-module-web-scripting-release
-
n/a
- supportutils
-
- Changes to version 3.2.10
+ network.txt collect all firewalld zones (pr#233)
+ Collects gfs2 info (PED-11853, pr#235, pr#236)
+ Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237)
+ Added openldap2_5 support for SLES (pr#238)
+ Collects additional hawk details (pr#239)
+ Optimized filtering D/Z processes (pr#241)
+ Collect firewalld permanent configuration (pr#243)
+ ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247)
+ Added dbus_info for dbus.txt (bsc#1222650, pr#248)
- Changes to version 3.2.9
+ Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221)
+ Supportconfig available in current distro (PED-7131)
+ Corrected display issues (bsc#1231396)
+ NFS takes too long, showmount times out (bsc#1231423)
+ Merged sle15 and master branches (bsc#1233726, PED-11669)
- suse-build-key
-
- changed keys to use SHA256 UIDs instead of SHA1. (bsc#1237294
bsc#1236779 jsc#PED-12321)
- gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc
- gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc
- suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted
- timezone
-
- Update to 2025b:
* New zone for Aysén Region in Chile (America/Coyhaique) which
moves from -04/-03 to -03
- Refresh patches
* revert-philippines-historical-data.patch
* tzdata-china.diff
- Update to 2025a:
* Paraguay adopts permanent -03 starting spring 2024
* Improve pre-1991 data for the Philippines
* Etc/Unknown is now reserved
- Update to 2024b:
* Improve historical data for Mexico, Mongolia, and Portugal.
* System V names are now obsolescent.
* The main data form now uses %z.
* The code now conforms to RFC 8536 for early timestamps.
* Support POSIX.1-2024, which removes asctime_r and ctime_r.
* Assume POSIX.2-1992 or later for shell scripts.
* SUPPORT_C89 now defaults to 1.
- Add revert-philippines-historical-data.patch, revert-systemv-deprecation.patch
* Fixes testsuite failures for other packages
- vim
-
- Introduce patch to fix bsc#1235751 (regression).
* vim-9.1.1134-revert-putty-terminal-colors.patch
- Update to 9.1.1176. Changes:
* 9.1.1176: wrong indent when expanding multiple lines
* 9.1.1175: inconsistent behaviour with exclusive selection and motion commands
* 9.1.1174: tests: Test_complete_cmdline() may fail
* 9.1.1173: filetype: ABNF files are not detected
* 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file
* 9.1.1171: tests: wrong arguments passed to assert_equal()
* 9.1.1170: wildmenu highlighting in popup can be improved
* 9.1.1169: using global variable for get_insert()/get_lambda_name()
* 9.1.1168: wrong flags passed down to nextwild()
* 9.1.1167: mark '] wrong after copying text object
* 9.1.1166: command-line auto-completion hard with wildmenu
* 9.1.1165: diff: regression with multi-file diff blocks
* 9.1.1164: [security]: code execution with tar.vim and special crafted tar files
* 9.1.1163: $MYVIMDIR is set too late
* 9.1.1162: completion popup not cleared in cmdline
* 9.1.1161: preinsert requires bot "menu" and "menuone" to be set
* 9.1.1160: Ctrl-Y does not work well with "preinsert" when completing items
* 9.1.1159: $MYVIMDIR may not always be set
* 9.1.1158: :verbose set has wrong file name with :compiler!
* 9.1.1157: command completion wrong for input()
* 9.1.1156: tests: No test for what patch 9.1.1152 fixes
* 9.1.1155: Mode message not cleared after :silent message
* 9.1.1154: Vim9: not able to use autoload class accross scripts
* 9.1.1153: build error on Haiku
* 9.1.1152: Patch v9.1.1151 causes problems
* 9.1.1151: too many strlen() calls in getchar.c
* 9.1.1150: :hi completion may complete to wrong value
* 9.1.1149: Unix Makefile does not support Brazilian lang for the installer
* 9.1.1148: Vim9: finding imported scripts can be further improved
* 9.1.1147: preview-window does not scroll correctly
* 9.1.1146: Vim9: wrong context being used when evaluating class member
* 9.1.1145: multi-line completion has wrong indentation for last line
* 9.1.1144: no way to create raw strings from a blob
* 9.1.1143: illegal memory access when putting a register
* 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined
* 9.1.1141: Misplaced comment in readfile()
* 9.1.1140: filetype: m17ndb files are not detected
* 9.1.1139: [fifo] is not displayed when editing a fifo
* 9.1.1138: cmdline completion for :hi is too simplistic
* 9.1.1137: ins_str() is inefficient by calling STRLEN()
* 9.1.1136: Match highlighting marks a buffer region as changed
* 9.1.1135: 'suffixesadd' doesn't work with multiple items
* 9.1.1134: filetype: Guile init file not recognized
* 9.1.1133: filetype: xkb files not recognized everywhere
* 9.1.1132: Mark positions wrong after triggering multiline completion
* 9.1.1131: potential out-of-memory issue in search.c
* 9.1.1130: 'listchars' "precedes" is not drawn on Tabs.
* 9.1.1129: missing out-of-memory test in buf_write()
* 9.1.1128: patch 9.1.1119 caused a regression with imports
* 9.1.1127: preinsert text is not cleaned up correctly
* 9.1.1126: patch 9.1.1121 used a wrong way to handle enter
* 9.1.1125: cannot loop through pum menu with multiline items
* 9.1.1124: No test for 'listchars' "precedes" with double-width char
* 9.1.1123: popup hi groups not falling back to defaults
* 9.1.1122: too many strlen() calls in findfile.c
* 9.1.1121: Enter does not insert newline with "noselect"
* 9.1.1120: tests: Test_registers fails
* 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script
* 9.1.1118: tests: test_termcodes fails
* 9.1.1117: there are a few minor style issues
* 9.1.1116: Vim9: super not supported in lambda expressions
* 9.1.1115: [security]: use-after-free in str_to_reg()
* 9.1.1114: enabling termguicolors automatically confuses users
* 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds
* 9.1.1112: Inconsistencies in get_next_or_prev_match()
* 9.1.1111: Vim9: variable not found in transitive import
* 9.1.1110: Vim tests are slow and flaky
* 9.1.1109: cmdexpand.c hard to read
* 9.1.1108: 'smoothscroll' gets stuck with 'listchars' "eol"
* 9.1.1107: cannot loop through completion menu with fuzzy
* 9.1.1106: tests: Test_log_nonexistent() causes asan failure
* 9.1.1105: Vim9: no support for protected new() method
* 9.1.1104: CI: using Ubuntu 22.04 Github runners
* 9.1.1103: if_perl: still some compile errors with Perl 5.38
* 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename
- zypper
-
- Updated translations (bsc#1230267)
- version 1.14.89
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88
- Package preloader that concurrently downloads files. It's not yet
enabled per default. To enable the preview set ZYPP_CURL2=1 and
ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires: libzypp-devel >= 17.36.4.
- version 1.14.87
- refresh: add --include-all-archs (fixes #598)
Future multi-arch repos may allow to download only those metadata
which refer to packages actually compatible with the systems
architecture. Some tools however want zypp to provide the full
metadata of a repository without filtering incompatible
architectures.
- info,search: add option to search and list Enhances
(bsc#1237949)
- version 1.14.86
- Annonunce --root in commands not launching a Target
(bsc#1237044)
- BuildRequires: libzypp-devel >= 17.36.3.
- version 1.14.85