ca-certificates-mozilla
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
dmidecode
- Update to upstream version 3.6 (jsc#PED-8574):
  * Support for SMBIOS 3.6.0. This includes new memory device types, new
    processor upgrades, and Loongarch support.
  * Support for SMBIOS 3.7.0. This includes new port types, new processor
    upgrades, new slot characteristics and new fields for memory modules.
  * Add bash completion.
  * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245.
  * Implement options --list-strings and --list-types.
  * Update HPE OEM records 203, 212, 216, 221, 233 and 236.
  * Update Redfish support.
  * Bug fixes:
    Fix enabled slot characteristics not being printed
  * Minor improvements:
    Print slot width on its own line
    Use standard strings for slot width
  * Add a --no-quirks option.
  * Drop the CPUID exception list.
  * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch,
    dmidecode-fortify-entry-point-length-checks.patch,
    dmidecode-split-table-fetching-from-decoding.patch,
    dmidecode-write-the-whole-dump-file-at-once.patch,
    dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch,
    dmioem-hpe-oem-record-237-firmware-change.patch,
    dmioem-typo-fix-virutal-virtual.patch,
    ensure-dev-mem-is-a-character-device-file.patch,
    news-fix-typo.patch and
    use-read_file-to-read-from-dump.patch.
  Update for HPE servers from upstream:
- dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in
  HPE type 238 records.
dracut
- Update to version 059+suse.531.g48487c31:
  * feat(systemd*): include systemd config files from /usr/lib/systemd (bsc#1228398)
  * fix(convertfs): error in conditional expressions (bsc#1228847)
grub2
- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch

- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)
  * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
util-linux
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).

- Document unexpected side effects of lazy destruction
  (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch,
  util-linux-umount-losetup-lazy-destruction-generated.patch).

- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them. (bsc#1222285)
cryptsetup
- cryptsetup-fips140-3.patch: extend the password for PBKDF2 benchmarking
  to be more than 20 chars to meet FIPS 140-3 requirements (bsc#1229975)
ldb
- Update to 2.8.1
  * Many qsort() comparison functions are non-transitive, which
    can lead to out-of-bounds access in some circumstances;
    (bso#15625).
nfs-utils
- Include source for libnfsidmap 0.26 and build that.
  This is needed for compatibility with SLE15-SP5 and earlier
  (bsc#1228159)
  Copied from old nfsidmap package:
    libnfsidmap-0.26.tar.bz2
    idmap-fix-prototype.patch
    idmap-libnfsidmap-export-symbols.patch
    idmap-0001-libnfsidmap-add-options-to-aid-id-mapping-in-multi-d.patch
    idmap-0002-nss_gss_princ_to_ids-and-nss_gss_princ_to_grouplist-.patch
    idmap-0001-Removed-some-unused-and-set-but-not-used-warnings.patch
    idmap-0002-Handle-NULL-names-better.patch
    idmap-0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch
    idmap-0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch
    idmap-0005-nss.c-wrong-check-of-return-value.patch
    idmap-0006-Fixed-a-memory-leak-nss_name_to_gid.patch
openssl-1_1
- Build with no-afalgeng [bsc#1226463]

- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch

- Fixed C99 violations in patches bsc1185319-FIPS-KAT-for-ECDSA.patch
  (need for explicit typecast) and
  openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
  (missing include) to allow the package to build with GCC 14.
  [boo#1225907]
openssl-3
- Security fix: [bsc#1229465, CVE-2024-6119]
  * possible denial of service in X.509 name checks
  * openssl-CVE-2024-6119.patch
pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
permissions
- Update to version 20240826:
  * permissions: remove outdated entries (bsc#1228968)

- Update to version 20240826:
  * cockpit: revert path change (bsc#1229329)
python-azure-agent
- Restart the agent (bsc#1227600)
  + The agent service gets restarted in post but may fail due to a missing
    config file. config files were split into their own package previously.
    When we detect that we have to restore a config file we also need
    to restart the agent again.
python-PyYAML
- reenable the cython yaml loader (bsc#1225641)
python3-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
rsyslog
- Upgrade to rsyslog 8.2406.0
- patches replaced by upgrade (see details in upgrade logs below)
    0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
  * 2023-11-29: Revert "Update omlibdbi.c"
  * 2023-11-21: imkmsg: add params "readMode" and "expectedBootCompleteSeconds"
  * 2023-11-10: testbench: fix "typo" in test case
  * 2023-11-08: omazureeventhubs: Corrected handling of transport closed failures
  * 2023-10-31: imkmsg: add module param parseKernelTimestamp
  * 2023-11-03: imfile: remove state file on file delete fix
  * 2023-10-30: imklog bugfix: keepKernelTimestamp=off config param did not work
  * 2023-10-30: Netstreamdriver: deallocate certificate related resources
  * 2023-10-20: TLS subsystem: add remote hostname to error reporting
  * 2023-10-21: Fix forking issue due to close_range call
  * 2023-10-23: replace debian sample systemd service file by readme
  * 2023-10-20: testbench: bump zookeeper version to match current offering
  * 2023-10-20: Update rsyslog.service sample unit to the latest version used in Debian Trixie
  * 2023-10-20: Only keep a single rsyslog.service for Debian
  * 2023-10-20: Remove no longer used --with-systemdsystemunitdir configure switch
  * 2023-10-18: use logind instead of utmp for wall messages with systemd
  * 2023-10-11: Typo fixes
  * 2023-10-11: Drop CAP_IPC_LOCK capability
  * 2023-10-04: Add CAP_NET_RAW capability due to the omudpspoof module
  * 2023-10-03: Add new global config option "libcapng.enable"
  * 2023-10-02: tcp net subsystem: handle data race gracefully
  * 2023-08-31: Avoid crash on restart in imrelp SIGTTIN handler
  - replaces 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
  * 2023-09-26: fix startup issue on modern systemd systems
  * 2023-09-14: Fix misspelling in message.
  * 2023-09-13: tcpflood bugfix: plain tcp send error not properly reported
  * 2023-09-12: omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set
  * 2023-08-02: testbench: cleanup and improve some more imfile tests
  * 2023-08-02: lookup tables: fix static analyzer issue
  * 2023-08-02: lookup tables bugfix: reload on HUP did not work when backgrounded
  * 2023-07-28: CI: fix and cleanup github workflow
  * 2023-03-07: imjournal: Support input module
  * 2023-07-28: testbench: make test more reliable
  * 2023-07-28: tcpflood: add -A option to NOT abort when sending fails
  * 2023-07-28: tcpflood: fix today's programming error
  * 2023-07-28: openssl: Replaced deprecated method SSLv23_method with TLS_method
  * 2023-07-27: testbench improvement: define state file directories for imfile tests
  * 2023-07-28: testbench: cleanup a test and some nitfixes to it
  * 2023-07-27: tcpflood bugfix: TCP sending was not implemented properly
  * 2023-07-26: testbench: make waiting for HUP processing more reliable
  * 2023-07-25: build system: make rsyslogd execute when --disable-inet is configured
  * 2023-07-25: CI: update zookeeper download to newer version
  * 2023-07-10: ossl driver: Using newer INIT API for OpenSSL 1.1+ Versions
  * 2023-07-11: ossl: Fix CRL File Expire from 1 day to 100 years.
  * 2023-07-06: PR5175: Add TLS CRL Support for GnuTLS driver and OpenSSL 1.0.2+
  * 2022-05-13: omazureeventhubs: Initial implementation of new output module
  * 2023-07-03: TLS CRL Support Issue 5081
  * 2023-06-29: action.resumeintervalmax: the parameter was not respected
  * 2023-06-28: IMHIREDIS::FIXED:: Restore compatibility with hiredis < v1.0.0
  * 2023-05-15: Add the 'batchsize' parameter to imhiredis
  * 2023-06-28: Clear undefined behavior in libgcry.c (GH #5167)
  * 2023-06-22: Do not try to drop capabilities when we don't have any
  * 2023-06-22: testbench: use newer zookeeper version in tests
  * 2023-06-22: build system: more precise error message on too-old lib
  * 2023-05-17: Fix quoting for omprog, improg, mmexternal
samba
- Fix a crash when joining offline and 'kerberos method' includes
  keytab; (bsc#1228732);
- Fix reading the password from STDIN or environment vars if it
  was already given in the command line; (bsc#1228732);

- Update to 4.19.7
  * ldb qsort might r/w out of bounds with an intransitive
    compare function (ldb 2.8.1 is already released);
    (bso#15569).
  * Many qsort() comparison functions are non-transitive, which
    can lead to out-of-bounds access in some circumstances (ldb
    2.8.1 is already released); (bso#15625).
  * Need to change gitlab-ci.yml tags in all branches to avoid CI
    bill; (bso#15638).
  * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
    SysvolReady=0; (bso#14981).
  * Anonymous smb3 signing/encryption should be allowed (similar
    to Windows Server 2022); (bso#15412).
  * Panic in dreplsrv_op_pull_source_apply_changes_trigger;
    (bso#15573).
  * winbindd, net ads join and other things don't work on an ipv6
    only host; (bso#15642).
  * Smbcacls incorrectly propagates inheritance with Inherit-Only
    flag; (bso#15636).
  * http library doesn't support 'chunked transfer encoding';
    (bso#15611).
- Update to 4.19.6
  * fd_handle_destructor() panics within an smbd_smb2_close() if
    vfs_stat_fsp() fails in fd_close(); (bso#15527).
  * samba-gpupdate: Correctly implement site support;
    (bso#15588).
  * libgpo: Segfault in python bindings; (bso#15599).
  * Packet marshalling push support missing for
    CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
    CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580).
supportutils
- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc
xen
- Update to Xen 4.18.3 security bug fix release (bsc#1027519)
  xen-4.18.3-testing-src.tar.bz2
  * No upstream changelog found in sources or webpage
- bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86
  IOMMU identity mapping (XSA-460)
- bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through
  with shared resources (XSA-461)
- Dropped patches contained in new tarball
  6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch
  6627a5fc-x86-MTRR-inverted-WC-check.patch
  662a6a4c-x86-spec-reporting-of-BHB-clearing.patch
  662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch
  663090fd-x86-gen-cpuid-syntax.patch
  663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch
  663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch
  663d05b5-x86-ucode-distinguish-up-to-date.patch
  663eaa27-libxl-XenStore-error-handling-in-device-creation.patch
  66450626-sched-set-all-sched_resource-data-inside-locked.patch
  66450627-x86-respect-mapcache_domain_init-failing.patch
  6646031f-x86-ucode-further-identify-already-up-to-date.patch
  6666ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch
  666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch
  666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch
  666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch
  666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch
  666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch
  667187cc-x86-Intel-unlock-CPUID-earlier.patch
  66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch
  6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch
  6672c846-x86-xstate-initialisation-of-XSS-cache.patch
  6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch
  6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch
  xsa458.patch
xfsprogs
- xfs_repair: allow symlinks with short remote targets (bsc#1229160)
  - add xfsprogs-xfs_repair-allow-symlinks-with-short-remote-targets.patch