release-notes-sles
- 12.5.20240614 (tracked in bsc#933411)
- Added note about openSSH 8.4 (bsc#1222298)
- Added note about unsupported hibernate/suspend on Xen (bsc#1214405)
- Added note about chrony 4.1 (jsc#SLE-22248)
- Added note about adcli --dont-expire-password (jsc#SLE-21223)
- Added note about sudo -U -l restriction (jsc#SLE-22569)
- Added note about nodejs16 addition (jsc#SLE-21234)
- Added note about rsyslog 8.2106 (jsc#SLE-21522)
- Added note about tcl 8.6.12 (jsc#SLE-21015)
- Added note about sudo 1.8.27 update (jsc#SLE-17083)
bind
- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    only allowing a maximum of 100 records to be stored per name
    and type in a cache or zone database.
    (CVE-2024-1737)
    [bsc#1228256, bind-9.11-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.11-CVE-2024-1975.patch]
python-dnspython
- Fix CVE-2023-29483-pre1.patch
  (bsc#1230353, gh#rthalley/dnspython@6d590f0a2e1b, gh#nrhall/dnspython@55d6a9d81930)

- Update py3_fixes.patch to fix all python3 issues and make the code
  compatible with python2 and python3.
- Add upstream patches to solve CVE-2023-29483:
  - CVE-2023-29483-pre1.patch
  - CVE-2023-29483.patch
  (bsc#1222693, CVE-2023-29483, gh#rthalley/dnspython#1044)
wget
- Fix mishandled semicolons in the userinfo subcomponent, which could lead to
  insecure behavior in which data that was supposed to be in the userinfo
  subcomponent is misinterpreted to be part of the host subcomponent.
  [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
cloud-regionsrv-client
- Update to 10.3.4
  + Modify the message when network access over a specific IP version does
    not work. This is an informational message and should not look like
    an error
  + Inform the user that LTSS registration takes a little longer
  + Add fix-for-sles12-no-trans_update.patch
    + SLE 12 family has no products with transactional-update; we do not
    need to look for this condition
- From 10.3.3 (bsc#1229472)
  + Handle changes in process structure to properly identify the running
    zypper parent process and only check for 1 PID
- From 10.3.2
  + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream
- From 10.3.1 (jsc#PCT-400)
  + Add support for LTSS registration
  + Add fix-for-sles12-disable-registry.patch
    ~ No container support in SLE 12

- Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137)
  + The entry for the update infrastructure registry mirror was written
    incorrectly causing docker daemon startup to fail.

- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking
openssl-1_0_0
- Pull libopenssl-1_0_0 when updating openssl-1_0_0 with the same
  version. [bsc#1228291]

- Security fix: [bsc#1227138, bsc#1227227, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
ksh
- do not use posix_spawn as it lacks proper job handling [bsc#1224057]
  new patch: ksh93-no-posix_spawn.dif
- fix segfault in variable substitution [bsc#1129288]
  new patch: ksh93-putval.dif
- fix untrusted environment execution [bsc#1160796] [CVE-2019-14868]
  new patch: ksh93-untrustedenv.dif
pacemaker
- tools: CIB clients retry signon upon an EAGAIN error (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
  * bsc#1224183-0002-Fix-tools-CIB-clients-retry-signon-upon-an-EAGAIN-er.patch
- libcib: new function cib__signon_attempts() (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
  * bsc#1224183-0001-Refactor-libcib-new-function-cib__signon_attempts.patch

- libstonithd: prevent to free 'op_reply' repeatedly in 'stonith_send_command' (gh#ClusterLabs/pacemaker#3517)
  * pacemaker#3517-0001-prevent-to-free-op_reply-repeatedly-in-stonith_send_.patch

- tools: make crm_mon exit upon loss of the attached pseudo-terminal (bsc#1220229, gh#ClusterLabs/pacemaker#3430)
  * bsc#1220229-0001-Fix-tools-make-crm_mon-exit-upon-loss-of-the-attache.patch

- libcib: Don't incorrectly expand "++" and "+=" in XML attr values (gh#ClusterLabs/pacemaker#3413)
  * pacemaker#3413-0003-Fix-libcib-Don-t-incorrectly-expand-and-in-XML-attr-.patch
- libpacemaker: pcmk__inject_failcount should set an integer value (gh#ClusterLabs/pacemaker#3413)
  * pacemaker#3413-0001-Low-libpacemaker-pcmk__inject_failcount-should-set-a.patch
- scheduler: log unknown nodes in location constraints (gh#ClusterLabs/pacemaker#3409, CLBZ#5415)
  * pacemaker#3409-0007-Log-scheduler-log-unknown-nodes-in-location-constrai.patch
- scheduler: correct lifetime deprecation warning (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0006-Log-scheduler-correct-lifetime-deprecation-warning.patch
- scheduler: deprecate support for default instance attributes (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0004-Low-scheduler-deprecate-support-for-default-instance.patch
- scheduler: use default timeout (20s) if user configures 0 (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0003-Fix-scheduler-use-default-timeout-20s-if-user-config.patch
- tools: crm_resource should ignore resource meta-attribute node expressions (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0001-Fix-tools-crm_resource-should-ignore-resource-meta-a.patch

- fencer: always format time_t values as long long (gh#ClusterLabs/pacemaker#3407)
  * pacemaker#3407-0001-Log-fencer-always-format-time_t-values-as-long-long.patch

- libpacemaker: Correctly free graphs and synapses (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0002-Low-libpacemaker-Correctly-free-graphs-and-synapses.patch
- libcrmcommon: Initialize some variables (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0001-Low-libcrmcommon-Initialize-some-variables.patch
- HealthSMART: fix the description of temp_lower_limit (gh#ClusterLabs/pacemaker#3392)
  * pacemaker#3392-0001-Doc-HealthSMART-fix-the-description-of-temp_lower_li.patch

- cibsecret: Use 'ps axww' to avoid truncating issue (gh#ClusterLabs/pacemaker#3384)
  * pacemaker#3384-0001-Fix-cibsecret-Use-ps-axww-to-avoid-truncating-issue.patch

- libcrmcommon: Don't try to parse XML from bad .bz2 file (gh#ClusterLabs/pacemaker#3361)
  * pacemaker#3361-0001-Low-libcrmcommon-Don-t-try-to-parse-XML-from-bad-.bz.patch

- libcrmcommon: use uint32_t for 32-bit magic numbers (gh#ClusterLabs/pacemaker#3381)
  * pacemaker#3381-0001-Fix-libcrmcommon-use-uint32_t-for-32-bit-magic-numbe.patch

- tools: Fix argument validation for crm_attribute update. (gh#ClusterLabs/pacemaker#3379)
  * pacemaker#3379-0001-Low-tools-Fix-argument-validation-for-crm_attribute-.patch

- attrd: write Pacemaker Remote node attributes even if not in cache (gh#ClusterLabs/pacemaker#3304)
  * pacemaker#3304-0001-Fix-attrd-write-Pacemaker-Remote-node-attributes-eve.patch
- agents: Use attrd_updater dampen delay in SysInfo (gh#ClusterLabs/pacemaker#3286)
  * pacemaker#3286-0002-Fix-agents-Use-attrd_updater-dampen-delay-in-SysInfo.patch
- libcrmcommon: Check correct env vars in pcmk__node_attr_target() (gh#ClusterLabs/pacemaker#3286)
  * pacemaker#3286-0001-Low-libcrmcommon-Check-correct-env-vars-in-pcmk__nod.patch

- scheduler: restore nvpair behavior without id-ref (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0004-Low-scheduler-restore-nvpair-behavior-without-id-ref.patch
- libcrmcommon: fix NULL dereference in expand_idref() (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0002-Low-libcrmcommon-fix-NULL-dereference-in-expand_idre.patch
- scheduler: improve logs for invalid id-ref's (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0001-Log-scheduler-improve-logs-for-invalid-id-ref-s.patch
- pacemaker-attrd,libcrmcluster: avoid use-after-free when remote node in cluster node cache (gh#ClusterLabs/pacemaker#3293)
  * pacemaker#3293-0002-Fix-pacemaker-attrd-libcrmcluster-avoid-use-after-fr.patch
- libcrmcluster: avoid use-after-free in trace log (gh#ClusterLabs/pacemaker#3293)
  * pacemaker#3293-0001-Low-libcrmcluster-avoid-use-after-free-in-trace-log.patch
- HealthSmart: Check the parameter values of check_temperature to avoid error output (gh#ClusterLabs/pacemaker#3289)
  * pacemaker#3289-0001-Fix-HealthSmart-Check-the-parameter-values-of-check_.patch

- agents: handle dampening parameter consistently and correctly
  * 0001-Fix-agents-handle-dampening-parameter-consistently-a.patch

- crm_resource: make --wait wait for pending actions in CIB
  * 0001-Refactor-crm_resource-make-wait-wait-for-pending-act.patch

- agents: HealthCPU - fix the validation of input
  * 0001-fix-the-validation-of-input.patch
python36
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
  header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).
- Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic
  complexity in parsing cookies with backslashes (bsc#1229596,
  CVE-2024-7592)
- %{profileopt} variable is set according to the variable
  %{do_profiling} (bsc#1227999)

- Remove %suse_update_desktop_file macro as it is not useful any
  more.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).

- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.
glib2
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).
curl
- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
grub2
- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when linux root device is on lvm thin volume
  (bsc#1192622) (bsc#1191974)
- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch
fence-agents
- Azure native fencing does not start due to Python version (SLE 12 SP5)
  (jsc#PED-9921)
  Put fence_azure_arm into a separate package to be able to provide
  its own requirements.
  o Add upstream patch:
    0001-fence_azure_arm-add-stack-cloud-support.patch

- Azure - Fence agent stopped working after installing python-azure-core-1.23.1-2.12.8 -
  Error: Azure Resource Manager Python SDK not found or not accessible - SFSC 01532079 - ref:_00D1igLOd._500TrCLmyq:ref
  (bsc#1226671)
  - Apply modified upstream patch
    0001-fence_azure_arm-fix-get-virtual-machines-call.patch
resource-agents
- resource-agents:azure-events-az retry handling (bsc#1226140)
  Add upstream patch:
    0001-azure-events-az-update-to-API-versions-add-retry-fun.patch
python-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
tiff
- security update:
  * CVE-2024-7006 [bsc#1228924]
    Fix pointer deref in tif_dirinfo.c
    + tiff-CVE-2024-7006.patch
ocfs2-tools
- OCFS2 writes delay on large volumes - slow la window lookup from global_bitmap (bsc#1219224)
  * bsc1219224-debugfs.ocfs2-support-recording-gd-bg_contig_free_bi.patch
python-urllib3
- Add CVE-2024-37891.patch (bsc#1226469, CVE-2024-37891)
gcc13
- Update to GCC 13.3 release

- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream

- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
  the GCN offload compiler as that is requiring Code Object version 3
  which is no longer supported by llvm18.

- Add gcc13-pr101523.patch to avoid combine spending too much
  compile-time and memory doing nothing on s390x.  [boo#1188441]

- Make requirement to lld version specific to avoid requiring the
  meta-package.

- Add gcc13-pr111731.patch to fix unwinding for JIT code.
  [bsc#1221239]

- Revert libgccjit dependency change.  [boo#1220724]

- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.

- Use %patch -P N instead of %patchN.

- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
  breaks them.  [bsc#1219520]

- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
  -fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]

- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]

- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205

- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
  * Includes fix for building mariadb on i686.  [bsc#1217667]
  * Remove pr111411.patch contained in the update.

- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
  cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
  %product_libs_llvm_ver where available and adjust tool discovery
  accordingly.  This should also properly trigger re-builds when
  the patchlevel version of llvmVER changes, possibly changing
  the binary names we link to.  [bsc#1217450]
mozilla-nss
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
  depends on it and will create a broken, empty config, if sed is
  missing (bsc#1227918)

- update to NSS 3.101.2
  * bmo#1905691 - ChaChaXor to return after the function

- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
  bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
  nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
  bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
  bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.

- update to NSS 3.101.1
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
  * bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
  * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
  * bmo#1899883 - fix formatting issues.
  * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
  * bmo#1899593 - remove invalid acvp fuzz test vectors.
  * bmo#1898830 - pad short P-384 and P-521 signatures gtests.
  * bmo#1898627 - remove unused FreeBL ECC code.
  * bmo#1898830 - pad short P-384 and P-521 signatures.
  * bmo#1898825 - be less strict about ECDSA private key length.
  * bmo#1854439 - Integrate HACL* P-521.
  * bmo#1854438 - Integrate HACL* P-384.
  * bmo#1898074 - memory leak in create_objects_from_handles.
  * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1748105 - clean up escape handling
  * bmo#1896353 - Use lib::pkix as default validator instead of the old-one
  * bmo#1827444 - Need to add high level support for PQ signing.
  * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
  * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
  * bmo#1793811 - Implement support for PBMAC1 in PKCS#12
  * bmo#1897487 - disable VLA warnings for fuzz builds.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
  * bmo#215997  - Clang-formatting of SEC_GetMgfTypeByOidTag update
  * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
  * bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
  - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
    faster Xyber operations.
  - bmo#1893752 - remove ckcapi.
  - bmo#1893162 - avoid a potential PK11GenericObject memory leak.
  - bmo#671060  - Remove incomplete ESDH code.
  - bmo#215997  - Decrypt RSA OAEP encrypted messages.
  - bmo#1887996 - Fix certutil CRLDP URI code.
  - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  - bmo#676118  - Add ability to encrypt and decrypt CMS messages using ECDH.
  - bmo#676100  - Correct Templates for key agreement in smime/cmsasn.c.
  - bmo#1548723 - Moving the decodedCert allocation to NSS.
  - bmo#1885404 - Allow developers to speed up repeated local execution
    of NSS tests that depend on certificates.
- update to NSS 3.99
  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
    in TLS
  * bmo#1879513 - Certificate Compression: enabling the check that
    the compression was advertised
  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
    Global Root GC CA
  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
    `shutil.which` within `mach` in `nss`
  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
    support Certificate compression
  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
    for constant-time execution tests
  * bmo#1870673 - Set nssckbi version number to 2.66
  * bmo#1874017 - Add Telekom Security roots
  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
  * bmo#1865450 - Remove expired Security Communication RootCA1 root
  * bmo#1876179 - move keys to a slot that supports concatenation in
    PK11_ConcatSymKeys
  * bmo#1876800 - remove unmaintained tls-interop tests
  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
    flags
  * bmo#1874937 - bogo: add support for the -curves shim flag and
    update Kyber expectations
  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
  * bmo#1757758 - mozpkix: add option to ignore invalid subject
    alternative names
  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
  * bmo#1876390 - take ownership of ecckilla shims
  * bmo#1874458 - add valgrind annotations to freebl/ec.c
  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
  * bmo#1875506 - make Xyber768d00 opt-in by policy
  * bmo#1871631 - add libssl support for xyber768d00
  * bmo#1871630 - add PK11_ConcatSymKeys
  * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
  * bmo#1871152 - add a FreeBL API for Kyber
  * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
  * bmo#1835828 - Removing the calls to RSA Blind from loader.*
  * bmo#1874111 - fix worker type for level3 mac tasks
  * bmo#1835828 - RSA Blind implementation
  * bmo#1869642 - Remove DSA selftests
  * bmo#1873296 - read KWP testvectors from JSON
  * bmo#1822450 - Backed out changeset dcb174139e4f
  * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * bmo#1867408 - add a defensive check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
  explicit default trust flags" test needs longer than the allowed
  6 seconds on s390x
- update to NSS 3.95
  * bmo#1842932 - Bump builtins version number.
  * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
    Firmaprofesional CIF A62634068 root cert.
  * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
  * bmo#1850982 - Remove Camerfirma root certificates from NSS.
  * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
    Certificate.
  * bmo#1860670 - Add four Commscope root certificates to NSS.
  * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
  * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
  * bmo#1861728 - Include P-256 Scalar Validation from HACL*.
  * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
    256 ECC without DER wrapping at the softoken level
  * bmo#1837987 - Add means to provide library parameters to C_Initialize
  * bmo#1573097 - clang format
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
  * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
  * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
  * bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
  * bmo#1853737 - Updated code and commit ID for HACL*
  * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
    current NSS
  * bmo#1827303 - Softoken C_ calls should use system FIPS setting
    to select NSC_ or FC_ variants
  * bmo#1774659 - NSS needs a database tool that can dump the low level
    representation of the database
  * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
  * bmo#1852179 - avoid implicit conversion for ByteString
  * bmo#1818766 - update rust version for acvp docker
  * bmo#1852011 - Moving the init function of the mpi_ints before
    clean-up in ec.c
  * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
  * bmo#1840510 - Add ACVP test vectors to the repository
  * bmo#1849077 - Stop relying on std::basic_string<uint8_t>
  * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
  * bmo#1849471 - Update zlib in NSS to 1.3.
  * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
  * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
  * bmo#1822935 - Set nssckbi version number to 2.62
  * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
  * bmo#1839992 - Add 4 SSL.com Root CA certificates
  * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
  * bmo#1840437 - Add LAWtrust Root CA2 (4096)
  * bmo#1822936 - Remove E-Tugra Certification Authority root
  * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
  * bmo#1840505 - Remove Hongkong Post Root CA 1
  * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
  * bmo#1837431 - Implementation of the HW support check for ADX instruction
  * bmo#1836925 - Removing the support of Curve25519
  * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
  * bmo#1839327 - Adding args to enable-legacy-db build
  * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
    default trust flags"
  * bmo#1837617 - Initialize flags in slot structures
  * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
  * bmo#1829112 - Followup Fixes
  * bmo#1784253 - avoid processing unexpected inputs by checking for
    m_exptmod base sign
  * bmo#1826652 - add a limit check on order_k to avoid infinite loop
  * bmo#1834851 - Update HACL* to commit 5f6051d2
  * bmo#1753026 - add SHA3 to cryptohi and softoken
  * bmo#1753026 - HACL SHA3
  * bmo#1836781 - Disabling ASM C25519 for A but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch

- update to NSS 3.90.3
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1748105 - clean up escape handling.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1836925 - Disable ASM support for Curve25519.
  * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch

- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
  when using FIPS-mode (bsc#1223724).

- Added "Provides: nss" so other RPMs that require 'nss' can
  be installed (jira PED-6358).
systemd
- Add 6001-udev_monitor_receive_device-dynamically-allocate-rec.patch (bsc#1226095)
python3
- Add bpo27240-rewrite_email_hdr_fold.patch rewriting the email
  header folding algorithm to make the codebase compatible with
  Python 3.6.4+, so we can continue to maintain it.
- And even before that we have to add
  bpo24211-RFC6532-supp-email.patch.
- Also bpo20098-email-mangle_from-policy.patch.
- And finally, add CVE-2024-6923-email-hdr-inject.patch to prevent
  email header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).

- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).
krb5
- Fix vulnerabilities in GSS message token handling, add patch
  0016-Fix-vulnerabilities-in-GSS-message-token-handling.patch
  * CVE-2024-37370, bsc#1227186
  * CVE-2024-37371, bsc#1227187
util-linux-systemd
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).

- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them. (bsc#1222285)

- fix Xen virtualization type misidentification bsc#1215918
  lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
suseconnect-ng
- Update version to 1.12:
  - Set the filesystem root on zypper when given (bsc#1230229,bsc#1229014)

- Update version to 1.11
  - Added uname as collector
  - Added SAP workload detection
  - Added detection of container runtimes
  - Multiple fixes on ARM64 detection
  - Use `read_values` for the CPU collector on Z
  - Fixed data collection for ppc64le
  - Grab the home directory from /etc/passwd if needed (bsc#1226128)

- Update version to 1.10.0
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed
    up and restored if a zypper-migration rollback happens. (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation
gtk2
- Add CVE-2024-6655.patch: CVE-2024-6655 Stop looking for modules
  in cwd (bsc#1228120).
ca-certificates-mozilla
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
python-azure-core
- Add patch to fix syntax error in python 3.4 (bsc#1225002)
  + az-core-syntx-tuple-bsc1225002.patch
libzypp
- Url: Hide known password entries when writing the query part
  (bsc#1050625 bsc#1177583, CVE-2017-9271)
- version 16.22.13 (0)
expat
- Security fix (bsc#1229932, CVE-2024-45492): detect integer
  overflow in function nextScaffoldPart
  * Added expat-CVE-2024-45492.patch
- Security fix (bsc#1229931, CVE-2024-45491): detect integer
  overflow in dtdCopy
  * Added expat-CVE-2024-45491.patch
- Security fix (bsc#1229930, CVE-2024-45490): reject negative
  len for XML_ParseBuffer
  * Added expat-CVE-2024-45490.patch

- Security fix (bsc#1221563, bsc#1219559, CVE-2023-52425):
  * expat-CVE-2023-52425-1.patch: [PATCH] Grow buffer based on
    current size
  * expat-CVE-2023-52425-2.patch:
  * expat-CVE-2023-52425-backport-parser-changes.patch:
    CVE-2023-52425 Additional parser fixes
  * expat-CVE-2023-52425-fix-tests.patch: CVE-2023-52425 Tests and
    Test suite fixes
python-azure-agent
- Restart the agent (bsc#1227600)
  + The agent service gets restarted in post but may fail due to a missing
    config file. Config files were split into their own package previously.
    When we detect that we have to restore a config file we also need
    to restart the agent again.

- Add agent-btrfs-use-f.patch (bsc#1227711)
  + Use the proper option to force btrfs to overwrite a file system on the
    resource disk if one already exists.

- Set Provisioning.Agent parameter to 'cloud-init' in SLE Micro >= 5.5
  (bsc#1227106).
- Do not package waagent2.0 in Python 3 builds.
- Drop obsolete otherproviders keyword from Conflicts statements

- Do not require wicked in non-SUSE build environments.

- Apply python3 interpreter patch in non SLE build environments
  (bcs#1227067)
- Simplify %suse_version conditionals

- Use the -Z option for mv and cp in the posttrans to properly handle
  SELinux context (bsc#1225946)

- Keep the existing config file (bsc#1222620)
  + During separation of the config file into subpackages it was forgotten
    that on update of the main package the previously provided config file
    would be removed. Since we do not know which flavor of our images the
    package is being upgraded on, preserve the previously existing config
    file. This will orphan the file if none of the -config-* packages gets
    installed.

- Do not force wicked dependency for networking, allow NM in SLE Micro 5.5
  and for ALP based products
- Change patch syntax in preparation for RPM 4.20

- Recognise SLE-Micro as a SLE based distro
  + Add agent-micro-is-sles.patch

- Create sub-packages for the config (jsc#PED-7869)
  + Remove config manipulation from image building
  + Set up a config for SLE-Micro
  + Makes default upstream config available
- Update to 2.9.1.1 (bsc#1217301, bsc#1217302)
  + Update remove-mock.patch
  + Download certificates when goal state source is fast track #2761
  + Increase the max number of extension events by 20% #2785
  + Remove version suffix from extension slice #2782
  + Support int type for eventPid and eventTid fields #2786
  + Improve log for swap counter not found #2789
  + Remove cgroup files during deprovisioning #2790
  + Log VM architecture in heartbeat telemetry for arm64 adoption
    monitoring #2818
  + Enforce memory usage for agent #2671
  + Use common download logic for agent downloads #2682
  + Implement Fedora distro #2642
  + Report message in handler heartbeat #2688
  + Remove dependency on pathlib from makepkg #2717
  + Do not fetch extensions goal state in log collector #2713
  + Update log collector unit file to remove memory limit #2757
  + Fix bug in get_dhcp_pid (CoreOS) #2784
  + Fetch full distro version for mariner #2773
  From 2.9.04
  + Resource Governance on extensions (CPU monitoring and enforcing & Memory
    monitoring) #2632 #2581 #2555
  + Agent resource governance #2597 #2591 #2546
  + monitor system-wide memory metrics (#2610)
  + Additional telemetry for goal state (#2675)
  + HostGAPlugin usage improvements #2662 #2673 #2655 #2651
  + Add logging statements for mrseq migration during update (#2667)
  + Logcollector memory usage #2658 #2637
  + Update Log Collector default in Comments and Readme (#2608)
  + Improve telemetry success and failure markers (#2605) #2604 #2599
  + Fix formatting of exceptions on Python 3.10
    (traceback.format's etype argument) (#2663)
  + Fix UNKNOWN(Zombie) Process in unexpected processes check (#2644)
  + SUSE: Fix valid values for DHCLIENT_HOSTNAME_OPTION (#2643)
  + Debian - string conversion for systemd service (#2574)
  + Do not set a CPU quota on the agent for RHEL and Centos (#2685) #2689 #2693
  + support rhel distro (#2620) #2598
  + Added support for devuan linux distribution (#2553)
  No incremental updates between 2.8.011 and 2.9.0.4

- Clean up conditions in spec file:
  + There is no maintained distro > 1315 (SLE12) AND < 1500
    (SLE15). Only openSUSE 13.2 and 13.3 lived in that space, but
    they are clearly not the target of this spec file.
  + if 0%{?Suse_version} && 0{?suse_version} > 1315: no need to
    first validate suse_version being defined: whenever it
    is > 1315, it must be defined.

- Add patch remove-mock.patch:
  * Use unittest.mock first, falling back to mock if required.
- Tighten Requires against python3-mock.
python3-base
- Add bpo27240-rewrite_email_hdr_fold.patch rewriting the email
  header folding algorithm to make the codebase compatible with
  Python 3.6.4+, so we can continue to maintain it.
- And even before that we have to add
  bpo24211-RFC6532-supp-email.patch.
- Also bpo20098-email-mangle_from-policy.patch.
- And finally, add CVE-2024-6923-email-hdr-inject.patch to prevent
  email header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).

- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).
libxml2
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
  xmlHTMLPrintFileContext in xmllint.c
  * Added libxml2-CVE-2024-34459.patch
shadow
- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Update shadow-CVE-2013-4235.patch to be more complete

- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Add shadow-CVE-2013-4235.patch
xfsprogs
- libfrog: fix missing error checking in workqueue code (bsc#1227232)
  - add xfsprogs-libfrog-fix-missing-error-checking-in-workqueue-code.patch

- xfs_repair: ignore empty xattr leaf blocks (bsc#1227911)
  - add xfsprogs-xfs_repair-ignore-empty-xattr-leaf-blocks.patch

- mkfs: terminate getsubopt arrays properly (bsc#1228270)
  - add xfsprogs-mkfs-terminate-getsubopt-arrays-properly.patch

- xfs_copy: bail out early when superblock cannot be verified
  (bsc#1227150)
  - fix return value of error code, which is expected to be negative

- xfs_copy: bail out early when superblock cannot be verified
  (bsc#1227150)
  - add xfs_copy-bail-out-early-when-superblock-cannot-be-ve.patch
regionServiceClientConfigAzure
- Update to version 2.2.0 (jsc#PCT-360)
  + Add IPv6 certs to enable IPv6 access of the update infrastructure
  + Add noipv6.patch to patch out IPv6 on SLE 12, no IPv6 support in SLE 12
    in the Public Cloud
openssl-1_1
- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
util-linux
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).

- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them. (bsc#1222285)

- fix Xen virtualization type misidentification bsc#1215918
  lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc
wicked
- Update to version 0.6.76
  - compat-suse: warn user and create missing parent config of
    infiniband children (gh#openSUSE/wicked#1027)
  - client: fix origin in loaded xml-config with obsolete port
    references but missing port interface config, causing a
    no-carrier of master (bsc#1226125)
  - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
  - wireless: add frequency-list in station mode (jsc#PED-8715)
  - client: fix crash while hierarchy traversing due to loop in
    e.g. systemd-nspawn containers (bsc#1226664)
  - man: add supported bonding options to ifcfg-bonding(5) man page
    (gh#openSUSE/wicked#1021)
  - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
  - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
  - client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
  - compat-suse: fix dummy type detection from ifname to not cause
    conflicts with e.g. correct vlan config on dummy0.42 interfaces
    (gh#openSUSE/wicked#1016)
  - compat-suse: fix infiniband and infiniband child type detection
    from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
  [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
  [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- arp: increase arp-send retry value to avoid address configuration
  failure due to ENOBUF reported by kernel while duplicate address
  detection with underlying bonding in 802.3ad mode reporting link
  "up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
  gh#openSUSE/wicked#1022).
  [+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
zypper
- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint of how much
  additional disk space is needed by the new packages' static
  content.
- version 1.13.67

- clean: Do not report an error if no repos are defined at all
  (bsc#1223971)
- version 1.13.66
libqb
- ipc: Retry receiving credentials if the message is short (gh#ClusterLabs/libqb#476, rh#2111711, bsc#1224183)
  * bsc#1224183-0001-ipc-Retry-receiving-credentials-if-the-the-message-i.patch