- azure-cli-core
-
- Refresh CVE-2025-24049.patch
- azure-cli
-
- Drop CVE-2024-43591.patch, fixed upstream
- Fix testsuite evaluation logic
- coreutils
-
- coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch:
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer.
(CVE-2025-5278, bsc#1243767)
- cyrus-sasl
-
- Add Channel Binding support for GSSAPI/GSS-SPNEGO; (bsc#1229655);
(jsc#PED-12097); Add patch
0009-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
- Add support for setting max ssf 0 to GSS-SPNEGO; (bsc#1229655);
(jsc#PED-12097); Add patch
0010-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
- docker
-
[ This update is a no-op, only needed to work around unfortunate automated
packaging script behaviour on SLES. ]
- The following patches were removed in openSUSE in the Docker 28.1.1-ce
update, but the patch names were later renamed in a SLES-only update before
Docker 28.1.1-ce was submitted to SLES.
This causes the SLES build scripts to refuse the update because the patches
are not referenced in the changelog. There is no obvious place to put the
patch removals (the 28.1.1-ce update removing the patches chronologically
predates their renaming in SLES), so they are included here a dummy changelog
entry to work around the issue.
- 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to docker-buildx v0.25.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.25.0>
- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in this
mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable.) bsc#1240150
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to Docker 28.2.2-ce. See upstream changelog online at
<https://github.com/moby/moby/releases/tag/v28.2.2>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to Docker 28.2.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
<https://github.com/moby/moby/releases/tag/v28.2.1>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to docker-buildx v0.24.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.24.0>
- Update to Docker 28.1.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
Includes upstream fixes:
- CVE-2025-22872 bsc#1241830
- Remove long-outdated build handling for deprecated and unsupported
devicemapper and AUFS storage drivers. AUFS was removed in v24, and
devicemapper was removed in v25.
<https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Remove upstreamed patches:
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx v0.23.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.23.0>
- Update to docker-buildx v0.22.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
- iputils
-
- Security fix [bsc#1243772, CVE-2025-48964]
* Fix integer overflow in ping statistics via zero timestamp
* Add iputils-CVE-2025-48964_01.patch
* Add iputils-CVE-2025-48964_02.patch
* Add iputils-CVE-2025-48964_03.patch
* Add iputils-CVE-2025-48964_04.patch
* Add iputils-CVE-2025-48964_regression.patch
- libgcrypt
-
- Security fix [bsc#1221107, CVE-2024-2236]
* Add --enable-marvin-workaround to spec to enable workaround
* Fix timing based side-channel in RSA implementation ( Marvin attack )
* Add libgcrypt-CVE-2024-2236_01.patch
* Add libgcrypt-CVE-2024-2236_02.patch
- polkit
-
- CVE-2025-7519: Fixed that a XML policy file with a large number of
nested elements may lead to out-of-bounds write (bsc#1246472)
added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch
- libxml2
-
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49795.patch
- security update
- added patches
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
+ libxml2-CVE-2025-6170,6021.patch
- mozilla-nspr
-
- update to version 4.36
* remove support for OS/2
* remove support for Unixware, Bsdi, old AIX, old HPUX9 & scoos
* remove support for Windows 16 bit
* renamed the prwin16.h header to prwin.h
* configure was updated from 2.69 to 2.71
* various build, test and automation script fixes
* major parts of the source code were reformatted
- mozilla-nss
-
- update to NSS 3.112
* bmo#1963792 - Fix alias for mac workers on try
* bmo#1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* bmo#1931930 - ABI/API break in ssl certificate processing
* bmo#1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 - update taskgraph to v14.2.1
* bmo#1964358 - Workflow for automation of the release on GitHub when pushing a tag
* bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
* bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 - update taskgraph to v14.1.1
* bmo#1962503 - Partial fix for ACVP build CI job
* bmo#1961827 - Initialize find in sftk_searchDatabase
* bmo#1963121 - Add clang-18 to extra builds
* bmo#1963044 - Fault tolerant git fetch for fuzzing
* bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp
* bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* bmo#1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* bmo#1963102 - Remove Cryptofuzz CI version check
- update to NSS 3.111
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1957685 - Turn off Websites Trust Bit from CAs
* bmo#1937338 - Update nssckbi version following April 2025 Batch of Changes
* bmo#1943135 - Disable SMIME ‘trust bit’ for GoDaddy CAs
* bmo#1874383 - Replaced deprecated sprintf function with snprintf in dbtool.c
* bmo#1954612 - Need up update NSS for PKCS 3.1
* bmo#1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* bmo#1953097 - Decrease ASAN quarantine size for Cryptofuzz in CI
* bmo#1943962 - selfserv: Add support for zlib certificate compression
- update to NSS 3.110
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
* bmo#1953429 - Remove Crl templates from ASN1 fuzz target
* bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
* bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
* bmo#1930807 - NSS policy updates
* bmo#1951161 - Improve locking in nssPKIObject_GetInstances
* bmo#1951394 - Fix race in sdb_GetMetaData
* bmo#1951800 - Fix member access within null pointer
* bmo#1950077 - Increase smime fuzzer memory limit
* bmo#1949677 - Enable resumption when using custom extensions
* bmo#1952568 - change CN of server12 test certificate
* bmo#1949118 - Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* bmo#1949118 - Part 1: Fix smime UBSan errors
* bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
* bmo#1951491 - Don't build libpkix in static builds
* bmo#1951395 - handle `-p all` in try syntax
* bmo#1951346 - fix opt-make builds to actually be opt
* bmo#1951346 - fix opt-static builds to actually be opt
* bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
- update to NSS 3.109
* bmo#1939512 - Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* bmo#1930807 - NSS policy updates - fix inaccurate key policy issues
* bmo#1945883 - SMIME fuzz target
* bmo#1914256 - ASN1 decoder fuzz target
* bmo#1936001 - Part 2: Revert “Extract testcases from ssl gtests
for fuzzing”
* bmo#1915155 - Add fuzz/README.md
* bmo#1936001 - Part 4: Fix tstclnt arguments script
* bmo#1944545 - Extend pkcs7 fuzz target
* bmo#1912320 - Extend certDN fuzz target
* bmo#1944300 - revert changes to HACL* files from bug 1866841
* bmo#1936001 - Part 3: Package frida corpus script
- update to NSS 3.108
* bmo#1923285 - libclang-16 -> libclang-19
* bmo#1939086 - Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* bmo#1915902 - Remove SwissSign Silver CA – G2
* bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
* bmo#1942301 - fix fips test failure on windows
* bmo#1935925 - change default sensitivity of KEM keys
* bmo#1936001 - Part 1: Introduce frida hooks and script
* bmo#1942350 - add missing arm_neon.h include to gcm.c
* bmo#1831552 - ci: update windows workers to win2022
* bmo#1831552 - strip trailing carriage returns in tools tests
* bmo#1880256 - work around unix/windows path translation issues
in cert test script
* bmo#1831552 - ci: let the windows setup script work without $m
* bmo#1880255 - detect msys
* bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
* bmo#1930807 - NSS policy updates
* bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
* bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
* bmo#1930806 - FIPS changes need to be upstreamed - updated POST
* bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
* bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
* bmo#1935984 - Ensure zero-initialization of collectArgs.cert
* bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
* bmo#1915898 - Fix actual underlying ODR violations issue
* bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* bmo#1934526 - Fix memory leak in pkcs7 fuzz target
* bmo#1934529 - Set -O2 for ASan builds in CI
* bmo#1934543 - Change branch of tlsfuzzer dependency
* bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1
* bmo#1934241 - Fix coverage failure in CI
* bmo#1934213 - Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* bmo#1913677 - Part 3: Restructure fuzz/
* bmo#1931925 - Extract testcases from ssl gtests for fuzzing
* bmo#1923037 - Force Cryptofuzz to use NSS in CI
* bmo#1923037 - Fix Cryptofuzz on 32 bit in CI
* bmo#1933154 - Update Cryptofuzz repository link
* bmo#1926256 - fix build error from 9505f79d
* bmo#1926256 - simplify error handling in get_token_objects_for_cache
* bmo#1931973 - nss doc: fix a warning
* bmo#1930797 - pkcs12 fixes from RHEL need to be picked up
- remove obsolete patches
* nss-fips-safe-memset.patch
* nss-bmo1930797.patch
- update to NSS 3.107
* bmo#1923038 - Remove MPI fuzz targets.
* bmo#1925512 - Remove globals `lockStatus` and `locksEverDisabled`.
* bmo#1919015 - Enable PKCS8 fuzz target.
* bmo#1923037 - Integrate Cryptofuzz in CI.
* bmo#1913677 - Part 2: Set tls server target socket options in config class
* bmo#1913677 - Part 1: Set tls client target socket options in config class
* bmo#1913680 - Support building with thread sanitizer.
* bmo#1922392 - set nssckbi version number to 2.72.
* bmo#1919913 - remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* bmo#1920641 - remove Security Communication RootCA3 root cert.
* bmo#1918559 - remove SecureSign RootCA11 root cert.
* bmo#1922387 - Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 - update expected error code in pk12util pbmac1 tests.
* bmo#1929041 - Use random tstclnt args with handshake collection script
* bmo#1920466 - Remove extraneous assert in ssl3gthr.c.
* bmo#1928402 - Adding missing release notes for NSS_3_105.
* bmo#1874451 - Enable the disabled mlkem tests for dtls.
* bmo#1874451 - NSS gtests filter cleans up the constucted buffer
before the use.
* bmo#1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe.
* bmo#1925503 - Remove short circuit test from ssl_Init.
- fix build on loongarch64 (setting it as 64bit arch)
- Remove upstreamed bmo-1400603.patch
- Added nss-bmo1930797.patch to fix failing tests in testsuite
- update to NSS 3.106
* bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36.
* bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
* bmo#1899402 - Correctly destroy bulkkey in error scenario.
* bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers.
* bmo#1923002 - Extract certificates with handshake collection script.
* bmo#1923006 - Specify len_control for fuzz targets.
* bmo#1923280 - Fix memory leak in dumpCertificatePEM.
* bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use.
* bmo#1921768 - allow null phKey in NSC_DeriveKey.
* bmo#1921801 - Only create seed corpus zip from existing corpus.
* bmo#1826035 - Use explicit allowlist for for KDF PRFS.
* bmo#1920138 - Increase optimization level for fuzz builds.
* bmo#1920470 - Remove incorrect assert.
* bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI.
* bmo#1920945 - Polish corpus collection for automation.
* bmo#1917572 - Detect new and unfuzzed SSL options.
* bmo#1804646 - PKCS12 fuzzing target.
- requires NSPR 4.36
- update to NSS 3.105
* bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
* bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
* bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
* bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* bmo#1918767 - override default definition of KRML_MUSTINLINE
* bmo#1916525 - libssl support for mlkem768x25519
* bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
* bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
* bmo#1911912 - Avoid misuse of ctype(3) functions
* bmo#1917311 - part 2: run clang-format
* bmo#1917311 - part 1: upgrade to clang-format 13
* bmo#1916953 - clang-format fuzz
* bmo#1910370 - DTLS client message buffer may not empty be on retransmit
* bmo#1916413 - Optionally print config for TLS client and server
fuzz target
* bmo#1916059 - Fix some simple documentation issues in NSS.
* bmo#1915439 - improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
- Fix build error under Leap by rebasing nss-fips-safe-memset.patch.
- update to NSS 3.104
* bmo#1910071 - Copy original corpus to heap-allocated buffer
* bmo#1910079 - Fix min ssl version for DTLS client fuzzer
* bmo#1908990 - Remove OS2 support just like we did on NSPR
* bmo#1910605 - clang-format NSS improvements
* bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
* bmo#1908990 - removing dirent.c from build
* bmo#1902078 - Allow handing in keymaterial to shlibsign to make
the output reproducible
* bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
* bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* bmo#1908990 - remove mentions of WIN95
* bmo#1908990 - remove mentions of WIN16
* bmo#1913750 - More explicit directory naming
* bmo#1913755 - Add more options to TLS server fuzz target
* bmo#1913675 - Add more options to TLS client fuzz target
* bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
* bmo#1908012 - set nssckbi version number to 2.70.
* bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
* bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
* bmo#1908006 - Add Cybertrust Japan Roots to NSS.
* bmo#1908004 - Add Taiwan CA Roots to NSS.
* bmo#1911354 - remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* bmo#1913132 - Fix tstclnt CI build failure
* bmo#1913047 - vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* bmo#1912427 - Enable all supported protocol versions for UDP
* bmo#1910361 - Actually use random PSK hash type
* bmo#1911576 - Initialize NSS DB once
* bmo#1910361 - Additional ECH cipher suites and PSK hash types
* bmo#1903604 - Automate corpus file generation for TLS client Fuzzer
* bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE
* bmo#1910605 - clang-format shlibsign.c
- remove obsolete nss-reproducible-builds.patch
- update to NSS 3.103
* bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
* bmo#1903783 - Adjust libFuzzer size limits
* bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
by using a hardcoded, static key to generate the checksums (*.chk-files)
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
- update to NSS 3.102.1
* bmo#1905691 - ChaChaXor to return after the function
- update to NSS 3.102
* bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305.
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* bmo#1660676 - correct length of raw SPKI data before printing in pp utility.
- Add nss-reproducible-chksums.patch to make NSS-build reproducible
Use key from openssl (bsc#1081723)
- Updated nss-fips-approved-crypto-non-ec.patch to exclude the
SHA-1 hash from SLI approval.
- python-azure-agent
-
- Set AutoUpdate.UpdateToLatestVersion=n in /etc/waagent.conf
(bsc#1244933)
- Fix %suse_version conditional in spec file so package is built
using python2 in SLE 12 (bsc#1240385)
- python-psutil
-
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- salt
-
- Add `minion_legacy_req_warnings` option to avoid noisy warnings
- Require M2Crypto >= 0.44.0 for SUSE Family distros
- Added:
* add-minion_legacy_req_warnings-option-to-avoid-noisy.patch
- Prevent tests failures when pygit2 is not present
- Several fixes for security issues
(bsc#1244561, CVE-2024-38822)
(bsc#1244564, CVE-2024-38823)
(bsc#1244565, CVE-2024-38824)
(bsc#1244566, CVE-2024-38825)
(bsc#1244567, CVE-2025-22240)
(bsc#1244568, CVE-2025-22236)
(bsc#1244570, CVE-2025-22241)
(bsc#1244571, CVE-2025-22237)
(bsc#1244572, CVE-2025-22238)
(bsc#1244574, CVE-2025-22239)
(bsc#1244575, CVE-2025-22242)
* Request server hardening
* Prevent traversal in local_cache::save_minions
* Add test and fix for file_recv cve
* Fix traversal in gitfs find_file
* Fix traversal in salt.utils.virt
* Fix traversal in pub_ret
* Reasonable failures when pillars timeout
* Make send_req_async wait longer
* Remove token to prevent decoding errors
* Fix checking of non-url style git remotes
* Allow subdirs in GitFS find_file check
- Add subsystem filter to udev.exportdb (bsc#1236621)
- tornado.httputil: raise errors instead of logging in
multipart/form-data parsing (CVE-2025-47287, bsc#1243268)
- Fix Ubuntu 24.04 edge-case test failures
- Fix broken tests for Ubuntu 24.04
- Fix refresh of osrelease and related grains on Python 3.10+
- Make "salt" package to obsolete "python3-salt" package on SLE15SP7+
- Fix issue requiring proper Python flavor for dependencies and recommended package
- Added:
* fix-tests-issues-in-salt-shaker-environments-721.patch
* several-fixes-for-security-issues.patch
* add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch
* fix-of-cve-2025-47287-bsc-1243268-718.patch
* fix-ubuntu-24.04-specific-failures-716.patch
* fix-debian-tests-715.patch
* fix-refresh-of-osrelease-and-related-grains-on-pytho.patch
- python-azure-appconfiguration
-
- New upstream release
+ Version 1.7.1
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 1.7.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- New upstream release
+ Version 1.6.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- python-azure-batch
-
- New upstream release
+ Version 14.2.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- python-azure-mgmt-batch
-
- New upstream release
+ Version 17.3.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- python-azure-mgmt-compute
-
- New upstream release
+ Version 33.1.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- New upstream release
+ Version 33.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 32.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- Update Requires from setup.py
- New upstream release
+ Version 31.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 30.6.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-containerservice
-
- New upstream release
+ Version 32.1.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 32.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- New upstream release
+ Version 31.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- Update Requires from setup.py
- New upstream release
+ Version 30.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- python-azure-mgmt-cosmosdb
-
- New upstream release
+ Version 9.6.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- Update Requires from setup.py
- New upstream release
+ Version 9.5.1
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 9.5.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-rdbms
-
- New upstream release
+ Version 10.2.0b17
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 10.2.0b16
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 10.2.0b14
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-recoveryservicesbackup
-
- New upstream release
+ Version 9.2.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- New upstream release
+ Version 9.1.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- python-azure-mgmt-recoveryservices
-
- New upstream release
+ Version 3.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-redhatopenshift
-
- New upstream release
+ Version 1.5.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-redis
-
- New upstream release
+ Version 14.5.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- Update Requires from setup.py
- New upstream release
+ Version 14.4.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-resource
-
- New upstream release
+ Version 23.3.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 23.2.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- Update Requires from setup.py
- New upstream release
+ Version 23.1.1
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Remove temporary version override
- Remove unzip package from BuildRequires
- Switch source archive format to TAR.GZ
- Update Requires from setup.py
- python-azure-mgmt-servicefabricmanagedclusters
-
- New upstream release
+ Version 2.0.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Drop extra LICENSE.txt as upstream now ships its own
- Remove temporary version override
- Rename LICENSE.txt to LICENSE in %files section
- python-azure-mgmt-servicelinker
-
- New upstream release
+ Version 1.2.0b3
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- New upstream release
+ Version 1.2.0b2
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Remove unzip package from BuildRequires
- Switch source archive format to TAR.GZ
- Update Requires from setup.py
- python-azure-mgmt-signalr
-
- New upstream release
+ Version 2.0.0b2
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- python-azure-mgmt-sql
-
- New upstream release
+ Version 4.0.0b21
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 4.0.0b20
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 4.0.0b19
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Adjust upstream source name in spec file
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- Update Requires from setup.py
- New upstream release
+ Version 4.0.0b18
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 4.0.0b17
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 4.0.0b16
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-mgmt-storage
-
- New upstream release
+ Version 21.2.1
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- New upstream release
+ Version 21.2.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- Update Requires from setup.py
- python-azure-multiapi-storage
-
- New upstream release
+ Version 1.4.0
+ For detailed information about changes see the
README.rst file provided with this package
- New upstream release
+ Version 1.3.0
+ For detailed information about changes see the
README.rst file provided with this package
- Drop extra LICENSE.txt as upstream now ships its own
- Rename LICENSE.txt to LICENSE in %files section
- python-azure-synapse-artifacts
-
- New upstream release
+ Version 0.19.0
+ For detailed information about changes see the
CHANGELOG.md file provided with this package
- python-msal-extensions
-
- Update to version 1.3.1
* Do not install tests in site-packages by @musicinmybrain in (#139)
* Also dropped Python 3.7 and 3.8 since this release
- from version 1.3.0
* Fix a typo in README.md (persistance/persistence)
by @musicinmybrain in (#133)
* Maintenance by @rayluo in (#137)
* Allow portalocker version 3 by @musicinmybrain in (#136)
* Make portalocker optional (opt in by pip install
msal-extensions[portalocker]) by @rayluo in (#117)
- Drop me_relax-portalocker.patch, fixed upstream
- Add patch to relax python-portalocker version dependency in setup.py
+ me_relax-portalocker.patch
- Relax python-portalocker version dependency in BuildRequires and Requires
- Update to version 1.2.0
+ Remove mentions of Travis CI by @akx in (#126)
+ Set proper lower bound for portalocker dependency,
drop packaging dependency by @akx in (#125)
+ Switch to MSAL 1.29+'s TokenCache.search()
by @rayluo in (#131)
- Remove temporary version override
- Update BuildRequires and Requires from setup.py
- Update to version 1.2.0b1
+ MSAL Extensions has been updated to work with
MSAL Python 1.27.* and 1.28.* (#127, #128)
- Adjust upstream source name in spec file
- Override upstream version with 1.2.0~b1
- Update Requires from setup.py
- python-msal
-
- Update to version 1.32.3
* Fix a regression on Azure Arc / on-prem servers (#814, #815)
- from version 1.32.2
* Bugfix for Authentication Failed: MsalResponse object has no
attribute 'headers' (#812)
- from version 1.32.1
* Optimization on cache
- Update to version 1.32.0
* Refactor to allow adding new field into cache key
and/or content by @rayluo in (#751)
* Warning when obsolete msal-extensions is detected
by @rayluo in (#752)
* Add msal_cache.bin to .gitignore by @DharshanBJ in (#753)
* MSAL will use env var MSAL_FORCE_REGION by default
by @rayluo in (#756)
* Allow MI endpoint changing through environment variable
by @jimdigriz in (#754)
* Revert "allow MI endpoint changing through environment
variable" by @rayluo in (#769)
* Fix document for using SystemAssigned managed identity
by @jiasli in (#764)
* Suppress a false positive CodeQL alarm by @rayluo in (#783)
* Pass Sku and Ver to MsalRuntime by @Ugonnaak1 in (#786)
* Try to suppress another verify=False by @rayluo in (#788)
* Supports dSTS by ClientApplication(..., authority=
"https://...example.com/dstsv2/...") by @rayluo in (#772)
* Add test case to show that OBO supports SP by @rayluo in (#481)
* Enable Issue-Sentinel to scan for similar issues by @DharshanBJ in (#790)
* Support pod identity by @rayluo in (#795)
* Scope to resource by @rayluo in (#785)
- Update to version 1.31.2b1
* acquire_token_interactive(...) supports scope with the shape of
"GUID/.default" when running inside Cloud Shell (#784, #785)
- Override upstream version with 1.31.2~b1
- Update to version 1.31.1
* Bugfix: The Managed Identity detection logic on Arc (#731)
had a bug (#762), now fixed in PR (#763)
- Update to version 1.31.0
* Integration with Broker-on-Mac in (#596)
* Change Managed Identity detection logic on Arc in (#731)
* Managed Identity supports CAE in (#730)
* Support Managed Identity on Azure Container
Instance (ACI) with Resource id in (#741)
* Other refactoring in (#740)
- Update to version 1.30.0
* New feature: Support Subject Name/Issuer authentication when using
.pfx certificate file. Documentation available in one of the recent
purple boxes here. (#718)
* New feature: Automatically use SHA256 and PSS padding when using
.pfx certificate on non-ADFS, non-OIDC authorities. (#722)
* New feature: Expose refresh_on (if any) to fresh or cached response,
so that caller may choose to proactively call acquire_token_silent()
early. (#723)
* Bugfix for token cache search. MSAL 1.27+ customers please upgrade
to MSAL 1.30+. (#717)
- Update to version 1.29.0
* New feature: Supports Managed Identity for Azure VM, App Service
(including Azure Functions, Azure Automation), Service Fabric,
Azure Machine Learning, Arc, etc.. Comes with a sample, its
configuration via ENV VAR, and its API documentation.
(#58, #480, #634, #674)
* New feature: Support reading ConfidentialClientApplication's
cert from a pfx file (#684, #699)
* New feature: TokenCache class has a new search() method which will
return a generator of tokens. The old find() method still exists and
returns a list, but MSAL 1.27+ will not call find() anymore. (#693, #644)
* Change: Re-enable the username password flow to go through broker,
if available. (#712)
- from version 1.28.1
* Change: pip install msal[broker] will now pick up the latest PyMsalRuntime
0.16.x which contains a bugfix for being run as administrator. This release
fixes #707.
- Update to version 1.28.0
* New feature: PublicClientApplication and ConfidentialClientApplication
have a new oidc_authority parameter that can be used to specify authority
of any generic OpenID Connect authority, typically the customized domain
for CIAM. (#676, #678)
* Dropping Python 2.7
- from version 1.27.0
* New feature: remove_tokens_for_client() will remove tokens acquired
by acquire_token_for_client() (#640, #650, #666)
* Performance: Throughput of token-cache-hit happy path is roughly 2x faster (#644)
* Adjustment: MSAL no longer attempts to validate an ID token's time (#656, #657)
* Adjustment: Bump upstream broker dependency to 0.14.x
* Improvement: Better chance to remove accounts from broker (#651)
* Improvement: Cleaner console output when the http local server
is visited in https protocol (#546)
* Improvement: Reduce a bare except clause (#667)
- protobuf
-
- Add CVE-2025-4565.patch to fix parsing of untrusted Protocol Buffers
data containing an arbitrary number of recursive groups or messages
can lead to crash due to RecursionError (bsc#1244663, CVE-2025-4565)
- samba
-
- Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876).