- apparmor
-
- Allow dovecot-auth to execute unix_chkpwd from /sbin, not only from /usr/bin
(bsc#1234452)
* Update dovecot-unix_chkpwd.diff
- ca-certificates-mozilla
-
- explit remove distruted certs, as the distrust does not get exported
correctly and the SSL certs are still trusted. (bsc#1240343)
- Entrust.net Premium 2048 Secure Server CA
- Entrust Root Certification Authority
- AffirmTrust Commercial
- AffirmTrust Networking
- AffirmTrust Premium
- AffirmTrust Premium ECC
- Entrust Root Certification Authority - G2
- Entrust Root Certification Authority - EC1
- GlobalSign Root E46
- GLOBALTRUST 2020
- remove-distrusted.patch: apply to certdata.txt
- Fix awk to compare (missing a =) and give the following output:
[#] NSS_BUILTINS_LIBRARY_VERSION "2.74"
- pass file argument to awk (bsc#1240009)
- update to 2.74 state of Mozilla SSL root CAs:
Removed:
* SwissSign Silver CA - G2
Added:
* D-TRUST BR Root CA 2 2023
* D-TRUST EV Root CA 2 2023
- remove extensive signature printing in comments of the cert
bundle
- Define two macros to break a build cycle with p11-kit.
- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798)
Removed:
- SecureSign RootCA11
- Security Communication RootCA3
Added:
- TWCA CYBER Root CA
- TWCA Global Root CA G2
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15
- cpupower
-
- For latest changelog entries, please look up the changelog of
a kernel-FLAVOR or kernel-source with the exact same version and
release build number.
rpm -q --changelog kernel-source |grep "turbostat\|intel-speed-select|cpupower"
- docker
-
- Don't use the new container-selinux conditional requires on SLE-12, as the
RPM version there doesn't support it. Arguably the change itself is a bit
suspect but we can fix that later. bsc#1237367
- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
+ 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
+ 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Make container-selinux requirement conditional on selinux-policy
(bsc#1237367)
- dracut
-
- Update to version 059+suse.557.gccd6ab94:
* fix(iscsi): make sure services are shut down when switching root (bsc#1237695)
* fix(iscsi): don't require network setup for qedi
* fix(network-legacy): do not require pgrep when using wicked (bsc#1236982)
- gettext-runtime
-
- Fix crash while handling po files with malformed header and
process them properly
(0003-Fix-malformed-header-processing.patch, boo#1227316).
- hwinfo
-
- merge gh#openSUSE/hwinfo#152
- avoid reporting of spurious usb storage devices (bsc#1223330)
- 21.87
- merge gh#openSUSE/hwinfo#151
- do not overdo usb device de-duplication (bsc#1239663)
- 21.86
- freetype2
-
- Added patch:
* CVE-2025-27363.patch
+ fixes bsc#1239465, CVE-2025-27363: out-of-bounds write when
attempting to parse font subglyph structures related to
TrueType GX and variable font files
- xz
-
- Add CVE-2025-31115.patch
* Fix heap use after free and writing to an address based on the null
pointer plus an offset (CVE-2025-31115, bsc#1240414)
- python3
-
- Update CVE-2024-11168-validation-IPv6-addrs.patch
according to the Debian version
(gh#python/cpython#103848#issuecomment-2708135083).
- systemd
-
- Import commit 83b9060b6e4c9cdffbbed0e27467cbd2f806dc0d
09b7477895 udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- Drop 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch
The path has been merged into the SUSE/v254 branch.
- Import commit 2b599c7501253b0e6b7987fdb2676af21bc72ab3 (merge of v254.24)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/b25faa18ee7ef3c2d0b16416dfa331d0013dd112...2b599c7501253b0e6b7987fdb2676af21bc72ab3
- Import commit b25faa18ee7ef3c2d0b16416dfa331d0013dd112
b4693652f3 journald: close runtime journals before their parent directory removed
044d051f0c journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
It is likely an oversight from when systemd-userdb was migrated from the
experimental package to the main one.
- openssh
-
- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2
due to gssapi proposal not being correctly initialized
(bsc#1236826). The problem was introduced in the rebase of
the patch for 9.6p1:
* openssh-8.0p1-gssapi-keyex.patch
- Rebase patch and apply it:
* fix-memleak-in-process_server_config_line_depth.patch
- python-azure-agent
-
- Add a new version of paa_force_py3_sle15.patch to compensate for
missing Python RPM macros in older distros
- Update to version 2.12.04 (bsc#1235140)
+ Remove agent-no-auto-update.patch handeled by config file specialization
sub-packages
+ Remove paa_force_py3_sle15.patch handled by RPM macro
+ Remove agent-micro-is-sles.patch included upstream
+ Forward port paa_12_sp5_rdma_no_ext_driver.patch
+ Forward port remove-mock.patch
+ Add paa_direct_exec_in_service.patch
~ The waagent script is executable and we set the proper interpreter
using the macro for multibuild python. Do prefix the execution in the
service file wit the interpreter
+ Fix install_requires list syntax
+ Update spec file
~ Remove conditions for distros no longer maintained
~ Simplify build and install conditionals using macros
+ Enable GA versioning #3082 #3184 #3189
+ Cgroups api refactor for v2 #3096 #3135 #3188 #3196
+ Fix JIT for FIPS 140-3 #3190
+ reset network service unit file if python version changes #3058
+ Recognize SLE-Micro as a SLE based distribution #3048
+ Add distutils/version.py to azurelinuxagent #3063
+ Use legacycrypt instead of crypt on Python >= 3.13 #3070
+ Fix osutil/default route_add to pass string array. #3072
+ Fix argument to GoalState.init #3073
+ Add lock around access to fast_track.json #3076
+ Add DistroVersion class to compare distro versions #3078
+ LogCollector should skip and log warning for files that don't exist #3098
+ check for unexpected process in agent cgroups before cgroups enabled #3103
+ [Redo with correct source/target]: Remove check for "ibXX" interface
format and rework mac-address regex to expand support #3150
+ Fix Ubuntu version codename for 24.04 #3159
+ Update test certificate data #3166
+ move setupslice after cgroupsv2 check, remove unit file for
log collector and remove fiirewall daemon-reload #3223
+ Address pylint warning deprecated-method #3059
+ Run pylint on Python 3.11 #3067
+ Run unit tests with pytest on Python >= 3.10
+ Log logcollector cgroups if process is found in unexpected slice #3107
+ remove secret and use cert for aad app in e2e pipeline #3116
+ suppress pylint warn contextmanager-generator-missing-cleanup #3138
+ Switching to SNI based authentication for aad app #3137
+ updated PR template #3144
+ Avoiding mocked exception from being lost on test when using
python 3.12: complete mocked info #3149
+ Add more useful logging statement for agent unit properties #3154
+ Remove wireserver fallback for imds calls #3152
+ Remove unused import #3155
+ Add support for Azure Linux 3 #3183
+ Fix pytest warnings #3084
+ Allow use of node 16 #3160
+ Send controller/cgroup path telemetry #3231
From 2.13.0.2
+ #3221 Add support for nftables (+ refactoring of firewall code)
+ #3239 Create walinuxagent nftable atomically
+ Features in progress (Verify extension signature/Policy Enforcement)
+ #3200 Parse encodedSignature property from EGS
+ #3187 Add Regorus policy engine framework
+ #3222 Remove Regorus and platform check for policy enforcement
+ #3242 Telemetry (update logcollector telemetry with common properties)
+ #3208 Handle non-boolean when parsing extension manifests
+ #3211 Fix unicode type check when parsing extension manifests
+ #3133 Telemetry: high-priority events
+ #3240 Telemetry: report apparent dead code
+ #3210 Cleanup: remove AMA extension services cgroups tracking code
+ #3197 Accommodate the new behavior in OpenSSL 3.2.2 when given an
empty input
From 2.11.1.12
+ Remove multi config extension status only on extension delete #3172
From 2.111.1.4
+ General Improvements
+ Improvements in telemetry for firewall settings #3110, #3124
From 2.10.0.8
+ GA versioning #2810 #2850 #2860 #2881 #2974 #3004 #3015 #3033
+ Disabled GA versioning #2909 #2917 #3044
+ Add regular expression to match logs from very old agents #2839
+ Remove empty "distro" module #2854
+ Enable Python 2.7 for unit tests #2856
+ Add check for noexec on Permission denied errors #2859
+ Reorganize file structure of unit tests #2894
+ Report useful message when extension processing is disabled #2895
+ Add log and telemetry event for extension disabled #2897
+ Cleanup common directory #2902
+ Fix agent memory usage check #2903
+ enable rhel/centos agent-cgroups #2922
+ Add support for EC certificates #2936
+ Add Cpu Arch in local logs and telemetry events #2938
+ Clarify support status of installing from source. #2941
+ Gathering Guest ProxyAgent Log Files #2975
+ Remove debug info from waagent.status.json #2971
+ Handle errors when adding logs to the archive #2982
+ Update supported Ubuntu versions #2980
+ Fix pylint warning #2988
+ Add information about HTTP proxies #2985
+ update the proxy agenet log folder for logcollector #3028
+ Add config parameter to wait for cloud-init
(Extensions.WaitForCloudInit) #3031 [Added in 2.10.0.8]
+ Adding AutoUpdate.UpdateToLatestVersion new flag support #3020 #3027
[Added in 2.10.0.8]
+ Check certificates only if certificates are included in goal state #2803
+ Redact access tokens from extension's output #2811
+ Fix name of single IB device when provisioning RDMA #2814
+ Port NSBSD system to the latest version of waagent #2828
+ fix daemon version #2874
+ fix version checking in setup.py #2920
+ fix(ubuntu): Point to correct dhcp lease files #2979
+ Download certs on FT GS after check_certificates only when missing
from disk #2907
+ Add support for EC certificates (#2936) #2943 [Added in 2.10.0.5]
+ Fix for "local variable _COLLECT_NOEXEC_ERRORS referenced before
assignment" (#2935) #2944 [Added in 2.10.0.5]
+ Cache daemon version #2942 #2946 [Added in 2.10.0.5]
+ undo get daemon version change #2951 [Added in 2.10.0.5]
+ fix self-update frequency to spread over 24 hrs for regular type
and 4 hrs for hotfix #2948 [Added in 2.10.0.5]
+ ignore dependencies from extensions that do not have settings #2957
[Added in 2.10.0.6]
+ Do not reset the mode of a extension's log directory #3014
[Added in 2.10.0.8]
+ skip cgroup monitoring if log collector doesn't start by the agent.
[#2939] [Added in 2.10.0.8]
+ NM should not be restarted during hostname publish if NM_CONTROLLED=y
[#3008] [Added in 2.10.0.8]
+ Daemon should remove stale published_hostname file and log
useful warning #3016 [Added in 2.10.0.8]
+ Revert changes to publish_hostname in RedhatOSModernUtil #3032
[Added in 2.10.0.8]
+ Recover primary nic if down after publishing hostname in
RedhatOSUtil #3024 [Added in 2.10.0.8]
- fix a few typos in the spec file and use proper macros where
applicable
- remove python3 requires
- python-Jinja2
-
- Add security patch CVE-2025-27516.patch (bsc#1238879)
- suse-build-key
-
- changed keys to use SHA256 UIDs instead of SHA1. (bsc#1237294
bsc#1236779 jsc#PED-12321)
- gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc
- gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc
- suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted
- vim
-
- Introduce patch to fix bsc#1235751 (regression).
* vim-9.1.1134-revert-putty-terminal-colors.patch
- Update to 9.1.1176. Changes:
* 9.1.1176: wrong indent when expanding multiple lines
* 9.1.1175: inconsistent behaviour with exclusive selection and motion commands
* 9.1.1174: tests: Test_complete_cmdline() may fail
* 9.1.1173: filetype: ABNF files are not detected
* 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file
* 9.1.1171: tests: wrong arguments passed to assert_equal()
* 9.1.1170: wildmenu highlighting in popup can be improved
* 9.1.1169: using global variable for get_insert()/get_lambda_name()
* 9.1.1168: wrong flags passed down to nextwild()
* 9.1.1167: mark '] wrong after copying text object
* 9.1.1166: command-line auto-completion hard with wildmenu
* 9.1.1165: diff: regression with multi-file diff blocks
* 9.1.1164: [security]: code execution with tar.vim and special crafted tar files
* 9.1.1163: $MYVIMDIR is set too late
* 9.1.1162: completion popup not cleared in cmdline
* 9.1.1161: preinsert requires bot "menu" and "menuone" to be set
* 9.1.1160: Ctrl-Y does not work well with "preinsert" when completing items
* 9.1.1159: $MYVIMDIR may not always be set
* 9.1.1158: :verbose set has wrong file name with :compiler!
* 9.1.1157: command completion wrong for input()
* 9.1.1156: tests: No test for what patch 9.1.1152 fixes
* 9.1.1155: Mode message not cleared after :silent message
* 9.1.1154: Vim9: not able to use autoload class accross scripts
* 9.1.1153: build error on Haiku
* 9.1.1152: Patch v9.1.1151 causes problems
* 9.1.1151: too many strlen() calls in getchar.c
* 9.1.1150: :hi completion may complete to wrong value
* 9.1.1149: Unix Makefile does not support Brazilian lang for the installer
* 9.1.1148: Vim9: finding imported scripts can be further improved
* 9.1.1147: preview-window does not scroll correctly
* 9.1.1146: Vim9: wrong context being used when evaluating class member
* 9.1.1145: multi-line completion has wrong indentation for last line
* 9.1.1144: no way to create raw strings from a blob
* 9.1.1143: illegal memory access when putting a register
* 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined
* 9.1.1141: Misplaced comment in readfile()
* 9.1.1140: filetype: m17ndb files are not detected
* 9.1.1139: [fifo] is not displayed when editing a fifo
* 9.1.1138: cmdline completion for :hi is too simplistic
* 9.1.1137: ins_str() is inefficient by calling STRLEN()
* 9.1.1136: Match highlighting marks a buffer region as changed
* 9.1.1135: 'suffixesadd' doesn't work with multiple items
* 9.1.1134: filetype: Guile init file not recognized
* 9.1.1133: filetype: xkb files not recognized everywhere
* 9.1.1132: Mark positions wrong after triggering multiline completion
* 9.1.1131: potential out-of-memory issue in search.c
* 9.1.1130: 'listchars' "precedes" is not drawn on Tabs.
* 9.1.1129: missing out-of-memory test in buf_write()
* 9.1.1128: patch 9.1.1119 caused a regression with imports
* 9.1.1127: preinsert text is not cleaned up correctly
* 9.1.1126: patch 9.1.1121 used a wrong way to handle enter
* 9.1.1125: cannot loop through pum menu with multiline items
* 9.1.1124: No test for 'listchars' "precedes" with double-width char
* 9.1.1123: popup hi groups not falling back to defaults
* 9.1.1122: too many strlen() calls in findfile.c
* 9.1.1121: Enter does not insert newline with "noselect"
* 9.1.1120: tests: Test_registers fails
* 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script
* 9.1.1118: tests: test_termcodes fails
* 9.1.1117: there are a few minor style issues
* 9.1.1116: Vim9: super not supported in lambda expressions
* 9.1.1115: [security]: use-after-free in str_to_reg()
* 9.1.1114: enabling termguicolors automatically confuses users
* 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds
* 9.1.1112: Inconsistencies in get_next_or_prev_match()
* 9.1.1111: Vim9: variable not found in transitive import
* 9.1.1110: Vim tests are slow and flaky
* 9.1.1109: cmdexpand.c hard to read
* 9.1.1108: 'smoothscroll' gets stuck with 'listchars' "eol"
* 9.1.1107: cannot loop through completion menu with fuzzy
* 9.1.1106: tests: Test_log_nonexistent() causes asan failure
* 9.1.1105: Vim9: no support for protected new() method
* 9.1.1104: CI: using Ubuntu 22.04 Github runners
* 9.1.1103: if_perl: still some compile errors with Perl 5.38
* 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename
- xen
-
- bsc#1219354 - xen channels and domU console
67c86fc1-xl-fix-channel-configuration-setting.patch
- bsc#1237692 - When attempting to start guest vm's libxl fills disk with errors
67d2a3fe-libxl-avoid-infinite-loop-in-libxl__remove_directory.patch
- Upstream bug fixes (bsc#1027519)
67b4961e-console-dont-truncate-panic-messages.patch
67b49d86-memory-resource_max_frames-retval.patch
67b5d27c-SVM-separate-STI-from-VMRUN.patch
67cb03e0-x86-vlapic-ESR-write-handling.patch
67d17edd-x86-expose-MSR_FAM10H_MMIO_CONF_BASE-on-AMD.patch
67d17ede-VT-x-PI-usage-of-msi_desc-msg-field.patch
- bsc#1238043 - VUL-0: CVE-2025-1713: xen: deadlock potential with
VT-d and legacy PCI device pass-through (XSA-467)
67c06178-x86-IOMMU-bus-to-bridge-lock-acquired-IRQ-safe.patch
- Xen call trace and APIC Error found after reboot operation on AMD
machine (bsc#1233796)
67acb684-x86-offline-APs-with-IRQs-disabled.patch
67acb685-x86-SMP-disable-IRQs-ahead-of-AP-shutdown.patch
67acb686-x86-PCI-disable-MSI-at-shutdown.patch
67acb687-x86-IOMMU-disable-IRQs-at-shutdown.patch
- Upstream bug fixes (bsc#1027519)
66dedebf-x86-HVM-recursion-in-linear-rw.patch
677bcb65-x86-traps-rework-LER-init-and.patch
677c1a7c-x86-AMD-misc-setup-for-Fam1A.patch
67921698-x86-HVM-MMIO-emul-cache-bounds-check.patch
67935a31-x86-HVM-dyn-alloc-emul-cache-ents.patch
67935a4c-x86-HVM-rw-split-at-page.patch
67977673-x86-IOMMU-check-CMPXCHG16B-when-enabling.patch
67977677-AMD-IOMMU-atomically-update-IRTE.patch
679796ff-x86-PV-further-harden-guest-mem-access.patch
67a5cb5f-radix-tree-purge-node-alloc-hooks.patch
67a5cb94-radix-tree-introduce-RADIX_TREE_INIT.patch