apparmor
- apparmor-profiles-samba4.15.diff: Update samba profiles for
  samba 4.15 (jsc#SLE-23330);
ca-certificates
- p11-kit 0.23.1 supports pem-directory-hash. Add patch
  0001-p11-kit-0.23.1-supports-pem-directory-hash-now.patch
  (jsc#SLE-23330)
cloud-regionsrv-client
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
- Follow up changes to (jsc#PCT-130, bsc#1182026)
  + Fix executable name for AHB service/timer
  + Update manpage for BYOS instance registration
coreutils
- Add coreutils-du-fts-xfs-noleaf.patch to remove problematic
  special leaf optimization cases for XFS that can lead to du
  crashes.  (bsc#1190354)
cyrus-sasl
-  CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
cyrus-sasl-saslauthd
-  CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314-before.patch
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
glibc
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
  for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
  (CVE-2022-23218, bsc#1194770, BZ #28768)
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
  (CVE-2021-3999, bsc#1194640, BZ #28769)
- hton-identity.patch: Make endian-conversion macros always return correct
  types (bsc#1193478, BZ #16458)
- dl-sort-maps.patch, dlopen-filter-object.patch: Allow dlopen of filter
  object to work (bsc#1192620, BZ #16272)
- cancelable-syscall-stack-align.patch: x86: fix stack alignment in
  cancelable syscall stub (bsc#1191835)
gnutls
- Security fix: [bsc#1196167, CVE-2021-4209]
  * Null pointer dereference in MD_UPDATE
  * Add gnutls-CVE-2021-4209.patch
- Require libp11-kit0 >= 0.23.1 in libgnutls30 [bsc#1195583]
- renamed the libname-devel packages to libnameMAJOR-devel
  to avoid overlaps with system gnutls
- Update to version 3.4.17: [jsc#SLE-23330]
  * SONAME bump to gnutls30
  * Add gnutls-CVE-2020-11501.patch [bsc#1168345, CVE-2020-11501]
  * Rebased patches:
  - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
  - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
  - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
  - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
  * Remove gnutls-CVE-2017-10790.patch fixed in the update
jasper
- bsc#1188437 CVE-2021-27845: Fix divide-by-zery in cp_create()
  Add jasper-CVE-2021-27845.patch
kernel-default
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 589ad87
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 2229053
- ibmvnic: Update driver return codes (bsc#1196516 ltc#196391).
- commit 6184b3b
- ibmvnic: Allow queueing resets during probe (bsc#1196516
  ltc#196391).
- ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
- ibmvnic: init init_done_rc earlier (bsc#1196516 ltc#196391).
- ibmvnic: register netdev after init of adapter (bsc#1196516
  ltc#196391).
- ibmvnic: complete init_done on transport events (bsc#1196516
  ltc#196391).
- ibmvnic: define flush_reset_queue helper (bsc#1196516
  ltc#196391).
- ibmvnic: initialize rc before completing wait (bsc#1196516
  ltc#196391).
- ibmvnic: free reset-work-item when flushing (bsc#1196516
  ltc#196391).
- commit 5dd4d04
- tracing: Have traceon and traceoff trigger honor the instance
  (git-fixes).
- commit a93e3c2
- tracing: Dump stacktrace trigger to the corresponding instance
  (git-fixes).
- commit f5d1861
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- commit 902686b
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 6c7745b
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 45191e7
- s390/hypfs: include z/VM guests with access control group set
  (bsc#1195638 LTC#196354).
- s390/cpumf: Support for CPU Measurement Sampling Facility LS
  bit (bsc#1195080 LTC#196090).
- s390/cpumf: Support for CPU Measurement Facility CSVN 7
  (bsc#1195080 LTC#196090).
- commit 6490f46
- scsi: zfcp: Fix failed recovery on gone remote port with
  non-NPIV FCP devices (bsc#1195377 LTC#196245).
- commit 53028f3
- crypto: af_alg - get_page upon reassignment to TX SGL
  (bsc#1195840).
- commit f9977fb
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 9f1d160
- ibmvnic: schedule failover only if vioctl fails (bsc#1196400
  ltc#195815).
- commit ec1fbc9
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete patches.suse/do-not-default-to-ibrs-on-skl.patch.
  Remove a statement which cancels itself out with the following patch
  which removes it anyway.
- commit d8a59c7
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit bf75cfa
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
  CVE-2022-0617).
- commit 2533a5b
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1196079 CVE-2022-0617).
- commit 87d491f
- x86/speculation: Merge one test in
  spectre_v2_user_select_mitigation() (bsc#1191580 CVE-2022-0001
  CVE-2022-0002).
- commit c1dcbbf
- cpu/SMT: create and export cpu_smt_possible() (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 2f54b88
- kabi: Hide changes to s390/AP structures (jsc#SLE-20809).
- s390/AP: support new dynamic AP bus size limit (jsc#SLE-20809).
- s390/ap: rework crypto config info and default domain code
  (jsc#SLE-20809).
- commit 8315837
- Refresh sorted patches
- commit edafc9f
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 4656612
- net/ibmvnic: Cleanup workaround doing an EOI after partition
  migration (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
- commit a49ae38
- NFSv4.x: by default serialize open/close operations (bsc#1114893 bsc#1195934).
  Make this work-around optional
- commit 188b38c
- blacklist.conf: added two duplicates
- commit c74dc0a
- powerpc/pseries: read the lpar name from the firmware
  (bsc#1187716 ltc#193451).
- commit 6691bc3
- Refresh patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch
- commit b8f15d4
- powerpc: add link stack flush mitigation status in debugfs
  (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
- powerpc/64s: Fix debugfs_simple_attr.cocci warnings (bsc#1157038
  bsc#1157923 ltc#182612 git-fixes).
- commit d196896
- scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
- commit 1808416
- scsi: qla2xxx: Remove unused qla_sess_op_cmd_list from
  scsi_qla_host_t (bsc#1195823).
- scsi: qla2xxx: Add qla2x00_async_done() for async routines
  (bsc#1195823).
- scsi: qla2xxx: Update version to 10.02.07.300-k (bsc#1195823).
- scsi: qla2xxx: Check for firmware dump already collected
  (bsc#1195823).
- scsi: qla2xxx: Add devids and conditionals for 28xx
  (bsc#1195823).
- scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
  (bsc#1195823).
- scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for
  28XX adapters (bsc#1195823).
- scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
- scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
- scsi: qla2xxx: Fix device reconnect in loop topology
  (bsc#1195823).
- scsi: qla2xxx: Add ql2xnvme_queues module param to configure
  number of NVMe queues (bsc#1195823).
- scsi: qla2xxx: Fix wrong FDMI data for 64G adapter
  (bsc#1195823).
- scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
- scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
- scsi: qla2xxx: Fix premature hw access after PCI error
  (bsc#1195823).
- scsi: qla2xxx: Fix warning message due to adisc being flushed
  (bsc#1195823).
- scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
- scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
- scsi: qla2xxx: Refactor asynchronous command initialization
  (bsc#1195823).
- scsi: qla2xxx: Update version to 10.02.07.200-k (bsc#1195823).
- scsi: qla2xxx: edif: Fix inconsistent check of db_flags
  (bsc#1195823).
- scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
- scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
- scsi: qla2xxx: edif: Replace list_for_each_safe with
  list_for_each_entry_safe (bsc#1195823).
- scsi: qla2xxx: Remove a declaration (bsc#1195823).
- scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
- scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
- commit 94d7f50
- Bluetooth: bfusb: fix division by zero in send path (git-fixes).
- commit 615915b
- gve: Recording rx queue before sending to napi (bsc#1191655).
- ixgbevf: Require large buffers for build_skb on 82599VF
  (bsc#1101674 FATE#325150 FATE#325151).
- IB/rdmavt: Validate remote_addr during loopback atomic tests
  (bsc#1114685 FATE#325854).
- gve: fix the wrong AdminQ buffer queue index check
  (bsc#1191655).
- gve: Fix GFP flags when allocing pages (bsc#1191655).
- i40e: Increase delay to 1 s after global EMP reset (bsc#1101816
  FATE#325147 FATE#325149).
- phylib: fix potential use-after-free (bsc#1119113 FATE#326472).
- gve: Add consumed counts to ethtool stats (bsc#1191655).
- gve: Implement suspend/resume/shutdown (bsc#1191655).
- gve: Add optional metadata descriptor type GVE_TXD_MTD
  (bsc#1191655).
- gve: remove memory barrier around seqno (bsc#1191655).
- gve: Update gve_free_queue_page_list signature (bsc#1191655).
- gve: Move the irq db indexes out of the ntfy block struct
  (bsc#1191655).
- gve: Correct order of processing device options (bsc#1191655).
- iavf: Fix limit of total number of queues to active queues of VF
  (bsc#1111981 FATE#326312 FATE#326313).
- i40e: Fix for displaying message regarding NVM version
  (jsc#SLE-4797).
- net: ena: Fix error handling when calculating max IO queues
  number (bsc#1174852).
- net: ena: Fix undefined state when tx request id is out of
  bounds (bsc#1174852).
- igb: Fix removal of unicast MAC filters of VFs (bsc#1117495).
- ice: ignore dropped packets during init (bsc#1118661
  FATE#325277).
- i40e: Fix pre-set max number of queues for VF (bsc#1111981
  FATE#326312 FATE#326313).
- gve: fix for null pointer dereference (bsc#1191655).
- net: marvell: mvpp2: Fix the computation of shared CPUs
  (bsc#1119113 FATE#326472).
- RDMA/netlink: Add __maybe_unused to static inline in C file
  (bsc#1046306 FATE#322942).
- i40e: Fix display error code in dmesg (bsc#1109837 bsc#1111981
  FATE#326312).
- i40e: Fix creation of first queue by omitting it if is not
  power of two (bsc#1101816 FATE#325147 FATE#325149).
- i40e: Fix ping is lost after configuring ADq on VF
  (bsc#1094978).
- i40e: Fix changing previously set num_queue_pairs for PFs
  (bsc#1094978).
- i40e: Fix correct max_pkt_size on VF RX queue (bsc#1101816
  FATE#325147 FATE#325149).
- iavf: prevent accidental free of filter structure (bsc#1111981
  FATE#326312 FATE#326313).
- cxgb4: fix eeprom len when diagnostics not implemented
  (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583
  bsc#1097584).
- gve: fix unmatched u64_stats_update_end() (bsc#1191655).
- RDMA/bnxt_re: Fix query SRQ failure (bsc#1050244 FATE#322915).
- net: phylink: avoid mvneta warning when setting pause parameters
  (bsc#1119113 FATE#326472).
- gve: Add a jumbo-frame device option (bsc#1191655).
- gve: Implement packet continuation for RX (bsc#1191655).
- gve: Add RX context (bsc#1191655).
- gve: Track RX buffer allocation failures (bsc#1191655).
- gve: Allow pageflips on larger pages (bsc#1191655).
- gve: Add netif_set_xps_queue call (bsc#1191655).
- gve: Do lazy cleanup in TX path (bsc#1191655).
- gve: Add rx buffer pagecnt bias (bsc#1191655).
- gve: Switch to use napi_complete_done (bsc#1191655).
- gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
- gve: DQO: avoid unused variable warnings (bsc#1191655).
- ice: Delete always true check of PF pointer (bsc#1118661
  FATE#325277).
- net: Prevent infinite while loop in skb_tx_hash() (bsc#1109837).
- RDMA/mlx5: Set user priority for DCT (bsc#1103991 FATE#326007).
- e1000e: Fix packet loss on Tiger Lake and later (bsc#1158533).
- mqprio: Correct stats in mqprio_dump_class_stats()
  (bsc#1109837).
- platform/mellanox: mlxreg-io: Fix argument base in kstrtou32()
  call (bsc#1112374).
- i40e: Fix freeing of uninitialized misc IRQ vector (bsc#1101816
  FATE#325147 FATE#325149).
- gve: report 64bit tx_bytes counter from
  gve_handle_report_stats() (bsc#1191655).
- gve: fix gve_get_stats() (bsc#1191655).
- gve: Properly handle errors in gve_assign_qpl (bsc#1191655).
- gve: Avoid freeing NULL pointer (bsc#1191655).
- gve: Correct available tx qpl check (bsc#1191655).
- qed: rdma - don't wait for resources under hw error recovery
  flow (bsc#1136460 jsc#SLE-4691 bsc#1136461 jsc#SLE-4692).
- qed: Handle management FW error (git-fixes).
- commit 287122e
- blacklist.conf: logging only
- commit d52bed3
- PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA
  controller (git-fixes).
- commit 99c4459
- net: usb: pegasus: Do not drop long Ethernet frames (git-fixes).
- commit f3b4a43
- rndis_host: support Hytera digital radios (git-fixes).
- commit 409a861
- blacklist.conf: optimization, not a bug fix
- commit 8686052
- powerpc/pseries/ddw: Revert "/Extend upper limit for huge DMA
  window for persistent memory"/ (bsc#1195995 ltc#196394).
- commit af87ae6
- f2fs: fix to do sanity check on inode type during garbage
  collection (CVE-2021-44879 bsc#1195987).
- commit e8b60dc
- Update
  patches.suse/0001-PCI-hv-Use-expected-affinity-when-unmasking-IRQ.patch
  (bsc#1185973, bsc#1195536).
- commit b3ac9c4
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit daaae48
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
  bsc#1195897).
- commit 2b51111
- EDAC/xgene: Fix deferred probing (bsc#1114648).
- commit cfd65af
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487).
- commit b3ff0d9
- sunrpc/auth_gss: support timeout on gss upcalls (bsc#1193857).
- commit 69bbdfa
- fuse: annotate lock in fuse_reverse_inval_entry() (bsc#1195795).
- commit 60fd4d3
- ext4: avoid trim error on fs with small groups (bsc#1191271).
- commit 00cdce0
- scsi: bnx2fc: Flush destroy_work queue before calling
  bnx2fc_interface_put() (git-fixes).
- scsi: nsp_cs: Check of ioremap return value (git-fixes).
- scsi: qedf: Fix potential dereference of NULL pointer
  (git-fixes).
- scsi: ufs: Fix race conditions related to driver data
  (git-fixes).
- scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
  (git-fixes).
- scsi: scsi_debug: Sanity check block descriptor length in
  resp_mode_select() (git-fixes).
- commit 4931645
- Added git-fix commmit to blacklist: too pervasive
- commit eaa0f49
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 25a96a7
- NFSv4: Handle case where the lookup of a directory fails
  (bsc#1195612 CVE-2022-24448).
- commit fe40712
- usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
- commit f38a194
- usb: typec: tcpm: Do not disconnect while receiving VBUS off
  (git-fixes).
- commit 5916f0b
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
  file (git-fixes).
- NFSv4: Handle case where the lookup of a directory fails
  (git-fixes).
- nfsd: fix use-after-free due to delegation race (git-fixes).
- NFSv42: Fix pagecache invalidation after COPY/CLONE (git-fixes).
- NFSv42: Don't fail clone() unless the OP_CLONE operation failed
  (git-fixes).
- commit ecc4580
- blacklist.conf: add unneeded commit
- commit 8b757b2
- blacklist.conf: irrelevant in our kernel config
- commit b5c4448
- blacklist.conf: this is an optimization, not a fix
- commit a07f81d
- blacklist.conf: for a compiler option we don't use
- commit 8631da6
- Update
  patches.suse/net-tipc-validate-domain-record-count-on-input.patch
  (bsc#1195254 CVE-2022-0435).
- commit 0369cb6
- net: allow retransmitting a TCP packet if original is still
  in queue (bsc#1188605 bsc#1187428).
- commit 8ae7229
- Update patch reference for BT fix (CVE-2021-3564 bsc#1186207)
- commit ea7857c
- Bluetooth: fix the erroneous flush_work() order (git-fixes).
- commit 9b1f0b0
- Update patch reference for BT fix (CVE-2021-3564 bsc#1186207)
- commit b2df5e2
- Update patch reference for vgacon patch (CVE-2020-28097 bsc#1187723 jsc#SLE-23486)
- commit 8272c66
- net: tipc: validate domain record count on input (bsc#1195254).
- commit eff4836
- s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194965).
- commit 3996412
- ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
- commit afd5597
- crypto: qat - fix undetected PFVF timeout in ACK loop
  (git-fixes).
- commit 22ebc8e
- s390/cio: make ccw_device_dma_* more robust (bsc#1193242).
- commit 8bea447
- kABI fixup after adding vcpu_idx to struct kvm_cpu
  (bsc#1190973).
- KVM: remember position in kvm->vcpus array (bsc#1190973).
- commit 768c666
- KVM: s390: index kvm->arch.idle_mask by vcpu_idx (bsc#1190973).
- commit 67bbbe2
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit 413134f
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
  patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
  which caused a regression (bsc#1194048).
- Replace with an alternative fix for bsc#1185377
- commit 3800186
- Refresh
  patches.suse/ibmvnic-Allow-extra-failures-before-disabling.patch.
- Refresh patches.suse/ibmvnic-don-t-spin-in-tasklet.patch.
- Refresh patches.suse/ibmvnic-init-running_cap_crqs-early.patch.
- Refresh
  patches.suse/ibmvnic-remove-unused-wait_capability.patch.
- commit d68e92d
- ext4: set csum seed in tmp inode while migrating to extents
  (bsc#1195272).
- commit 294d77e
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
  Refresh:
  - patches.kabi/kabi-nvme-multipath-fix-iopolicy.patch.
  - patches.suse/nvme-multipath-disable-native-NVMe-multipath-per-def.patch.
- commit f17ae54
- drm/vmwgfx: Fix stale file descriptors on failed usercopy
  (CVE-2022-22942 bsc#1195065).
- commit 136a4b2
- s390/pci: add s390_iommu_aperture kernel parameter
  (bsc#1193234).
- virtio: write back F_VERSION_1 before validate (bsc#1193235).
- commit a307e0d
- bpf: Verifer, adjust_scalar_min_max_vals to always call
  update_reg_bounds() (bsc#1194227).
- commit c098fc7
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 39c5f8e
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Add XDP support (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- net, xdp: Introduce xdp_prepare_buff utility routine
  (bsc#1193507).
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193507).
- commit c70ed8e
- usb: gadget: configfs: Fix use-after-free issue with udc_name
  (bsc#1193861 CVE-2021-39648).
- commit 9ec119b
- fget: clarify and improve __fget_files() implementation
  (bsc#1193727).
- commit 3ce5a50
- ibmvnic: remove unused ->wait_capability (bsc#1195073
  ltc#195713).
- ibmvnic: don't spin in tasklet (bsc#1195073 ltc#195713).
- ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
- ibmvnic: Allow extra failures before disabling (bsc#1195073
  ltc#195713).
- commit 3d370d2
- tee: handle lookup of shm with reference count 0 (bsc#1193767
  CVE-2021-44733).
- commit 10b0db6
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 20f1914
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit bd11976
- kabi/severities: Add a kabi exception for drivers/tee/tee
  According to the partner modules database, the structs of this driver
  are not used by anything external so make a kABI exception for them.
  Do that on purpose so that any external module using this fails to load
  instead of causing a potential memory corruption due to a kabi
  workaround which would use the same offset but for a different thing:
  - struct dma_buf *dmabuf;
  +	refcount_t refcount;
  See upstream commit
  dfd0743f1d9e ("/tee: handle lookup of shm with reference count 0"/)
- commit ac7feb6
- sctp: account stream padding length for reconf chunk
  (bsc#1194985 CVE-2022-0322).
- commit f5ee3ee
- of: Fix cpu node iterator to not ignore disabled cpu nodes
  (bsc#1065729).
- commit d8d9d32
- Refresh
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
- Refresh
  patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch.
- Refresh
  patches.suse/scsi-lpfc-Adjust-CMF-total-bytes-and-rxmonitor.patch.
- Refresh patches.suse/scsi-lpfc-Cap-CMF-read-bytes-to-MBPI.patch.
- Refresh
  patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch.
- Refresh
  patches.suse/scsi-lpfc-Fix-NPIV-port-deletion-crash.patch.
- Refresh
  patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch.
- Refresh
  patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch.
- Refresh
  patches.suse/scsi-lpfc-Trigger-SLI4-firmware-dump-before-doing-dr.patch.
- Refresh
  patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch.
- commit f21e440
- vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).
- commit b248150
- powerpc/pseries/mobility: ignore ibm, platform-facilities
  updates (bsc#1065729).
- commit 965bacc
- powerpc/traps: do not enable irqs in _exception (bsc#1065729).
- powerpc: add interrupt_cond_local_irq_enable helper
  (bsc#1065729).
- commit 4a386a2
- blacklist.conf: Add a2308836880b powerpc: Fix arch_stack_walk() to have
  running function as first entry
  The stacktrace interface in this kernel version does not provide the
  parameters used to implement the fix.
- commit 21795fd
- blacklist.conf: Add 79ca6f74dae0 tpm: fix Atmel TPM crash caused by too frequent queries
  Breaks kABI, there is no report of this problem affecting users, likely
  broken old TPM firmware.
- commit 8a8da53
- tpm: Check for integer overflow in tpm2_map_response_body()
  (bsc#1082555).
- commit efacd25
- tpm: add request_locality before write TPM_INT_ENABLE
  (bsc#1082555).
- commit 8057fac
- moxart: fix potential use-after-free on remove path
  (bsc#1194516).
- commit 5a3dfcb
- memstick: rtsx_usb_ms: fix UAF (bsc#1194516).
- commit 9692e25
- livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
- commit e59d06e
- of: add node name compare helper functions (bsc#1065729).
- commit 5ef3ecd
- of: Fix property name in of_node_get_device_type (bsc#1065729).
- of: Add device_type access helper functions (bsc#1065729).
- commit fd75973
- of: Add cpu node iterator for_each_of_cpu_node() (bsc#1065729).
- commit e0452f1
- powerpc/prom_init: Fix improper check of prom_getprop()
  (bsc#1065729).
- commit 1a169ee
- powerpc/pseries/cpuhp: delete add/remove_by_count code
  (bsc#1065729).
- powerpc/pseries/cpuhp: cache node corrections (bsc#1065729).
- commit ab66a06
- powerpc/perf: Fix data source encodings for L2.1 and L3.1
  accesses (bsc#1065729).
- commit 532dbbd
- tpm: fix potential NULL pointer access in tpm_del_char_device
  (bsc#1184209 ltc#190917 git-fixes bsc#1193660 ltc#195634).
- commit c218b13
- tracing/kprobes: 'nmissed' not showed correctly for kretprobe
  (git-fixes).
- commit 38d905a
- blacklist.conf: 77360f9bbc7e ("/tracing: Add test for user space strings when filtering on string pointers"/)
  The code in question was heavily modified by 80765597bc58 ("/tracing:
  Rewrite filter logic to be simpler and faster"/) which is not present in
  SLE12-SP5. The reproducer does not work and the logic is different, so
  the existing code seems to be safe.
- commit 4313ee6
- blacklist.conf: 3e2a56e6f639 ("/tracing: Have syscall trace events use trace_event_buffer_lock_reserve()"/)
  Optimization only.
- commit 856add1
- mm/hwpoison: do not lock page again when me_huge_page()
  successfully recovers (bsc#1194814).
- commit 5a48d23
- nfs: don't dirty kernel pages read by direct-io (bsc#1194410).
- commit 80f1a10
- select: Fix indefinitely sleeping task in
  poll_schedule_timeout() (bsc#1194027).
- commit 1e8594d
- x86/platform/uv: Add more to secondary CPU kdump info
  (bsc#1194493).
- commit 303a333
- blacklist.conf: f28439db470c ("/tracing: Tag trace_percpu_buffer as a percpu pointer"/)
  It fixes a sparse warning only.
- commit c384e17
- tracing: Fix check for trace_percpu_buffer validity in
  get_trace_buf() (git-fixes).
- commit 1ad63e6
- cgroup: Use open-time credentials for process migraton perm
  checks (bsc#1194302 CVE-2021-4197).
- commit b76ad03
- NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202
  bsc#1194529).
- NFC: reorder the logic in nfc_{un,}register_device
  (CVE-2021-4202 bsc#1194529).
- NFC: reorganize the functions in nci_request (CVE-2021-4202
  bsc#1194529).
- commit 68b4b42
- Update patches.suse/tcp-fix-a-race-in-inet_diag_dump_icsk.patch
  (networking-stable-19_01_04 bsc#1186222).
  Fix bsc#1186222 by using proper atomic helper.
- commit bd29e90
- fget: check that the fd still exists after getting a ref to it
  (bsc#1193727 CVE-2021-4083).
- commit 5441599
- kprobes: Limit max data_size of the kretprobe instances
  (bsc#1193669).
- commit 3600b27
- btrfs: unlock newly allocated extent buffer after error (bsc#1194001, CVE-2021-4149).
- commit 0a8af05
- netdevsim: Zero-initialize memory for new map's value in
  function nsim_bpf_map_alloc (bsc#1193927 CVE-2021-4135).
- commit 1d46c55
- USB: serial: option: add Telit FN990 compositions (git-fixes).
- commit 20a8f2b
- usb: core: config: fix validation of wMaxPacketValue entries
  (git-fixes).
- commit 650dbdc
- blacklist.conf: Add 7ee285395b21 cgroup: Make rebind_subsystems() disable v2 controllers all at once
- commit 8237a58
- net: usb: lan78xx: add Allied Telesis AT29M2-AF (git-fixes).
- commit 8f95759
- net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
  (git-fixes).
- commit 7655e21
- blacklist.conf: cosmetics for clang
- commit a46466a
- usbnet: fix error return code in usbnet_probe() (git-fixes).
- commit a1b9e9d
- usbnet: sanity check for maxpacket (git-fixes).
- commit 97566d2
- nvme: return BLK_STS_TRANSPORT unless DNR for
  NVME_SC_NS_NOT_READY (bsc#1163405).
- commit a71cfce
- SUNRPC: Optimise transport balancing code (bnc#1192729).
- SUNRPC: Fix initialisation of struct rpc_xprt_switch
  (bnc#1192729).
- SUNRPC: Skip zero-refcount transports (bnc#1192729).
- SUNRPC: Replace division by multiplication in calculation of
  queue length (bnc#1192729).
- SUNRPC: Add basic load balancing to the transport switch - kabi fix.
  (bnc#1192729).
- commit 54dcd98
- SUNRPC: Add basic load balancing to the transport switch.
  (bnc#1192729)
- commit 6b24397
- Revert "/net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)"/
  This reverts commit 1c59b584ef0cc166f6f5c9f8ed6f47e2e811e1c0.
  With the backport of the upstream fix for bsc#1183405 race, this workaround
  is no longer needed.
- commit 0bfd1f2
- kabi: mask new member "/empty"/ of struct Qdisc (bsc#1183405).
- kabi: revert drop of Qdisc::atomic_qlen (bsc#1183405).
- net: sched: add barrier to ensure correct ordering for lockless
  qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless
  qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue
  (bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation
  (bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc
  (bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in
  qdisc_replace (bsc#1183405).
- net: sch_generic: aviod concurrent reset and enqueue op for
  lockless qdisc (bsc#1183405).
- net_sched: get rid of unnecessary dev_qdisc_reset()
  (bsc#1183405).
- net_sched: avoid resetting active qdisc for multiple times
  (bsc#1183405).
- net_sched: use qdisc_reset() in qdisc_destroy() (bsc#1183405).
- Revert "/net: dev: introduce support for sch BYPASS for lockless
  qdisc"/ (bsc#1183405).
- net/sched: annotate lockless accesses to qdisc->empty
  (bsc#1183405).
- net: sched: Avoid using yield() in a busy waiting loop
  (bsc#1183405).
- net/sched: fix race between deactivation and dequeue for NOLOCK
  qdisc (bsc#1183405).
- net/sched: pfifo_fast: fix wrong dereference in
  pfifo_fast_enqueue (bsc#1183405).
- net/sched: pfifo_fast: fix wrong dereference when qdisc is reset
  (bsc#1183405).
- Revert: "/net: sched: put back q.qlen into a single location"/
  (bsc#1183405).
- net: sched: when clearing NOLOCK, clear TCQ_F_CPUSTATS, too
  (bsc#1183405).
- net: sched: always do stats accounting according to
  TCQ_F_CPUSTATS (bsc#1183405).
- net: sched: prefer qdisc_is_empty() over direct qlen access
  (bsc#1183405).
- net: caif: avoid using qdisc_qlen() (bsc#1183405).
- net: dev: introduce support for sch BYPASS for lockless qdisc
  (bsc#1183405).
- net: sched: add empty status flag for NOLOCK qdisc
  (bsc#1183405).
- commit 53153a5
libnettle
- Update to version 3.1: (jsc#SLE-23330)
  * SONAME bumps libnettle5, libhogweed3
  * Rebased patches:
  - CVE-2015-8805.patch
  - libnettle-CVE-2021-20305.patch
  - libnettle-CVE-2021-3580.patch
  - nettle-CVE-2016-6489.patch
libpwquality
- Replace %make_build with "/make -O %{?_smp_mflags}"/ for pre-SLE15
  builds.
  [jsc#SLE-22490, libpwquality.spec]
- update to 1.4.4
  * e11f2bd Fix regression with enabling cracklib check
  * 02e6728 Use make macros in rpm spec file
  * xxxxxxx Translated using Weblate (Polish, Turkish, Ukrainian)
- update to 1.4.3
  * 1213d33 Update translation files
  * a951fbe Add --disable-cracklib-check configure parameter
  * 6a8845b fixup static compilation
  * 92c6066 python: Add missing getters/setters for newly added settings
  * bfef79d Add usersubstr check
  * 09a2e65 pam_pwquality: Add debug message for the local_users_only option
  * a6f7705 Fix some gcc warnings
  * 8c8a260 pwmake: Properly validate the bits parameter.
  * 7be4797 we use Fedora Weblate now
  * xxxxxxx Translated using Weblate (Azerbaijani, Bulgarian,
    Chinese (Simplified), Czech, French, Friulian, Hungarian, Italian,
    Japanese, Norwegian Bokmål, Persian, Russian, Spanish, Turkish)
- update to 1.4.2:
  * Fix regression in handling retry, enforce_for_root, and
    local_users_only options introduced with the previous
    release.
- Register with pam-config in %post(un)
- Add baselibs.conf
- Update to version 1.4.1:
  + Minor bugfix update of the library.
- Drop libpwquality-pythons.patch: Fixed upstream. Following this,
  drop autoconf, automake and libtool BuildRequires and autoreconf
  call.
- Use modern macros.
- Do not recommend lang package. The lang package already has a
  supplements.
- Modernize spec-file by calling spec-cleaner
- Update RPM groups and summaries.
- Switch url to https://github.com/libpwquality/libpwquality/
- Update to release 1.4.0:
  * Fix possible buffer overflow with data from /dev/urandom
    in pwquality_generate().
  * Do not try to check presence of too short username in password.
    (thanks to Nikos Mavrogiannopoulos)
  * Make the user name check optional (via usercheck option).
  * Add an 'enforcing' option to make the checks to be warning-only
    in PAM.
  * The difok = 0 setting will disable all old password similarity
    checks except new and old passwords being identical.
  * Updated translations from Zanata.
- Add patch libpwquality-pythons.patch to avoid duping pythondir
- Make python3 default and enable py2 only when needed
- Build python3 version of bindings as well
libqb
- Add libqb-fix-linker-hack.patch to fix incomplete check for
  needing a work-around, which is wrong for newer binutils. (bsc#1192470)
  Related to [bsc#1075418].
- log: callsite symbols of main object are also handled in initializer (bsc#1075418)
  * bsc#1075418-libqb-log_register_one.patch
- IPC: server: avoid temporary channel priority loss, up to deadlock-worth (gh#ClusterLabs/libqb#352, rh#1718773, bsc#1188212)
  * bsc#1188212-0001-IPC-server-avoid-temporary-channel-priority-loss-up-.patch
mdadm
- Incremental: Remove redundant spare movement logic
  (bsc#1190376)
  0036-Incremental-Remove-redundant-spare-movement-logic.patch
nfs-utils
- Add 0200-mountd-Initialize-logging-early.patch
  If an error or warning message is produced before
  closeall() is called, mountd gets confused and doesn't work.
  (bsc#1194661)
- 0191-mount-don-t-bind-a-socket-needlessly.patch
  Don't bind() a non-priv socket immediately before connecting,
  as this wastes port numbers.
  (bsc#1187922)
openldap2
- bsc#1193296 - Resolve double free in sssvlv overlay
  * 0223-ITS-8592-Fix-double-free-in-sssvlv-overlay.patch
p11-kit
- Update to 0.23.2; (jsc#SLE-23330);
  * Fix forking issues with libffi
  * Fix various crashes in corner cases
  * Updated translations
  * Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner
- Fix multiple integer overflows in rpc code (bsc#1180064
  CVE-2020-29361):
  * 0001-common-Use-reallocarray-instead-of-realloc-as-approp.patch
  * 0001-Check-for-arithmetic-overflows-before-allocating.patch
  * 0001-Follow-up-to-arithmetic-overflow-fix.patch
- Rebased patches:
  * 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
  * 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
- Drop patches fixed in the update:
  * 0001-trust-Allow-BEGIN-PUBLIC-KEY-PEM-blocks-in-.p11-kit-.patch
  * 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
  * trust-Fix-segfaults-in-expand_homedir-when-pw_dir-NULL.patch
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993,
  0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch)
- add bcond to spec file to enable debug easily
- Also build documentation (boo#1013125)
- Use %license instead of %doc [bsc#1082318]
- 32-bit compatibility fixes:
  * Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
  * Add p11-kit-nss-trust-32bit NSS module
  * Fix potential bi-arch issue with private binaries
    (fdo#98817, p11-kit-biarch.patch)
polkit
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
  added CVE-2021-4115.patch
psmisc
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
release-notes-sles
- 12.5.20220202 (tracked in bsc#933411)
- Added kernel parameter change (bsc#1195107)
- Added note about deprecating XFS V4 (jsc#SLE-22661)
- Updated note about unixODBC drivers in production (jsc#SLE-20553)
resource-agents
- RA reports "/string indices must be integers"/ to stderr after
  "/WARNING: Failed to reach the server: Gone"/ (bsc#1194502)
  Add upstream patch:
  0001-azure-events-report-error-if-jsondata-not-received.patch
salt
- Fix inspector module export function (bsc#1097531)
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Fix possible traceback on ip6_interface grain (bsc#1193565)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Added:
  * vendor-stateresult.patch
  * fix-possible-traceback-on-ip6_interface-grain-bsc-11.patch
  * state.apply-don-t-check-for-cached-pillar-errors.patch
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * fix-inspector-module-export-function-bsc-1097531-478.patch
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
  * refactor-and-improvements-for-transactional-updates-.patch
samba
- Fix ntlm authentications with "/winbind use default domain = yes"/;
  (bso#13126); (bsc#1173429); (bsc#1196308).
- Update spec file to do not provide nor require the bundled talloc,
  tdb, tevent and ldb libraries; (bsc#1195510);
- CVE-2021-44141: Information leak via symlinks of existance of
  files or directories outside of the exported share; (bso#14911);
  (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
  in VFS module vfs_fruit allows code execution; (bso#14914);
  (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
  account can impersonate arbitrary services; (bso#14950);
  (bsc#1195048);
- Update to version 4.15.4; (jsc#SLE-23330);
  + CVE-2021-43566: Symlink race error can allow directory creation
    outside of the exported share; (bso#13979); (bsc#1139519);
  + CVE-2021-20316: Symlink race error can allow metadata read and
    modify outside of the exported share; (bso#14842); (bsc#1191227);
- Build samba with embedded talloc, pytalloc, pytalloc-util, tdb,
  pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries.
  The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and
  their manpages in /usr/lib[64]/samba/man
- Update to 4.15.4
  * Duplicate SMB file_ids leading to Windows client cache
    poisoning; (bso#14928);
  * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
    NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
  * kill_tcp_connections does not work; (bso#14934);
  * Can't connect to Windows shares not requiring authentication
    using KDE/Gnome; (bso#14935);
  * smbclient -L doesn't set "/client max protocol"/ to NT1 before
    calling the "/Reconnecting with SMB1 for workgroup listing"/
    path; (bso#14939);
  * Cross device copy of the crossrename module always fails;
    (bso#14940);
  * symlinkat function from VFS cap module always fails with an
    error; (bso#14941);
  * Fix possible fsp pointer deference; (bso#14942);
  * Missing pop_sec_ctx() in error path inside close_directory();
    (bso#14944);
  * "/smbd --build-options"/ no longer works without an smb.conf file;
    (bso#14945);
- Use pkgconfig(krb5) as dependency for the -devel package: allow
  OBS to pick the right flavor of krb5-devel (full vs mini).
- Do not require the 'krb5' symbol by samba-client-libs: this
  package has an automatic dependency due to linkage on
  libgssapi_krb5.so.2. Automatic deps are always better.
- Do not require the 'krb5' symbol from samba-libs: samba-libs
  requires samba-client-libs, which in turn requires krb5
  libraries. Samba-libs itself has no need for krb5 (but get it
  indirectly anyway).
- Reorganize libs packages. Split samba-libs into samba-client-libs,
  samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
  public libraries depending on internal samba libraries into these
  packages as there were dependency problems everytime one of these
  public libraries changed its version (bsc#1192684). The devel
  packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Add python-rpm-macros to build requirements
- Update the symlink create by samba-dsdb-modules to private samba
  ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
  /usr/lib64/ldb2/modules/ldb/samba
sudo
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
sysstat
- Fix possible segfault in read_task_stats() [bsc#1194679]
- Add sysstat-fix-segfault-in-read_task_stats.patch
tcl
- New version 8.6.12:
  * (bug)[d43f96] [string trim*] broken for Emoji
  * (bug)[22324b] [string reverse] broken for Emoji
  * (bug)[1dab71,7c64aa] BRE broken by uninitialized value use
  * (bug)[8419c5] Unix tty channels tolerate EINTR
  * ** POTENTIAL INCOMPATIBILITY ***
  * (bug)[4c591f] [string compare] EIAS violation
  * (bug)[266494] [concat foo [list #]] EIAS violation
  * (bug)[24b918] Save IO buffers from modern optimizers
  * (new) support for POSIX error EILSEQ
  * (bug)[688fcc] segfault during traced delete of alias
  * (bug)[ccc448] segfault in ensemble rewrite machinery
  * (new) Update to Unicode-14
  * (bug)[a8579d] failed proc argument spec processing
  * Obsoletes tcl-aa4a13c15516da45.patch
- Bump %itclver and ensure it stays in sync.
- bsc#1185662: Move tcl.macros /usr/lib/rpm/macros.d .
- https://core.tcl-lang.org/thread/tktview?name=98ae20f0f5:
  Add tcl-aa4a13c15516da45.patch to disable lto for the stubs
  libraries.
- tclConfig.sh: Fix path names and avoid braces in TCL_PACKAGE_PATH
- Set TCL_LIBRARY at configure time for better consistency.
- New version: 8.6.11:
  * Add tcltest::(Setup|Eval|Cleanup|)Test
  * Update to Unicode-13
  * Add 3 libtommath functions to stub table
  * Many more bug fixes
- Potentially incompatible changes:
  * (bug)[ffeb20] [binary decode base64] ignore invalid chars
  * (bug)[b8e82d] some -maxlen values break uuencode round trip
  * (bug)[085913] Tcl_DStringAppendElement # quoting precision
  * (bug)[81242a] revised documentation for Tcl_UtfAtIndex()
  * (bug)[ed2980] Tcl_UtfToUniChar reads > TCL_UTF_MAX bytes
  * (bug)[a1bd37] [clock scan] new ISO format (clock-34.(19-24))
  * (bug)[501974] [clock scan] +time zone (clock-34.(53-68))
  * (new) force -eofchar 032 when evaluating library scripts
  * (new)[48898a] improve error message consistency
  * (new) revised case of module names
- Add a manpage symlink for tclsh8.6.
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "/..."/:  lib64 == lib64.
- New version: 8.6.10:
  * (bug)[7a9dc5] [file normalize ~/~foo] segfault
  * (bug)[3cf3a9] variable 'timezone' deprecated in vc2017
  * (bug)[cc1e91] [list [list {*}[set a "/ "/]]] regression
    obsoletes tcl-expand-regression.patch.
  * (bug)[e3f481] tests var-1.2[01]
  * (new) Update to Unicode 12.0
  * (new)[TIP 527] New command [timerate]
  * (bug)[39fed4] [package require] memory validity
  * (new) New command tcl::unsupported::corotype
  * (bug) memlink when namespace deletion kills linked var
  * (new) README file converted to README.md in Markdown
  * (bug)[8b9854] [info level 0] regression with ensembles
  * (bug)[6bdadf] crash multi-arg write-traced [lappend]
  * (bug)[f8a33c] crash Tcl_Exit before init
  * (bug)[fa6bf3] Bytecode fails epoch recovery at numLevel=0
  * (bug)[fec0c1] C stack overflow compiling bytecode
  * tzdata updated to Olson's tzdata2019c
  * (bug)[16768d] Fix [info hostname] on NetBSD
  * (new) libtommath updated to release 1.2.0
  * (bug)[bcd100] bad fs cache when system encoding changes
  * (bug)[135804] segfault in [next] after destroy
  * (bug)[13657a] application/json us text, not binary
- binary-40.3 is expected to fail on riscv64 which does not support NaN
  propagation
- Use FAT LTO objects in order to provide proper static
  library (boo#1138797).
- Fix a regression in the handling of denormalized empty lists
  (tcl-expand-regression.patch, tcl#cc1e91552c).
- New version: 8.6.9:
  * NR-enable [package require]
  * (bug)[9fd5c6] crash in object deletion, test oo-11.5
  * (bug)[3c32a3] crash deleting object with class mixed in
  * (platform) stop using -lieee, removed from glibc-2.27
    (bsc#1179615, bsc#1181840).
  * (bug)[8e6a9a] bad binary [string match], test string-11.55
  * (bug)[1873ea] repair multi-thread std channel init
  * (bug)[db36fa] broken bytecode for index values
  * (bug) broken compiled [string replace], test string-14.19
  * (bug) [string trim*] engine crashed on invalid UTF
  * (bug) missing trace in compiled [array set], test var-20.11
  * (bug)[46a241] crash in unset array with search, var-13.[23]
  * (bug)[27b682] race made [file delete] raise "/no such file"/
  * (bug)[925643] 32/64 cleanup of filesystem DIR operations
  * (bug) leaks in TclSetEnv and env cache
  * (bug)[3592747] [yieldto] dying namespace, tailcall-14.1
  * (bug)[270f78] race in [file mkdir]
  * (bug)[3f7af0] [file delete] raised "/permission denied"/
  * (bug)[d051b7] overflow crash in [format]
  * revised quoting of [exec] args in generated command line
  * HTTP Keep-Alive with pipelined requests
  * (new)[TIP 505] [lreplace] accepts all out of range indices
  * (bug) Prevent crash from NULL keyName in the registry package
  * Update tcltest package for Travis support
  * (bug)[35a8f1] overlong string length of some lists
  * (bug)[00d04c] Repair [binary encode base64]
- handle s390 like s390x (bnc#1085480)
- Version 8.6.8:
  * [array names -regexp] supports backrefs
  * Fix gcc build failures due to #pragma placement
  * (bug)[b50fb2] exec redir append stdout and stderr to file
  * (bug)[2a9465] http state 100 continue handling broken
  * (bug)[0e4d88] replace command, delete trace kills namespace
  * (bug)[1a5655] [info * methods] includes mixins
  * (bug)[fc1409] segfault in method cloning, oo-15.15
  * (bug)[3298012] Stop crash when hash tables overflow 32 bits
  * (bug)[5d6de6] Close failing case of [package prefer stable]
  * (bug)[4f6a1e] Crash when ensemble map and list are same
  * (bug)[ce3a21] file normalize failure when tail is empty
  * (new)[TIP 477] nmake build system reform
  * (bug)[586e71] EvalObjv exception handling at level #0
- adapt check section for rpm-4.14.0
- Add more tests in Whitelist as bypass boo#1072657
  identified following tests failed on PowerPC
  interp-34.9 interp-34.13 http-3.25 timer-2.1 thread-20.9
- Whitelist known-failing tests. Further investigation needed.
tcpdump
- Security fix: [bsc#1195825, CVE-2018-16301]
  * Fix segfault when handling large files
  * Add tcpdump-CVE-2018-16301.patch
tiff
- security update: Fix buffer overwrite
  * CVE-2019-17546[bsc#1154365]
    + tiff-CVE-2019-17546.patch
- security update: Fix heap based buffer overflow in pal2rgb
  * CVE-2017-17095[bsc#1071031]
    + tiff-CVE-2017-17095.patch
- security update: Fix OOB in _TIFFmemcpy
  * CVE-2022-22844[bsc#1194539]
    + tiff-CVE-2022-22844.patch
- security update: Fix memory allocation failure in tif_read.c
  * CVE-2020-35521[bsc#1182808] CVE-2020-35522[bsc#1182809]
    + tiff-CVE-2020-35521,CVE-2020-35522.patch
- security update: Fix DOS via invertImage()
  * CVE-2020-19131[bsc#1190312]
    + tiff-CVE-2020-19131.patch
- security update: Fix heap-based buffer overflow in TIFF2PDF tool
  * CVE-2020-35524[bsc#1182812]
    + tiff-CVE-2020-35524.patch
- security update: Fix integer overflow in tif_getimage
  * CVE-2020-35523 [bsc#1182811]
    + tiff-CVE-2020-35523.patch
wicked
- fsm: fix device rename via yast (bsc#1194392)
  Reset worker config instead to reject a NULL/empty config
  xml node -- introduced in wicked 0.6.67 by commit c2a0385.
  [+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "/up"/ without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property makros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
  - support multiple networks configurations per interface
  - show connection status and scan-results (bsc#1160654)
  - corrected eap-tls,ttls cetificate handling and open vs. shared
    wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
  - cleanups and several other improvements, see changes
  - updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
  [- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
  [- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
  [+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
  [+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
yast2-samba-client
- With latest versions of samba (>=4.15.0) calling 'net ads lookup'
  with '-U%' fails; (boo#1193533).
- yast-samba-client fails to join if /etc/samba/smb.conf or
  /etc/krb5.conf don't exist; (bsc#1089938)
- Do not stop nmbd while nmbstatus is running, it is not necessary
  anymore; (bsc#1158916);
- 3.1.23
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Add CVE-2018-1100.patch: it fixes buffer overflow in utils.c:checkmailpath()
  can lead to local arbitrary code execution (CVE-2018-1100 bsc#1089030)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)