cloud-regionsrv-client
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
containerd
- Add patch for CVE-2022-23648. bsc#1196441
  + CVE-2022-23648.patch
- Update to containerd v1.4.12 for Docker 20.10.11-ce. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Update to containerd v1.4.11, to fix CVE-2021-41103. bsc#1191355
- Switch to Go 1.16.x compiler, in line with upstream.
coreutils
- coreutils-df-fuse-portal-dummy.patch:
  df: Add "/fuse.portal"/ as a dummy file system (used in flatpak
  implementations). (bsc#1189152)
cyrus-sasl
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
cyrus-sasl-saslauthd
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
docker
- Update to Docker 20.10.12-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201012>.
- Remove CHANGELOG.md. It hasn't been maintained since 2017, and all of the
  changelogs are currently only available online.
- Update to Docker 20.10.11-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201011>. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Update to Docker 20.10.9-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20109>. bsc#1191355
  CVE-2021-41089 bsc#1191015 CVE-2021-41091 bsc#1191434
  CVE-2021-41092 bsc#1191334 CVE-2021-41103 bsc#1191121
- Update to Docker 20.10.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20106>. bsc#1184768
- Update to Docker 20.10.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20105>. bsc#1182947
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
icewm-theme-branding
- Add fix-font-configuration.patch:
  Fix font configuration after google-droid-fonts update
  (boo#1195328 bsc#1196336)
kernel-default
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 08270a1
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- commit a957593
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 77a533e
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit b6ae9d0
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 5dc5129
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete patches.suse/do-not-default-to-ibrs-on-skl.patch.
  Remove a statement which cancels itself out with the following patch
  which removes it anyway.
- commit 610b789
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 589ad87
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 5a8f4f7
- x86/speculation: Merge one test in
  spectre_v2_user_select_mitigation() (bsc#1191580 CVE-2022-0001
  CVE-2022-0002).
- commit a0a390e
- cpu/SMT: create and export cpu_smt_possible() (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit b2b76a9
- crypto: af_alg - get_page upon reassignment to TX SGL
  (bsc#1195840).
- commit f9977fb
- hv_netvsc: move VF to same namespace as netvsc device
  (bsc#1107207).
- Refresh
  patches.suse/hv_netvsc-ignore-devices-that-are-not-PCI.patch.
- commit 91c769a
- hv_netvsc: fix network namespace issues with VF support
  (bsc#1107207).
- Refresh
  patches.suse/msft-hv-1755-hv_netvsc-fix-schedule-in-RCU-context.patch.
- commit 8332565
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
  CVE-2022-0617).
- commit 2533a5b
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1196079 CVE-2022-0617).
- commit 87d491f
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 4656612
- f2fs: fix to do sanity check on inode type during garbage
  collection (CVE-2021-44879 bsc#1195987).
- commit e8b60dc
- Update
  patches.suse/0001-PCI-hv-Use-expected-affinity-when-unmasking-IRQ.patch
  (bsc#1185973, bsc#1195536).
- commit db02aea
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit daaae48
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
  bsc#1195897).
- commit 2b51111
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487).
- commit b3ff0d9
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 25a96a7
- NFSv4: Handle case where the lookup of a directory fails
  (bsc#1195612 CVE-2022-24448).
- commit fe40712
- Add Thomas Abraham as additional maintainer.
- commit d646dec
- Refresh
  patches.suse/IPv6-reply-ICMP-error-if-the-first-fragment-don-t-in.patch.
- Refresh
  patches.suse/ipv6-netfilter-Discard-first-fragment-not-including-.patch.
- commit 2f5b8aa
- net: ipv6: Discard next-hop MTU less than minimum link MTU
  (bsc#1191241 bsc#1195166).
- commit 1590145
- ipv6/netfilter: Discard first fragment not including all headers
  (bsc#1191241 bsc#1195166).
- commit 506f21c
- IPv6: reply ICMP error if the first fragment don't include
  all headers (bsc#1191241 bsc#1195166).
- commit 2579fe0
- Update
  patches.suse/ICMPv6-Add-ICMPv6-Parameter-Problem-code-3-definitio.patch
  (bsc#1191241 bsc#1195166).
- commit a0eca28
- Update
  patches.suse/net-tipc-validate-domain-record-count-on-input.patch
  (bsc#1195254 CVE-2022-0435).
- commit 35a1350
- Update patch reference for BT fix (CVE-2021-3564 bsc#1186207)
- commit ea7857c
- Bluetooth: fix the erroneous flush_work() order (git-fixes).
- commit 9b1f0b0
- net: tipc: validate domain record count on input (bsc#1195254).
- commit eff4836
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit 413134f
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
  patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
  which caused a regression (bsc#1194048).
- Replace with an alternative fix for bsc#1185377
- commit 3800186
- net: mana: Add RX fencing (bsc#1193506).
- commit 7ba462c
- net: mana: Add XDP support (bsc#1193506).
- commit 9645b57
- net: mana: Fix spelling mistake "/calledd"/ -> "/called"/
  (bsc#1193506).
- commit f1d0c49
- net: mana: Support hibernation and kexec (bsc#1193506).
- commit c480c6e
- net: mana: Improve the HWC error handling (bsc#1193506).
- commit 7d3be12
- net: mana: Fix the netdev_err()'s vPort argument in
  mana_init_port() (bsc#1193506).
- commit 61e4377
- net: mana: Allow setting the number of queues while the NIC
  is down (bsc#1193506).
- commit 63f4b90
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193506).
- commit e603eb6
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- commit fceab0c
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
  (bsc#1193506).
- commit ad2cedb
- bpf: Verifer, adjust_scalar_min_max_vals to always call
  update_reg_bounds() (bsc#1194227).
- commit c098fc7
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 39c5f8e
- usb: gadget: configfs: Fix use-after-free issue with udc_name
  (bsc#1193861 CVE-2021-39648).
- commit 9ec119b
- fget: clarify and improve __fget_files() implementation
  (bsc#1193727).
- commit 3ce5a50
- tee: handle lookup of shm with reference count 0 (bsc#1193767
  CVE-2021-44733).
- commit 10b0db6
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit bd11976
- kabi/severities: Add a kabi exception for drivers/tee/tee
  According to the partner modules database, the structs of this driver
  are not used by anything external so make a kABI exception for them.
  Do that on purpose so that any external module using this fails to load
  instead of causing a potential memory corruption due to a kabi
  workaround which would use the same offset but for a different thing:
  - struct dma_buf *dmabuf;
  +	refcount_t refcount;
  See upstream commit
  dfd0743f1d9e ("/tee: handle lookup of shm with reference count 0"/)
- commit ac7feb6
- sctp: account stream padding length for reconf chunk
  (bsc#1194985 CVE-2022-0322).
- commit f5ee3ee
- vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).
- commit b248150
- moxart: fix potential use-after-free on remove path
  (bsc#1194516).
- commit 5a3dfcb
- memstick: rtsx_usb_ms: fix UAF (bsc#1194516).
- commit 9692e25
- livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
- commit 469ed4f
- cgroup: Use open-time credentials for process migraton perm
  checks (bsc#1194302 CVE-2021-4197).
- commit b76ad03
- NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202
  bsc#1194529).
- NFC: reorder the logic in nfc_{un,}register_device
  (CVE-2021-4202 bsc#1194529).
- NFC: reorganize the functions in nci_request (CVE-2021-4202
  bsc#1194529).
- commit 68b4b42
- Update patches.suse/tcp-fix-a-race-in-inet_diag_dump_icsk.patch
  (networking-stable-19_01_04 bsc#1186222).
  Fix bsc#1186222 by using proper atomic helper.
- commit bd29e90
- fget: check that the fd still exists after getting a ref to it
  (bsc#1193727 CVE-2021-4083).
- commit 5441599
- kprobes: Limit max data_size of the kretprobe instances
  (bsc#1193669).
- commit 3600b27
- btrfs: unlock newly allocated extent buffer after error (bsc#1194001, CVE-2021-4149).
- commit 0a8af05
- inet: use bigger hash table for IP ID generation (CVE-2021-45486
  bsc#1194087).
- commit 0387442
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- commit b8b1ef9
- recordmcount.pl: look for jgnop instruction as well as bcrl
  on s390 (bsc#1192267).
- Delete patches.suse/ftrace-recordmcount-binutils.patch.
- commit 9b6815f
- Update config files.
- commit f87a32f
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
  bsc#1193731).
- commit 167f0fb
- net: split out functions related to registering inflight socket
  files (CVE-2021-0920 bsc#1193731).
- commit 8ec3ad8
- xen/netback: don't queue unlimited number of packages
  (CVE-2021-28715 XSA-392 bsc#1193442).
- commit a67e40b
- xen/netback: fix rx queue stall detection (CVE-2021-28714
  XSA-392 bsc#1193442).
- commit aa10f67
- xen/console: harden hvc_xen against event channel storms
  (CVE-2021-28713 XSA-391 bsc#1193440).
- commit f9f6563
- xen/netfront: harden netfront against event channel storms
  (CVE-2021-28712 XSA-391 bsc#1193440).
- commit 785c1f2
- xen/blkfront: harden blkfront against event channel storms
  (CVE-2021-28711 XSA-391 bsc#1193440).
- commit adb747c
- tty: hvc: replace BUG_ON() with negative return value
  (git-fixes).
- commit 24773f9
- xen/netfront: don't trust the backend response data blindly
  (git-fixes).
- commit 61f473d
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- commit a27eb85
- xen/netfront: don't read data from request on the ring page
  (git-fixes).
- commit d843191
- xen/netfront: read response from backend only once (git-fixes).
- commit 10c97f1
- xen/blkfront: don't trust the backend response data blindly
  (git-fixes).
- commit 8238939
- xen/blkfront: don't take local copy of a request from the ring
  page (git-fixes).
- commit 0c42763
- xen/blkfront: read response from backend only once (git-fixes).
- commit 7b30def
- xen: sync include/xen/interface/io/ring.h with Xen's newest
  version (git-fixes).
- commit 0df7133
- ring-buffer: Protect ring_buffer_reset() from reentrancy
  (CVE-2020-27825 bsc#1179960).
- commit 432ad3d
- bpf: fix truncated jump targets on heavy expansions (bsc#1193575
  CVE-2018-25020).
- commit bf19161
- kABI compatibility for struct l2tp_tunnel (bsc#1192032
  CVE-2021-0935).
- commit 237dc6f
- l2tp: fix races with ipv4-mapped ipv6 addresses (bsc#1192032
  CVE-2021-0935).
- commit 3f8483b
- kernel-binary.spec: Fix kernel-default-base scriptlets after packaging
  merge.
- commit 275c61a
- nouveau: Suppress sysfs bind (CVE-2020-27820 bsc#1179599).
- commit c2489c9
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare
  (bsc#1192946 (CVE-2021-4002)).
- commit c355959
- atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
  (bsc#1192845 CVE-2021-43975).
- commit c3c1eae
- rpm/kernel-binary.spec.in: don't strip vmlinux again (bsc#1193306)
  After usrmerge, vmlinux file is not named vmlinux-<version>, but simply
  vmlinux. And this is not reflected in STRIP_KEEP_SYMTAB we set.
  So fix this by removing the dash...
- commit 83af88d
- ixgbe: fix large MTU request from VF (bsc#1192877
  CVE-2021-33098).
- commit 56240b9
- Move upstreamed BT patch into sorted section
- commit a0f930a
- mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
  (CVE-2021-43976 bsc#1192847).
- commit c14a908
- brcmfmac: add CLM download support (bsc#1167162 CVE-2019-15126).
- commit 7737eec
- constraints: Build aarch64 on recent ARMv8.1 builders.
  Request asimdrdm feature which is available only on recent ARMv8.1 CPUs.
  This should prevent scheduling the kernel on an older slower builder.
- commit 60fc53f
- objtool: Support Clang non-section symbols in ORC generation
  (bsc#1169514).
- commit 5ab2439
- elfcore: fix building with clang (bsc#1169514).
- commit b91821c
- x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
  (bsc#1169514).
- commit cf74b00
- kernel-source.spec: install-kernel-tools also required on 15.4
- commit 6cefb55
- kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
- commit a133bf4
- Fix problem with missing installkernel on Tumbleweed.
- commit 2ed6686
- ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition
  (bsc#1191241).
- commit ff2b6b6
- rpm/kernel-obs-build.spec.in: reduce initrd functionality
  For building in OBS, we always build inside a virtual machine
  that gets a new, freshly created scratch filesystem image. So
  we do not need to handle fscks because that ain't gonna happen,
  as well as not we do not need to handle microcode update in the
  initrd as these only can be run on the host system anyway. We
  can also strip and hardlink as an additional optimisation that
  should not significantly hurt.
- commit c72c6fc
- kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229).
  The semantic changed in an incompatible way so invoking the macro now
  causes a build failure.
- commit 3e55f55
- rpm: use _rpmmacrodir (boo#1191384)
- commit e350c14
- kernel-binary.spec: Do not sign kernel when no key provided
  (bsc#1187167).
- commit 6c24533
- kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as
  well.
  Fixes: e98096d5cf85 ("/rpm: Abolish scritplet templating (bsc#1189841)."/)
- commit e082fbf
- kernel-binary.spec: Check for no kernel signing certificates.
  Also remove unused variable.
- commit bdc323e
- Revert "/rpm/kernel-binary.spec: Use only non-empty certificates."/
  This reverts commit 30360abfb58aec2c9ee7b6a27edebe875c90029d.
- commit 413e05b
- rpm/kernel-binary.spec: Use only non-empty certificates.
- commit 30360ab
- fixup "/rpm: support gz and zst compression methods"/ once more
  (bsc#1190428, bsc#1190358)
  Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
  Fixes: 23510fce36ec ("/fixup "/rpm: support gz and zst compression methods"/"/)
- commit 165378a
- fixup "/rpm: support gz and zst compression methods"/ once more
  Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
  Fixes: 23510fce36ec ("/fixup "/rpm: support gz and zst compression methods"/"/)
- commit 34e68f4
- fixup "/rpm: support gz and zst compression methods"/
  Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
- commit 23510fc
- kernel-cert-subpackage: Fix certificate location in scriptlets
  (bsc#1189841).
  Fixes: d9a1357edd73 ("/rpm: Define $certs as rpm macro (bsc#1189841)."/)
- commit 8684de8
- kernel-binary.spec.in Stop templating the scriptlets for subpackages
  (bsc#1190358).
  The script part for base package case is completely separate from the
  part for subpackages. Remove the part for subpackages from the base
  package script and use the KMP scripts for subpackages instead.
- commit 5d1f677
- kernel-binary.spec: Do not fail silently when KMP is empty
  (bsc#1190358).
  Copy the code from kernel-module-subpackage that deals with empty KMPs.
- commit d7d2e6e
- rpm/kernel-source.spec.in: do some more for vanilla_only
  Make sure:
  * sources are NOT executable
  * env is not used as interpreter
  * timestamps are correct
  We do all this for normal kernel builds, but not for vanilla_only
  kernels (linux-next and vanilla).
- commit b41e4fd
- rpm: Fold kernel-devel and kernel-source scriptlets into spec files
  (bsc#1189841).
  These are unchanged since 2011 when they were introduced. No need to
  track them separately.
- commit 692d38b
- rpm: Abolish image suffix (bsc#1189841).
  This is used only with vanilla kernel which is not supported in any way.
  The only effect is has is that the image and initrd symlinks are created
  with this suffix.
  These symlinks are not used except on s390 where the unsuffixed symlinks
  are used by zipl.
  There is no reason why a vanilla kernel could not be used with zipl as
  well as it's quite unexpected to not be able to boot when only a vanilla
  kernel is installed.
  Finally we now have a backup zipl kernel so if the vanilla kernel is
  indeed unsuitable the backup kernel can be used.
- commit e2f37db
- kernel-binary.spec: Define $image as rpm macro (bsc#1189841).
- commit e602b0f
- rpm: Define $certs as rpm macro (bsc#1189841).
  Also pass around only the shortened hash rather than full filename.
  As has been discussed in bsc#1124431 comment 51
  https://bugzilla.suse.com/show_bug.cgi?id=1124431#c51 the placement of
  the certificates is an API which cannot be changed unless we can ensure
  that no two kernels that use different certificate location can be built
  with the same certificate.
- commit d9a1357
- rpm: Abolish scritplet templating (bsc#1189841).
  Outsource kernel-binary and KMP scriptlets to suse-module-tools.
  This allows fixing bugs in the scriptlets as well as defining initrd
  regeneration policy independent of the kernel packages.
- commit e98096d
- rpm/kernel-binary.spec.in: Use kmod-zstd provide.
  This makes it possible to use kmod with ZSTD support on non-Tumbleweed.
- commit 357f09a
- rpm/kernel-binary.spec.in: avoid conflicting suse-release
  suse-release has arbitrary values in staging, we can't use it for
  dependencies. The filesystem one has to be enough (boo#1184804).
- commit 56f2cba
- rpm: fix kmp install path
- commit 22ec560
- post.sh: detect /usr mountpoint too
- commit c7b3d74
- kernel-binary.spec.in: make sure zstd is supported by kmod if used
- commit f36412b
- kernel-binary.spec.in: add zstd to BuildRequires if used
- commit aa61dba
- rpm: support gz and zst compression methods
  Extend commit 18fcdff43a00 ("/rpm: support compressed modules"/) for
  compression methods other than xz.
- commit 3b8c4d9
- kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is
  enabled (jsc#SLE-17288).
  About the pahole version: v1.18 should be bare mnimum, v1.22 should be
  fully functional, for now we ship git snapshot with fixes on top of
  v1.21.
- commit 8ba3382
- README: Modernize build instructions.
- commit 8cc5c28
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
- commit 7f9ade7
- Fix filesystem requirement and suse-release requires
  Reduce filesystem conflict to anything less than 16 to allow pulling the
  change into the next major stable version.
  Don't require suse-release as that's not technically required. Conflict
  with a too old one instead.
- commit 913f755
- rpm/kernel-source.rpmlintrc: ignore new include/config files
  In 5.13, since 0e0345b77ac4, config files have no longer .h suffix.
  Adapt the zero-length check.
  Based on Martin Liska's change.
- commit b6f021b
- Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).
- commit f037781
libzypp
- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.
- version 17.29.4 (22)
- Public header files on older distros must use c++11
  (bsc#1194597)
- Fix exception handling when reading or writing credentials
  (bsc#1194898)
- version 17.29.3 (22)
- Fix Legacy include (bsc#1194597)
- version 17.29.2 (22)
- Fix broken install path for parser compat headers (fixes #372,
  bsc#1194597)
- RepoManager: remember exec errors in exception history
  (bsc#1193007)
- version 17.29.1 (22)
psmisc
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
salt
- Fix inspector module export function (bsc#1097531)
- Add all ssh kwargs to sanitize_kwargs method
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Added:
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * fix-inspector-module-export-function-bsc-1097531-480.patch
  * add-all-ssh-kwargs-to-sanitize_kwargs-method-3002.2-.patch
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Added:
  * vendor-stateresult.patch
  * state.apply-don-t-check-for-cached-pillar-errors.patch
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
  * refactor-and-improvements-for-transactional-updates-.patch
samba
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
  module; (bsc#1194859); (bso#14914).
sudo
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
sysstat
- Fix possible segfault in read_task_stats() [bsc#1194679]
- Add sysstat-fix-segfault-in-read_task_stats.patch
systemd
- Import commit c46bcb2df93c802f43e240ceb96eaf28027808a8
  28e379cc21 systemctl: exit with 1 if no unit files found (bsc#1193841)
* 60-io-scheduler.rules: add rules for virtual devices
    (boo#1193759)
  * 60-io-scheduler.rules: enforce "/none"/ for loop devices
    (boo#1193759)
tiff
- security update: Fix buffer overwrite
  * CVE-2019-17546[bsc#1154365]
    + tiff-CVE-2019-17546.patch
- security update: Fix heap based buffer overflow in pal2rgb
  * CVE-2017-17095[bsc#1071031]
    + tiff-CVE-2017-17095.patch
- security update: Fix OOB in _TIFFmemcpy
  * CVE-2022-22844[bsc#1194539]
    + tiff-CVE-2022-22844.patch
- security update: Fix memory allocation failure in tif_read.c
  * CVE-2020-35521[bsc#1182808] CVE-2020-35522[bsc#1182809]
    + tiff-CVE-2020-35521,CVE-2020-35522.patch
- security update: Fix DOS via invertImage()
  * CVE-2020-19131[bsc#1190312]
    + tiff-CVE-2020-19131.patch
- security update: Fix heap-based buffer overflow in TIFF2PDF tool
  * CVE-2020-35524[bsc#1182812]
    + tiff-CVE-2020-35524.patch
- security update: Fix integer overflow in tif_getimage
  * CVE-2020-35523 [bsc#1182811]
    + tiff-CVE-2020-35523.patch
vim
- Minimal fix for Bug 1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim:
  Heap-based Buffer Overflow in vim prior to 8.2.
  / vim-8.0.1568-CVE-2022-0413.patch
- Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in
  normal.c / vim-8.0.1568-CVE-2021-3796.patch
- Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in
  win_redr_status() drawscreen.c / vim-8.0.1568-CVE-2021-3872.patch
- Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-3927.patch
- Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to
  Stack-based Buffer Overflow / vim-8.0.1568-CVE-2021-3928.patch
- Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-4019.patch
- Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting
  could lead to Heap Buffer Overflow / vim-8.0.1568-CVE-2021-3984.patch
- Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
  / vim-8.0.1568-CVE-2021-3778.patch
- Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
  / vim-8.0.1568-CVE-2021-4193.patch
- Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
  exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which
  causes a denial of service. / vim-8.0.1568-CVE-2021-46059.patch
- Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0319.patch
- Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
  / vim-8.0.1568-CVE-2022-0351.patch
- Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0361.patch
- Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
  / vim-8.0.1568-CVE-2022-0413.patch
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)
zypper
- Singletrans: handle fatal and non-fatal script errors properly.
- Add SingleTransReportReceiver.
- Immediately write out additional rpm output.
- BuildRequires:  libzypp-devel >= 17.29.0.
  Need SingleTransReport and immediate rpm script output reports.
- version 1.14.51