SAPHanaSR
- SAPHanaSR-monitor not reporting correctly
  (bsc#1192963)
  add patch:
    0001-bsc-1192963.patch
- Version bump to 0.161.1_BF
- add the required 'xmllint' to the package
  (bsc#1201945)
- changes to the demote_clone function of the resource agent:
  if the role is '1:P' (topology agent run into timeouts) the
  function fail with rc=1, to get the managed resource stopped
  changes to the stop_clone function of the topology agent:
  call landscapeHostConfiguration.py and set the roles as they were
  reported. If the command timed out, set the role to '1:P' and
  return 1 to get the node fenced.
  The used timeout for the landscapeHostConfiguration.py call can
  be configured by the cluster action timeout, if needed. It will
  be 50% of the action timeout or the minimum of 300s.
  (bsc#1198127)
- add new HA/DR provider hook susChkSrv
  (jsc#PED-1241, jsc#PED-1240)
- add new tool SAPHanaSR-manageProvider to show, add and delete
  HA/DR provider sections in the global.ini of SAP HANA.
- update suse icon to new branding
- Version bump to 0.160.1
- fix HANA_CALL function to support MCOS environments again
  (bsc#1198780)
- fix SAPHanaSR-replay-archive to handle hb_report archives again
  (bsc#1198897)
- add HANA_CALL_TIMEOUT parameter back to the resource agents and
  read the setting from the cluster configuration, if available.
  Defaults to '60'.
  Related to github issue#36
- add new HA/DR provider hook susTkOver
  (jsc#SLE-16347)
- add new hook script for SAP HANA System Replication Scale-Up Cost
  Optimized Scenario.
  (jsc#SLE-18613)
- add a new instance parameter 'REMOVE_SAP_SOCKETS'.
  It is an optional parameter and defaults to 'true'. Now you can
  control, if the RA should remove the unix domain sockets related
  to sapstartsrv before (re-)start sapstartsrv or if it should try
  to adjust the permissions and ownership of these files instead.
bind
- Security Fixes:
  * Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused
  to severely impact the performance of named running as a recursive
  resolver. This has been fixed.
  [bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
  * A memory leak was fixed that could be externally triggered in the
  DNSSEC verification code for the ECDSA algorithm.
  [bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
  * Memory leaks were fixed that could be externally triggered in the
  DNSSEC verification code for the EdDSA algorithm.
  [bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
ca-certificates-mozilla
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
  Added:
  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  Removed:
  - Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
  Added:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA
  Removed:
  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
  + HARICA Client ECC Root CA 2021
  + HARICA Client RSA Root CA 2021
  + HARICA TLS ECC Root CA 2021
  + HARICA TLS RSA Root CA 2021
  + TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
  - NAVER Global Root Certification Authority
- Removed old root CA:
  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
cifs-utils
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
  (bsc#1198976, CVE-2022-29869)
  * add cifs-utils-CVE-2022-29869.patch
cloud-regionsrv-client
- Follow up fix to 10.0.4 (bsc#1202706)
  - While the source code was updated to support SLE Micro the spec file
    was not updated for the new locations of the cache and the certs.
    Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
  - Handle exception when trying to deregister a system form the server
- Update to version 10.0.4 (bsc#1199668)
  - Store the update server certs in the /etc path instead of /usr to
    accomodate read only setup of SLE-Micro
compat-openssl098
- bsc#1201283 - fix unknown option passed to 'openssl x509' from c_rehash
  * Modified openssl1-Fix-file-operations-in-c_rehash.patch
cronie
- Allow to define the logger info and warning priority, fixes
  jsc#SLE-24577
  * run-crons
  * sysconfig.cron
curl
- Security Fix: [bsc#1204383, CVE-2022-32221]
  * POST following PUT confusion
  * Add curl-CVE-2022-32221.patch
- Security fix: [bsc#1202593, CVE-2022-35252]
  * Control codes in cookie denial of service
  * Add curl-CVE-2022-35252.patch
- Security fix: [bsc#1200735, CVE-2022-32206]
  * HTTP compression denial of service
  * Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
  * FTP-KRB bad message verification
  * Add curl-CVE-2022-32208.patch
- Securiy fix: [bsc#1199224, CVE-2022-27782]
  * TLS and SSH connection too eager reuse
  * Add curl-CVE-2022-27782.patch
- Securiy fix: [bsc#1199223, CVE-2022-27781]
  * CERTINFO never-ending busy-loop
  * Add curl-CVE-2022-27781.patch
dbus-1
- Fix a potential crash that could be triggered by an invalid signature.
  (CVE-2022-42010, bsc#1204111)
  * fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
  bsc#1204112)
  * fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption CVE-2022-42012,
  bsc#1204113)
  * fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
  * dbus-do-autolaunch.patch
  * increase-backlog.patch
  * fix-upstream-timeout-reset-2.patch
  * fix-upstream-CVE-2020-12049_2.patch
dbus-1-x11
- Fix a potential crash that could be triggered by an invalid signature.
  (CVE-2022-42010, bsc#1204111)
  * fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
  bsc#1204112)
  * fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption CVE-2022-42012,
  bsc#1204113)
  * fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
  * dbus-do-autolaunch.patch
  * increase-backlog.patch
  * fix-upstream-timeout-reset-2.patch
  * fix-upstream-CVE-2020-12049_2.patch
dracut
- Fix vrev so package gets properly updated when comming from older products
  eg. SLE-12.3
expat
- Security fix:
  * (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
    destruction of a shared DTD in XML_ExternalEntityParserCreate in
    out-of-memory situations
  - Added patch expat-CVE-2022-43680.patch
- Security fix:
  * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
    function in xmlparse.c
  - Added patch expat-CVE-2022-40674.patch
fence-agents
- Azure fence agent doesn’t work correctly on SLES15 SP3 - fence_azure_arm
  fails with error 'MSIAuthentication' object has no attribute 'get_token' - SFSC00334437
  (bsc#1195891)
  - Apply proposed patch
    0001-fix_support_for_sovereign_clouds_and_MSI-439.patch
- fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.8.1 broken in
  GCP due to missing "/--zone"/ parameter (bsc#1198872)
  - Apply proposed patch
    0001-fence_gce-Make-zone-optional-for-get_nodes_list-487.patch
gpg2
- Security fix [CVE-2022-34903, bsc#1201225]
  - Vulnerable to status injection
  - Added patch gnupg-CVE-2022-34903.patch
grub2
- fs/xfs: add bigtime incompat feature support (bsc#1203387)
  * grub2-fs-xfs-Add-bigtime-incompat-feature-support.patch
icu
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
  from upstream, use LocalMemory for cmd to prevent use after free
  (bsc#1193951 CVE-2020-21913).
jasper
- security update:
  * CVE-2022-2963 [bsc#1202642]
    + jasper-CVE-2022-2963.patch
java-1_7_1-ibm
- Update to Java 7.1 Service Refresh 5 Fix Pack 15 [bsc#1202427]
  [bsc#1201684, CVE-2022-34169] [bsc#1201692, CVE-2022-21541]
  [bsc#1201685, CVE-2022-21549] [bsc#1201694, CVE-2022-21540]
- Update to Java 7.1 Service Refresh 5 Fix Pack 10 [bsc#1201643]
  [bsc#1198671, CVE-2022-21476] [bsc#1198670, CVE-2022-21449]
  [bsc#1198673, CVE-2022-21496] [bsc#1198674, CVE-2022-21434]
  [bsc#1198672, CVE-2022-21426] [bsc#1198675, CVE-2022-21443]
  [bsc#1191912, CVE-2021-35561] [bsc#1194931, CVE-2022-21299]
json-c
- Added CVE-2020-12762.patch (bsc#1171479, CVE-2020-12762)
- Added gcc7-fix.patch
- Update to upstream release 0.12.1
- Removed upstream fixed json-c-0.12-unused_variable_size.patch
- Added fix-set-but-not-used.patch
- json-c 0.12
  Fixes for security issues contained in this release have been
  previously patched into this package, but listed for completeness:
  * Address security issues:
  * CVE-2013-6371: hash collision denial of service
  * CVE-2013-6370: buffer overflow if size_t is larger than int
- Further changes:
  * Avoid potential overflow in json_object_get_double
  * Eliminate the mc_abort() function and MC_ABORT macro.
  * Make the json_tokener_errors array local.  It has been deprecated for
    a while, and json_tokener_error_desc() should be used instead.
  * change the floating point output format to %.17g so values with
    more than 6 digits show up in the output.
  * Remove the old libjson.so name compatibility support.  The library is
    only created as libjson-c.so now and headers are only installed
    into the ${prefix}/json-c directory.
  * When supported by the linker, add the -Bsymbolic-functions flag.
  * Make strict mode more strict:
  * number must not start with 0
  * no single-quote strings
  * no comments
  * trailing char not allowed
  * only allow lowercase literals
  * Added a json_object_new_double_s() convenience function to allow
    an exact string representation of a double to be specified when
    creating the object and use it in json_tokener_parse_ex() so
    a re-serialized object more exactly matches the input.
  * Add support NaN and Infinity
- packaging changes:
  * json-c-hash-dos-and-overflow-random-seed-4e.patch is upstream
  * Move from json-c-lfs.patch which removed warning errors and
    autoconf call to json-c-0.12-unused_variable_size.patch from
    upstream which fixes the warning
  * except for SLE 11 where autoreconf call is required
  * add licence file to main package
kernel-default
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit cf3a26a
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit a1ccfcd
- media: dvb-core: Fix UAF due to refcount races at releasing
  (CVE-2022-41218 bsc#1202960).
- commit 231362a
- media: em28xx: initialize refcount before kref_get
  (CVE-2022-3239 bsc#1203552).
- commit 477c587
- x86/bugs: Reenable retbleed=off
  While for older kernels the return thunks are statically built in and
  cannot be dynamically patched out, retbleed=off should still be possible
  to do so that the mitigation can still be disabled on Intel who don't
  use the return thunks but IBRS.
- Update
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- Update patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- commit e2cf3a6
  patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch.
- commit a2eaeb6
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
  bsc#1202677).
- commit b644c0f
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
  (CVE-2022-39188, bsc#1203107).
- commit 7df6276
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
  (CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
  bsc#1202097).
- commit 7253cd6
- Update
  patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Update
  patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
  Add missing objtool annotations from upstream commits to fix bsc#1202396.
- commit 04338d1
- objtool: Track original function across branches (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- Refresh
  patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch.
- commit c9a2efe
- objtool: Don't use ignore flag for fake jumps (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- commit d008d3c
- objtool: Add --backtrace support (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- commit 923b23e
- objtool: Set insn->func for alternatives (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- Refresh
  patches.suse/objtool-add-relocation-check-for-alternative-sections.patch.
- commit 881bd07
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
  (git-fixes, bsc#1203098).
  kABI: Fix kABI after "/mm/rmap: Fix anon_vma->degree ambiguity
  leading to double-reuse"/ (git-fixes, bsc#1203098).
- commit 9b79372
- mm/rmap.c: don't reuse anon_vma if we just want a copy
  (git-fixes, bsc#1203098).
- commit d3fffdb
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- commit 28f1746
- objtool: Add support for intra-function calls (bsc#1202396).
- commit 93bc738
- objtool: Remove INSN_STACK (bsc#1202396).
- commit 6e91884
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 53607e4
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 63057c7
- objtool: Fix ORC vs alternatives (bsc#1202396).
- commit 7738c2e
- objtool: Uniquely identify alternative instruction groups
  (bsc#1202396).
- commit 67086e3
- objtool: Remove check preventing branches within alternative
  (bsc#1202396).
- commit 139d41d
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- commit 56f9880
- objtool: Rename struct cfi_state (bsc#1202396).
- commit b354131
- objtool: Support multiple stack_op per instruction
  (bsc#1202396).
- commit 48c54a4
- objtool: Support conditional retpolines (bsc#1202396).
- commit 65f3866
- objtool: Convert insn type to enum (bsc#1202396).
- commit b962b87
- objtool: Rename elf_open() to prevent conflict with libelf
  from elftoolchain (bsc#1202396).
- commit 7bee2f3
- objtool: Use Elf_Scn typedef instead of assuming struct name
  (bsc#1202396).
- commit 882e170
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
  "/find -xtype l"/ will report them, so use that to make the search a bit
  faster (without using shell).
- commit 13bbc51
- mkspec: eliminate @NOSOURCE@ macro
  This should be alsways used with @SOURCES@, just include the content
  there.
- commit 403d89f
- kernel-source: include the kernel signature file
  We assume that the upstream tarball is used for released kernels.
  Then we can also include the signature file and keyring in the
  kernel-source src.rpm.
  Because of mkspec code limitation exclude the signature and keyring from
  binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
  Same as other kernel binary packages there is no need to carry duplicate
  sources in dtb packages.
- commit 1bd288c
- objtool: Fix sibling call detection (bsc#1202396).
- commit 07f4371
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- commit 5c9e381
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
  CVE-2022-3028).
- commit e68eb5b
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit c9ac9a2
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit d995183
- cifs: fix error paths in cifs_tree_connect() (bsc#1177440).
- commit cf9a74a
- cifs: report error instead of invalid when revalidating a
  dentry fails (bsc#1177440).
- commit a3f2294
- Backport causes crashes on all arches so revert the patch until
  I find the root cause
- commit 83c44b2
- check sk_peer_cred pointer before put_cred() call
- commit 78087f4
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
  bsc#1202672).
- commit 743f12e
- net: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit c37013b
- Drop the unused function after porting on 4.12
- commit a8cf8a3
- fuse: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit cb0be42
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
  (bsc#1194535 CVE-2021-4203).
- commit cfbed38
- cifs: fix uninitialized pointer in error case in
  dfs_cache_get_tgt_share (bsc#1188944).
- commit adb8007
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- commit bb8e115
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
  (CVE-2022-2588 bsc#1202096).
- commit 05c19f7
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
  ZDI-CAN-17325).
- commit 30cd9be
- ext4: make sure ext4_append() always allocates new block
  (bsc#1198577 CVE-2022-1184).
- commit bc8c541
- ext4: check if directory block is within i_size (bsc#1198577
  CVE-2022-1184).
- commit b9efa04
- ext4: Fix check for block being out of directory size
  (bsc#1198577 CVE-2022-1184).
- commit be40637
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
  We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
  The type test and print line are the same for both cases. The usrmerged
  case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
  in xfrm_bundle_lookup() (bsc#1201948 CVE-2022-36879).
- commit 6a240fe
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
  (CVE-2022-20368 bsc#1202346).
- commit bcc8988
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
  across ioctls (bsc#1202347 CVE-2022-20369).
- commit 0cf8c8f
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
  CVE-2022-26373).
- commit b4f64d8
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
  CVE-2022-26373).
- commit 679800f
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1201726
  CVE-2022-26373).
- commit 1a1bc6e
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
  (bsc#1201726 CVE-2022-26373).
- commit 2e32661
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
  bsc#1202154).
- commit 0d36370
- ipv4: avoid using shared IP generator for connected sockets
  (CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
  bsc#1196616).
- commit df5e606
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- cifs: use the expiry output of dns_query to schedule next
  resolution (bsc#1201926).
- commit 9e72b3d
- cifs: fix potential use-after-free in cifs_echo_request()
  (bsc#1201926).
- commit 63d5cc7
- cifs: fix memory leak of smb3_fs_context_dup::server_hostname
  (bsc#1201926).
- commit 696ce53
- cifs: To match file servers, make sure the server hostname
  matches (bsc#1201926).
- commit 265867f
- KVM: emulate: do not adjust size of fastop and setcc subroutines
  (bsc#1201930).
- commit f527a88
- kvm/emulate: Fix SETcc emulation function offsets with SLS
  (bsc#1201930).
- commit 30c285c
- netfilter: nf_queue: do not allow packet truncation below
  transport header offset (bsc#1201940 CVE-2022-36946).
- commit 06aa700
- cifs: set a minimum of 120s for next dns resolution
  (bsc#1201926).
- commit 40bb64c
- cifs: On cifs_reconnect, resolve the hostname again
  (bsc#1201926).
- commit a466ab8
- cifs: Simplify reconnect code when dfs upcall is enabled
  (bsc#1201926).
- commit 9d203d0
- kABI workaround for including mm.h in fs/sysfs/file.c
  (bsc#1200598 CVE-2022-20166).
- commit fe1fe6b
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
  sysfs_emit (bsc#1200598 CVE-2022-20166).
- commit 3d23964
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
  CVE-2022-20166).
- commit c8e2e5b
- drivers core: Remove strcat uses around sysfs_emit and neaten
  (bsc#1200598 CVE-2022-20166).
- commit 5cd9512
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
  * ...) functions (bsc#1200598 CVE-2022-20166).
- commit 7554520
- x86/entry: Remove skip_r11rcx (bsc#1199657 CVE-2022-29900
- Refresh
  patches.suse/x86-entry-add-kernel-ibrs-implementation.patch.
- commit b1071b3
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
  (bsc#1200598 CVE-2022-20166).
- commit c5a70d7
- x86/kexec: Disable RET on kexec (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 191d646
- commit 5c77536
- Refresh
  patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch.
- commit 8397b0e
- commit be4f5a3
- commit 95c7c85
- commit e0da5e4
- commit be2020e
- commit f577c84
- commit 169cc5b
- commit 25a7fe5
- commit bba8676
- commit 8791bc4
- commit 031a8ba
- commit a8a6605
- Re-backport an upstream commit
  Backport
  fdf82a7856b3 ("/x86/speculation: Protect against userspace-userspace spectreRSB"/)
  properly in order to get rid of the now-unused is_skylake_era() symbol.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-reorder-the-spec_v2-code.patch.
- commit ecf8345
- commit c458857
- commit ef21bc9
- commit c195904
- commit 38fd246
- commit 8246682
- x86/bugs: Add AMD retbleed= boot parameter (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- Update config files.
- commit 3a343bc
- commit fd68631
- commit 407dacc
- commit fe1b3c3
- commit acfc9e6
- commit 9f9f050
- commit 5ea2bf6
- commit ce6827b
- commit 01c7d45
- commit 19e5ab2
- x86: Add straight-line-speculation mitigation (bsc#1201050
  CVE-2021-26341).
- Update config files.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- commit fe797ea
- Sort in CPU vuln fixes
  And remove the homegrown IBRS functionality - will be replaced by the
  upstream one.
- Refresh
  patches.suse/0001-x86-entry-64-compat-Fix-stack-switching-for-XEN-PV.patch.
- Refresh
  patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
  patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
  patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
  patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch.
- Refresh
  patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch.
- Refresh
  patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch.
- Refresh
  patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch.
- Refresh
  patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
  patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- Delete
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete
  patches.suse/0002-x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Delete
  patches.suse/0003-x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch.
- Delete
  patches.suse/0004-x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch.
- Delete
  patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Delete patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 44b7026
- CVE Mitigation for CVE-2022-29900 and CVE-2022-29901
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 1ca4472
- x86: Prepare inline-asm for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit 6c064d3
- x86: Prepare asm files for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit b57e26a
- x86/lib/atomic64_386_32: Rename things (bsc#1201050
  CVE-2021-26341).
- commit 010d7d0
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1200910
  CVE-2020-36558).
- commit 3c76a1f
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
  (bsc#1201429 CVE-2020-36557).
- commit f15e18d
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit 704434f
- Refresh patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch
  Fix the build error due to missing is_console_locked()
- commit 39e2064
- fbmem: Check virtual screen sizes in fb_set_var()
  (CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
  (CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
  (CVE-2021-33655 bsc#1201635).
- commit c1a0922
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
  Dwarves 1.22 or newer is required to build kernels with BTF information
  embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
  (bsc#1198829 CVE-2022-1462).
- commit c0b9f34
- tty: use new tty_insert_flip_string_and_push_buffer() in
  pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
  tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit 1b70eb4
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
  Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
  universally for now) added two new compiler-dependent configs:
  * CC_NO_ARRAY_BOUNDS
  * GCC12_NO_ARRAY_BOUNDS
  Ignore them -- they are unset by dummy tools (they depend on gcc version
  == 12), but set as needed during real compilation.
- commit a14607c
- kernel-binary.spec: check s390x vmlinux location
  As a side effect of mainline commit edd4a8667355 ("/s390/boot: get rid of
  startup archive"/), vmlinux on s390x moved from "/compressed"/ subdirectory
  directly into arch/s390/boot. As the specfile is shared among branches,
  check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- kernel-binary.spec: Support radio selection for debuginfo.
  To disable debuginfo on 5.18 kernel a radio selection needs to be
  switched to a different selection. This requires disabling the currently
  active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- Add dtb-starfive
- commit 85335b1
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- pahole 1.22 required for full BTF features.
  also recommend pahole for kernel-source to make the kernel buildable
  with standard config
- commit 364f54b
- use jobs not processors in the constraints
  jobs is the number of vcpus available to the build, while processors
  is the total processor count of the machine the VM is running on.
- commit a6e141d
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
  bsc#1198484)
  Let's iron out the reduced initrd optimisation in Tumbleweed.
  Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
  Upstream c6x architecture removal left a dangling link behind which
  triggers openSUSE post-build check in kernel-source, failing
  kernel-source build.
  A fix deleting the danglink link has been submitted but it did not make
  it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
  utility does not handle symlink removal. Add a temporary band-aid which
  deletes all dangling symlinks after unpacking the kernel source tarball.
  [jslaby] It's not that temporary as we are dragging this for quite some
  time in master. The reason is that this can happen any time again, so
  let's have this in packaging instead.
- commit 52a1ad7
- powerpc/pci: Fix broken INTx configuration via OF (bsc#1172145
  ltc#184630 bsc#1200770 ltc#198666).
- powerpc/pci: Use of_irq_parse_and_map_pci() helper (bsc#1172145
  ltc#184630 bsc#1200770 ltc#198666).
- commit 0d4a2e4
- powerpc/pci: Remove LSI mappings on device teardown (bsc#1172145
  ltc#184630 bsc#1200770 ltc#198666).
- commit ab4cfbd
keyutils
- Apply default TTL to DNS records from getaddrinfo() (upstream):
  * dns-Apply-a-default-TTL-to-records-obtained-from-get.patch
less
- Fix Startup terminal initialization, bsc#1200738
  * bsc1200738.patch
libcroco
- Add libcroco-CVE-2020-12825.patch: limit recursion in block and
  any productions (boo#1171685 CVE-2020-12825).
libgcrypt
- FIPS: Auto-initialize drbg if needed. [bsc#1200095]
  * Add a _gcry_drbg_init() to _gcry_drbg_randomize() and to
    _gcry_drbg_add_bytes() to fix a crash in FIPS mode.
  * Add libgcrypt-FIPS-Autoinitialize-drbg-if-needed.patch
libjpeg-turbo
  fix CVE-2020-35538 [bsc#1202915], Null pointer dereference in jcopy_sample_rows() function
  + libjpeg-turbo-CVE-2020-35538.patch
- security update
- added patches
libjpeg62-turbo
  fix CVE-2020-35538 [bsc#1202915], Null pointer dereference in jcopy_sample_rows() function
  + libjpeg-turbo-CVE-2020-35538.patch
- security update
- added patches
libksba
- Security fix: [bsc#1204357, CVE-2022-3515]
  * Detect a possible overflow directly in the TLV parser.
  * Add libksba-CVE-2022-3515.patch
libnl-1_1
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
  Add: libnl-1_1-fix-elevation-of-privilege-vulnerability.patch
libnl3
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
  Add: libnl3-fix-elevation-of-privilege-vulnerability.patch
libtasn1
- Add libtasn1-CVE-2021-46848.patch: Fixed off-by-one array size check
  that affects asn1_encode_simple_der (CVE-2021-46848, bsc#1204690).
libtirpc
- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of
  connections (bsc#1201680)
  - backport 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- exclude ipv6 addresses in client protocol 2 code (bsc#1200800)
  - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
libxml2
- Security fixes:
  * [CVE-2022-40303, bsc#1204366] Fix integer overflows with
    XML_PARSE_HUGE
    + Added patch libxml2-CVE-2022-40303.patch
  * [CVE-2022-40304, bsc#1204367] Fix dict corruption caused by
    entity reference cycles
    + Added patch libxml2-CVE-2022-40304.patch
- Security fix: [bsc#1201978, CVE-2016-3709]
  * Cross-site scripting vulnerability after commit 960f0e2
  * Add libxml2-CVE-2016-3709.patch
mozilla-nspr
- update to version 4.34
  * add an API that returns a preferred loopback IP on hosts that
    have two IP stacks available.
- update to 4.33:
  * fixes to build system and export of private symbols
mozilla-nss
- update to NSS 3.79.1 (bsc#1202645)
  * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1759794 - protect SFTKSlot needLogin with slotLock.
  * bmo#1760998 - avoid data race on primary password change.
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
  rest of the DSA ciphers, keeping signature verification only
  (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
  warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
  integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
  as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
  disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
  the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
  we removed the code to short-circuit broken hashes and moved to
  using the SLI.
- Remove upstreamed patches:
  * nss-fips-version-indicators.patch
  * nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
  - bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  - bmo#1766907 - Update mercurial in clang-format docker image.
  - bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
  - bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  - bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
  - bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
  - bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
  - bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
  - bmo#1764788 - Correct invalid record inner and outer content type alerts.
  - bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
  - bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
  - bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
  - bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
  * bmo#1767590 - Initialize pointers passed to
    NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
    bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
    bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
    bmo#1763120 - Add ECH Grease Support to tstclnt
    bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
    bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
    bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
    bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
  * Bug 1762244 - resolve mpitests build failure on Windows.
  * bmo#1761779 - Fix link to TLS page on wireshark wiki
  * bmo#1754890 - Add two D-TRUST 2020 root certificates.
  * bmo#1751298 - Add Telia Root CA v2 root certificate.
  * bmo#1751305 - Remove expired explicitly distrusted certificates
    from certdata.txt.
  * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
  * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  * bmo#1756271 - Remove token member from NSSSlot struct.
  * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
  * bmo#1757279 - Support UTF-8 library path in the module spec string.
  * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  * bmo#1760827 - Add a CI Target for gcc-11.
  * bmo#1760828 - Change to makefiles for gcc-4.8.
  * bmo#1741688 - Update googletest to 1.11.0
  * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
  * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
  * bmo#1755904 - Fix calculation of ECH HRR Transcript.
  * bmo#1758741 - Allow ld path to be set as environment variable.
  * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
  * bmo#1758478 - Fix DataBuffer Move Assignment.
  * bmo#1552254 - internal_error alert on Certificate Request with
    sha1+ecdsa in TLS 1.3
  * bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
  NSS 3.76.1
  * bmo#1756271 - Remove token member from NSSSlot struct.
  NSS 3.76
  * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
    nssTrustDomain_GetActiveSlots.
  * bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
  * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
  * bmo#1679803 - Add SHA256 fingerprint comments to old
    certdata.txt entries.
  * bmo#1753505 - Avoid truncating files in nss-release-helper.py.
  * bmo#1751157 - Throw illegal_parameter alert for illegal extensions
    in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
  * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
    extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
    by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
    only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.
  * bmo#1677181 - Client side ECH padding.
  * bmo#1725938 - Stricter ClientHelloInner Decompression.
  * bmo#1725938 - Remove ECH_inner extension, use new enum format.
  * bmo#1725938 - Update the version number for ECH-13 and adjust
    the ECHConfig size.
- update to NSS 3.74
  * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
    OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
    certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
    CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
  * Add SHA-2 support to mozilla::pkix's OSCP implementation
- update to NSS 3.73
  * bmo#1735028 - check for missing signedData field.
  * bmo#1737470 - Ensure DER encoded signatures are within size limits.
  * bmo#1729550 - NSS needs FiPS 140-3 version indicators.
  * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
  * bmo#1738600 - sunset Coverity from NSS
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
  * Remove newline at the end of coreconf.dep
  * bmo#1731911 - Fix nsinstall parallel failure.
  * bmo#1729930 - Increase KDF cache size to mitigate perf
    regression in about:logins
- update to NSS 3.71
  * bmo#1717716 - Set nssckbi version number to 2.52.
  * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
  * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
  * bmo#1717707 - Add HARICA Client ECC Root CA 2021.
  * bmo#1717707 - Add HARICA Client RSA Root CA 2021.
  * bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
  * bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
  * bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
  * bmo#1726022 - Update test case to verify fix.
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
  * bmo#1681975 - Avoid using a lookup table in nssb64d.
  * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
  * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
  * bmo#1726022 - Cache additional PBE entries.
  * bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
    on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
    components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
    environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
    nss failures.
    (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
    details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Update nss-fips-constructor-self-tests.patch to scan
  LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
  Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
  disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
  PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
  test certificate creation and disables the library checksum
  validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
  checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
  makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
  from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
  unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
  of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
  This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
  Most of the relevant changes are already upstream since NSS 3.60.
multipath-tools
- Update to version 0.7.3+177+suse.b16d5dc:
  * fix crash in liburcu (bsc#1204325)
- Update to version 0.7.3+176+suse.163fed0:
  * Fix multipathd authorization bypass (bsc#1202739 CVE-2022-41974)
- Update to version 0.7.3+174+suse.63d6d741:
  * Avoid linking to libreadline to avoid licensing issue
    (bsc#1202616)
ncurses
- Add patch ncurses-bnc1198627.patch
  * Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
openldap2
- bsc#1198341 - Prevent memory reuse which may lead to instability
  * 0226-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
pacemaker
- scheduler: do not enforce resource stop if any new probe/monitor indicates the resource was not running on the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0009-Test-scheduler-do-not-enforce-resource-stop-if-any-n.patch
- scheduler: do not enforce resource stop on a rejoined node that was the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0008-Test-scheduler-do-not-enforce-resource-stop-on-a-rej.patch
- scheduler: do not enforce resource stop if any new probe/monitor indicates the resource was not running on the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0007-Fix-scheduler-do-not-enforce-resource-stop-if-any-ne.patch
- scheduler: find_lrm_op() to be able to check against a specified target_rc (bsc#1196340)
  * bsc#1196340-0006-Refactor-scheduler-find_lrm_op-to-be-able-to-check-a.patch
- cts-scheduler: fix on_node attribute of lrm_rsc_op entries in the tests (bsc#1196340)
  * bsc#1196340-0005-Test-cts-scheduler-fix-on_node-attribute-of-lrm_rsc_.patch
- scheduler: is_newer_op() to be able to compare lrm_rsc_op entries from different nodes (bsc#1196340)
  * bsc#1196340-0004-Refactor-scheduler-is_newer_op-to-be-able-to-compare.patch
- scheduler: compare ids of lrm_rsc_op entries case-sensitively (bsc#1196340)
  * bsc#1196340-0003-Fix-scheduler-compare-ids-of-lrm_rsc_op-entries-case.patch
- scheduler: functionize comparing which lrm_rsc_op is newer (bsc#1196340)
  * bsc#1196340-0002-Refactor-scheduler-functionize-comparing-which-lrm_r.patch
- scheduler: do not enforce resource stop on a rejoined node that was the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0001-Fix-scheduler-do-not-enforce-resource-stop-on-a-rejo.patch
- OCF: controld: Give warning when no-quorum-policy not set as freeze while using DLM (bsc#1129707)
  * bsc#1129707-0001-OCF-controld-Give-warning-when-no-quorum-policy-not-.patch
patterns-sles
- downgrade requires of libopenssl-1_1-hmac to avoid explicit pulling
  in perhaps unwanted openssl 1.1.1 (bsc#1196307)
perl-HTTP-Daemon
- Fix request smuggling in HTTP::Daemon
  (CVE-2022-31081, bsc#1201157)
  * CVE-2022-31081.patch
  * CVE-2022-31081-2.patch
  * CVE-2022-31081-Add-new-test-for-Content-Length-issues.patch
python
- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python-M2Crypto
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
  bsc#1178829), which mitigates the Bleichenbacher timing attacks
  in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
python-azure-core
- Add az-core-py2-syntx-bsc1202024.patch (bsc#1202024)
  + Fix syntax error in Python2
python-base
- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python-paramiko
- Add patch BZ-1199454-Fix-Deprecation-Warnings.patch from upstream pull
  request https://github.com/paramiko/paramiko/pull/1379 to fix deprecation
  warnings. NOTE: the .travis changes were excluded as the file doesn't
  exist in the tarball as it was used by upstream CI only. bsc#1199454
python3
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python3-base
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
python3-lxml
- Add patch CVE-2020-27783.patch to fix CVE-2020-27783 mXSS due to the use of
  improper parser
  Fix bsc#1179534
resource-agents
- DB2 HADR resource-agents bug (bsc#1203758)
  Add patches:
    0001-db2-HADR-add-STANDBY-REMOTE_CATCHUP_PENDING-DISCONNE.patch
    0001-db2-add-PRIMARY-REMOTE_CATCHUP_PENDING-CONNECTED-sta.patch
- ECO: Maint: Azure Events RA can not handle AV Zones (jsc#PED-2000)
  Add upstream patch:
    0001-azure-events-az-new-resource-agent-1774.patch
- RA aws-vpc-move-ip is lacking the possibility to assign a label to an interface.
  (bsc#1199766)  Include upsteam patch:
    0001-aws-vpc-move-ip-Allow-to-set-the-interface-label.patch
rsync
- Add support for --trust-sender parameter (patch by Jie Gong in
  bsc#1202970). (related to CVE-2022-29154, bsc#1201840)
  * Added patch rsync-CVE-2022-29154-trust-sender-1.patch
  * Added patch rsync-CVE-2022-29154-trust-sender-2.patch
- Apply "/rsync-CVE-2022-29154.patch"/ to fix a security vulnerability
  in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
- Run rsync's regression test suite as part of the build.
salt
- Fix state.apply in test mode with file state module
  on user/group checking (bsc#1202167)
- Added:
  * fix-state.apply-in-test-mode-with-file-state-module-.patch
- Make zypperpkg to retry if RPM lock is temporarily unavailable (bsc#1200596)
- Added:
  * retry-if-rpm-lock-is-temporarily-unavailable-547-551.patch
- Add support for gpgautoimport in zypperpkg module
- Fix salt.states.file.managed() for follow_symlinks=True and test=True (bsc#1199372)
- Added:
  * fix-salt.states.file.managed-for-follow_symlinks-tru.patch
  * add-support-for-gpgautoimport-to-refresh_db-in-the-z.patch
- Add support for name, pkgs and diff_attr parameters to upgrade
  function for zypper and yum (bsc#1198489)
- Added:
  * add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
- Unify logic on using multiple requisites and add onfail_all (bsc#1198738)
- Normalize package names once with pkg.installed/removed using yum (bsc#1195895)
- Added:
  * normalize-package-names-once-with-pkg.installed-remo.patch
  * unify-logic-on-using-multiple-requisites-and-add-onf.patch
- Fix handling of a sign-in response by a syndic node (bsc#1199906)
- Added:
  * fix-handling-of-a-sign-in-response-by-a-syndic-node-.patch
- Remove redundant overrides causing confusing DEBUG logging (bsc#1189501)
- Added:
  * remove-redundand-overrides-causing-confusing-debug-l.patch
- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
samba
- CVE-2022-32742:SMB1 code does not correct verify SMB1write,
  SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
  (bsc#1201496).
sqlite3
- update to 3.39.3:
  * Use a statement journal on DML statement affecting two or more
    database rows if the statement makes use of a SQL functions
    that might abort.
  * Use a mutex to protect the PRAGMA temp_store_directory and
    PRAGMA data_store_directory statements, even though they are
    decremented and documented as not being threadsafe.
- update to 3.39.2:
  * Fix a performance regression in the query planner associated
    with rearranging the order of FROM clause terms in the
    presences of a LEFT JOIN.
  * Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
    1345947, forum post 3607259d3c, and other minor problems
    discovered by internal testing. [boo#1201783]
- update to 3.39.1:
  * Fix an incorrect result from a query that uses a view that
    contains a compound SELECT in which only one arm contains a
    RIGHT JOIN and where the view is not the first FROM clause term
    of the query that contains the view
  * Fix a long-standing problem with ALTER TABLE RENAME that can
    only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
    to a very small value.
  * Fix a long-standing problem in FTS3 that can only arise when
    compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
    option.
  * Fix the initial-prefix optimization for the REGEXP extension so
    that it works correctly even if the prefix contains characters
    that require a 3-byte UTF8 encoding.
  * Enhance the sqlite_stmt virtual table so that it buffers all of
    its output.
- update to 3.39.0:
  * Add (long overdue) support for RIGHT and FULL OUTER JOIN
  * Add new binary comparison operators IS NOT DISTINCT FROM and
    IS DISTINCT FROM that are equivalent to IS and IS NOT,
    respective, for compatibility with PostgreSQL and SQL standards
  * Add a new return code (value "/3"/) from the sqlite3_vtab_distinct()
    interface that indicates a query that has both DISTINCT and
    ORDER BY clauses
  * Added the sqlite3_db_name() interface
  * The unix os interface resolves all symbolic links in database
    filenames to create a canonical name for the database before
    the file is opened
  * Defer materializing views until the materialization is actually
    needed, thus avoiding unnecessary work if the materialization
    turns out to never be used
  * The HAVING clause of a SELECT statement is now allowed on any
    aggregate query, even queries that do not have a GROUP BY
    clause
  * Many microoptimizations collectively reduce CPU cycles by about
    2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
  related test failures on 32 bit
- update to 3.38.5:
  * Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
  * fix a byte-code problem in the Bloom filter pull-down
    optimization added by release 3.38.0 in which an error in the
    byte code causes the byte code engine to enter an infinite loop
    when the pull-down optimization encounters a NULL key
- update to 3.38.3:
  * Fix a case of the query planner be overly aggressive with
    optimizing automatic-index and Bloom-filter construction,
    using inappropriate ON clause terms to restrict the size of the
    automatic-index or Bloom filter, and resulting in missing rows
    in the output.
  * Other minor patches. See the timeline for details.
- update to 3.38.2:
  * Fix a problem with the Bloom filter optimization that might
    cause an incorrect answer when doing a LEFT JOIN with a WHERE
    clause constraint that says that one of the columns on the
    right table of the LEFT JOIN is NULL.
  * Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
  of SQLite (bsc#1195773).
- update to 3.38.1:
  * Fix problems with the new Bloom filter optimization that might
    cause some obscure queries to get an incorrect answer.
  * Fix the localtime modifier of the date and time functions so
    that it preserves fractional seconds.
  * Fix the sqlite_offset SQL function so that it works correctly
    even in corner cases such as when the argument is a virtual
    column or the column of a view.
  * Fix row value IN operator constraints on virtual tables so that
    they work correctly even if the virtual table implementation
    relies on bytecode to filter rows that do not satisfy the
    constraint.
  * Other minor fixes to assert() statements, test cases, and
    documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
  sqlite-src-3380100-atof1.patch
- update to 3.38.0
  * Add the -> and ->> operators for easier processing of JSON
  * The JSON functions are now built-ins
  * Enhancements to date and time functions
  * Rename the printf() SQL function to format() for better
    compatibility, with alias for backwards compatibility.
  * Add the sqlite3_error_offset() interface for helping localize
    an SQL error to a specific character in the input SQL text
  * Enhance the interface to virtual tables
  * CLI columnar output modes are enhanced to correctly handle tabs
    and newlines embedded in text, and add options like "/--wrap N"/,
    "/--wordwrap on"/, and "/--quote"/ to the columnar output modes.
  * Query planner enhancements using a Bloom filter to speed up
    large analytic queries, and a balanced merge tree to evaluate
    UNION or UNION ALL compound SELECT statements that have an
    ORDER BY clause.
  * The ALTER TABLE statement is changed to silently ignores
    entries in the sqlite_schema table that do not parse when
    PRAGMA writable_schema=ON
- update to 3.37.2:
  * Fix a bug introduced in version 3.35.0 (2021-03-12) that can
    cause database corruption if a SAVEPOINT is rolled back while
    in PRAGMA temp_store=MEMORY mode, and other changes are made,
    and then the outer transaction commits
  * Fix a long-standing problem with ON DELETE CASCADE and ON
    UPDATE CASCADE in which a cache of the bytecode used to
    implement the cascading change was not being reset following a
    local DDL change
- update to 3.37.1:
  * Fix a bug introduced by the UPSERT enhancements of version
    3.35.0 that can cause incorrect byte-code to be generated for
    some obscure but valid SQL, possibly resulting in a NULL-
    pointer dereference.
  * Fix an OOB read that can occur in FTS5 when reading corrupt
    database files.
  * Improved robustness of the --safe option in the CLI.
  * Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
  * STRICT tables provide a prescriptive style of data type
    management, for developers who prefer that kind of thing.
  * When adding columns that contain a CHECK constraint or a
    generated column containing a NOT NULL constraint, the
    ALTER TABLE ADD COLUMN now checks new constraints against
    preexisting rows in the database and will only proceed if no
    constraints are violated.
  * Added the PRAGMA table_list statement.
  * Add the .connection command, allowing the CLI to keep multiple
    database connections open at the same time.
  * Add the --safe command-line option that disables dot-commands
    and SQL statements that might cause side-effects that extend
    beyond the single database file named on the command-line.
  * CLI: Performance improvements when reading SQL statements that
    span many lines.
  * Added the sqlite3_autovacuum_pages() interface.
  * The sqlite3_deserialize() does not and has never worked
    for the TEMP database. That limitation is now noted in the
    documentation.
  * The query planner now omits ORDER BY clauses on subqueries and
    views if removing those clauses does not change the semantics
    of the query.
  * The generate_series table-valued function extension is modified
    so that the first parameter ("/START"/) is now required. This is
    done as a way to demonstrate how to write table-valued
    functions with required parameters. The legacy behavior is
    available using the -DZERO_ARGUMENT_GENERATE_SERIES
    compile-time option.
  * Added new sqlite3_changes64() and sqlite3_total_changes64()
    interfaces.
  * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
  * Use less memory to hold the database schema.
  * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
    extension when a column has no collating sequence.
sudo
- Modified sudo-sudoers.patch
  * bsc#1177578
  * Removed redundant and confusing 'secure_path' settings in
    sudo-sudoers file.
supportutils-plugin-ha-sap
- Update to version 0.0.4+git.1663748456.ad13e75:
  * fix basic support for saptune
    add saptune version 3 awareness and add a hint for the new
    saptune supportconfig plugin delivered within the saptune
    package >= 3.x
    (bsc#1203202)
- Update to version 0.0.3+git.1659022100.39bfcd6:
  * Update README.md
  * Replace spaces to tabs.
  * Search for other groups too.
  * Include /etc/group in plugin-ha_sap.txt (bsc#1201831)
  * Update ha_sap
  * Update pacemaker.log location change
  * suppress link path in Readme.md
  * add section 'Additional information' to the Readme.md
  * change release status of the project
  * Update README.md
  * Update ha_sap
systemd-presets-branding-SLE
- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)
telnet
- Fix CVE-2022-39028, NULL pointer dereference in telnetd
  (CVE-2022-39028, bsc#1203759)
  CVE-2022-39028.patch
tiff
- security update:
  * CVE-2022-2519 [bsc#1202968]
  * CVE-2022-2520 [bsc#1202973]
  * CVE-2022-2521 [bsc#1202971]
    + tiff-CVE-2022-2519,CVE-2022-2520,CVE-2022-2521.patch
  * CVE-2022-2867 [bsc#1202466]
  * CVE-2022-2868 [bsc#1202467]
  * CVE-2022-2869 [bsc#1202468]
    + tiff-CVE-2022-2867,CVE-2022-2868,CVE-2022-2869.patch
- CVE-2022-34266 [bsc#1201971] and [bsc#1201723]:
  Rename tiff-CVE-2022-0561.patch to
  tiff-CVE-2022-0561,CVE-2022-34266.patch
  This CVE is actually a duplicate.
- security update:
  * CVE-2022-34526 [bsc#1202026]
    + tiff-CVE-2022-34526.patch
- security update
  * CVE-2022-2056 [bsc#1201176]
  * CVE-2022-2057 [bsc#1201175]
  * CVE-2022-2058 [bsc#1201174]
    + tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch
timezone
- Update to reflect new Chile DST change, bsc#1202310
  * bsc1202310.patch
unzip
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
  to a local string (CVE-2022-0530, bsc#1196177)
  * CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
  * CVE-2022-0529.patch
update-alternatives

      
util-linux
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
util-linux-systemd
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
which
- https urls, added signature (but did not find the public key)
- Use %license instead of %doc [bsc#1082318]
- Move installinfo scriptlet to preun so it won't fail
- Cleanup spec file with spec-cleaner
- Correct usage of info scriplets
- GNU which 2.21:
  * Upgraded code from bash to version 4.3 (now uses eaccess).
  * Fixed a bug related to getgroups / sysconfig that caused Which
    not to see more than 64 groups for a single user
  * Build system maintenance.
- Update project and source URL to GNU project
xfsprogs
- mkfs: validate extent size hint parameters (bsc#1138247)
  - add xfsprogs-xfs-move-inode-extent-size-hint-validation-to-libxfs.patch
  - add xfsprogs-xfs_repair-use-libxfs-extsize-cowextsize-validation-.patch
  - add xfsprogs-mkfs-validate-extent-size-hint-parameters.patch
- xfs_repair: Fix root inode's parent when it's bogus for sf directory
  (bsc#1138227)
  - add xfsprogs-xfs_repair-Fix-root-inode-s-parent-when-it-s-bogus-f.patch
zlib
- Fix heap-based buffer over-read or buffer overflow in inflate via
  large gzip header extra field (bsc#1202175, CVE-2022-37434,
  CVE-2022-37434-extra-header-1.patch,
  CVE-2022-37434-extra-header-2.patch).