bash
- Add bsc1197674.patch to fix memory leak in array assignment (bsc#1197674)
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cloud-regionsrv-client
- Update to version 10.0.3 (bsc#1198389)
  - Descend into the extension tree even if top level module is recommended
  - Cache license state for AHB support to detect type switch
  - Properly clean suse.com credentials when switching from SCC to update
    infrastructure
  - New log message to indicate base product registration success
crmsh
- Update to version 4.1.1+git.1647830282.d380378a:
  * medium: utils: update detect_cloud pattern for aws (bsc#1197351)
fence-agents
- (bsc#1196350) fence_gce updates pull from Clusterlabs repo
  - Apply proposed upstream patch
    0001-fence_gce-Add-timeouts-and-failure-options-458.patch
gzip
- Fix escaping of malicious filenames (CVE-2022-1271 bsc#1198062)
  * bsc1198062.patch
jasper
- bsc#1184757 CVE-2021-3467: Fix NULL pointer deref in jp2_decode()
  Add jasper-CVE-2021-3467.patch
- bsc#1184798 CVE-2021-3443: Fix NULL pointer deref in jp2_decode()
  Add jasper-CVE-2021-3443.patch
- bsc#1182104 CVE-2021-26927: Fix NULL pointer deref in jp2_decode()
  bsc#1182105 CVE-2021-26926: Fix Out of bounds read in jp2_decode()
  Add jasper-CVE-2021-26926-CVE-2021-26927.patch
kdump
- Update kdump-add-watchdog-modules.patch
  Fix return code when no watchdog sysfs entry is found (bsc#1197069)
kernel-default
- Update
  patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
  references (add CVE-2022-28356 bsc#1197391).
- commit 658b50e
- netfilter: nf_tables: initialize registers in nft_do_chain()
  (CVE-2022-1016 bsc#1197227).
- commit 4726ea9
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit caaa7d4
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
  in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28390 bsc#1198031).
- commit 2396928
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
- tcp: change source port randomization at connect() time
  (bsc#1180153).
- commit c5e24fe
- xprtrdma: fix incorrect header size calculations (CVE-2022-0812
  bsc#1196639).
- commit 19d5b1d
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit 62bc950
- series sort
- commit 6f57f5d
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562
  bsc#1196761 CVE-2022-0850).
- commit 91866e7
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
  (bsc#1196836 CVE-2022-26966).
  fixed typo in References
- commit e04f4f1
- x86/tsc: Make calibration refinement more robust (bsc#1196573).
- commit cbea5b9
- esp: Fix possible buffer overflow in ESP transformation
  (bsc#1197131 CVE-2022-0886).
- commit d9e58bc
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 0ee241b
- quota: check block number when reading the block in quota file
  (bsc#1197366 CVE-2021-45868).
- commit b7d9616
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit f284bec
- Fixing a series_sort.py issue for a patch
  The patch: blk-mq-move-_blk_mq_update_nr_hw_queues-synchronize_rcu-call
  was placed at the end of the sorted section by series_insert.py at
  one time, but now series_sort.py is complaining. So move this patch
  to later in series.conf, outside of the sorted section, making
  series_sort.py happy.
- commit a65cae5
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit 0f72275
- macros.kernel-source: Fix conditional expansion.
  Fixes: bb95fef3cf19 ("rpm: Use bash for %() expansion (jsc#SLE-18234).")
- commit 7e857f7
- rpm: Use bash for %() expansion (jsc#SLE-18234).
  Since 15.4 alternatives for /bin/sh are provided by packages
  <something>-sh. While the interpreter for the build script can be
  selected the interpreter for %() cannot.
  The kernel spec files use bashisms in %().
  While this could technically be fixed there is a more serious underlying
  problem: neither bash nor any of the alternatives are 100% POSIX
  compliant nor bug-free.
  It is not my intent to maintain bug compatibility with any number of
  shells for shell scripts embedded in the kernel spec file. The spec file
  syntax is not documented so embedding the shell script in it causes some
  unspecified transformation to be applied to it. That means that
  ultimately any changes must be tested by building the kernel, n times if
  n shells are supported.
  To reduce maintenance effort require that bash is used for kernel build
  always.
- commit bb95fef
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
  (bsc#1196018).
- commit 95d7e2c
- net: usb: ax88179_178a: fix packet alignment padding
  (bsc#1196018).
- commit 065384f
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
  (bsc#1196018).
- commit f59903f
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
  (bac#1196836 CVE-2022-26966).
  added CVE number
- commit 7e940d6
- rpm: Run external scriptlets on uninstall only when available
  (bsc#1196514 bsc#1196114 bsc#1196942).
  When dependency cycles are encountered package dependencies may not be
  fulfilled during zypper transaction at the time scriptlets are run.
  This is a problem for kernel scriptlets provided by suse-module-tools
  when migrating to a SLE release that provides these scriptlets only as
  part of LTSS. The suse-module-tools that provides kernel scriptlets may
  be removed early causing migration to fail.
- commit ab8dd2d
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- rpm/kernel-source.spec.in: call fdupes per subpackage
  It is a waste of time to do a global fdupes when we have
  subpackages.
- commit 1da8439
- net: sched: use Qdisc rcu API instead of relying on rtnl lock
  (bsc#1196973 CVE-2021-39713).
- net: sched: add helper function to take reference to Qdisc
  (bsc#1196973 CVE-2021-39713).
- net: sched: extend Qdisc with rcu (bsc#1196973 CVE-2021-39713).
- net: sched: rename qdisc_destroy() to qdisc_put() (bsc#1196973
  CVE-2021-39713).
- net: core: netlink: add helper refcount dec and lock function
  (bsc#1196973 CVE-2021-39713).
- commit a22ecb0
- xen/netfront: react properly to failing
  gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
  CVE-2022-23042).
- commit 2b38f30
- xen/gnttab: fix gnttab_end_foreign_access() without page
  specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 7149843
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
  CVE-2022-23041).
- commit a920e1c
- xen/usb: don't use gnttab_end_foreign_access() in
  xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit e8ca175
- xen/gntalloc: don't use gnttab_query_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23039).
- commit 02e08de
- xen/scsifront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit 78fd62a
- xen/netfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 335a138
- xen/blkfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 69cc608
- xen/grant-table: add gnttab_try_end_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit d8d4a06
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
  error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 9eb0e70
- genirq: Use rcu in kstat_irqs_usr() (bsc#1193738).
- commit b6e9db8
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
  (git-fixes).
- commit af60176
- Refresh
  patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit ee8e3fd
- Refresh
  patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 29bb7f5
- rpm/kernel-docs.spec.in: use %%license for license declarations
  Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- sr9700: sanity check for packet length (bsc#1196836).
- commit 7ac3395
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  (CVE-2022-26490 bsc#1196830).
- commit 47ae8c5
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 43f0d0b
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 4fdd4d6
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
  There is a check in OBS that fails when it is included. Also the key is
  not reproducible.
  Fixes: bb988d4625a3 ("kernel-binary: Do not include sourcedir in certificate path.")
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- kernel-binary: Do not include sourcedir in certificate path.
  The certs macro runs before build directory is set up so it creates the
  aggregate of supplied certificates in the source directory.
  Using this file directly as the certificate in kernel config works but
  embeds the source directory path in the kernel config.
  To avoid this symlink the certificate to the build directory and use
  relative path to refer to it.
  Also fabricate a certificate in the same location in build directory
  when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- kernel-obs-build: include 9p (boo#1195353)
  To be able to share files between host and the qemu vm of the build
  script, the 9p and 9p_virtio kernel modules need to be included in
  the initrd of kernel-obs-build.
- commit 0cfe67a
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correct
  directory (bsc#1195051).
- commit c80b5de
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
  Using the default path is broken since Linux 5.17
- commit 68b36f0
- fix rpm build warning
  tumbleweed rpm is adding these warnings to the log:
  It's not recommended to have unversioned Obsoletes: Obsoletes:      microcode_ctl
- commit 3ba8941
- build initrd without systemd
  This reduces the size of the initrd by over 25%, which
  improves startup time of the virtual machine by 0.5-0.6s on
  very fast machines, more on slower ones.
- commit ef4c569
- kernel-obs-build: remove duplicated/unused parameters
  lbs=0 - this parameter is just giving "unused parameter" and it looks
  like I can not find any version that implemented this.
  rd.driver.pre=binfmt_misc is not needed when setup_obs is used, it
  already loads the kernel module.
  quiet and panic=1 will now be also always added by OBS, so we don't have
  to set it here anymore.
- commit 972c692
- Revert "- rpm/*build: use buildroot macro instead of env variable"
  buildroot macro is not being expanded inside a shell script. go
  back to the environment variable usage. This reverts parts of
  commit e2f60269b9330d7225b2547e057ef0859ccec155.
- commit fe85f96
- kernel-obs-build: include the preferred kernel parameters
  Currently the Open Build Service hardcodes the kernel boot parameters
  globally. Recently functionality was added to control the parameters
  by the kernel-obs-build package, so make use of that. parameters here
  will overwrite what is used by OBS otherwise.
- commit a631240
- kernel-obs-build: inform build service about virtio-serial
  Inform the build worker code that this kernel supports virtio-serial,
  which improves performance and reliability of logging.
- commit 301a3a7
- rpm/*.spec.in: use buildroot macro instead of env variable
  The RPM_BUILD_ROOT variable is considered deprecated over
  a buildroot macro. future proof the spec files.
- commit e2f6026
- rpm/kernel-obs-build.spec.in: move to zstd for the initrd
  Newer distros have capability to decompress zstd, which
  provides a 2-5% better compression ratio at very similar
  cpu overhead. Plus this tests the zstd codepaths now as well.
- commit 3d53a5b
libsolv
- fix memory leaks in SWIG generated code
- fix misparsing of '&' in attributes with libxml2
- try to keep packages from a cycle close together in the
  transaction order [bsc#1189622]
- fix split provides not working if the update includes a
  forbidden vendor change [bsc#1195485]
- fix segfault on conflict resolution when using bindings
- do not replace noarch problem rules with arch dependent ones
  in problem reporting
- fix and simplify pool_vendor2mask implementation
- bump version to 0.6.39
libxml2
- Security fix: [bsc#1196490, CVE-2022-23308]
  * Use-after-free of ID and IDREF attributes.
- Add libxml2-CVE-2022-23308.patch
libzypp
- Hint on ptf resolver conflicts (bsc#1194848)
- Fix package signature check (bsc#184501)
  Pay attention that header and payload are secured by a valid
  signature and report in more detail which signature is missing.
- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.
- version 16.22.4 (0)
mutt
- Add patch uudecode-e5ed080c.patch for bsc#1198518 and CVE-2022-1328
  to fix a buffer overflow in uudecoder
ocfs2-tools
- fsck.ocfs2: do not try locking after replaying journals if -F is given (bsc#1196705)
  + fsck.ocfs2-do-not-try-locking-after-replaying-journa.patch
python
- python-2.7.9-sles-disable-verification-by-default.patch: removed,
  was no longer being used (default has been "enabled" for a while).
python-base
- python-2.7.9-sles-disable-verification-by-default.patch: removed,
  was no longer being used (default has been "enabled" for a while).
python-paramiko
- Add CVE-2022-24302-race-condition.patch:
  * Fix a race condition between creation and chmod when writing private
    keys. (bsc#1197279)
salt
- Clear network interfaces cache on grains request (bsc#1196050)
- Handle old qemu-img not supporting -U parameter (bsc#1195221)
- Added:
  * clear-network-interface-cache-when-grains-are-reques.patch
  * handle-old-qemu-img-not-supporting-u-parameter-bsc-1.patch
- Renamed:
  * patch_for_cve_bsc1197417.patch -> fix-multiple-security-issues-bsc-1197417.patch
- Restrict "state.orchestrate_single" to pass a pillar value if it exists (bsc#1194632)
- Added:
  * fix-state.orchestrate_single-to-not-pass-pillar-none.patch
- Fix sparse disk errors on Python 2 (virt module)
- Added:
  * python2-adjustments-for-virt-module.patch
- Fix multiple security fixes (bsc#1197417)
  * Sign authentication replies to prevent MiTM (CVE-2020-22935)
  * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
  * Prevent job and fileserver replays (CVE-2022-22936)
  * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
systemd
- Import commit 81e1235110a58f78e4e7514b45a2897ceddadf88
  8348b7f7ea systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
  d827639164 systemctl: exit with 1 if no unit files found (bsc#1193841)
  99d0949499 umount: show correct error message
  16f9b8a5fa core/umount: fix uninitialized fields in MountPoint in dm_list_get()
  8f7b39e250 umount: Add more asserts and remove some unused arguments
  6858714b68 umount: Fix memory leak
  4a83c21fb1 mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- Import commit 3fad90a5e2a1d0099ba2925793df42e0084cad35
  dbf8419fdb busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)
  7a9abad886 sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (#4205) (bsc#1191399)
  7dd902bfa6 manager: reexecute on SIGRTMIN+25, user instances only
  fb9e399bca basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
  e0fde642ec logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
  fe106cccdd units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
- Avoid the error message when udev is updated due to udev being
  already active when the sockets are started again (bsc#1188291)
- Drop 1001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
  It's been merged in branch SUSE/v228.
- Allow systemd sysusers config files to be overridden during system
  installation (bsc#1171962).
- While at it, add a comment to explain why we don't use
  %sysusers_create in %pre and why it should be safe in %post.
xz
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
  (ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
  * bsc1198062.patch