SAPHanaSR
- SAPHanaSR-monitor not reporting correctly
  (bsc#1192963)
  add patch:
    0001-bsc-1192963.patch
- Version bump to 0.161.1_BF
- add the required 'xmllint' to the package
  (bsc#1201945)
- changes to the demote_clone function of the resource agent:
  if the role is '1:P' (topology agent ran into timeouts) the
  function fails with rc=1, to get the managed resource stopped
  changes to the stop_clone function of the topology agent:
  call landscapeHostConfiguration.py and set the roles as they were
  reported. If the command timed out, set the role to '1:P' and
  return 1 to get the node fenced.
  The used timeout for the landscapeHostConfiguration.py call can
  be configured by the cluster action timeout, if needed. It will
  be 50% of the action timeout or the minimum of 300s.
  (bsc#1198127)
- add new HA/DR provider hook susChkSrv
  (jsc#PED-1241, jsc#PED-1240)
- add new tool SAPHanaSR-manageProvider to show, add and delete
  HA/DR provider sections in the global.ini of SAP HANA.
- update suse icon to new branding
- Version bump to 0.160.1
- fix HANA_CALL function to support MCOS environments again
  (bsc#1198780)
- fix SAPHanaSR-replay-archive to handle hb_report archives again
  (bsc#1198897)
- add HANA_CALL_TIMEOUT parameter back to the resource agents and
  read the setting from the cluster configuration, if available.
  Defaults to '60'.
  Related to github issue#36
- add new HA/DR provider hook susTkOver
  (jsc#SLE-16347)
- add new hook script for SAP HANA System Replication Scale-Up Cost
  Optimized Scenario.
  (jsc#SLE-18613)
- add a new instance parameter 'REMOVE_SAP_SOCKETS'.
  It is an optional parameter and defaults to 'true'. Now you can
  control, if the RA should remove the unix domain sockets related
  to sapstartsrv before (re-)starting sapstartsrv or if it should try
  to adjust the permissions and ownership of these files instead.
aaa_base
- Drop patches (bsc#1199926 and bsc#1199927)
  git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
  git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
  git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
  ping broke in sle15 and sle15sp1 when adding
  the sysctl setting for ping_group_range
- Add patch git-46-78b2a0b29381c16bec6b2a8fc7eabaa9925782d7.patch
  * The wrapper rootsh is not a restricted shell (bsc#1199492)
bind
- Security Fixes:
  * Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused
  to severely impact the performance of named running as a recursive
  resolver. This has been fixed.
  [bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
  * A memory leak was fixed that could be externally triggered in the
  DNSSEC verification code for the ECDSA algorithm.
  [bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
  * Memory leaks were fixed that could be externally triggered in the
  DNSSEC verification code for the EdDSA algorithm.
  [bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
ca-certificates-mozilla
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
  Added:
  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  Removed:
  - Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
  Added:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA
  Removed:
  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
  + HARICA Client ECC Root CA 2021
  + HARICA Client RSA Root CA 2021
  + HARICA TLS ECC Root CA 2021
  + HARICA TLS RSA Root CA 2021
  + TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
  - NAVER Global Root Certification Authority
- Removed old root CA:
  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
cifs-utils
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
  (bsc#1198976, CVE-2022-29869)
  * add cifs-utils-CVE-2022-29869.patch
cloud-regionsrv-client
- Follow up fix to 10.0.4 (bsc#1202706)
  - While the source code was updated to support SLE Micro the spec file
    was not updated for the new locations of the cache and the certs.
    Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
  - Handle exception when trying to deregister a system from the server
- Update to version 10.0.4 (bsc#1199668)
  - Store the update server certs in the /etc path instead of /usr to
    accommodate read only setup of SLE-Micro
cups
- cups-branch-2.2-commit-3e4dd41459dabc5d18edbe06eb5b81291885204b.diff
  is 'git show 3e4dd41459dabc5d18edbe06eb5b81291885204b' for
  https://github.com/apple/cups/commit/3e4dd41459dabc5d18edbe06eb5b81291885204b
  (except the not needed hunk for patching CHANGES.md which fails)
  that fixes handling of MaxJobTime 0 (Issue #5438) in the CUPS 2.2 branch
  bsc#1201511:
  Stuck print jobs being cancelled immediately, despite MaxJobTime being set to 0
curl
- Security Fix: [bsc#1204383, CVE-2022-32221]
  * POST following PUT confusion
  * Add curl-CVE-2022-32221.patch
- Security fix: [bsc#1202593, CVE-2022-35252]
  * Control codes in cookie denial of service
  * Add curl-CVE-2022-35252.patch
- Security fix: [bsc#1200735, CVE-2022-32206]
  * HTTP compression denial of service
  * Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
  * FTP-KRB bad message verification
  * Add curl-CVE-2022-32208.patch
- Security fix: [bsc#1199224, CVE-2022-27782]
  * TLS and SSH connection too eager reuse
  * Add curl-CVE-2022-27782.patch
- Security fix: [bsc#1199223, CVE-2022-27781]
  * CERTINFO never-ending busy-loop
  * Add curl-CVE-2022-27781.patch
cyrus-sasl
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
cyrus-sasl-saslauthd
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
dbus-1
- Fix a potential crash that could be triggered by an invalid signature.
  (CVE-2022-42010, bsc#1204111)
  * fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
  bsc#1204112)
  * fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption (CVE-2022-42012,
  bsc#1204113)
  * fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
  * fix-upstream-CVE-2020-35512.patch
docker
- Backport <https://github.com/containerd/fifo/pull/32> to fix a crash-on-start
  issue with dockerd. bsc#1200022
  + 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
expat
- Security fix:
  * (CVE-2022-43680, bsc#1204708) use-after-free caused by overeager
    destruction of a shared DTD in XML_ExternalEntityParserCreate in
    out-of-memory situations
  - Added patch expat-CVE-2022-43680.patch
- Security fix:
  * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
    function in xmlparse.c
  - Added patch expat-CVE-2022-40674.patch
fence-agents
- Azure fence agent doesn’t work correctly on SLES15 SP3 - fence_azure_arm
  fails with error 'MSIAuthentication' object has no attribute 'get_token' - SFSC00334437
  (bsc#1195891)
  - Apply proposed patch
    0001-fix_support_for_sovereign_clouds_and_MSI-439.patch
freetype2
- disable brotli linkage / WOFF2 support for now to keep dependencies
  as before.
- Added patches:
  * CVE-2022-27404.patch
    + fixes bsc#1198830, CVE-2022-27404: Buffer Overflow
  * CVE-2022-27405.patch
    + fixes bsc#1198832, CVE-2022-27405: Segmentation Fault
  * CVE-2022-27406.patch
    + fixes bsc#1198823, CVE-2022-27406: Segmentation violation
- Update to version 2.10.4
  * Fix a heap buffer overflow found in the handling of
    embedded PNG bitmaps, introduced in FreeType version 2.6
    (CVE-2020-15999 bsc#1177914)
  * Minor improvements to the B/W rasterizer.
  * Auto-hinter support for Medefaidrin script.
  * Fix various memory leaks (mainly for CFF) and other issues that
    might cause crashes in rare circumstances.
- Update to version 2.10.2
  * Support for WOFF2 fonts, add BR on pkgconfig(libbrotlidec)
  * Function `FT_Get_Var_Axis_Flags' returned random data for Type 1
    MM fonts.
  * Type 1 fonts with non-integer metrics are now supported by the new
    (CFF) engine introduced in FreeType 2.9.
  * Drop support for Python 2 in Freetype's API reference generator
  * Auto-hinter support for Hanifi Rohingya
  * Document the `FT2_KEEP_ALIVE' debugging environment variable.
gnutls
- Security fix: [bsc#1202020, CVE-2022-2509]
  * Fixed double free during verification of pkcs7 signatures
  * Add gnutls-CVE-2022-2509.patch
- Security fix: [bsc#1196167, CVE-2021-4209]
  * Null pointer dereference in MD_UPDATE
  * Add gnutls-CVE-2021-4209.patch
gpg2
- Security fix [CVE-2022-34903, bsc#1201225]
  - Vulnerable to status injection
  - Added patch gnupg-CVE-2022-34903.patch
icu
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
  from upstream, use LocalMemory for cmd to prevent use after free
  (bsc#1193951 CVE-2020-21913).
iputils
- Add fix for ICMP datagram socket ping6-Fix-device-binding.patch
  (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927).
java-1_8_0-ibm
- Update to Java 8.0 Service Refresh 7 Fix Pack 11 [bsc#1202427]
  [bsc#1201684, CVE-2022-34169] [bsc#1201692, CVE-2022-21541]
  [bsc#1201685, CVE-2022-21549] [bsc#1201694, CVE-2022-21540]
  * Defect Fixes:
  - Java Virtual Machine: Long delay in AttachAPI
- Update to Java 8.0 Service Refresh 7 Fix Pack 10 [bsc#1201643]
  [bsc#1198671, CVE-2022-21476] [bsc#1198670, CVE-2022-21449]
  [bsc#1198673, CVE-2022-21496] [bsc#1198674, CVE-2022-21434]
  [bsc#1198672, CVE-2022-21426] [bsc#1198675, CVE-2022-21443]
  [bsc#1191912, CVE-2021-35561] [bsc#1194931, CVE-2022-21299]
  * Class Libraries:
  - BigDecimal gives incorrect arithmetic results for the add
    and subtract operations on the result of a divide
  * Java Virtual Machine:
  - jstacktrace sub-option of xtrace doesn't print java stack
    while doing method trace
  * Security:
  - 8217633: Configurable Extensions with system properties
  - 8241248: NullPointerException in com.ibm.jsse2.ssl.HKDF.extract
  - 8270344: Session resumption errors
  - 8277967: Validate the SSLLogger object in KeyShareExtension
  - JVM crashes computing Diffie-Hellman shared secrets and JNI
    errors while creating elliptic curve public key using IBMJCEPlus
  - Key Certificate Manager authority key identifier value incorrect
  - SSLv2Hello property value is ignored if specified in
    jdk.tls.disabledAlgorithms and SSLv2Hello is set by
    setEnabledProtocols()
  - There is a memory growth observed during digest operations
    using IBMJCEPlus as the provider.
- Update to Java 8.0 Service Refresh 7 Fix Pack 6
  * Java Virtual Machine: Crash while generating javacore, or
    javacore contains 'Unable to walk in-flight data on call stack'
    instead of java stack
  * JIT Compiler:
  - Java JIT, bad field reference from a tenured object into
    the nursery
  - JIT compiler crash with vmstate=0x0005ff04
  * XML: Fix security vulnerability CVE-2022-21299
kernel-default
- char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
  (CVE-2022-41848 bsc#1203987).
- commit 4b5f9dc
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit ff59700
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit 7299efc
- ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (CVE-2022-3303
  bsc#1203769).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit accf4df
- media: dvb-core: Fix UAF due to refcount races at releasing
  (CVE-2022-41218 bsc#1202960).
- commit 231362a
- media: em28xx: initialize refcount before kref_get
  (CVE-2022-3239 bsc#1203552).
- commit 477c587
- x86/bugs: Reenable retbleed=off
  While for older kernels the return thunks are statically built in and
  cannot be dynamically patched out, retbleed=off should still be possible
  to do so that the mitigation can still be disabled on Intel who don't
  use the return thunks but IBRS.
- Update
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- Update patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- commit 86274ff
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
  bsc#1202677).
- commit b644c0f
- Update references:
  - patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
  - patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch
  - patches.suse/tcp-add-small-random-increments-to-the-source-port.patch
  - patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
  - patches.suse/tcp-dynamically-allocate-the-perturb-table-used-by-s.patch
  - patches.suse/tcp-increase-source-port-perturb-table-to-2-16.patch
  - patches.suse/tcp-resalt-the-secret-every-10-seconds.patch
  - patches.suse/tcp-use-different-parts-of-the-port_offset-for-index.patch
  (add CVE-2022-32296 bsc#1200288)
- commit 579fd9c
- mmc: block: fix read single on recovery logic (CVE-2022-20008
  bsc#1199564).
- commit 33bc9c9
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
  (CVE-2022-39188, bsc#1203107).
- commit 7df6276
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
  (CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
  bsc#1202097).
- commit 7253cd6
- objtool: Track original function across branches (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- Refresh
  patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch.
- commit 605a5ad
- objtool: Don't use ignore flag for fake jumps (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- commit 12eddc4
- objtool: Add --backtrace support (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- commit effa706
- objtool: Set insn->func for alternatives (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- Refresh
  patches.suse/objtool-add-relocation-check-for-alternative-sections.patch.
- commit 95cdf2a
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
  (git-fixes, bsc#1203098).
  kABI: Fix kABI after "mm/rmap: Fix anon_vma->degree ambiguity
  leading to double-reuse" (git-fixes, bsc#1203098).
- commit 9b79372
- mm/rmap.c: don't reuse anon_vma if we just want a copy
  (git-fixes, bsc#1203098).
- commit d3fffdb
- Update
  patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Update
  patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
  Add missing objtool annotations from upstream commits to fix bsc#1202396.
- commit 295ff2a
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- commit d671632
- objtool: Add support for intra-function calls (bsc#1202396).
- commit af5ea4a
- objtool: Remove INSN_STACK (bsc#1202396).
- commit 33aa32e
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 6582ceb
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 613c1d4
- objtool: Fix ORC vs alternatives (bsc#1202396).
- commit 1510f8a
- objtool: Uniquely identify alternative instruction groups
  (bsc#1202396).
- commit 55eebf6
- objtool: Remove check preventing branches within alternative
  (bsc#1202396).
- commit b9fa125
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- commit f547c3d
- objtool: Rename struct cfi_state (bsc#1202396).
- commit 5f74a63
- objtool: Support multiple stack_op per instruction
  (bsc#1202396).
- commit 9cac986
- objtool: Support conditional retpolines (bsc#1202396).
- commit 2278221
- objtool: Convert insn type to enum (bsc#1202396).
- commit dd14429
- objtool: Rename elf_open() to prevent conflict with libelf
  from elftoolchain (bsc#1202396).
- commit 5ae25e4
- objtool: Use Elf_Scn typedef instead of assuming struct name
  (bsc#1202396).
- commit c52e4de
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
  "find -xtype l" will report them, so use that to make the search a bit
  faster (without using shell).
- commit 13bbc51
- mkspec: eliminate @NOSOURCE@ macro
  This should be always used with @SOURCES@, just include the content
  there.
- commit 403d89f
- kernel-source: include the kernel signature file
  We assume that the upstream tarball is used for released kernels.
  Then we can also include the signature file and keyring in the
  kernel-source src.rpm.
  Because of mkspec code limitation exclude the signature and keyring from
  binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
  Same as other kernel binary packages there is no need to carry duplicate
  sources in dtb packages.
- commit 1bd288c
- objtool: Fix sibling call detection (bsc#1202396).
- commit cd4d674
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- commit 69eca79
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
  CVE-2022-3028).
- commit e68eb5b
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit c9ac9a2
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit d995183
- cifs: fix error paths in cifs_tree_connect() (bsc#1177440).
- commit 4e1c426
- cifs: report error instead of invalid when revalidating a
  dentry fails (bsc#1177440).
- commit d980344
- Backport causes crashes on all arches so revert the patch until
  I find the root cause
- commit 83c44b2
- check sk_peer_cred pointer before put_cred() call
- commit 78087f4
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
  bsc#1202672).
- commit 743f12e
- net: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit c37013b
- Drop the unused function after porting on 4.12
- commit a8cf8a3
- fuse: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit cb0be42
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
  (bsc#1194535 CVE-2021-4203).
- commit cfbed38
- cifs: fix uninitialized pointer in error case in
  dfs_cache_get_tgt_share (bsc#1188944).
- commit a2cd44e
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- commit 080c5db
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- commit 8e65d52
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
  (CVE-2022-2588 bsc#1202096).
- commit 05c19f7
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
  ZDI-CAN-17325).
- commit 30cd9be
- ext4: make sure ext4_append() always allocates new block
  (bsc#1198577 CVE-2022-1184).
- commit bc8c541
- ext4: check if directory block is within i_size (bsc#1198577
  CVE-2022-1184).
- commit b9efa04
- ext4: Fix check for block being out of directory size
  (bsc#1198577 CVE-2022-1184).
- commit be40637
- kabi: return type change of secure_ipv_port_ephemeral()
  (CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: drop the hash_32() part from the index calculation
  (CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: increase source port perturb table to 2^16 (CVE-2022-1012
  bsc#1199482 bsc#1202335).
- tcp: dynamically allocate the perturb table used by source ports
  (CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: add small random increments to the source port
  (CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: resalt the secret every 10 seconds (CVE-2022-1012
  bsc#1199482 bsc#1202335).
- tcp: use different parts of the port_offset for index and offset
  (CVE-2022-1012 bsc#1199482 bsc#1202335).
- secure_seq: use the 64 bits of the siphash for port offset
  calculation (CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153
  bsc#1202335).
- tcp: change source port randomizarion at connect() time
  (bsc#1180153 bsc#1202335).
- commit aef5879
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
  We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
  The type test and print line are the same for both cases. The usrmerged
  case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
  in xfrm_bundle_lookup() (bsc#1201948 CVE-2022-36879).
- commit 6a240fe
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
  (CVE-2022-20368 bsc#1202346).
- commit bcc8988
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
  across ioctls (bsc#1202347 CVE-2022-20369).
- commit 0cf8c8f
- md/bitmap: don't set sb values if can't pass sanity check
  (bsc#1197158).
- commit 23dc403
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
  CVE-2022-26373).
- commit f0dc9a3
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
  CVE-2022-26373).
- commit fdf6cad
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1201726
  CVE-2022-26373).
- commit 730dc3a
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
  (bsc#1201726 CVE-2022-26373).
- commit 0637fb7
- net/sched: cls_u32: fix netns refcount changes in u32_change()
  (CVE-2022-29581 bsc#1199665).
- commit ad4e35c
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
  bsc#1202154).
- commit 0d36370
- ipv4: avoid using shared IP generator for connected sockets
  (CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
  bsc#1196616).
- commit df5e606
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- cifs: fix memory leak of smb3_fs_context_dup::server_hostname
  (bsc#1201926).
- commit 3d2ce6d
- cifs: To match file servers, make sure the server hostname
  matches (bsc#1201926).
- commit 6a5bd2a
- KVM: emulate: do not adjust size of fastop and setcc subroutines
  (bsc#1201930).
- commit 34cfe0a
- kvm/emulate: Fix SETcc emulation function offsets with SLS
  (bsc#1201930).
- Refresh
  patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- commit 73546bb
- netfilter: nf_queue: do not allow packet truncation below
  transport header offset (bsc#1201940 CVE-2022-36946).
- commit 06aa700
- cifs: set a minimum of 120s for next dns resolution
  (bsc#1201926).
- commit 726509e
- cifs: use the expiry output of dns_query to schedule next
  resolution (bsc#1201926).
- commit 5137045
- cifs: On cifs_reconnect, resolve the hostname again
  (bsc#1201926).
- commit 8b80115
- cifs: Simplify reconnect code when dfs upcall is enabled
  (bsc#1201926).
- commit a15e604
- Refresh
  patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch.
- commit 5cd8e8f
- Remove homegrown IBRS implementation
  ... and replace with the upstream one.
- Refresh
  patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
  patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
  patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Delete
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete
  patches.suse/0002-x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Delete
  patches.suse/0003-x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch.
- Delete
  patches.suse/0004-x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch.
- Delete
  patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Delete patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 4b0356c
- kABI workaround for including mm.h in fs/sysfs/file.c
  (bsc#1200598 CVE-2022-20166).
- commit fe1fe6b
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
  sysfs_emit (bsc#1200598 CVE-2022-20166).
- commit 3d23964
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
  CVE-2022-20166).
- commit c8e2e5b
- drivers core: Remove strcat uses around sysfs_emit and neaten
  (bsc#1200598 CVE-2022-20166).
- commit 5cd9512
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
  * ...) functions (bsc#1200598 CVE-2022-20166).
- commit 7554520
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
  (bsc#1200598 CVE-2022-20166).
- commit c5a70d7
- Refresh
  patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- commit af9c97a
- x86/entry: Remove skip_r11rcx (bsc#1201644).
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- commit c154137
- Sort in RETbleed backport into the sorted section
  Now that it is upstream...
- blacklist.conf:
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh
  patches.suse/0002-x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Refresh
  patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
  patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
  patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
  patches.suse/edac-amd64-cache-secondary-chip-select-registers.patch.
- Refresh
  patches.suse/edac-amd64-find-chip-select-memory-size-using-address-mask.patch.
- Refresh
  patches.suse/edac-amd64-initialize-dimm-info-for-systems-with-more-than-two-channels.patch.
- Refresh
  patches.suse/edac-amd64-recognize-dram-device-type-ecc-capability.patch.
- Refresh
  patches.suse/edac-amd64-support-asymmetric-dual-rank-dimms.patch.
- Refresh
  patches.suse/edac-amd64-support-more-than-two-controllers-for-chip-selects-handling.patch.
- Refresh
  patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
  patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch.
- Refresh patches.suse/x86-Add-magic-AMD-return-thunk.patch.
- Refresh patches.suse/x86-Undo-return-thunk-damage.patch.
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- Refresh
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Add-retbleed-ibpb.patch.
- Refresh
  patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch.
- Refresh
  patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- Refresh
  patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
  patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch.
- Refresh
  patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
  patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch.
- Refresh
  patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh
  patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch.
- Refresh
  patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch.
- Refresh patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch.
- Refresh patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch.
- Refresh
  patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch.
- Refresh
  patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
  patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- Refresh patches.suse/x86-retpoline-Use-mfunction-return.patch.
- Refresh
  patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch.
- Refresh
  patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
  patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
  patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch.
- Refresh
  patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch.
- Refresh
  patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch.
- Refresh
  patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch.
- Refresh
  patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch.
- Refresh
  patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
  patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- Refresh
  patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch.
- commit bc36bfa
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1200910
  CVE-2020-36558).
- commit 3c76a1f
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
  (bsc#1201429 CVE-2020-36557).
- commit f15e18d
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit 704434f
- Refresh patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch
  Fix the build error due to missing is_console_locked()
- commit 39e2064
- fbmem: Check virtual screen sizes in fb_set_var()
  (CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
  (CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
  (CVE-2021-33655 bsc#1201635).
- commit c1a0922
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
  Dwarves 1.22 or newer is required to build kernels with BTF information
  embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
  (bsc#1198829 CVE-2022-1462).
- commit c0b9f34
- tty: use new tty_insert_flip_string_and_push_buffer() in
  pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
  tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit 1b70eb4
- Refresh
  patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch.
  Fix a build warning.
- commit 837f0e2
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
  Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
  universally for now) added two new compiler-dependent configs:
  * CC_NO_ARRAY_BOUNDS
  * GCC12_NO_ARRAY_BOUNDS
  Ignore them -- they are unset by dummy tools (they depend on gcc version
  == 12), but set as needed during real compilation.
- commit a14607c
- kernel-binary.spec: check s390x vmlinux location
  As a side effect of mainline commit edd4a8667355 ("s390/boot: get rid of
  startup archive"), vmlinux on s390x moved from "compressed" subdirectory
  directly into arch/s390/boot. As the specfile is shared among branches,
  check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- kernel-binary.spec: Support radio selection for debuginfo.
  To disable debuginfo on 5.18 kernel a radio selection needs to be
  switched to a different selection. This requires disabling the currently
  active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- Add dtb-starfive
- commit 85335b1
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- pahole 1.22 required for full BTF features.
  also recommend pahole for kernel-source to make the kernel buildable
  with standard config
- commit 364f54b
- use jobs not processors in the constraints
  jobs is the number of vcpus available to the build, while processors
  is the total processor count of the machine the VM is running on.
- commit a6e141d
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
  bsc#1198484)
  Let's iron out the reduced initrd optimisation in Tumbleweed.
  Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
  Upstream c6x architecture removal left a dangling link behind which
  triggers openSUSE post-build check in kernel-source, failing
  kernel-source build.
  A fix deleting the dangling link has been submitted but it did not make
  it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
  utility does not handle symlink removal. Add a temporary band-aid which
  deletes all dangling symlinks after unpacking the kernel source tarball.
  [jslaby] It's not that temporary as we are dragging this for quite some
  time in master. The reason is that this can happen any time again, so
  let's have this in packaging instead.
- commit 52a1ad7
libassuan
- update to 2.5.5:
  * Fix a crash in the logging code
  * Upgrade autoconf
- update to 2.5.4:
  * Fix some minor build annoyances
- Update to 2.5.3:
  * Add a timeout for writing to a SOCKS5 proxy.
  * Add workaround for a problem with LD_LIBRARY_PATH on newer systems.
- qemu-disable-fdpassing-test.patch: remove
- Update to 2.5.2:
  * configure.ac: Bump LT version to C8/A8/R2
  * include libassuan.pc in the spec file
libcroco
- Add libcroco-CVE-2020-12825.patch: limit recursion in block and
  any productions (boo#1171685 CVE-2020-12825).
libjpeg-turbo
- security update
- added patches
  fix CVE-2020-35538 [bsc#1202915], Null pointer dereference in jcopy_sample_rows() function
  + libjpeg-turbo-CVE-2020-35538.patch
libjpeg62-turbo
- security update
- added patches
  fix CVE-2020-35538 [bsc#1202915], Null pointer dereference in jcopy_sample_rows() function
  + libjpeg-turbo-CVE-2020-35538.patch
libksba
- Security fix: [bsc#1204357, CVE-2022-3515]
  * Detect a possible overflow directly in the TLV parser.
  * Add libksba-CVE-2022-3515.patch
libtasn1
- Add libtasn1-CVE-2021-46848.patch: Fixed off-by-one array size check
  that affects asn1_encode_simple_der (CVE-2021-46848, bsc#1204690).
libtirpc
- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of
  connections (bsc#1201680)
  - backport 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- exclude ipv6 addresses in client protocol 2 code (bsc#1200800)
  - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- fix memory leak in params.r_addr assignment (bsc#1198752)
  - add 0001-fix-parms.r_addr-memory-leak.patch
libxml2
- Security fixes:
  * [CVE-2022-40303, bsc#1204366] Fix integer overflows with
    XML_PARSE_HUGE
    + Added patch libxml2-CVE-2022-40303.patch
  * [CVE-2022-40304, bsc#1204367] Fix dict corruption caused by
    entity reference cycles
    + Added patch libxml2-CVE-2022-40304.patch
- Security fix: [bsc#1201978, CVE-2016-3709]
  * Cross-site scripting vulnerability after commit 960f0e2
  * Add libxml2-CVE-2016-3709.patch
libyajl
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
libzypp
- Resolver: Fix missing --[no]-recommends initialization in
  update (fixes #openSUSE/zypper#459, bsc#1201972)
- Log ONLY_NAMESPACE_RECOMMENDED because this is what corresponds
  to --[no]-recommends.
- version 17.31.2 (22)
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
  (fixes #402)
- Log backtrace on SIGABRT too.
- Need to explicitly enable building experimental code. Otherwise
  an old Notcurses++ package which happens to be present in the
  buildenv breaks the build (fixes #412).
- Work around libyui/libyui#78 on code 15.4 and older.
- Stop using std::*ary_function; deprecated and removed in c++17.
- Don't expose header files which use types not available in
  c++11.  In 15.3 and older, YAST and PK compile with -std=c++11.
- Remove no longer needed %post code (bsc#1203649)
- Enable zck support for SLE15-SP4 and newer. On Leap it is enabled
  since 15.1 (bsc#1189282)
- version 17.31.1 (22)
- Add PoolItem::statusReinit to reset the status to its initial
  state in the ResPool (might help bsc#1199895)
  This may either be 'KEEP_STATE bySOLVER' or 'LOCKED byUSER' if
  the PoolItem matched a hard lock defined in /etc/zypp/locks.
- Fix building with GCC 13 on i586 (fixes #407, fixes #396)
- Be prepared to receive exceptions from curl_easy_cleanup
  (bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and dependent code.
  This commit removes the MediaNetwork tech preview and all related
  code. First reason for this is that MediaNetwork was just meant
  as a way to test the new CURL based downloader and second: since
  the Provide API is going to completely replace the current media
  backend it would be extra work to ensure that changes on the
  Downloader do not break MediaNetwork.
- version 17.31.0 (22)
- Fix building with GCC 12.x release (#396)
- version 17.30.3 (22)
- appdata plugin: Pass path to the repodata/ directory inside the
  cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending
  endOfScriptTag.
- version 17.30.2 (22)
- PluginRepoverification: initial version hooked into
  repo::Downloader and repo refresh.
- Immediately start monitoring the download.transfer_timeout.
  Do not wait until the first data arrived. (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only.
- Work around cases where sat repo.start points to an invalid
  solvable.  May happen if (wrong arch) solvables were removed
  at the  beginning of the repo.
- fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER
  (fixes #388)
- version 17.30.1 (22)
lifecycle-data-sle-module-live-patching
- Added data for 4_12_14-150000_150_95, 4_12_14-150000_150_98,
  4_12_14-150100_197_117, 4_12_14-150100_197_120,
  5_14_21-150400_24_11, 5_14_21-150400_24_18,
  5_3_18-150200_24_120, 5_3_18-150200_24_126,
  5_3_18-150300_59_81, 5_3_18-150300_59_87,
  5_3_18-150300_59_90. (bsc#1020320)
- Added data for 4_12_14-150000_150_92, 4_12_14-150100_197_114,
  5_14_21-150400_22, 5_3_18-150200_24_115,
  5_3_18-150300_59_68, 5_3_18-150300_59_71,
  5_3_18-150300_59_76. (bsc#1020320)
logrotate
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
  * enforce stricter parsing to avoid CVE-2021-3864
  * Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "logrotate emits unintended warning: keyword size not properly
  separated, found 0x3d" (bsc#1200278, bsc#1200802):
  * Added patch logrotate-dont_warn_on_size=_syntax.patch
mozilla-nspr
- update to version 4.34.1
  * add file descriptor sanity checks in the NSPR poll function.
- update to version 4.34
  * add an API that returns a preferred loopback IP on hosts that
    have two IP stacks available.
- update to 4.33:
  * fixes to build system and export of private symbols
mozilla-nss
- Require libjitter only for SLE15-SP4 and greater
- update to NSS 3.79.2 (bsc#1204729)
  * bmo#1785846 - Bump minimum NSPR version to 4.34.1.
  * bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- Add nss-allow-slow-tests.patch, which allows a timed test to run
  longer than 1s. This avoids turning slow builds into broken
  builds.
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
  DSA keys (verification only) (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to add
  sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
  longer symmetric keys via the service level indicator
  (bsc#1191546).
- Update nss-fips-constructor-self-tests.patch to hopefully export
  sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to prevent sessions
  from getting flagged as non-FIPS (bsc#1191546).
- Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- Enable nss-fips-drbg-libjitter.patch now that we have a patched
  libjitter to build with (bsc#1202870).
- Update nss-fips-approved-crypto-non-ec.patch to prevent keys
  from getting flagged as non-FIPS and add remaining TLS mechanisms.
- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for
  entropy. This is disabled until we can avoid the inline assembler
  in the latter's header file that relies on GNU extensions.
- Update nss-fips-constructor-self-tests.patch to fix an abort()
  when both NSS_FIPS and /proc FIPS mode are enabled.
- update to NSS 3.79.1 (bsc#1202645)
  * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1759794 - protect SFTKSlot needLogin with slotLock.
  * bmo#1760998 - avoid data race on primary password change.
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
  rest of the DSA ciphers, keeping signature verification only
  (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
  warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
  integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
  as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
  disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
  the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
  we removed the code to short-circuit broken hashes and moved to
  using the SLI.
- Remove upstreamed patches:
  * nss-fips-version-indicators.patch
  * nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
  - bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  - bmo#1766907 - Update mercurial in clang-format docker image.
  - bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
  - bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  - bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
  - bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
  - bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
  - bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
  - bmo#1764788 - Correct invalid record inner and outer content type alerts.
  - bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
  - bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
  - bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
  - bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
  * bmo#1767590 - Initialize pointers passed to
    NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
  * bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
  * bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
  * bmo#1763120 - Add ECH Grease Support to tstclnt
  * bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
  * bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
  * bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
  * bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
  * Bug 1762244 - resolve mpitests build failure on Windows.
  * bmo#1761779 - Fix link to TLS page on wireshark wiki
  * bmo#1754890 - Add two D-TRUST 2020 root certificates.
  * bmo#1751298 - Add Telia Root CA v2 root certificate.
  * bmo#1751305 - Remove expired explicitly distrusted certificates
    from certdata.txt.
  * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
  * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  * bmo#1756271 - Remove token member from NSSSlot struct.
  * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
  * bmo#1757279 - Support UTF-8 library path in the module spec string.
  * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  * bmo#1760827 - Add a CI Target for gcc-11.
  * bmo#1760828 - Change to makefiles for gcc-4.8.
  * bmo#1741688 - Update googletest to 1.11.0
  * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
  * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
  * bmo#1755904 - Fix calculation of ECH HRR Transcript.
  * bmo#1758741 - Allow ld path to be set as environment variable.
  * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
  * bmo#1758478 - Fix DataBuffer Move Assignment.
  * bmo#1552254 - internal_error alert on Certificate Request with
    sha1+ecdsa in TLS 1.3
  * bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
  NSS 3.76.1
  * bmo#1756271 - Remove token member from NSSSlot struct.
  NSS 3.76
  * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
    nssTrustDomain_GetActiveSlots.
  * bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
  * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
  * bmo#1679803 - Add SHA256 fingerprint comments to old
    certdata.txt entries.
  * bmo#1753505 - Avoid truncating files in nss-release-helper.py.
  * bmo#1751157 - Throw illegal_parameter alert for illegal extensions
    in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
  * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
    extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
    by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
    only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.
  * bmo#1677181 - Client side ECH padding.
  * bmo#1725938 - Stricter ClientHelloInner Decompression.
  * bmo#1725938 - Remove ECH_inner extension, use new enum format.
  * bmo#1725938 - Update the version number for ECH-13 and adjust
    the ECHConfig size.
- update to NSS 3.74
  * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
    OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
    certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
    CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
  * Add SHA-2 support to mozilla::pkix's OCSP implementation
- update to NSS 3.73
  * bmo#1735028 - check for missing signedData field.
  * bmo#1737470 - Ensure DER encoded signatures are within size limits.
  * bmo#1729550 - NSS needs FIPS 140-3 version indicators.
  * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
  * bmo#1738600 - sunset Coverity from NSS
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
  * Remove newline at the end of coreconf.dep
  * bmo#1731911 - Fix nsinstall parallel failure.
  * bmo#1729930 - Increase KDF cache size to mitigate perf
    regression in about:logins
- update to NSS 3.71
  * bmo#1717716 - Set nssckbi version number to 2.52.
  * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
  * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
  * bmo#1717707 - Add HARICA Client ECC Root CA 2021.
  * bmo#1717707 - Add HARICA Client RSA Root CA 2021.
  * bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
  * bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
  * bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
  * bmo#1726022 - Update test case to verify fix.
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
  * bmo#1681975 - Avoid using a lookup table in nssb64d.
  * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
  * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
  * bmo#1726022 - Cache additional PBE entries.
  * bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
    on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
    components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
    environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed its open semantics, causing
    nss failures.
    (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
    details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Mozilla NSS 3.68.4 (bsc#1200027)
  * Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
    (bmo#1767590)
- Update nss-fips-constructor-self-tests.patch to scan
  LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
  Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
  disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
  PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
  test certificate creation and disables the library checksum
  validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
  checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
  makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
  from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
  unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
  of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
  This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
  Most of the relevant changes are already upstream since NSS 3.60.
ncurses
- Add patch ncurses-bnc1198627.patch
  * Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
openldap2
- bsc#1198341 - Prevent memory reuse which may lead to instability
  * 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
openssl-1_1
- Added openssl-1_1-paramgen-default_to_rfc7919.patch
  * bsc#1180995
  * Default to RFC7919 groups when generating ECDH parameters
    using 'genpkey' or 'dhparam' in FIPS mode.
pacemaker
- scheduler: do not enforce resource stop if any new probe/monitor indicates the resource was not running on the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0009-Test-scheduler-do-not-enforce-resource-stop-if-any-n.patch
- scheduler: do not enforce resource stop on a rejoined node that was the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0008-Test-scheduler-do-not-enforce-resource-stop-on-a-rej.patch
- scheduler: do not enforce resource stop if any new probe/monitor indicates the resource was not running on the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0007-Fix-scheduler-do-not-enforce-resource-stop-if-any-ne.patch
- scheduler: find_lrm_op() to be able to check against a specified target_rc (bsc#1196340)
  * bsc#1196340-0006-Refactor-scheduler-find_lrm_op-to-be-able-to-check-a.patch
- cts-scheduler: fix on_node attribute of lrm_rsc_op entries in the tests (bsc#1196340)
  * bsc#1196340-0005-Test-cts-scheduler-fix-on_node-attribute-of-lrm_rsc_.patch
- scheduler: is_newer_op() to be able to compare lrm_rsc_op entries from different nodes (bsc#1196340)
  * bsc#1196340-0004-Refactor-scheduler-is_newer_op-to-be-able-to-compare.patch
- scheduler: compare ids of lrm_rsc_op entries case-sensitively (bsc#1196340)
  * bsc#1196340-0003-Fix-scheduler-compare-ids-of-lrm_rsc_op-entries-case.patch
- scheduler: functionize comparing which lrm_rsc_op is newer (bsc#1196340)
  * bsc#1196340-0002-Refactor-scheduler-functionize-comparing-which-lrm_r.patch
- scheduler: do not enforce resource stop on a rejoined node that was the target of a failed migrate_to (bsc#1196340)
  * bsc#1196340-0001-Fix-scheduler-do-not-enforce-resource-stop-on-a-rejo.patch
- OCF: controld: Give warning when no-quorum-policy not set as freeze while using DLM (bsc#1129707)
  * bsc#1129707-0001-OCF-controld-Give-warning-when-no-quorum-policy-not-.patch
- Pacemaker high resolution timestamps (bsc#1197668)
  * 0001-Log-all-use-high-resolution-timestamps-in-detail-log.patch
pam
- Update pam_motd to the most current version. This fixes various issues
  and adds support for mot.d directories [jsc#PED-1712].
  * Added: pam-ped1712-pam_motd-directory-feature.patch
pciutils
- Add "pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch" and
  "pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch" to fix
  LnkCap speed recognition in lspci for multi PCIe ports such as
  the ML110 Gen11. [bsc#1192862]
pcre2
- Added pcre2-bsc1199235-CVE-2022-1587.patch
  * CVE-2022-1587 / bsc#1199235
  * Fix out-of-bounds read due to bug in recursions
  * Sourced from:
  - https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0
- Added pcre2-Fix_crash_when_X_is_used_without_UTF_in_JIT.patch
  * CVE-2019-20454 / bsc#1164384
  * Fix crash when X is used in non-UTF mode on certain inputs.
  * Sourced from:
  - https://github.com/PCRE2Project/pcre2/commit/342c16ecd31bd12fc350ee31d2dcc041832ebb3f
  - https://github.com/PCRE2Project/pcre2/commit/e118e60a68f03f38dd2ff3d16ca2e2e0d800e1d9
perl-HTTP-Daemon
- Fix request smuggling in HTTP::Daemon
  (CVE-2022-31081, bsc#1201157)
  * CVE-2022-31081.patch
  * CVE-2022-31081-2.patch
  * CVE-2022-31081-Add-new-test-for-Content-Length-issues.patch
procps
- Add the patches
  * procps-3.3.17-library-bsc1181475.patch
  * procps-3.3.17-top-bsc1181475.patch
  which are backports of current newlib tree to solve bug bsc#1181475
  * 'free' command reports misleading "used" value
python-Babel
- Add CVE-2021-42771-rel-path-traversal.patch fixing
  CVE-2021-42771 by cleaning locale identifiers before loading
  from file (bsc#1185768).
python-M2Crypto
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
  bsc#1178829), which mitigates the Bleichenbacher timing attacks
  in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
python-azure-agent
- Add paa_12_sp5_rdma_no_ext_driver.patch (bsc#1203181)
- Update to version 2.8.0.11 (bsc#1203164)
  + Enabled support for Fast Track (faster processing of extensions)
  + Add telemetry for VM Size
  + Add telemetry for environment variables passed to extensions
  + Enforce CPU quota on the Agent on Red Hat and CentOS 7.4+
  + Restore all firewall rules needed for communication with the WireServer
  + Fix false positives reporting processes in the Agent's cgroup
  + Fix false errors when collecting debug logs
  + Don't report incorrect CPU usage data
  + Fetching a goal state with empty certificates property
  + Silence goal state fetch errors after 3 logs
  + Change fast track timestamp default from None to datetime.min
  + Retry HGAP's extensionsArtifact requests on BAD_REQUEST status
  + Support for Rocky Linux
  + RHEL 8
  + RHEL 9
  + Preliminary work to enforce CPU quota on extensions
  + Preliminary work for management of agent self-updates [GA Versioning]
  + Add CentOS 7.9 to end-to-end-tests
  + Add Mariner to end-to-end-tests
- 2.8.0.11 followed 2.7.3.0, no intermediate releases
- Migration to /usr/etc: Saving user changed configuration files
  in /etc and restoring them during an RPM update.
- Update to 2.7.3.0 (jsc#PED-1298)
  + Remove proper_dhcp_config_set.patch included upstream
  + Remove sle_hpc-is-sles.patch included upstream
  + Forward port reset-dhcp-deprovision.patch
  + Retry HGAP's extensionsArtifact requests on BAD_REQUEST status #2622
  + Use 'ip' instead of 'ifdown/ifup' to restart network interface on
    RHEL >= 8.6 #2612 #2624
- From 2.7.1.0
  + hotfix for OOM errors on the log collector
- From 2.7.0.6
  + Increase time of autoupdates after updates are available #2403
  + Send telemetry when upgrade available #2421
  + Enable collection of debugging information #2436, #2453, #2510
  + Add support for Python 2.6 to the debug info collection code #2452
  + Enable CPU/memory data collection on RedHat and CentOS #2450
  + Exclude end-to-end tests from Agent setup #2396, #2402
  + Fix log message in cgroups management #2427
  + Fix parsing of malformed error.json files #2433
  + Allow DNS queries over TCP #2429
  + Don't exit extension handler process if unable to fetch
    first goal state #2440
  + Improvements for Mariner #2407, #2414
  + Add uos support #2420
  + Add support for VMware PhotonOS #2431
- From 2.6.0.2
  + added cloudlinux support (#2344)
  + Enable extensions cpu monitoring (#2357, #2384, #2391)
  + Support Flatcar Container Linux (#2365)
  + Retrieve VmSettings from HostGAPlugin
    (#2378, #2382, #2386, #2394, #2397, #2404)
  + Set Agent's CpuQuota to 75% (#2383)
  + Use handler status if extension status is None when computing
    the ExtensionsSummary (#2358) (#2361)
  + fix bug with dependent extensions with no settings (#2285) (#2362)
  + Create events dir for handlers if ETP enabled (#2366)
  + Report status even if goal state cannot be processed (#2370)
  + Define ExtensionsSummary.eq (#2371) (#2373)
  + Implement ExtensionsSummary.ne in terms of eq (#2375)
- From 2.5.0.2
  + Enable Extension Telemetry Pipeline (#2337, #2339)
  + Enable Periodic Log Collection in systemd distros (#2295,#2289)
  + Implement InitialGoalStatePeriod parameter + improvements in logging
    goal state processing(#2332)
  + Fix operation name in InitializeHostPlugin event(#2338)
  + Mock systemctl stop cmd (#2335)
  + Report transitioning when status file not found (#2330)
  + Don't create default status file for Single-Config extensions (#2318)
  + Do not create placeholder status file for AKS extensions (#2298)
  + Save waagent_status to history folder and add additional details to
    the status file (#2325,#2301,#2270)
  + Rename Debug.FetchVmSettings to Debug.EnableFastTrack (#2324)
  + Update HostGAplugin headers before fetching vmSettings (#2323)
  + Handle HTTP GONE in vmSettings request (#2321)
  + Added log statements to debug issues in vmSettings API(#2317)
  + Remove reference to re.IGNORECASE (#2316)
  + Add and remove extension slice (#2315)
  + FastTrack changes (#2314, #2313,#2306, #2304,#2294, #2293)
  + Helper to handle exception message(#2305)
  + Remove trailing spaces from command name (#2296)
  + Add debug info for systemd-run false positives (#2292)
  + Move Github Actions VMs to Ubuntu 18 (#2291)
  + Onboard redhat82, ubuntu20 (#2290, #2279)
  + Allow systemd-run in the Agent's cgroup (#2287)
  + Use handler status if extension status is None (#2358)
  + Bug Fix :Define ExtensionsSummary.ne (#2371)
- From 2.4.0.2
  + Support for Multi config (#2245, #2261)
  + Support sles 15 sp2 distro (#2272)
  + Cleanup history folder every 30 min (#2258)
  + Updated _read_status_file to include a fragment of status file in
    the exception (#2257)
  + Fix telemetry unicode errors (Re-add #1937) (#2278)
  + Match IPoIB interface with any alphanumeric characters (#2239)
  + Fix bug with dependent extensions with no settings (#2285)
  + Do not create placeholder status file for AKS extensions (#2298)
  + Refactoring of Agent's main loop (#2275)
  + Exception for Linux Patch Extension for creating placeholder
    status file (#2307)
  + Don't create default status file for Single-Config extensions (#2318)
  + Fix bad logging (#2241)
  + Fixed logging of PeriodicOperation (#2263)
  + Log collector broken pipe fix (#2267)
  + Improved logging for Multi config (#2246)
- From 2.3.1.1
  + revert for reducing the time window where we restart the network
    interfaces of the VM
- From 2.3.0.2
  + Enforce CPUQuota on agent #2222, #2226
  + Add support for RequiredFeatures and GoalStateAggregateStatus APIs
    [#2190], #2206, #2209, #2216
  + Added fallback locations for extension manifests #2188
  + Add missing call to str.format() when creating exception #2193
  + Remove helper network service on deprovision #2191
  + Use a helper script to start the network service #2225 #2253
  + Initialize published_hostname using /var/lib/cloud/data/set-hostname #2215
  + Fix utf logging for persist firewall rules #2237
  + Replace firewall-setup unit file if changed #2236
- From 2.2.54
  + PA changes to check cloud-init (#2061)
  + log collector (#2066)
  + cgroups CPU percentage py processor count (#2074)
  + Parse InVMGoalStateMetaData from Extension Config (#2081)
  + iscsi disk support for agent configs (#2073)
  + Add support for VMs with multiple IB devices (#2085)
  + Python 3.9 support (#2082)
  + Add support for CBL-Mariner distro (#2099)
  + Enable Provisioning.MonitorHostName for Ubuntu (#1934)
  + Added supportedFeatures flag in status reporting (#2089)
  + Parse ext runtime settings (#2087)
  + GHA merge validation (#2097)
  + Cgroups improvements
  + renamed the eventsFolder variable for preview and enabled ETP (#2140)
  + Agent slice and custom unit files telemetry (#2150)
  + Make IPoIB interface online (#2116)
  + Add option to disable NetworkConfigurationChanges (#2156)
  + Log network configuration on service start (#2157)
  + Setup persistent firewall rules on service restart (#2154)
  + switched to using run_command (#2060)
  + fixes for chained-comparison and dangerous-default-value pylint
    warnings (#2072)
  + fixed depends on errors (#2059)
  + WireIp env variable added (#2078)
  + Unstick HGAP channel as default (#2046)
  + shellutil.run_command fixes (#2086, #2098)
  + unit test fixes (#2090, #2091, #2108, #2153)
  + fix distro resolution for RedHat (#2083)
  + Read KVP value in binary mode (#2084)
  + Redact protected settings in goal state debug files (#2130)
  + Modify retry logic for empty goal state (#2140)
  + GS no config fix (#2141)
  + CommandExecution.log logrototate config -> custom log management (#2143)
  + binary file for firewall rules (#2147)
  + Refresh host ga plugin periodically (#2155)
  + Disabled custom service (#2166)
  + update test zips (#2167)
- From 2.2.53.1
  + Extension Telemetry Pipeline as a private-preview feature
- From 2.2.53
  + Start exthandler with the same python interpreter (#2007)
  + Verify that the extension status is an array (#2010)
  + Remove enum _UpdateType and retry fetching goal state (#2018)
  + use dd for ext4 as well as xfs (#2042)
  + Fix path for error.json (#2044)
  + Switch to run command changes, + provisioning changes that need to be
    reverted. (#2050)
  + Fix timestamp for goal state archive (#2051)
  + Case insensitive parsing or Plugins and PluginSettings (#2054)
  + Revert "Fixed delays for HTTP retries rather than exponential
    delays (#1967)" (#2065)
  + Fixed bug causing "MAC verified OK" message (#2069)
  + Revert unicode fix manually (#1937) (#2070)
  + Recreate handler environment file on service startup (#1960)
  + Add log collection tool and thread (#1987)
  + Thread interface (#1990)
  + Verify that the CPU and Memory cgroups for the agent are properly
    initialized; disabled cgroups if they are not active. (#2015)
  + SUSE config: use Btrfs LZO compression for ResourceDisk (#2055)
  + Extension telemetry pipeline (#1918)
  + Reformatted the heartbeat event (#2009)
  + Add LIS version to OSInfo.message (#2011)
  + One thread for telemetry (#2019)
  + Limit description character length sent for health report (#2020)
  + Remove Serial Console Logging (#2028)
  + Echo log to /dev/console during provisioning (#2043)
  + Adding telemetry for logrotate (#2045)
  + Report placeholder extension status as an array (#2068)
  + Fix broken link in readme (#2014)
  + Add log collector flags to README (#2029)
- From 2.2.52
  + Do not retrieve users in each goal state (#1935)
  + Fix check for systemd-run failure when invoking extensions (#1943)
  + Fix telemetry unicode errors (#1937)
  + Uninstall unregistered extensions (#1970)
  + Use run_command to execute iptables (#1944)
  + Use run_command for ip route (#1958)
  + Fix handling of gen2 disks with udev rules (#1954)
  + Add API for uploading logs via host plugin (#1902)
  + Fixed delays for HTTP retries rather than exponential delays (#1967)
  + Resolve undefined variable (#1950)
  + Convert owner uid to string (#1949)
  + Fix Travis special checks for distro and remove useless cgroup tests (#1959)
  + Use tmp_dir instead of data_dir (#1968)
- Removed %config flag for files in /usr directory.
- Cleanup spec file:
  - Removed %{_distconfdir}/logrotate.d from dirlist. It will be
    handled by package filelist now.
  - %{_distconfdir}/logrotate.d/* can be changed by vendor only.
    So it will be replaced by an RPM update.
- Moved logrotate files from user specific directory /etc/logrotate.d
  to vendor specific directory /usr/etc/logrotate.d.
- require python-rpm-macros to fix build for TW
- do not require test dependencies for build, they are not needed
  (no testsuite run in %check)
python-lxml
- add CVE-2022-2309.patch (bsc#1201253, CVE-2022-2309)
- With the new update to 4.7.1, the old Bugzilla entries are also
  fixed:
  - bsc#1118088 (related to CVE-2018-19787)
  - bsc#1184177 (related to CVE-2021-28957)
- Update to 4.7.1 (officially released 2021-12-13)
  Features added
  - Chunked Unicode string parsing via parser.feed() now encodes the input
    data to the native UTF-8 encoding directly, instead of going through
    Py_UNICODE / wchar_t encoding first, which previously required duplicate
    recoding in most cases.
  Bugs fixed
  - The standard namespace prefixes were mishandled during "C14N2"
    serialisation on Python 3.
    See https://mail.python.org/archives/list/lxml@python.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
  - lxml.objectify previously accepted non-XML numbers with underscores
    (like "1_000") as integers or float values in Python 3.6 and later.
    It now adheres to the number format of the XML spec again.
  - LP#1939031: Static wheels of lxml now contain the header files of zlib
    and libiconv (in addition to the already provided headers of
    libxml2/libxslt/libexslt).
  Other changes
  - Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
- Update to 4.7.0 (2021-12-13)
  - Release retracted due to missing files in lxml/includes/.
- Update to 4.6.5 (2021-12-12)
  Bugs fixed
  - A vulnerability (GHSL-2021-1038) in the HTML cleaner
    allowed sneaking script content through SVG images
    (bnc#1193752, CVE-2021-43818).
  - A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed
    sneaking script content through CSS imports and other crafted
    constructs (CVE-2021-43818).
- Update 4.6.4 (2021-11-01)
  Features added
  - GH#317: A new property system_url was added to DTD entities.
    Patch by Thirdegree.
  - GH#314: The STATIC_* variables in setup.py can now be passed
    via env vars.
    Patch by Isaac Jurado.
- Update 4.6.3 (2021-03-21)
  Bugs fixed
  - A vulnerability (CVE-2021-28957) was discovered in the HTML
    Cleaner by Kevin Chung, which allowed JavaScript to pass through.
    The cleaner now removes the HTML5 formaction attribute.
- Update 4.6.2 (2020-11-26)
  Bugs fixed
  - A vulnerability (bnc#1179534, CVE-2020-27783) was discovered in the HTML
    Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The
    cleaner now removes more sneaky "style" content.
- Update 4.6.1 (2020-10-18)
  Bugs fixed
  - A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
    which allowed JavaScript to pass through. The cleaner now removes
    more sneaky "style" content.
- Update 4.6.0 (2020-10-17)
  Features added
  - GH#310: lxml.html.InputGetter supports __len__() to count the number
    of input fields. Patch by Aidan Woolley.
  - lxml.html.InputGetter has a new .items() method to ease processing
    all input fields.
  - lxml.html.InputGetter.keys() now returns the field names in document
    order.
  - GH-309: The API documentation is now generated using sphinx-apidoc.
    Patch by Chris Mayo.
  Bugs fixed
  - LP#1869455: C14N 2.0 serialisation failed for unprefixed attributes
    when a default namespace was defined.
  - TreeBuilder.close() raised AssertionError in some error cases where
    it should have raised XMLSyntaxError. It now raises a combined
    exception to keep up backwards compatibility, while switching to
    XMLSyntaxError as an interface.
- Update 4.5.2 (2020-07-09)
  Bugs fixed
  - Cleaner() now validates that only known configuration options
    can be set.
  - LP#1882606: Cleaner.clean_html() discarded comments and PIs
    regardless of the corresponding configuration option, if
    remove_unknown_tags was set.
  - LP#1880251: Instead of globally overwriting the document loader
    in libxml2, lxml now sets it per parser run, which improves the
    interoperability with other users of libxml2 such as libxmlsec.
  - LP#1881960: Fix build in CPython 3.10 by using Cython 0.29.21.
  - The setup options "--with-xml2-config" and "--with-xslt-config"
    were accidentally renamed to "--xml2-config" and "--xslt-config"
    in 4.5.1 and are now available again.
- Update 4.5.1 (2020-05-19)
  Bugs fixed
  - LP#1570388: Fix failures when serialising documents larger than
    2GB in some cases.
  - LP#1865141, GH#298: QName values were not accepted by the
    el.iter() method. Patch by xmo-odoo.
  - LP#1863413, GH#297: The build failed to detect libraries on Linux
    that are only configured via pkg-config. Patch by Hugh McMaster.
- Update 4.5.0 (2020-01-29)
  Features added
  - A new function indent() was added to insert tail whitespace for
    pretty-printing an XML tree.
  Bugs fixed
  - LP#1857794: Tail text of nodes that get removed from a document
    using item deletion disappeared silently instead of sticking with
    the node that was removed.
  Other changes
  - MacOS builds are 64-bit-only by default. Set CFLAGS and LDFLAGS
    explicitly to override it.
  - Linux/MacOS Binary wheels now use libxml2 2.9.10 and libxslt 1.1.34.
  - LP#1840234: The package version number is now available as
    lxml.__version__.
- Update 4.4.3 (2020-01-28)
  Bugs fixed
  - LP#1844674: itertext() was missing tail text of comments and PIs
    since 4.4.0.
- Update to 4.4.2:
  * LP#1835708: ElementInclude incorrectly rejected repeated
    non-recursive includes as recursive.
  * Remove patch lxml-libxml-2.9.10.patch which is now upstream
- Add lxml-libxml-2.9.10.patch: Fix build against libxml 2.9.10.
- Update to 4.4.1:
  * LP#1838252: The order of an OrderedDict was lost in 4.4.0 when passing it as attrib mapping during element creation.
  * LP#1838521: The package metadata now lists the supported Python versions.
- version update to 4.4.0
  * ``Element.clear()`` accepts a new keyword argument ``keep_tail=True`` to
    clear everything but the tail text.  This is helpful in some document-style
    use cases.
  * When creating attributes or namespaces from a dict in Python 3.6+, lxml now
    preserves the original insertion order of that dict, instead of always sorting
    the items by name.  A similar change was made for ElementTree in CPython 3.8.
    See https://bugs.python.org/issue34160
  * Integer elements in ``lxml.objectify`` implement the ``__index__()`` special method.
  * GH#269: Read-only elements in XSLT were missing the ``nsmap`` property.
    Original patch by Jan Pazdziora.
  * ElementInclude can now restrict the maximum inclusion depth via a ``max_depth``
    argument to prevent content explosion.  It is limited to 6 by default.
  * The ``target`` object of the XMLParser can have ``start_ns()`` and ``end_ns()``
    callback methods to listen to namespace declarations.
  * The ``TreeBuilder`` has new arguments ``comment_factory`` and ``pi_factory`` to
    pass factories for creating comments and processing instructions, as well as
    flag arguments ``insert_comments`` and ``insert_pis`` to discard them from the
    tree when set to false.
  * A `C14N 2.0 <https://www.w3.org/TR/xml-c14n2/>`_ implementation was added as
    ``etree.canonicalize()``, a corresponding ``C14NWriterTarget`` class, and
    a ``c14n2`` serialisation method.
  * bugfixes, see CHANGES.txt
- deleted sources
  - lxmldoc-4.3.3.pdf (renamed)
- added sources
  + lxmldoc-4.4.0.pdf
  + world.txt
- Update to 4.3.4
  * Rebuilt with Cython 0.29.10 to support Python 3.8.
    Note: documentation is not updated
- Remove generated files
- Update to 4.3.3:
  * Fix leak of output buffer and unclosed files in ``_XSLTResultTree.write_output()``.
- Update to 4.3.2:
  * Crash in 4.3.1 when appending a child subtree with certain text nodes.
- Update to v4.3.1
  * Fixed crash when appending a child subtree that contains unsubstituted
    entity references
- from v4.3.0
  * Features
    + The module ``lxml.sax`` is compiled using Cython in order to speed it up.
    + lxml.sax.ElementTreeProducer now preserves the namespace prefixes.
    If two prefixes point to the same URI, the first prefix in alphabetical
    order is used.
    + Updated ISO-Schematron implementation to 2013 version (now MIT licensed)
    and the corresponding schema to the 2016 version (with optional "properties").
  * Other
    + Support for Python 2.6 and 3.3 was removed.
    + The minimum dependency versions were raised to libxml2 2.9.2 and libxslt 1.1.27,
    which were released in 2014 and 2012 respectively.
- from v4.2.6
  * Fix a DeprecationWarning in Py3.7+.
  * Import warnings in Python 3.6+ were resolved.
- Remove no longer needed
  0001-Make-test-more-resilient-against-changes-in-latest-l.patch
- Remove superfluous devel dependency for noarch package
- Update to 4.2.5
  * Javascript URLs that used URL escaping were not removed by the HTML cleaner.
    Security problem found by Omar Eissa.
- Fix threading tests patch for 42.3
  * Add 0001-Make-test-more-resilient-against-changes-in-latest-l.patch
  * Remove python-lxml-assert.patch
- Update to 4.2.4 (2018-08-03)
  + Features added
  * GH#259: Allow using ``pkg-config`` for build configuration.
    Patch by Patrick Griffis.
  + Bugs fixed
  * LP#1773749, GH#268: Crash when moving an element to another document with
    ``Element.insert()``.
    Patch by Alexander Weggerle.
- Update to 4.2.3
  + Bugs fixed
  * Reverted GH#265: lxml links against zlib as a shared library again.
- Update to 4.2.2
  + Bugs fixed
  * GH#266: Fix sporadic crash during GC when parse-time schema validation is used
    and the parser participates in a reference cycle.
    Original patch by Julien Greard.
  * GH#265: lxml no longer links against zlib as a shared library, only on static builds.
    Patch by Nehal J Wani.
- Version update to 4.2.1:
  * LP#1755825: iterwalk() failed to return the 'start' event for the initial
    element if a tag selector is used.
  * LP#1756314: Failure to import 4.2.0 into PyPy due to a missing library symbol.
  * LP#1727864, GH#258: Add "-isysroot" linker option on MacOS as needed by XCode 9.
- Version update to 4.2.0:
  * GH#255: ``SelectElement.value`` returns more standard-compliant and
    browser-like defaults for non-multi-selects.  If no option is selected, the
    value of the first option is returned (instead of None).  If multiple options
    are selected, the value of the last one is returned (instead of that of the
    first one).  If no options are present (not standard-compliant)
    ``SelectElement.value`` still returns ``None``.
  * GH#261: The ``HTMLParser()`` now supports the ``huge_tree`` option.
    Patch by stranac.
  * LP#1551797: Some XSLT messages were not captured by the transform error log.
  * LP#1737825: Crash at shutdown after an interrupted iterparse run with XMLSchema
    validation.
- Add patch python-lxml-assert.patch to pass test fail on threading
- update to 4.1.1
  - ElementPath supports text predicates for current node, like "[.='text']".
  - ElementPath allows spaces in predicates.
  - Custom Element classes and XPath functions can now be registered with
    a decorator rather than explicit dict assignments.
  - LP#1722776: Requesting non-Element objects like comments from
    a document with PythonElementClassLookup could fail with a TypeError.
python-paramiko
- update to 2.4.3
  * Fix Ed25519 key handling so certain key comment lengths don't cause
    SSHException("Invalid key") (bsc#1200603)
  * Add support for the modern (as of Python 3.3) import location of
    MutableMapping (used in host key management) to avoid the old location
    becoming deprecated in Python 3.8.
- refresh add-support-for-new-OpenSSH-private-key-format.patch
- refresh paramiko-test_extend_timeout.patch
- refresh support-cryptography-25-and-above.patch
  * Fix exploit (CVE-2018-1000805) in Paramiko's server mode (not client mode)
    (bsc#1111151)
python-py
- Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972)
- Drop CVE-2020-29651.patch, issue fixed upstream in 1.10.0
- Update to 1.10.0
  * Fix a regular expression DoS vulnerability in the py.path.svnwc
    SVN blame functionality (CVE-2020-29651)
- Devendor apipkg and iniconfig
- Add pr_222.patch to activate test suite
- Update to 1.9.0
  * Add type annotation stubs
python3
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).
- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix
  CVE-2020-10735 (bsc#1203125) to limit amount of digits
  converting text to int and vice versa (potential for DoS).
  Originally by Victor Stinner of Red Hat.
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch,
  CRLF_injection_via_host_part.patch, and
  CVE-2019-18348-CRLF_injection_via_host_part.patch.
resource-agents
- ECO: Maint: Azure Events RA can not handle AV Zones (jsc#PED-2000)
  Add upstream patch:
    0001-azure-events-az-new-resource-agent-1774.patch
- RA aws-vpc-move-ip is lacking the possibility to assign a label to an interface.
  (bsc#1199766)  Include upstream patch:
    0001-aws-vpc-move-ip-Allow-to-set-the-interface-label.patch
rsync
- Add support for --trust-sender parameter (patch by Jie Gong in
  bsc#1202970). (related to CVE-2022-29154, bsc#1201840)
  * Added patch rsync-CVE-2022-29154-trust-sender-1.patch
  * Added patch rsync-CVE-2022-29154-trust-sender-2.patch
- Apply "rsync-CVE-2022-29154.patch" to fix a security vulnerability
  in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
ruby2
- Update suse.patch to 41adc98ad1:
  - Cookie Prefix Spoofing in CGI::Cookie.parse (boo#1193081 CVE-2021-41819)
- add back some lost chunks to the suse.patch
rubygem-activesupport-5_1
- Add patch to fix CVE-2022-27777 (bsc#1199060)
  CVE-2022-27777.patch
rubygem-kramdown
- security update
- added patches
  fix CVE-2020-14001 [bsc#1174297], processing template options inside documents allows unintended read access or embedded Ruby code execution
  + rubygem-kramdown-CVE-2020-14001.patch
rubygem-loofah
- Added patch CVE-2019-15587.patch to fix CVE-2019-15587 (bsc#1154751)
rubygem-puma
- updated to version 4.3.12
  * fix bsc#1197818, CVE-2022-24790
  rubygem-puma: HTTP request smuggling if proxy is not RFC7230 compliant
rubygem-rack
- security update
- added patches
  fix CVE-2020-8184 [bsc#1173351], percent-encoded cookies can be used to overwrite existing prefixed cookie names
  + rubygem-rack-CVE-2020-8184.patch
  fix CVE-2020-8161 [bsc#1172037], directory traversal in Rack:Directory
  + rubygem-rack-CVE-2020-8161.patch
rubygem-rails-html-sanitizer
- Add patch 0001_CVE-2022-32209.patch
  This patch fixes CVE-2022-32209 (bsc#1201183)
rubygem-tzinfo
- security update
- added patches
  fix CVE-2022-31163 [bsc#1201835], Relative path traversal vulnerability allows TZInfo::Timezone.get to load arbitrary files
  + rubygem-tzinfo-CVE-2022-31163.patch
runc
- Update to runc v1.1.4. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.4.
  bsc#1202021
  * Fix mounting via wrong proc fd. When the user and mount namespaces are
    used, and the bind mount is followed by the cgroup mount in the spec,
    the cgroup was mounted using the bind mount's mount fd.
  * Switch kill() in libcontainer/nsenter to sane_kill().
  * Fix "permission denied" error from runc run on noexec fs.
  * Fix failed exec after systemctl daemon-reload. Due to a regression
    in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
    was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
    (boo#1202821)
samba
- CVE-2022-32742: SMB1 code does not correctly verify SMB1write,
  SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
  (bsc#1201496).
sqlite3
- update to 3.39.3:
  * Use a statement journal on DML statements affecting two or more
    database rows if the statement makes use of SQL functions
    that might abort.
  * Use a mutex to protect the PRAGMA temp_store_directory and
    PRAGMA data_store_directory statements, even though they are
    deprecated and documented as not being threadsafe.
- update to 3.39.2:
  * Fix a performance regression in the query planner associated
    with rearranging the order of FROM clause terms in the
    presence of a LEFT JOIN.
  * Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
    1345947, forum post 3607259d3c, and other minor problems
    discovered by internal testing. [boo#1201783]
- update to 3.39.1:
  * Fix an incorrect result from a query that uses a view that
    contains a compound SELECT in which only one arm contains a
    RIGHT JOIN and where the view is not the first FROM clause term
    of the query that contains the view
  * Fix a long-standing problem with ALTER TABLE RENAME that can
    only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
    to a very small value.
  * Fix a long-standing problem in FTS3 that can only arise when
    compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
    option.
  * Fix the initial-prefix optimization for the REGEXP extension so
    that it works correctly even if the prefix contains characters
    that require a 3-byte UTF8 encoding.
  * Enhance the sqlite_stmt virtual table so that it buffers all of
    its output.
- update to 3.39.0:
  * Add (long overdue) support for RIGHT and FULL OUTER JOIN
  * Add new binary comparison operators IS NOT DISTINCT FROM and
    IS DISTINCT FROM that are equivalent to IS and IS NOT,
    respectively, for compatibility with PostgreSQL and SQL standards
  * Add a new return code (value "3") from the sqlite3_vtab_distinct()
    interface that indicates a query that has both DISTINCT and
    ORDER BY clauses
  * Added the sqlite3_db_name() interface
  * The unix os interface resolves all symbolic links in database
    filenames to create a canonical name for the database before
    the file is opened
  * Defer materializing views until the materialization is actually
    needed, thus avoiding unnecessary work if the materialization
    turns out to never be used
  * The HAVING clause of a SELECT statement is now allowed on any
    aggregate query, even queries that do not have a GROUP BY
    clause
  * Many microoptimizations collectively reduce CPU cycles by about
    2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
  related test failures on 32 bit
- update to 3.38.5:
  * Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
  * fix a byte-code problem in the Bloom filter pull-down
    optimization added by release 3.38.0 in which an error in the
    byte code causes the byte code engine to enter an infinite loop
    when the pull-down optimization encounters a NULL key
- update to 3.38.3:
  * Fix a case of the query planner being overly aggressive with
    optimizing automatic-index and Bloom-filter construction,
    using inappropriate ON clause terms to restrict the size of the
    automatic-index or Bloom filter, and resulting in missing rows
    in the output.
  * Other minor patches. See the timeline for details.
- update to 3.38.2:
  * Fix a problem with the Bloom filter optimization that might
    cause an incorrect answer when doing a LEFT JOIN with a WHERE
    clause constraint that says that one of the columns on the
    right table of the LEFT JOIN is NULL.
  * Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
  of SQLite (bsc#1195773).
- update to 3.38.1:
  * Fix problems with the new Bloom filter optimization that might
    cause some obscure queries to get an incorrect answer.
  * Fix the localtime modifier of the date and time functions so
    that it preserves fractional seconds.
  * Fix the sqlite_offset SQL function so that it works correctly
    even in corner cases such as when the argument is a virtual
    column or the column of a view.
  * Fix row value IN operator constraints on virtual tables so that
    they work correctly even if the virtual table implementation
    relies on bytecode to filter rows that do not satisfy the
    constraint.
  * Other minor fixes to assert() statements, test cases, and
    documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
  sqlite-src-3380100-atof1.patch
- update to 3.38.0
  * Add the -> and ->> operators for easier processing of JSON
  * The JSON functions are now built-ins
  * Enhancements to date and time functions
  * Rename the printf() SQL function to format() for better
    compatibility, with alias for backwards compatibility.
  * Add the sqlite3_error_offset() interface for helping localize
    an SQL error to a specific character in the input SQL text
  * Enhance the interface to virtual tables
  * CLI columnar output modes are enhanced to correctly handle tabs
    and newlines embedded in text, and add options like "--wrap N",
    "--wordwrap on", and "--quote" to the columnar output modes.
  * Query planner enhancements using a Bloom filter to speed up
    large analytic queries, and a balanced merge tree to evaluate
    UNION or UNION ALL compound SELECT statements that have an
    ORDER BY clause.
  * The ALTER TABLE statement is changed to silently ignore
    entries in the sqlite_schema table that do not parse when
    PRAGMA writable_schema=ON
- update to 3.37.2:
  * Fix a bug introduced in version 3.35.0 (2021-03-12) that can
    cause database corruption if a SAVEPOINT is rolled back while
    in PRAGMA temp_store=MEMORY mode, and other changes are made,
    and then the outer transaction commits
  * Fix a long-standing problem with ON DELETE CASCADE and ON
    UPDATE CASCADE in which a cache of the bytecode used to
    implement the cascading change was not being reset following a
    local DDL change
- update to 3.37.1:
  * Fix a bug introduced by the UPSERT enhancements of version
    3.35.0 that can cause incorrect byte-code to be generated for
    some obscure but valid SQL, possibly resulting in a NULL-
    pointer dereference.
  * Fix an OOB read that can occur in FTS5 when reading corrupt
    database files.
  * Improved robustness of the --safe option in the CLI.
  * Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
  * STRICT tables provide a prescriptive style of data type
    management, for developers who prefer that kind of thing.
  * When adding columns that contain a CHECK constraint or a
    generated column containing a NOT NULL constraint, the
    ALTER TABLE ADD COLUMN now checks new constraints against
    preexisting rows in the database and will only proceed if no
    constraints are violated.
  * Added the PRAGMA table_list statement.
  * Add the .connection command, allowing the CLI to keep multiple
    database connections open at the same time.
  * Add the --safe command-line option that disables dot-commands
    and SQL statements that might cause side-effects that extend
    beyond the single database file named on the command-line.
  * CLI: Performance improvements when reading SQL statements that
    span many lines.
  * Added the sqlite3_autovacuum_pages() interface.
  * The sqlite3_deserialize() does not and has never worked
    for the TEMP database. That limitation is now noted in the
    documentation.
  * The query planner now omits ORDER BY clauses on subqueries and
    views if removing those clauses does not change the semantics
    of the query.
  * The generate_series table-valued function extension is modified
    so that the first parameter ("START") is now required. This is
    done as a way to demonstrate how to write table-valued
    functions with required parameters. The legacy behavior is
    available using the -DZERO_ARGUMENT_GENERATE_SERIES
    compile-time option.
  * Added new sqlite3_changes64() and sqlite3_total_changes64()
    interfaces.
  * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
  * Use less memory to hold the database schema.
  * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
    extension when a column has no collating sequence.
sudo
- Added sudo-1-8-27-bsc1201462-ignore-no-sudohost.patch
  * Ignore entries when converting LDAP to sudoers. Prevents empty
    host list being treated as "ALL" wildcard.
  * bsc#1201462
  * Sourced from https://www.sudo.ws/repos/sudo/rev/484d0d3b892e
supportutils-plugin-ha-sap
- Update to version 0.0.4+git.1663748456.ad13e75:
  * fix basic support for saptune
    add saptune version 3 awareness and add a hint for the new
    saptune supportconfig plugin delivered within the saptune
    package >= 3.x
    (bsc#1203202)
- Update to version 0.0.3+git.1659022100.39bfcd6:
  * Update README.md
  * Replace spaces to tabs.
  * Search for other groups too.
  * Include /etc/group in plugin-ha_sap.txt (bsc#1201831)
  * Update ha_sap
  * Update pacemaker.log location change
  * suppress link path in Readme.md
  * add section 'Additional information' to the Readme.md
  * change release status of the project
  * Update README.md
  * Update ha_sap
systemd
- Import commit 5183646e041a0ac78107bc4e5b06594e3a27657f
  8187a5e5f6 Allow control characters in environment variable values (bsc#1200170)
  da394cc0b0 test-env-util: Verify that \r is disallowed in env var values
  da0120492d test-env-util: print function headers
  0702ce5b4e basic/env-util: Allow newlines in values of environment variables
  6fda9a8c7b udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
  52174bfc1a man: tweak description of auto/noauto (bsc#1191502)
  8a57b62f90 shared/install: ignore failures for auxiliary files
  86079f3522 systemctl: supress enable/disable messages when -q is given (#7067)
  aa4b7b7925 shared/install: fix error codes returned by install_context_apply()
  ce671cf6e3 shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
systemd-presets-common-SUSE
- enable ignition-delete-config by default (bsc#1199524)
- Modify branding-preset-states to fix systemd-presets-common-SUSE
  not enabling new user systemd service preset configuration just
  as it handles system service presets. By passing an (optional)
  second parameter "user", the save/apply-changes commands now
  work with user services instead of system ones (boo#1200485)
- Add the wireplumber user service preset to enable it by default
  in SLE15-SP4 where it replaced pipewire-media-session, but keep
  pipewire-media-session preset so we don't have to branch the
  systemd-presets-common-SUSE package for SP4 (boo#1200485)
tar
- bsc1200657.patch was previously incomplete leading to deadlocks
  * bsc#1202436
  * bsc1200657.patch updated
- Fix race condition while creating intermediate subdirectories,
  bsc#1200657
  * bsc1200657.patch
telnet
- Fix CVE-2022-39028, NULL pointer dereference in telnetd
  (CVE-2022-39028, bsc#1203759)
  CVE-2022-39028.patch
tiff
- security update:
  * CVE-2022-2519 [bsc#1202968]
  * CVE-2022-2520 [bsc#1202973]
  * CVE-2022-2521 [bsc#1202971]
    + tiff-CVE-2022-2519,CVE-2022-2520,CVE-2022-2521.patch
  * CVE-2022-2867 [bsc#1202466]
  * CVE-2022-2868 [bsc#1202467]
  * CVE-2022-2869 [bsc#1202468]
    + tiff-CVE-2022-2867,CVE-2022-2868,CVE-2022-2869.patch
- CVE-2022-34266 [bsc#1201971] and [bsc#1201723]:
  Rename tiff-CVE-2022-0561.patch to
  tiff-CVE-2022-0561,CVE-2022-34266.patch
  This CVE is actually a duplicate.
- security update:
  * CVE-2022-34526 [bsc#1202026]
    + tiff-CVE-2022-34526.patch
- security update
  * CVE-2022-2056 [bsc#1201176]
  * CVE-2022-2057 [bsc#1201175]
  * CVE-2022-2058 [bsc#1201174]
    + tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch
tigervnc
- U_Handle-pending-data-in-TLS-buffers.patch
  * Vncclient wasn't refreshing screen correctly due to an issue on
    TLS stream buffers.
  * bsc#1199477
timezone
- Update to reflect new Chile DST change, bsc#1202310
  * bsc1202310.patch
unzip
- Fix CVE-2022-0530, SIGSEGV during the conversion of a utf-8 string
  to a local string (CVE-2022-0530, bsc#1196177)
  * CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
  * CVE-2022-0529.patch
util-linux
- su: Change owner and mode for pty (bsc#1200842,
  util-linux-login-move-generic-setting-to-ttyutils.patch,
  util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
util-linux-systemd
- su: Change owner and mode for pty (bsc#1200842,
  util-linux-login-move-generic-setting-to-ttyutils.patch,
  util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
vim
- Updated to version 9.0 with patch level 0313, fixes the following problems
  * Fixing bsc#1200884 Vim: Error on startup
  * Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent()
  * Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address()
  * Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg()
  * Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
  * Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
  * Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
  * Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
  * Fixing bsc#1201620 SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
  * Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
  * Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
  * Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
  * Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
  * Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
  * Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
  * Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
  * Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
  * Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
  * Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
  * Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
  * Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
  * Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
  * Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference skipwhite()
  * Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
  * Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
  * Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
  * Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
  * Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
  * Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
  * Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
  * Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
  * Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
  * Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
  * Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
  * Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
  * Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
  * Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
  * Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
  * Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
  * Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
  * Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
  * Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285
yast2-sap-ha
- YaST2 sap_ha tool does not allow digits at the beginning of site names
  (bsc#1200427)
- 1.0.15
- Introduce a new function refresh_all_proposals.
  This reads the proposal for the modules watchdog and fence.
  This is necessary when reading an earlier configuration.
- Use .gsub instead of File.basename to find all modules files.
  Replace tab with spaces.
  (bsc#1197290)
- 1.0.14
- system/watchdog.rb searches watchdog modules with .ko extension
  but we ship .ko.xz  (bsc#1197290)
- 1.0.13
- softdog missing in Yast while configuring HA for SAP Products
  (bsc#1199029)
- 1.0.12
- kmod-compat has broken dependencies (bsc#1186618)
  Update requirement
- 1.0.11
- "SUSE SAP HA Yast wizard for HANA doesn't configure the HANA hooks.
  (bsc#1190774)
  Add SAPHanaSR via global.ini as proposed in
  https://documentation.suse.com/sbp/all/html/SLES4SAP-hana-sr-guide-PerfOpt-15/index.html#id-1.10.6.6"
- 1.0.10
- bsc#1158843 hana-*: Broken gettext support
- 1.0.9
zlib
- Fix heap-based buffer over-read or buffer overflow in inflate via
  large gzip header extra field (bsc#1202175, CVE-2022-37434,
  CVE-2022-37434-extra-header-1.patch,
  CVE-2022-37434-extra-header-2.patch).
zypper
- BuildRequires:  libzypp-devel >= 17.31.2.
- Fix --[no]-allow-vendor-change feedback in install command
  (bsc#1201972)
- version 1.14.57
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
  (fixes #441, fixes #444)
- Remove unneeded code to compute the PPP status.
  Since libzypp 17.23.0 the PPP status is auto established. No
  extra solver run is needed.
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Fix tests to use locale "C.UTF-8" rather than "en_US".
- Fix man page (fixes #451)
- version 1.14.56
- lr: Allow shortening the Name column if table is wider than the
  terminal (bsc#1201638)
- Don't accept install/remove modifier without argument
  (bsc#1201576)
- zypper-download: Set correct ExitInfoCode when failing to
  resolve argument.
- zypper-download: Handle unresolvable arguments as error.
  This commit changes zypper-download such that it behaves more
  consistently with zypper-install when an argument can't be resolved.
- version 1.14.55
- Fix building with GCC 13 (fixes #448)
- Put signing key supplying repository name in quotes.
- version 1.14.54
- Basic JobReport for "cmdout/monitor".
- versioncmp: if verbose, also print the edition 'parts' which are
  compared.
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally (fixes #433)
- Honor the NO_COLOR environment variable when auto-detecting
  whether to use color (fixes #432)
- Define table columns which should be sorted natural [case
  insensitive] (fixes #391, closes #396, fixes #424)
- lr/ls: Use highlight color on name and alias as well.
- version 1.14.53