HANA-Firewall
- Missing SCR Agent for reading and writing /etc/sysconfig/hana-firewall from yast2
  (bsc#1210981)
SAPHanaSR
- Version bump to 0.162.1
  * fix for SAPHanaTopology failing with error code 1
    (OCF_ERR_GENERIC) during a normal stop action
    (bsc#1207466)
  * set srhook attribute to PRIM during a probe so that we do not
    need to wait for the first srConnectionChanged() to set the
    attribute
    (bsc#1205535)

- Version bump to 0.162.0
  * add improvements from SAP to the RA scripts regarding the
    handling of the SAP tools 'HDB version', 'HDBSettings.sh' and
    'pycd' and the SAPHana log filter handling
    (jsc#PED-1739, jsc#PED-2608)
  * fix for SAPHanaSR-monitor reporting "LPA status of one node is
    missing"
    (bsc#1192963, bsc#1203973)
  * SAPHanaSRTools.pm: shows terminate node attribute too
- remove patch:
    0001-bsc-1192963.patch
aaa_base
- Add patch git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  * respect /etc/update-alternatives/java when setting JAVA_HOME
    (bsc#1215434,bsc#1107342)
autofs
- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
  Fix off-by-one error in recursive map handling. (bsc#1209653)
autoyast2
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
- 4.3.106

- Properly install the selected products, do not lose them after
  resetting the package manager internally (bsc#1202234)
- 4.3.105

- Process the <ask-list/> section in an installed system once the
  <general/> section is imported in the (bsc#1201953).
- 4.3.104

- Revert the modification done in version 4.3.97 running the
  initscripts before systed-user-sessions service again once
  systemd fixed logind (bsc#1195059, bsc#1200780)
- 4.3.103
azure-cli-core
- Relax version dependency for python-humanfriendly in Requires
bind
- Security Fix:
  * Previously, sending a specially crafted message over the
    control channel could cause the packet-parsing code to run out
    of available stack memory, causing named to terminate
    unexpectedly. This has been fixed.
  [bsc#1215472, CVE-2023-3341, bind-CVE-2023-3341.patch]

- Add libs as requires because they may need to be updated when
  installing bind
  [bsc#1213748]

- Add dnstap support
  [jsc#PED-4852]

- Security Fix:
  * The overmem cleaning process has been improved, to prevent the
    cache from significantly exceeding the configured
    max-cache-size limit.
  [bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch]

- Security Fix:
  * An UPDATE message flood could cause named to exhaust all
    available memory. This flaw was addressed by adding a new
    update-quota option that controls the maximum number of
    outstanding DNS UPDATE messages that named can hold in a queue
    at any given time (default: 100).
  [bsc#1207471, CVE-2022-3094, bind-CVE-2022-3094.patch]

- Add systemd drop-in directory for named service
  [bsc#1201689, bind.spec]
binutils
- Update to version 2.41 [PED-5778]:
  * The MIPS port now supports the Sony Interactive Entertainment Allegrex
  processor, used with the PlayStation Portable, which implements the MIPS
  II ISA along with a single-precision FPU and a few implementation-specific
  integer instructions.
  * Objdump's --private option can now be used on PE format files to display the
  fields in the file header and section headers.
  * New versioned release of libsframe: libsframe.so.1.  This release introduces
  versioned symbols with version node name LIBSFRAME_1.0.  This release also
  updates the ABI in an incompatible way: this includes removal of
  sframe_get_funcdesc_with_addr API, change in the behavior of
  sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
  * SFrame Version 2 is now the default (and only) format version supported by
  gas, ld, readelf and objdump.
  * Add command-line option, --strip-section-headers, to objcopy and strip to
  remove ELF section header from ELF file.
  * The RISC-V port now supports the following new standard extensions:
  - Zicond (conditional zero instructions)
  - Zfa (additional floating-point instructions)
  - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
    Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
  * The RISC-V port now supports the following vendor-defined extensions:
  - XVentanaCondOps
  * Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
  * A new .insn directive is recognized by x86 gas.
  * Add SME2 support to the AArch64 port.
  * The linker now accepts a command line option of --remap-inputs
  <PATTERN>=<FILE> to relace any input file that matches <PATTERN> with
  <FILE>.  In addition the option --remap-inputs-file=<FILE> can be used to
  specify a file containing any number of these remapping directives.
  * The linker command line option --print-map-locals can be used to include
  local symbols in a linker map.  (ELF targets only).
  * For most ELF based targets, if the --enable-linker-version option is used
  then the version of the linker will be inserted as a string into the .comment
  section.
  * The linker script syntax has a new command for output sections: ASCIZ "string"
  This will insert a zero-terminated string at the current location.
  * Add command-line option, -z nosectionheader, to omit ELF section
  header.
- Removed obsolete patches: binutils-2.40-branch.diff.gz,
  riscv-dynamic-tls-reloc-pie.patch, riscv-pr22263-1.patch,
  extensa-gcc-4_3-fix.diff .
- Add binutils-2.41-branch.diff.gz .
- Add binutils-old-makeinfo.diff for SLE-12 and older.
- Rebased aarch64-common-pagesize.patch and binutils-revert-rela.diff .
- Contains fixes for these non-CVEs (not security bugs per upstreams
  SECURITY.md):
  * bsc#1209642 aka CVE-2023-1579 aka PR29988
  * bsc#1210297 aka CVE-2023-1972 aka PR30285
  * bsc#1210733 aka CVE-2023-2222 aka PR29936
  * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
  * bsc#1214565 aka CVE-2020-19726 aka PR26240
  * bsc#1214567 aka CVE-2022-35206 aka PR29290
  * bsc#1214579 aka CVE-2022-35205 aka PR29289
  * bsc#1214580 aka CVE-2022-44840 aka PR29732
  * bsc#1214604 aka CVE-2022-45703 aka PR29799
  * bsc#1214611 aka CVE-2022-48065 aka PR29925
  * bsc#1214619 aka CVE-2022-48064 aka PR29922
  * bsc#1214620 aka CVE-2022-48063 aka PR29924
  * bsc#1214623 aka CVE-2022-47696 aka PR29677
  * bsc#1214624 aka CVE-2022-47695 aka PR29846
  * bsc#1214625 aka CVE-2022-47673 aka PR29876

- Add binutils-disable-dt-relr.sh for an compatibility problem
  caused by binutils-revert-rela.diff in SLE codestreams.
  Needed for update of glibc as that would otherwise pick up
  the broken relative relocs support.  [bsc#1213282, PED-1435]
- This only existed only for a very short while in SLE-15, as the main
  variant in devel:gcc subsumed this in binutils-revert-rela.diff.
  Hence:
- Remove binutils-disable-dt-relr.sh as subsumed.

- riscv-dynamic-tls-reloc-pie.patch: Backport for PR ld/22263 and PR
  ld/25694
- riscv-pr22263-1.patch: Backport for PR ld/22263

- Rebase branch patch (includes fix for PR30281).

- Document fixed CVEs:
  * bnc#1208037 aka CVE-2023-25588 aka PR29677
  * bnc#1208038 aka CVE-2023-25587 aka PR29846
  * bnc#1208040 aka CVE-2023-25585 aka PR29892
  * bnc#1208409 aka CVE-2023-0687 aka PR29444

- Enable bpf-none cross target and add bpf-none to the multitarget
  set of supported targets.

- Disable packed-relative-relocs for old codestreams.  They generate
  buggy relocations when binutils-revert-rela.diff is active.
  [bsc#1206556]

- Disable ZSTD debug section compress by default.

- Enable zstd compression algorithm (instead of zlib)
  for debug info sections by default.

- Pack libgprofng only for supported platforms.

- Remove upstreamed patch binutils-maxpagesize.diff.

- Rebase binutils-2.40-branch.diff.gz as it includes fix for PR30043.
- Move libgprofng-related libraries to the proper locations (packages).
- Add --without=bootstrap for skipping of bootstrap (faster testing
  of the package).

- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

- Update to version 2.40:
  * Objdump has a new command line option --show-all-symbols which will make it
  display all symbols that match a given address when disassembling.  (Normally
  only the first symbol that matches an address is shown).
  * Add --enable-colored-disassembly configure time option to enable colored
  disassembly output by default, if the output device is a terminal.  Note,
  this configure option is disabled by default.
  * DCO signed contributions are now accepted.
  * objcopy --decompress-debug-sections now supports zstd compressed debug
  sections.  The new option --compress-debug-sections=zstd compresses debug
  sections with zstd.
  * addr2line and objdump --dwarf now support zstd compressed debug sections.
  * The dlltool program now accepts --deterministic-libraries and
  - -non-deterministic-libraries as command line options to control whether or
  not it generates deterministic output libraries.  If neither of these options
  are used the default is whatever was set when the binutils were configured.
  * readelf and objdump now have a newly added option --sframe which dumps the
  SFrame section.
  * Add support for Intel RAO-INT instructions.
  * Add support for Intel AVX-NE-CONVERT instructions.
  * Add support for Intel MSRLIST instructions.
  * Add support for Intel WRMSRNS instructions.
  * Add support for Intel CMPccXADD instructions.
  * Add support for Intel AVX-VNNI-INT8 instructions.
  * Add support for Intel AVX-IFMA instructions.
  * Add support for Intel PREFETCHI instructions.
  * Add support for Intel AMX-FP16 instructions.
  * gas now supports --compress-debug-sections=zstd to compress
  debug sections with zstd.
  * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
  that selects the default compression algorithm
  for --enable-compressed-debug-sections.
  * Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,
  XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,
  XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head
  ISA manual, which are implemented in the Allwinner D1.
  * Add support for the RISC-V Zawrs extension, version 1.0-rc4.
  * Add support for Cortex-X1C for Arm.
  * New command line option --gsframe to generate SFrame unwind information
  on x86_64 and aarch64 targets.
  * The linker has a new command line option to suppress the generation of any
  warning or error messages.  This can be useful when there is a need to create
  a known non-working binary.  The option is -w or --no-warnings.
  * ld now supports zstd compressed debug sections.  The new option
  - -compress-debug-sections=zstd compresses debug sections with zstd.
  * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
  that selects the default compression algorithm
  for --enable-compressed-debug-sections.
  * Remove support for -z bndplt (MPX prefix instructions).
- Rebased patches: add-ulp-section.diff, ld-relro.diff, binutils-revert-plt32-in-branches.diff,
  cross-avr-size.patch.
- Removed patch: binutils-pr29482.diff.
- New patch: extensa-gcc-4_3-fix.diff.
- Includes fixes for these CVEs:
  * bnc#1206080 aka CVE-2022-4285 aka PR29699
- Enable by default: --enable-colored-disassembly.

- fix build on x86_64_vX platforms

- Add binutils-maxpagesize.diff for a problem on old code
  streams, where we would generate too large binaries.

- s390-pic-dso.diff: use %pB instead of %B

- SLE toolchain update of binutils.  Update to 2.39 from 2.37,
  which means obsoleting and hence removing these patches:
  binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff,
  binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff,
  binutils-add-z16-name.diff.
  Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033,
  jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031,
  jsc#SLE-25047]
- This fixes these CVEs relative to 2.37:
  [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648
  [bsc#1193929] aka PR28694 aka CVE-2021-45078
  [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195
  [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943
  [bsc#1202966] aka PR29289 aka CVE-2022-38126
  [bsc#1202967] aka PR29290 aka CVE-2022-38127
  [bsc#1202969] aka CVE-2021-3826

- add arm32-avoid-copyreloc.patch for PR16177 (bsc#1200962)

- Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533
  [bsc#1202816]

- Rebase binutils-2.39-branch.diff.gz that contains fix for PR29451.

- Add binutils-2.39-branch.diff.gz.
- Explicitly enable --enable-warn-execstack=yes and	--enable-warn-rwx-segments=yes.
- Add gprofng subpackage.

- Update to binutils 2.39:
  * The ELF linker will now generate a warning message if the stack is made
    executable.  Similarly it will warn if the output binary contains a
    segment with all three of the read, write and execute permission
    bits set.  These warnings are intended to help developers identify
    programs which might be vulnerable to attack via these executable
    memory regions.
    The warnings are enabled by default but can be disabled via a command
    line option.  It is also possible to build a linker with the warnings
    disabled, should that be necessary.
  * The ELF linker now supports a --package-metadata option that allows
    embedding a JSON payload in accordance to the Package Metadata
    specification.
  * In linker scripts it is now possible to use TYPE=<type> in an output
    section description to set the section type value.
  * The objdump program now supports coloured/colored syntax
    highlighting of its disassembler output for some architectures.
    (Currently: AVR, RiscV, s390, x86, x86_64).
  * The nm program now supports a --no-weak/-W option to make it ignore
    weak symbols.
  * The readelf and objdump programs now support a -wE option to prevent
    them from attempting to access debuginfod servers when following
    links.
  * The objcopy program's --weaken, --weaken-symbol, and
  - -weaken-symbols options now works with unique symbols as well.
- Rebase binutils-compat-old-behaviour.diff, binutils-revert-hlasm-insns.diff,
  binutils-revert-plt32-in-branches.diff and remove binutils-2.38-branch.diff.gz.
- For now use --disable-gprofng.
- Includes fixes for these CVEs:
  bnc#1142579 aka CVE-2019-1010204 aka PR23765

(Fake entry from SLE for tracking purposes:)
blog
- Add patch blog.dif
  * Fix big endian cast problems to be able to read commands
    and ansers (blogctl) as well as passphrases (blogd)
ca-certificates-mozilla
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
  Added:
  - Atos TrustedRoot Root CA ECC G2 2020
  - Atos TrustedRoot Root CA ECC TLS 2021
  - Atos TrustedRoot Root CA RSA G2 2020
  - Atos TrustedRoot Root CA RSA TLS 2021
  - BJCA Global Root CA1
  - BJCA Global Root CA2
  - LAWtrust Root CA2 (4096)
  - Sectigo Public Email Protection Root E46
  - Sectigo Public Email Protection Root R46
  - Sectigo Public Server Authentication Root E46
  - Sectigo Public Server Authentication Root R46
  - SSL.com Client ECC Root CA 2022
  - SSL.com Client RSA Root CA 2022
  - SSL.com TLS ECC Root CA 2022
  - SSL.com TLS RSA Root CA 2022
  Removed CAs:
  - Chambers of Commerce Root
  - E-Tugra Certification Authority
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  - Hongkong Post Root CA 1

- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
  Removed CAs:
  - Global Chambersign Root
  - EC-ACC
  - Network Solutions Certificate Authority
  - Staat der Nederlanden EV Root CA
  - SwissSign Platinum CA - G2
  Added CAs:
  - DIGITALSIGN GLOBAL ROOT ECDSA CA
  - DIGITALSIGN GLOBAL ROOT RSA CA
  - Security Communication ECC RootCA1
  - Security Communication RootCA3
  Changed trust:
  - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212) as most code does not handle "valid before nov 30 2022"
  and it is not clear how many certs were issued for SSL middleware by TrustCor:
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1
  Patch: remove-trustcor.patch
catatonit
- Update to catatont v0.1.7
- This release adds the ability for catatonit to be used as the only
  process in a pause container, by passing the -P flag (in this mode no
  subprocess is spawned and thus no signal forwarding is done).

- Add 99bb9048f.patch: configure.ac: call AM_INIT_AUTOMAKE only
  once. Fix build with autocnf 2.71 / automake 1.16.5.

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).
- Update catatonit-rpmlintrc in order to cover that static binaries are now an
  error not a warning.
cloud-init
- Update cloud-init-write-routes.patch (bsc#1212879)
  + Add necessary import statement
- Enable flake8 linting, fix up patches
  + cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
  + cloud-init-power-rhel-only.patch
  + cloud-init-write-routes.patch
  + datasourceLocalDisk.patch

- Add cloud-init-power-rhel-only.patch (bsc#1210273)
  + Config module cc_refresh_rmc_and_interface is implemented such that
    it will only work on RH distros. Set the module availability accordingly.

- Sensitive data exposure (bsc#1210277, CVE-2023-1786)
  + Add hidesensitivedata
  + Add cloud-init-cve-2023-1786-redact-inst-data.patch
  + Do not expose sensitive data gathered from the CSP

- Update to version 23.1
  + Remove patches included upstream:
  - cloud-init-btrfs-queue-resize.patch
  - cloud-init-micro-is-suse.patch
  - cloud-init-suse-afternm.patch
  - cloud-init-prefer-nm.patch
  - cloud-init-transact-up.patch
  + Forward port
  - cloud-init-write-routes.patch
  + Added
  - cloud-init-fix-ca-test.patch
  + Support transactional-updates for SUSE based distros (#1997)
    [Robert Schweikert]
  + Set ownership for new folders in Write Files Module (#1980)
    [Jack] (LP: #1990513)
  + add OpenCloudOS and TencentOS support (#1964) [wynnfeng]
  + lxd: Retry if the server isn't ready (#2025)
  + test: switch pycloudlib source to pypi (#2024)
  + test: Fix integration test deprecation message (#2023)
  + Recognize opensuse-microos, dev tooling fixes [Robert Schweikert]
  + sources/azure: refactor imds handler into own module (#1977)
    [Chris Patterson]
  + docs: deprecation generation support [1/2] (#2013)
  + add function is_virtual to distro/FreeBSD (#1957) [Mina Galić]
  + cc_ssh: support multiple hostcertificates (#2018) (LP: #1999164)
  + Fix minor schema validation regression and fixup typing (#2017)
  + doc: Reword user data debug section (#2019)
  + Overhaul/rewrite of certificate handling as follows: (#1962)
    [dermotbradley] (LP: #1931174)
  + disk_setup: use byte string when purging the partition table (#2012)
    [Stefan Prietl]
  + cli: schema also validate vendordata*.
  + ci: sort and add checks for cla signers file [Stefan Prietl]
  + Add "ederst" as contributor (#2010) [Stefan Prietl]
  + readme: add reference to packages dir (#2001)
  + docs: update downstream package list (#2002)
  + docs: add google search verification (#2000) [s-makin]
  + docs: fix 404 render use default notfound_urls_prefix in RTD conf (#2004)
  + Fix OpenStack datasource detection on bare metal (#1923)
    [Alexander Birkner] (LP: #1815990)
  + docs: add themed RTD 404 page and pointer to readthedocs-hosted (#1993)
  + schema: fix gpt labels, use type string for GUID (#1995)
  + cc_disk_setup: code cleanup (#1996)
  + netplan: keep custom strict perms when 50-cloud-init.yaml exists
  + cloud-id: better handling of change in datasource files
    [d1r3ct0r] (LP: #1998998)
  + tests: Remove restart check from test
  + Ignore duplicate macs from mscc_felix and fsl_enetc (LP: #1997922)
  + Warn on empty network key (#1990)
  + Fix Vultr cloud_interfaces usage (#1986) [eb3095]
  + cc_puppet: Update puppet service name (#1970) [d1r3ct0r] (LP: #2002969)
  + docs: Clarify networking docs (#1987)
  + lint: remove httpretty (#1985) [sxt1001]
  + cc_set_passwords: Prevent traceback when restarting ssh (#1981)
  + tests: fix lp1912844 (#1978)
  + tests: Skip ansible test on bionic (#1984)
  + Wait for NetworkManager (#1983) [Robert Schweikert]
  + docs: minor polishing (#1979) [s-makin]
  + CI: migrate integration-test to GH actions (#1969)
  + Fix permission of SSH host keys (#1971) [Ron Gebauer]
  + Fix default route rendering on v2 ipv6 (#1973) (LP: #2003562)
  + doc: fix path in net_convert command (#1975)
  + docs: update net_convert docs (#1974)
  + doc: fix dead link
  + cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
    (#1967) [Emanuele Giuseppe Esposito]
  + distros/rhel.py: _read_hostname() missing strip on "hostname" (#1941)
    [Mark Mielke]
  + integration tests: add  IBM VPC support (SC-1352) (#1915)
  + machine-id: set to uninitialized to trigger regeneration on clones
    (LP: #1999680)
  + sources/azure: retry on connection error when fetching metdata (#1968)
    [Chris Patterson]
  + Ensure ssh state accurately obtained (#1966)
  + bddeb: drop dh-systemd dependency on newer deb-based releases [d1r3ct0r]
  + doc: fix `config formats` link in cloudsigma.rst (#1960)
  + Fix wrong subp syntax in cc_set_passwords.py (#1961)
  + docs: update the PR template link to readthedocs (#1958) [d1r3ct0r]
  + ci: switch unittests to gh actions (#1956)
  + Add mount_default_fields for PhotonOS. (#1952) [Shreenidhi Shedi]
  + sources/azure: minor refactor for metadata source detection logic
    (#1936) [Chris Patterson]
  + add "CalvoM" as contributor (#1955) [d1r3ct0r]
  + ci: doc to gh actions (#1951)
  + lxd: handle 404 from missing devices route for LXD 4.0 (LP: #2001737)
  + docs: Diataxis overhaul (#1933) [s-makin]
  + vultr: Fix issue regarding cache and region codes (#1938) [eb3095]
  + cc_set_passwords: Move ssh status checking later (SC-1368) (#1909)
    (LP: #1998526)
  + Improve Wireguard module idempotency (#1940) [Fabian Lichtenegger-Lukas]
  + network/netplan: add gateways as on-link when necessary (#1931)
    [Louis Sautier] (LP: #2000596)
  + tests: test_lxd assert features.networks.zones when present (#1939)
  + Use btrfs enquque when available (#1926) [Robert Schweikert]
  + sources/azure: drop description for report_failure_to_fabric() (#1934)
    [Chris Patterson]
  + cc_disk_setup.py: fix MBR single partition creation (#1932)
    [dermotbradley] (LP: #1851438)
  + Fix typo with package_update/package_upgrade (#1927) [eb3095]
  + sources/azure: fix device driver matching for net config (#1914)
    [Chris Patterson]
  + BSD: fix duplicate macs in Ifconfig parser (#1917) [Mina Galić]
  + test: mock dns calls (#1922)
  + pycloudlib: add lunar support for integration tests (#1928)
  + nocloud: add support for dmi variable expansion for seedfrom URL
    (LP: #1994980)
  + tools: read-version drop extra call to git describe --long
  + doc: improve cc_write_files doc (#1916)
  + read-version: When insufficient tags, use cloudinit.version.get_version
  + mounts: document weird prefix in schema (#1913)
  + add utility function test cases (#1910) [sxt1001]
  + test: mock file deletion in dhcp tests (#1911)
  + Ensure network ready before cloud-init service runs on RHEL (#1893)
    (LP: #1998655)
  + docs: add copy button to code blocks (#1890) [s-makin]
  + netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
  + azure: fix support for systems without az command installed (#1908)
  + Networking Clarification (#1892)
  + Fix the distro.osfamily output problem in the openEuler system. (#1895)
    [sxt1001] (LP: #1999042)
  + pycloudlib: bump commit dropping azure api smoke test
  + net: netplan config root read-only as wifi config can contain creds
  + autoinstall: clarify docs for users
  + sources/azure: encode health report as utf-8 (#1897) [Chris Patterson]
  + Add back gateway4/6 deprecation to docs (#1898)
  + networkd: Add support for multiple [Route] sections (#1868)
    [Nigel Kukard]
  + doc: add qemu tutorial (#1863)
  + lint: fix tip-flake8 and tip-mypy (#1896)
  + Add support for setting uid when creating users on FreeBSD (#1888)
    [einsibjarni]
  + Fix exception in BSD networking code-path (#1894) [Mina Galić]
  + Append derivatives to is_rhel list in cloud.cfg.tmpl (#1887) [Louis Abel]
  + FreeBSD init: use cloudinit_enable as only rcvar (#1875) [Mina Galić]
  + feat: add support aliyun metadata security harden mode (#1865)
    [Manasseh Zhou]
  + docs: uprate analyze to performance page [s-makin]
  + test: fix lxd preseed managed network config (#1881)
  + Add support for static IPv6 addresses for FreeBSD (#1839) [einsibjarni]
  + Make 3.12 failures not fail the build (#1873)
  + Docs: adding relative links [s-makin]
  + Update read-version
  + Fix setup.py to align with PEP 440 versioning replacing trailing
  + travis: promote 3.11-dev to 3.11 (#1866)
  + test_cloud_sigma: delete useless test (#1828) [sxt1001]
  + Add "nkukard" as contributor (#1864) [Nigel Kukard]
  + tests: ds-id mocks for vmware-rpctool as utility may not exist in env
  + doc: add how to render new module doc (#1855)
  + doc: improve module creation explanation (#1851)
  + Add Support for IPv6 metadata to OpenStack (#1805)
    [Marvin Vogt] (LP: #1906849)
  + add xiaoge1001 to .github-cla-signers (#1854) [sxt1001]
  + network: Deprecate gateway{4,6} keys in network config v2 (#1794)
    (LP: #1992512)
  + VMware: Move Guest Customization transport from OVF to VMware (#1573)
    [PengpengSun]
  + doc: home page links added (#1852) [s-makin]
  From 22.4.2
  + status: handle ds not defined in status.json (#1876) (LP: #1997559)
  From 22.4.1
  + net: skip duplicate mac check for netvsc nic and its VF (#1853)
    [Anh Vo] (LP: #1844191)
  + ChangeLog: whitespace cleanup (#1850)
  + changelog: capture 22.3.1-4 releases

- Add cloud-init-transact-up.patch to support transactional-updates

- Add cloud-init-prefer-nm.patch
  + Prefer NetworkManager of sysconfig when available

- Update to version 22.4
  + Remove patches included upstream:
  - cloud-init-vmware-test.patch
  - cloud-init-sysctl-not-in-bin.patch
  + Forward port:
  - cloud-init-write-routes.patch
  - cloud-init-break-resolv-symlink.patch
  - cloud-init-sysconf-path.patch
  - cloud-init-no-tempnet-oci.patch
  + Add cloud-init-btrfs-queue-resize.patch (bsc#1171511)
  + Add cloud-init-micro-is-suse.patch (bsc#1203393) [Martin Petersen]
  + Add cloud-init-suse-afternm.patch
  + test: fix pro integration test [Alberto Contreras]
  + cc_disk_setup: pass options in correct order to utils (#1829)
    [dermotbradley]
  + tests: text_lxd basic_preseed verify_clean_log (#1826)
  + docs: switch sphinx theme to furo (SC-1327) (#1821) [Alberto Contreras]
  + tests: activate Ubuntu Pro tests (only on Jenkins) (#1777)
    [Alberto Contreras]
  + tests: test_lxd assert features.storage.buckets when present (#1827)
  + tests: replace missed ansible install-method with underscore (#1825)
  + tests: replace ansible install-method with underscore
  + ansible: standardize schema keys
  + ci: run json tool on 22.04 rather than 20.04 (#1823)
  + Stop using devices endpoint for LXD network config (#1819)
  + apport: address new curtin log and config locations (#1812)
  + cc_grub: reword docs for clarity (#1818)
  + tests: Fix preseed test (#1820)
  + Auto-format schema (#1810)
  + Ansible Control Module (#1778)
  + Fix last reported event possibly not being sent (#1796) (LP: #1993836)
  + tests: Ignore unsupported lxd project keys (#1817) [Alberto Contreras]
  + udevadm settle should handle non-udev system gracefully (#1806)
    [dermotbradley]
  + add mariner support (#1780) [Minghe Ren]
  + Net: add BSD ifconfig(8) parser and state class (#1779) [Mina Galić]
  + adding itjamie to .github-cla-signers [Jamie (Bear) Murphy]
  + Fix inconsistency between comment and statement (#1809) [Guillaume Gay]
  + Update .github-cla-signers (#1811) [Guillaume Gay]
  + alpine.py: Add Alpine-specific manage_service function and update tests
    (#1804) [dermotbradley]
  + test: add 3.12-dev to Travis CI (#1798) [Alberto Contreras]
  + add NWCS datasource (#1793) [shell-skrimp]
  + Adding myself as CLA signer (#1799) [s-makin]
  + apport: fix some data collection failures due to symlinks (#1797)
    [Dan Bungert]
  + read-version: Make it compatible with bionic (#1795) [Alberto Contreras]
  + lxd: add support for lxd preseed config(#1789)
  + Enable hotplug for LXD datasource (#1787)
  + cli: collect logs and apport subiquity support
  + add support for Container-Optimized OS (#1748) [vteratipally]
  + test: temporarily disable failing integration test (#1792)
  + Fix LXD/nocloud detection on lxd vm tests (#1791)
  + util: Implement __str__ and __iter__ for Version (#1790)
  + cc_ua: consume ua json api for enable commands [Alberto Contreras]
  + Add clarity to cc_final_message docs (#1788)
  + cc_ntp: add support for BSDs (#1759) [Mina Galić] (LP: #1990041)
  + make Makefile make agnostic (#1786) [Mina Galić]
  + Remove hardcoding and unnecessary overrides in Makefile (#1783)
    [Joseph Mingrone]
  + Add my username (Jehops) to .github-cla-signers (#1784) [Joseph Mingrone]
  + Temporarily remove broken test (#1781)
  + Create reference documentation for base config
  + cc_ansible: add support for galaxy install (#1736)
  + distros/manage_services: add support to disable service (#1772)
    [Mina Galić] (LP: #1991024)
  + OpenBSD: remove pkg_cmd_environ function (#1773)
    [Mina Galić] (LP: 1991567)
  + docs: Correct typo in the FAQ (#1774) [Maximilian Wörner]
  + tests: Use LXD metadata to determine NoCloud status (#1776)
  + analyze: use init-local as start of boot record (#1767) [Chris Patterson]
  + docs: use opensuse for distro name in package doc (#1771)
  + doc: clarify packages as dev only (#1769) [Alberto Contreras]
  + Distro manage service: Improve BSD support (#1758)
    [Mina Galić] (LP: #1990070)
  + testing: check logs for critical errors (#1765) [Chris Patterson]
  + cc_ubuntu_advantage: Handle already attached on Pro [Alberto Contreras]
  + doc: Add configuration explanation (SC-1169)
  + Fix Oracle DS primary interface when using IMDS (#1757) (LP: #1989686)
  + style: prefer absolute imports over relative imports [Mina Galić]
  + tests: Fix ip log during instance destruction (#1755) [Alberto Contreras]
  + cc_ubuntu_advantage: add ua_config in auto-attach [Alberto Contreras]
  + apt configure: sources write/append mode (#1738)
    [Fabian Lichtenegger-Lukas]
  + networkd: Add test and improve typing. (#1747) [Alberto Contreras]
  + pycloudlib: bump commit for gce cpu architecture support (#1750)
  + commit ffcb29bc8315d1e1d6244eeb1cbd8095958f7bad (LP: #1307667)
  + testing: workaround LXD vendor data (#1740)
  + support dhcp{4,6}-overrides in networkd renderer (#1710) [Aidan Obley]
  + tests: Drop httpretty in favor of responses (#1720) [Alberto Contreras]
  + cc_ubuntu_advantage: Implement custom auto-attach behaviors (#1583)
    [Alberto Contreras]
  + Fix Oracle DS not setting subnet when using IMDS (#1735) (LP: #1989686)
  + testing: focal lxd datasource discovery (#1734)
  + cc_ubuntu_advantage: Redact token from logs (#1726) [Alberto Contreras]
  + docs: make sure echo properly evaluates the string (#1733) [Mina Galić]
  + net: set dhclient lease and pid files (#1715)
  + cli: status machine-readable output --format yaml/json (#1663)
    (LP: #1883122)
  + tests: Simplify does_not_raise (#1731) [Alberto Contreras]
  + Refactor: Drop inheritance from object (#1728) [Alberto Contreras]
  + testing: LXD datasource now supported on Focal (#1732)
  + Allow jinja templating in /etc/cloud (SC-1170) (#1722) (LP: #1913461)
  + sources/azure: ensure instance id is always correct (#1727)
    [Chris Patterson]
  + azure: define new attribute for pre-22.3 pickles (#1725)
  + doc: main page Diátaxis rewording (SC-967) (#1701)
  + ubuntu advantage: improved idempotency, enable list is now strict
  + [Fabian Lichtenegger-Lukas]
  + test: bump pycloudlib (#1724) [Alberto Contreras]
  + cloud.cfg.tmpl: make sure "centos" settings are identical to "rhel"
    (#1639) [Emanuele Giuseppe Esposito]
  + lxd: fetch 1.0/devices content (#1712) [Alberto Contreras]
  + Update docs according to ad8f406a (#1719)
  + testing: Port unittests/analyze to pytest (#1708) [Alberto Contreras]
  + doc: Fix rtd builds. (#1718) [Alberto Contreras]
  + testing: fully mock noexec calls (#1717) [Alberto Contreras]
  + typing: Add types to cc_<module>.handle (#1700) [Alberto Contreras]
  + Identify 3DS Outscale Datasource as Ec2 (#1686) [Maxime Dufour]
  + config: enable bootstrapping pip in ansible (#1707)
  + Fix cc_chef typing issue (#1716)
  + Refactor instance json files to use Paths (SC-1238) (#1709)
  + tools: read-version check GITHUB_REF and git branch --show-current
    (#1677)
  + net: Ensure a tmp with exec permissions for dhcp (#1690)
    [Alberto Contreras] (LP: #1962343)
  + testing: Fix test regression in test_combined (#1713) [Alberto Contreras]
  + Identify Huawei Cloud as OpenStack (#1689) [huang xinjie]
  + doc: add reporting suggestion to FAQ (SC-1236) (#1698)
  From 22.3
  + sources: obj.pkl cache should be written anyime get_data is run (#1669)
  + schema: drop release number from version file (#1664)
  + pycloudlib: bump to quiet azure HTTP info logs (#1668)
  + test: fix wireguard integration tests (#1666)
  + Github is deprecating the 18.04 runner starting 12.1 (#1665)
  + integration tests: Ensure one setup for all tests (#1661)
  + tests: ansible test fixes (#1660)
  + Prevent concurrency issue in test_webhook_hander.py (#1658)
  + Workaround net_setup_link race with udev (#1655) (LP: #1983516)
  + test: drop erroneous lxd assertion, verify command succeeded (#1657)
  + Fix Chrony usage on Centos Stream (#1648) [Sven Haardiek] (LP: #1885952)
  + sources/azure: handle network unreachable errors for savable PPS (#1642)
    [Chris Patterson]
  + Return cc_set_hostname to PER_INSTANCE frequency (#1651) (LP: #1983811)
  + test: Collect integration test time by default (#1638)
  + test: Drop forced package install hack in lxd integration test (#1649)
  + schema: Resolve user-data if --system given (#1644)
    [Alberto Contreras] (LP: #1983306)
  + test: use fake filesystem to avoid file removal (#1647)
    [Alberto Contreras]
  + tox: Fix tip-flake8 and tip-mypy (#1635) [Alberto Contreras]
  + config: Add wireguard config module (#1570) [Fabian Lichtenegger-Lukas]
  + tests: can run without azure-cli, tests expect inactive ansible (#1643)
  + typing: Type UrlResponse.contents (#1633) [Alberto Contreras]
  + testing: fix references to `DEPRECATED.` (#1641) [Alberto Contreras]
  + ssh_util: Handle sshd_config.d folder [Alberto Contreras] (LP: #1968873)
  + schema: Enable deprecations in cc_update_etc_hosts (#1631)
    [Alberto Contreras]
  + Add Ansible Config Module (#1579)
  + util: Support Idle process state in get_proc_ppid() (#1637)
  + schema: Enable deprecations in cc_growpart (#1628) [Alberto Contreras]
  + schema: Enable deprecations in cc_users_groups (#1627)
    [Alberto Contreras]
  + util: Fix error path and parsing in get_proc_ppid()
  + main: avoid downloading full contents cmdline urls (#1606)
    [Alberto Contreras] (LP: #1937319)
  + schema: Enable deprecations in cc_scripts_vendor (#1629)
    [Alberto Contreras]
  + schema: Enable deprecations in cc_set_passwords (#1630)
    [Alberto Contreras]
  + sources/azure: add experimental support for preprovisioned os disks
    (#1622) [Chris Patterson]
  + Remove configobj a_to_u calls (#1632) [Stefano Rivera]
  + cc_debug: Drop this module (#1614) [Alberto Contreras]
  + schema: add aggregate descriptions in anyOf/oneOf (#1636)
  + testing: migrate test_sshutil to pytest (#1617) [Alberto Contreras]
  + testing: Fix test_ca_certs integration test (#1626) [Alberto Contreras]
  + testing: add support for pycloudlib's pro images (#1604)
    [Alberto Contreras]
  + testing: migrate test_cc_set_passwords to pytest (#1615)
    [Alberto Contreras]
  + network: add system_info network activator cloud.cfg overrides (#1619)
    (LP: #1958377)
  + docs: Align git remotes with uss-tableflip setup (#1624)
    [Alberto Contreras]
  + testing: cover active config module checks (#1609) [Alberto Contreras]
  + lxd: lvm avoid thinpool when kernel module absent
  + lxd: enable MTU configuration in cloud-init
  + doc: pin doc8 to last passing version
  + cc_set_passwords fixes (#1590)
  + Modernise importer.py and type ModuleDetails (#1605) [Alberto Contreras]
  + config: Def activate_by_schema_keys for t-z (#1613) [Alberto Contreras]
  + config: define activate_by_schema_keys for p-r mods (#1611)
    [Alberto Contreras]
  + clean: add param to remove /etc/machine-id for golden image creation
  + config: define `activate_by_schema_keys` for a-f mods (#1608)
    [Alberto Contreras]
  + config: define activate_by_schema_keys for s mods (#1612)
    [Alberto Contreras]
  + sources/azure: reorganize tests for network config (#1586)
  + [Chris Patterson]
  + config: Define activate_by_schema_keys for g-n mods (#1610)
    [Alberto Contreras]
  + meta-schema: add infra to skip inapplicable modules [Alberto Contreras]
  + sources/azure: don't set cfg["password"] for default user pw (#1592)
    [Chris Patterson]
  + schema: activate grub-dpkg deprecations (#1600) [Alberto Contreras]
  + docs: clarify user password purposes (#1593)
  + cc_lxd: Add btrfs and lvm lxd storage options (SC-1026) (#1585)
  + archlinux: Fix distro naming[1] (#1601) [Kristian Klausen]
  + cc_ubuntu_autoinstall: support live-installer autoinstall config
  + clean: allow third party cleanup scripts in /etc/cloud/clean.d (#1581)
  + sources/azure: refactor chassis asset tag handling (#1574)
    [Chris Patterson]
  + Add "netcho" as contributor (#1591) [Kaloyan Kotlarski]
  + testing: drop impish support (#1596) [Alberto Contreras]
  + black: fix missed formatting issue which landed in main (#1594)
  + bsd: Don't assume that root user is in root group (#1587)
  + docs: Fix comment typo regarding use of packages (#1582)
    [Peter Mescalchin]
  + Update govc command in VMWare walkthrough (#1576) [manioo8]
  + Update .github-cla-signers (#1588) [Daniel Mullins]
  + Rename the openmandriva user to omv (#1575) [Bernhard Rosenkraenzer]
  + sources/azure: increase read-timeout to 60 seconds for wireserver
    (#1571) [Chris Patterson]
  + Resource leak cleanup (#1556)
  + testing: remove appereances of FakeCloud (#1584) [Alberto Contreras]
  + Fix expire passwords for hashed passwords (#1577)
    [Sadegh Hayeri] (LP: #1979065)
  + mounts: fix suggested_swapsize for > 64GB hosts (#1569) [Steven Stallion]
  + Update chpasswd schema to deprecate password parsing (#1517)
  + tox: Remove entries from default envlist (#1578) (LP: #1980854)
  + tests: add test for parsing static dns for existing devices (#1557)
    [Jonas Konrad]
  + testing: port cc_ubuntu_advantage test to pytest (#1559)
    [Alberto Contreras]
  + Schema deprecation handling (#1549) [Alberto Contreras]
  + Enable pytest to run in parallel (#1568)
  + sources/azure: refactor ovf-env.xml parsing (#1550) [Chris Patterson]
  + schema: Force stricter validation (#1547)
  + ubuntu advantage config: http_proxy, https_proxy (#1512)
    [Fabian Lichtenegger-Lukas]
  + net: fix interface matching support (#1552) (LP: #1979877)
  + Fuzz testing jsonchema (#1499) [Alberto Contreras]
  + testing: Wait for changed boot-id in test_status.py (#1548)
  + CI: Fix GH pinned-format jobs (#1558) [Alberto Contreras]
  + Typo fix (#1560) [Jaime Hablutzel]
  + tests: mock dns lookup that causes long timeouts (#1555)
  + tox: add unpinned env for do_format and check_format (#1554)
  + cc_ssh_import_id: Substitute deprecated warn (#1553) [Alberto Contreras]
  + Remove schema errors from log (#1551) (LP: #1978422) (CVE-2022-2084)
  + Update WebHookHandler to run as background thread (SC-456) (#1491)
    (LP: #1910552)
  + testing: Don't run custom cloud dir test on Bionic (#1542)
  + bash completion: update schema command (#1543) (LP: #1979547)
  + CI: add non-blocking run against the linters tip versions (#1531)
    [Paride Legovini]
  + Change groups within the users schema to support lists and strings
    (#1545) [RedKrieg]
  + make it clear which username should go in the contributing doc (#1546)
  + Pin setuptools for Travis (SC-1136) (#1540)
  + Fix LXD datasource crawl when BOOT enabled (#1537)
  + testing: Fix wrong path in dual stack test (#1538)
  + cloud-config: honor cloud_dir setting (#1523)
    [Alberto Contreras] (LP: #1976564)
  + Add python3-debconf to pkg-deps.json Build-Depends (#1535)
    [Alberto Contreras]
  + redhat spec: udev/rules.d lives under /usr/lib on rhel-based systems
    (#1536)
  + tests/azure: add test coverage for DisableSshPasswordAuthentication
    (#1534) [Chris Patterson]
  + summary: Add david-caro to the cla signers (#1527) [David Caro]
  + Add support for OpenMandriva (https://openmandriva.org/) (#1520)
    [Bernhard Rosenkraenzer]
  + tests/azure: refactor ovf creation (#1533) [Chris Patterson]
  + Improve DataSourceOVF error reporting when script disabled (#1525) [rong]
  + tox: integration-tests-jenkins: softfail if only some test failed
    (#1528) [Paride Legovini]
  + CI: drop linters from Travis CI (moved to GH Actions) (#1530)
    [Paride Legovini]
  + sources/azure: remove unused encoding support for customdata (#1526)
    [Chris Patterson]
  + sources/azure: remove unused metadata captured when parsing ovf (#1524)
    [Chris Patterson]
  + sources/azure: remove dscfg parsing from ovf-env.xml (#1522)
    [Chris Patterson]
  + Remove extra space from ec2 dual stack crawl message (#1521)
  + tests/azure: use namespaces in generated ovf-env.xml documents (#1519)
    [Chris Patterson]
  + setup.py: adjust udev/rules default path (#1513)
    [Emanuele Giuseppe Esposito]
  + Add python3-deconf dependency (#1506) [Alberto Contreras]
  + Change match macadress param for network v2 config (#1518)
    [Henrique Caricatti Capozzi]
  + sources/azure: remove unused userdata property from ovf (#1516)
    [Chris Patterson]
  + sources/azure: minor refactoring to network config generation (#1497)
    [Chris Patterson]
  + net: Implement link-local ephemeral ipv6
  + Rename function to avoid confusion (#1501)
  + Fix cc_phone_home requiring 'tries' (#1500) (LP: #1977952)
  + datasources: replace networking functions with stdlib and cloudinit.net
  + code
  + Remove xenial references (#1472) [Alberto Contreras]
  + Oracle ds changes (#1474) [Alberto Contreras] (LP: #1967942)
  + improve runcmd docs (#1498)
  + add 3.11-dev to Travis CI (#1493)
  + Only run github actions on pull request (#1496)
  + Fix integration test client creation (#1494) [Alberto Contreras]
  + tox: add link checker environment, fix links (#1480)
  + cc_ubuntu_advantage: Fix doc (#1487) [Alberto Contreras]
  + cc_yum_add_repo: Fix repo id canonicalization (#1489)
    [Alberto Contreras] (LP: #1975818)
  + Add linitio as contributor in the project (#1488) [Kevin Allioli]
  + net-convert: use yaml.dump for debugging python NetworkState obj (#1484)
    (LP: #1975907)
  + test_schema: no relative $ref URLs, replace $ref with local path (#1486)
  + cc_set_hostname: do not write "localhost" when no hostname is given
  + (#1453) [Emanuele Giuseppe Esposito]
  + Update .github-cla-signers (#1478) [rong]
  + schema: write_files defaults, versions $ref full URL and add vscode
    (#1479)
  + docs: fix external links, add one more to the list (#1477)
  + doc: Document how to change module frequency (#1481)
  + tests: bump pycloudlib (#1482)
  + tests: bump pycloudlib pinned commit for kinetic Azure (#1476)
  + testing: fix test_status.py (#1475)
  + integration tests: If KEEP_INSTANCE = True, log IP (#1473)
  + Drop mypy excluded files (#1454) [Alberto Contreras]
  + Docs additions (#1470)
  + Add "formatting tests" to Github Actions
  + Remove unused arguments in function signature (#1471)
  + Changelog: correct errant classification of LP issues as GH (#1464)
  + Use Network-Manager and Netplan as default renderers for RHEL and Fedora
    (#1465) [Emanuele Giuseppe Esposito]
  From 22.2
  + Fix test due to caplog incompatibility (#1461) [Alberto Contreras]
  + Align rhel custom files with upstream (#1431)
    [Emanuele Giuseppe Esposito]
  + cc_write_files: Improve schema. (#1460) [Alberto Contreras]
  + cli: Redact files with permission errors in commands (#1440)
  + [Alberto Contreras] (LP: #1953430)
  + Improve cc_set_passwords. (#1456) [Alberto Contreras]
  + testing: make fake cloud-init wait actually wait (#1459)
  + Scaleway: Fix network configuration for netplan 0.102 and later (#1455)
    [Maxime Corbin]
  + Fix 'ephmeral' typos in disk names(#1452) [Mike Hucka]
  + schema: version schema-cloud-config-v1.json (#1424)
  + cc_modules: set default meta frequency value when no config available
    (#1457)
  + Log generic warning on non-systemd systems. (#1450) [Alberto Contreras]
  + cc_snap.maybe_install_squashfuse no longer needed in Bionic++. (#1448)
    [Alberto Contreras]
  + Drop support of *-sk keys in cc_ssh (#1451) [Alberto Contreras]
  + testing: Fix console_log tests (#1437)
  + tests: cc_set_passoword update for systemd, non-systemd distros  (#1449)
  + Fix bug in url_helper/dual_stack() logging (#1426)
  + schema: render schema paths from _CustomSafeLoaderWithMarks (#1391)
  + testing: Make integration tests kinetic friendly (#1441)
  + Handle error if SSH service no present. (#1422)
    [Alberto Contreras] (LP: #1969526)
  + Fix network-manager activator availability and order (#1438)
  + sources/azure: remove reprovisioning marker (#1414) [Chris Patterson]
  + upstart: drop vestigial support for upstart (#1421)
  + testing: Ensure NoCloud detected in test (#1439)
  + Update .github-cla-signers kallioli [Kevin Allioli]
  + Consistently strip top-level network key (#1417) (LP: #1906187)
  + testing: Fix LXD VM metadata test (#1430)
  + testing: Add NoCloud setup for NoCloud test (#1425)
  + Update linters and adapt code for compatibility (#1434) [Paride Legovini]
  + run-container: add support for LXD VMs (#1428) [Paride Legovini]
  + integration-reqs: bump pycloudlib pinned commit (#1427) [Paride Legovini]
  + Fix NoCloud docs (#1423)
  + Docs fixes (#1406)
  + docs: Add docs for module creation (#1415)
  + Remove cheetah from templater (#1416)
  + tests: verify_ordered_items fallback to re.escape if needed (#1420)
  + Misc module cleanup (#1418)
  + docs: Fix doc warnings and enable errors (#1419)
    [Alberto Contreras] (LP: #1876341)
  + Refactor cloudinit.sources.NetworkConfigSource to enum (#1413)
    [Alberto Contreras] (LP: #1874875)
  + Don't fail if IB and Ethernet devices 'collide' (#1411)
  + Use cc_* module meta defintion over hardcoded vars (SC-888) (#1385)
  + Fix cc_rsyslog.py initialization (#1404) [Alberto Contreras]
  + Promote cloud-init schema from devel to top level subcommand (#1402)
  + mypy: disable missing imports warning for httpretty (#1412)
    [Chris Patterson]
  + users: error when home should not be created AND ssh keys provided
    [Jeffrey 'jf' Lim]
  + Allow growpart to resize encrypted partitions (#1316)
  + Fix typo in integration_test.rst (#1405) [Alberto Contreras]
  + cloudinit.net refactor: apply_network_config_names (#1388)
    [Alberto Contreras] (LP: #1884602)
  + tests/azure: add fixtures for hardcoded paths (markers and data_dir)
    (#1399) [Chris Patterson]
  + testing: Add responses workaround for focal/impish (#1403)
  + cc_ssh_import_id: fix is_key_in_nested_dict to avoid early False
  + Fix ds-identify not detecting NoCloud seed in config (#1381)
    (LP: #1876375)
  + sources/azure: retry dhcp for failed processes (#1401) [Chris Patterson]
  + Move notes about refactorization out of CONTRIBUTING.rst (#1389)
  + Shave ~8ms off generator runtime (#1387)
  + Fix provisioning dhcp timeout to 20 minutes (#1394) [Chris Patterson]
  + schema: module example strict testing fix seed_random
  + cc_set_hostname: examples small typo (perserve vs preserve)
    [Wouter Schoot]
  + sources/azure: refactor http_with_retries to remove **kwargs (#1392)
    [Chris Patterson]
  + declare dependency on ssh-import-id (#1334)
  + drop references to old dependencies and old centos script
  + sources/azure: only wait for primary nic to be attached during restore
    (#1378) [Anh Vo]
  + cc_ntp: migrated legacy schema to cloud-init-schema.json (#1384)
  + Network functions refactor and bugfixes (#1383)
  + schema: add JSON defs for modules cc_users_groups (#1379)
    (LP: #1858930)
  + Fix doc typo (#1382) [Alberto Contreras]
  + Add support for dual stack IPv6/IPv4 IMDS to Ec2 (#1160)
  + Fix KeyError when rendering sysconfig IPv6 routes (#1380) (LP: #1958506)
  + Return a namedtuple from subp() (#1376)
  + Mypy stubs and other tox maintenance (SC-920) (#1374)
  + Distro Compatibility Fixes (#1375)
  + Pull in Gentoo patches (#1372)
  + schema: add json defs for modules U-Z (#1360)
    (LP: #1858928, #1858929, #1858931, #1858932)
  + util: atomically update sym links to avoid Suppress FileNotFoundError
  + when reading status (#1298) [Adam Collard] (LP: #1962150)
  + schema: add json defs for modules scripts-timezone (SC-801) (#1365)
  + docs: Add first tutorial (SC-900) (#1368)
  + BUG 1473527: module ssh-authkey-fingerprints fails Input/output error…
    (#1340) [Andrew Lee] (LP: #1473527)
  + add arch hosts template (#1371)
  + ds-identify: detect LXD for VMs launched from host with > 5.10 kernel
    (#1370) (LP: #1968085)
  + Support EC2 tags in instance metadata (#1309) [Eduardo Dobay]
  + schema: add json defs for modules e-install (SC-651) (#1366)
  + Improve "(no_create_home|system): true" test (#1367) [Jeffrey 'jf' Lim]
  + Expose https_proxy env variable to ssh-import-id cmd (#1333)
    [Michael Rommel]
  + sources/azure: remove bind/unbind logic for hot attached nic (#1332)
    [Chris Patterson]
  + tox: add types-* packages to check_format env (#1362)
  + tests: python 3.10 is showing up in cloudimages (#1364)
  + testing: add additional mocks to test_net tests (#1356) [yangzz-97]
  + schema: add JSON schema for mcollective, migrator and mounts modules
    (#1358)
  + Honor system locale for RHEL (#1355) [Wei Shi]
  + doc: Fix typo in cloud-config-run-cmds.txt example (#1359) [Ali Shirvani]
  + ds-identify: also discover LXD by presence from DMI board_name = LXD
    (#1311)
  + black: bump pinned version to 22.3.0 to avoid click dependency issues
    (#1357)
  + Various doc fixes (#1330)
  + testing: Add missing is_FreeBSD mock to networking test (#1353)
  + Add --no-update to add-apt-repostory call (SC-880) (#1337)
  + schema: add json defs for modules K-L (#1321)
    (LP: #1858899, #1858900, #1858901, #1858902)
  + docs: Re-order readthedocs install (#1354)
  + Stop cc_ssh_authkey_fingerprints from ALWAYS creating home (#1343)
    [Jeffrey 'jf' Lim]
  + docs: add jinja2 pin (#1352)
  + Vultr: Use find_candidate_nics, use ipv6 dns (#1344) [eb3095]
  + sources/azure: move get_ip_from_lease_value out of shim (#1324)
    [Chris Patterson]
  + Fix cloud-init status --wait when no datasource found (#1349)
    (LP: #1966085)
  + schema: add JSON defs for modules resize-salt (SC-654) (#1341)
  + Add myself as a future contributor (#1345) [Neal Gompa (ニール・ゴンパ)]
  + Update .github-cla-signers (#1342) [Jeffrey 'jf' Lim]
  + add Requires=cloud-init-hotplugd.socket in cloud-init-hotplugd.service
  + file (#1335) [yangzz-97]
  + Fix sysconfig render when set-name is missing (#1327)
    [Andrew Kutz] (LP: #1855945)
  + Refactoring helper funcs out of NetworkState (#1336) [Andrew Kutz]
  + url_helper: add tuple support for readurl timeout (#1328)
    [Chris Patterson]
  + Make fs labels match for ds-identify and docs (#1329)
  + Work around bug in LXD VM detection (#1325)
  + Remove redundant generator logs (#1318)
  + tox: set verbose flags for integration tests (#1323) [Chris Patterson]
  + net: introduce find_candidate_nics() (#1313) [Chris Patterson]
  + Revert "Ensure system_cfg read before ds net config on Oracle (#1174)"
    (#1326)
  + Add vendor_data2 support for ConfigDrive source (#1307) [cvstealth]
  + Make VMWare data source test host independent and expand testing (#1308)
    [Robert Schweikert]
  + Add json schemas for modules starting with P
  + sources/azure: remove lease file parsing (#1302) [Chris Patterson]
  + remove flaky test from ci (#1322)
  + ci: Switch to python 3.10 in Travis CI (#1320)
  + Better interface handling for Vultr, expect unexpected DHCP servers
    (#1297) [eb3095]
  + Remove unused init local artifact (#1315)
  + Doc cleanups (#1317)
  + docs improvements (#1312)
  + add support for jinja do statements, add unit test (#1314)
    [Paul Bruno] (LP: #1962759)
  + sources/azure: prevent tight loops for DHCP retries (#1285)
    [Chris Patterson]
  + net/dhcp: surface type of DHCP lease failure to caller (#1276)
    [Chris Patterson]
  + Stop hardcoding systemctl location (#1278) [Robert Schweikert]
  + Remove python2 syntax from docs (#1310)
  + [tools/migrate-lp-user-to-github] Rename master branch to main (#1301)
    [Adam Collard]
  + redhat: Depend on "hostname" package (#1288) [Lubomir Rintel]
  + Add native NetworkManager support (#1224) [Lubomir Rintel]
  + Fix link in CLA check to point to contribution guide. (#1299)
    [Adam Collard]
  + check for existing symlink while force creating symlink (#1281)
    [Shreenidhi Shedi]
  + Do not silently ignore integer uid (#1280) (LP: #1875772)
  + tests: create a IPv4/IPv6 VPC in Ec2 integration tests (#1291)
  + Integration test fix ppa  (#1296)
  + tests: on official EC2. cloud-id actually startswith aws not ec2 (#1289)
  + test_ppa_source: accept both http and https URLs (#1292)
    [Paride Legovini]
  + Fix apt test on azure
  + add "lkundrak" as contributor [Lubomir Rintel]
  + Holmanb/integration test fix ppa (#1287)
  + Include missing subcommand in manpage (#1279)
  + Clean up artifacts from pytest, packaging, release with make clean
    (#1277)
  + sources/azure: ensure retries on IMDS request failure (#1271)
    [Chris Patterson]
  + sources/azure: removed unused savable PPS paths (#1268) [Chris Patterson]
  + integration tests: fix Azure failures (#1269)
  From 22.1
  + sources/azure: report ready in local phase (#1265) [Chris Patterson]
  + sources/azure: validate IMDS network configuration metadata (#1257)
    [Chris Patterson]
  + docs: Add more details to runcmd docs (#1266)
  + use PEP 589 syntax for TypeDict (#1253)
  + mypy: introduce type checking (#1254) [Chris Patterson]
  + Fix extra ipv6 issues, code reduction and simplification (#1243) [eb3095]
  + tests: when generating crypted password, generate in target env (#1252)
  + sources/azure: address mypy/pyright typing complaints (#1245)
    [Chris Patterson]
  + Docs for x-shellscript* userdata (#1260)
  + test_apt_security: azure platform has specific security URL overrides
    (#1263)
  + tests: lsblk --json output changes mountpoint key to mountpoinst []
    (#1261)
  + mounts: fix mount opts string for ephemeral disk (#1250)
    [Chris Patterson]
  + Shell script handlers by freq (#1166) [Chris Lalos]
  + minor improvements to documentation (#1259) [Mark Esler]
  + cloud-id: publish /run/cloud-init/cloud-id-<cloud-type> files (#1244)
  + add "eslerm" as contributor (#1258) [Mark Esler]
  + sources/azure: refactor ssh key handling (#1248) [Chris Patterson]
  + bump pycloudlib (#1256)
  + sources/hetzner: Use EphemeralDHCPv4 instead of static configuration
    (#1251) [Markus Schade]
  + bump pycloudlib version (#1255)
  + Fix IPv6 netmask format for sysconfig (#1215) [Harald] (LP: #1959148)
  + sources/azure: drop debug print (#1249) [Chris Patterson]
  + tests: do not check instance.pull_file().ok() (#1246)
  + sources/azure: consolidate ephemeral DHCP configuration (#1229)
    [Chris Patterson]
  + cc_salt_minion freebsd fix for rc.conf (#1236)
  + sources/azure: fix metadata check in _check_if_nic_is_primary() (#1232)
    [Chris Patterson]
  + Add _netdev option to mount Azure ephemeral disk (#1213) [Eduardo Otubo]
  + testing: stop universally overwriting /etc/cloud/cloud.cfg.d (#1237)
  + Integration test changes (#1240)
  + Fix Gentoo Locales (#1205)
  + Add "slingamn" as contributor (#1235) [Shivaram Lingamneni]
  + integration: do not LXD bind mount /etc/cloud/cloud.cfg.d (#1234)
  + Integration testing docs and refactor (#1231)
  + vultr: Return metadata immediately when found (#1233) [eb3095]
  + spell check docs with spellintian (#1223)
  + docs: include upstream python version info (#1230)
  + Schema a d (#1211)
  + Move LXD to end ds-identify DSLIST (#1228) (LP: #1959118)
  + fix parallel tox execution (#1214)
  + sources/azure: refactor _report_ready_if_needed and _poll_imds (#1222)
    [Chris Patterson]
  + Do not support setting up archive.canonical.com as a source (#1219)
    [Steve Langasek] (LP: #1959343)
  + Vultr: Fix lo being used for DHCP, try next on cmd fail (#1208) [eb3095]
  + sources/azure: refactor _should_reprovision[_after_nic_attach]() logic
    (#1206) [Chris Patterson]
  + update ssh logs to show ssh private key gens pub and simplify code
    (#1221) [Steve Weber]
  + Remove mitechie from stale PR github action (#1217)
  + Include POST format in cc_phone_home docs (#1218) (LP: #1959149)
  + Add json parsing of ip addr show (SC-723) (#1210)
  + cc_rsyslog: fix typo in docstring (#1207) [Louis Sautier]
  + Update .github-cla-signers (#1204) [Chris Lalos]
  + sources/azure: drop unused case in _report_failure() (#1200)
    [Chris Patterson]
  + sources/azure: always initialize _ephemeral_dhcp_ctx on unpickle (#1199)
    [Chris Patterson]
  + Add support for gentoo templates and cloud.cfg (#1179) [vteratipally]
  + sources/azure: unpack ret tuple in crawl_metadata() (#1194)
    [Chris Patterson]
  + tests: focal caplog has whitespace indentation for multi-line logs
    (#1201)
  + Seek interfaces, skip dummy interface, fix region codes (#1192) [eb3095]
  + integration: test against the Ubuntu daily images (#1198)
    [Paride Legovini]
  + cmd: status and cloud-id avoid change in behavior for 'not run' (#1197)
  + tox: pass PYCLOUDLIB_* env vars into integration tests when present
    (#1196)
  + sources/azure: set ovf_is_accessible when OVF is read successfully
    (#1193) [Chris Patterson]
  + Enable OVF environment transport via ISO in example (#1195) [Megian]
  + sources/azure: consolidate DHCP variants to EphemeralDHCPv4WithReporting
    (#1190) [Chris Patterson]
  + Single JSON schema validation in early boot (#1175)
  + Add DatasourceOVF network-config propery to Ubuntu OVF example (#1184)
    [Megian]
  + testing: support pycloudlib config file (#1189)
  + Ensure system_cfg read before ds net config on Oracle (SC-720) (#1174)
    (LP: #1956788)
  + Test Optimization Proposal (SC-736) (#1188)
  + cli: cloud-id report not-run or disabled state as cloud-id (#1162)
  + Remove distutils usage (#1177) [Shreenidhi Shedi]
  + add .python-version to gitignore (#1186)
  + print error if datasource import fails (#1170)
    [Emanuele Giuseppe Esposito]
  + Add new config module to set keyboard layout (#1176)
    [maxnet] (LP: #1951593)
  + sources/azure: rename metadata_type -> MetadataType (#1181)
    [Chris Patterson]
  + Remove 3.5 and xenial support (SC-711) (#1167)
  + tests: mock LXD datasource detection in ds-identify on LXD containers
    (#1178)
  + pylint: silence errors on compat code for old jsonschema (#1172)
    [Paride Legovini]
  + testing: Add 3.10 Test Coverage (#1173)
  + Remove unittests from integration test job in travis (#1141)
  + Don't throw exceptions for empty cloud config (#1130)
  + bsd/resolv.d/ avoid duplicated entries (#1163) [Gonéri Le Bouder]
  + sources/azure: do not persist failed_desired_api_version flag (#1159)
    [Chris Patterson]
  + Update cc_ubuntu_advantage calls to assume-yes (#1158)
    [John Chittum] (LP: #1954842)
  + openbsd: properly restart the network on 7.0 (#1150) [Gonéri Le Bouder]
  + Add .git-blame-ignore-revs (#1161)
  + Adopt Black and isort (SC-700) (#1157)
  + Include dpkg frontend lock in APT_LOCK_FILES (#1153)
  + tests/cmd/query: fix test run as root and add coverage for defaults
    (#1156) [Chris Patterson] (LP: #1825027)
  + Schema processing changes (SC-676) (#1144)
  + Add dependency workaround for impish in bddeb (#1148)
  + netbsd: install new dep packages (#1151) [Gonéri Le Bouder]
  + find_devs_with_openbsd: ensure we return the last entry (#1149)
    [Gonéri Le Bouder]
  + sources/azure: remove unnecessary hostname bounce (#1143)
    [Chris Patterson]
  + find_devs/openbsd: accept ISO on disk (#1132)
    [Gonéri Le Bouder]
  + Improve error log message when mount failed (#1140) [Ksenija Stanojevic]
  + add KsenijaS as a contributor (#1145) [Ksenija Stanojevic]
  + travis - don't run integration tests if no deb (#1139)
  + factor out function for getting top level directory of cloudinit (#1136)
  + testing: Add deterministic test id (#1138)
  + mock sleep() in azure test (#1137)
  + Add miraclelinux support (#1128) [Haruki TSURUMOTO]
  + docs: Make MACs lowercase in network config (#1135) (LP: #1876941)
  + Add Strict Metaschema Validation (#1101)
  + update dead link (#1133)
  + cloudinit/net: handle two different routes for the same ip (#1124)
    [Emanuele Giuseppe Esposito]
  + docs: pin mistune dependency (#1134)
  + Reorganize unit test locations under tests/unittests (#1126)
  + Fix exception when no activator found (#1129) (LP: #1948681)
  + jinja: provide and document jinja-safe key aliases in instance-data
    (SC-622) (#1123)
  + testing: Remove date from final_message test (SC-638) (#1127)
  + Move GCE metadata fetch to init-local (SC-502) (#1122)
  + Fix missing metadata routes for vultr (#1125) [eb3095]
  + cc_ssh_authkey_fingerprints.py: prevent duplicate messages on console
    (#1081) [dermotbradley]
  + sources/azure: remove unused remnants related to agent command (#1119)
    [Chris Patterson]
  + github: update PR template's contributing URL (#1120) [Chris Patterson]
  + docs: Rename HACKING.rst to CONTRIBUTING.rst (#1118)
  + testing: monkeypatch system_info call in unit tests (SC-533) (#1117)
  + Fix Vultr timeout and wait values (#1113) [eb3095]
  + lxd: add preference for LXD cloud-init.* config keys over user keys
    (#1108)
  + VMware: source /etc/network/interfaces.d/* on Debian
    [chengcheng-chcheng] (LP: #1950136)
  + Add cjp256 as contributor (#1109) [Chris Patterson]
  + integration_tests: Ensure log directory exists before symlinking to it
    (#1110)
  + testing: add growpart integration test (#1104)
  + integration_test: Speed up CI run time (#1111)
  + Some miscellaneous integration test fixes (SC-606) (#1103)
  + tests: specialize lxd_discovery test for lxd_vm vendordata (#1106)
  + Add convenience symlink to integration test output (#1105)
  + Fix for set-name bug in networkd renderer (#1100)
    [Andrew Kutz] (LP: #1949407)
  + Wait for apt lock (#1034) (LP: #1944611)
  + testing: stop chef test from running on openstack (#1102)
  + alpine.py: add options to the apk upgrade command (#1089) [dermotbradley]
cloud-netconfig
- Update to version 1.8:
  + Fix Azure metadata check (bsc#1214715)
  + Fix cleanup on ifdown

- Update to version 1.7:
  + Overhaul policy routing setup (issue #19)
  + Support alias IPv4 ranges (issue #14)
  + Add support for NetworkManager (bsc#1204549)
  + Remove dependency on netconfig
  + Install into libexec directory
  + Clear stale ifcfg files for accelerated NICs (bsc#1199853)
  + More debug messages
  + Documentation update

- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in
  Tumbleweed, update path (poo#116221)
cloud-regionsrv-client
- Update to version 10.1.3 (bsc#1214801)
  + Add a warning if we detect a Python package cert bundle for certifi
    This will help with debugging and point to potential issues when
    using SUSE images in AWS, Azure, and GCE

- Update to version 10.1.2 (bsc#1211282)
  + Properly handle Ipv6 when checking update server responsiveness. If not
    available fall back and use IPv4 information
  + Use systemd_ordered to allow use in a container without pulling systemd
    into the container as a requirement

- Update to version 10.1.1 (bsc#1210020, bsc#1210021)
  + Clean up the system if baseproduct registraion fails to leave the
    system in prestine state
  + Log when the registercloudguest command is invoked with --clean

- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
  - Removes a warning about system_token entry present in the credentials
  file.
  - Adds logrotate configuration for log rotation.

- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
  - Removes a warning about system_token entry present in the credentials
  file.
  - Adds logrotate configuration for log rotation.

- Update to version 10.0.8 (bsc#1206428)
  - Fix regression introduced by 10.0.7. When the hosts file was modified
    such that there is no empty line at the end of the file the content
    after removing the registration data does not match the content prior
    to registration. The update fixes the issue triggered by an index
    logic error.

- Guard dmidecode dependency (bsc#1206082)

- Update to version 10.0.7 (bsc#1191880, bsc#1195925, bsc#1195924)
  - Implement functionality to detect if an update server has a new cert.
    Import the new cert when it is detected.
  - Forward port fix-for-sles12-disable-ipv6.patch
- From 10.0.6 (bsc#1205089)
  - Credentials are equal when username and password are the same ignore
    other entries in the credentials file
  - Handle multiple zypper names in process table, zypper and Zypp-main
    to properly detect the running process

- Add patch to block IPv6 on SLE12 (bsc#1203382)
cluster-glue
- ibmhmc stonith needs to be aware of HMC version - ref:_00D1igLOd._5005qAMc5b:ref
  (bsc#1203635)
  * Add upstream patch:
    38.patch
kernel-default
- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- net: mana: Fix MANA VF unload when hardware is unresponsive
  (bsc#1214764).
- commit b006ee9

- Call flush_delayed_fput() from nfsd main-loop (bsc#1217408).
- commit f407bf4

- powerpc: Don't clobber f0/vs0 during fp|altivec register save
  (bsc#1217780).
- commit 96932d7

- netfilter: conntrack: dccp: copy entire header to stack buffer,
  not just basic one (CVE-2023-39197 bsc#1216976).
- commit 5e51ad1

- kernel-binary: suse-module-tools is also required when installed
  Requires(pre) adds dependency for the specific sciptlet.
  However, suse-module-tools also ships modprobe.d files which may be
  needed at posttrans time or any time the kernel is on the system for
  generating ramdisk. Add plain Requires as well.
- commit 8c12816

- net/tls: do not free tls_rec on async operation in
  bpf_exec_tx_verdict() (bsc#1217332 CVE-2023-6176).
- commit 20678d9

- ALSA: hda: Disable power-save on KONTRON SinglePC (bsc#1217140).
- commit ad1e507

- README.SUSE: fix patches.addon use
  It's series, not series.conf in there.
  And make it more precise on when the patches are applied.
- commit cb8969c

- Do not store build host name in initrd
  Without this patch, kernel-obs-build stored the build host name
  in its .build.initrd.kvm
  This patch allows for reproducible builds of kernel-obs-build and thus
  avoids re-publishing the kernel-obs-build.rpm when nothing changed.
  Note that this has no influence on the /etc/hosts file
  that is used during other OBS builds.
  https://bugzilla.opensuse.org/show_bug.cgi?id=1084909
- commit fd3a75e

- Ensure ia32_emulation is always enabled for kernel-obs-build
  If ia32_emulation is disabled by default, ensure it is enabled
  back for OBS kernel to allow building 32bit binaries (jsc#PED-3184)
  [ms: Always pass the parameter, no need to grep through the config which
  may not be very reliable]
- commit 56a2c2f

- kobject: Fix slab-out-of-bounds in fill_kobj_path() (bsc#1216058
  CVE-2023-45863).
- commit 1b6a097

- rpm: Define git commit as macro
- commit bcc92c8

- kernel-source: Move provides after sources
- commit dbbf742

- patches.suse/0003-btrfs-tree-checker-Refactor-prev_key-check-for-ino-i.patch:
  (bsc#1215371).
- commit 39aefaa

- patches.suse/0002-btrfs-tree-checker-Add-check-for-INODE_REF.patch:
  (bsc#1215371).
- commit d3fc74a

- patches.suse/0001-btrfs-tree-checker-Try-to-detect-missing-INODE_ITEM.patch:
  (bsc#1215371).
- commit b772e7a

- rpm/check-for-config-changes: add HAVE_SHADOW_CALL_STACK to IGNORED_CONFIGS_RE
  Not supported by our compiler.
- commit eb32b5a

- igb: set max size RX buffer when store bad packet is enabled
  (bsc#1216259 CVE-2023-45871).
- commit 9445d70

- drm/qxl: fix UAF on handle creation (CVE-2023-39198
  bsc#1216965).
- commit a0819bc

- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in
  HCIUARTGETPROTO (bsc#1210780 CVE-2023-31083).
- commit 7f7eb62

- perf/core: Fix potential NULL deref (bsc#1216584 CVE-2023-5717).
- commit dbf3f79

- perf: Disallow mis-matched inherited group reads (bsc#1216584 CVE-2023-5717).
  Implement KABI fix for above
- commit c397b9e

- rpm/check-for-config-changes: add AS_WRUSS to IGNORED_CONFIGS_RE
  Add AS_WRUSS as an IGNORED_CONFIGS_RE entry in check-for-config-changes
  to fix build on x86_32.
  There was a fix submitted to upstream but it was not accepted:
  https://lore.kernel.org/all/20231031140504.GCZUEJkMPXSrEDh3MA@fat_crate.local/
  So carry this in IGNORED_CONFIGS_RE instead.
- commit 7acca37

- Fix patches.suse/io_uring-used-cached-copies-of-sq-dropped-and-cq-ove.patch. (bsc#1214344)
  To protect itself against userspace corrupting the counter of io_uring
  dropped submission entries, the kernel relies on a cache of the counter
  instead of reading the counter directly.  But, the stable patch that was
  brought to SP3 implementing the this mechanism was done incorrectly, and
  let's the kernel read from the userspace value instead of the cache in
  one situation. This allows userspace to subvert the counter, hanging the
  application forever. Fix the backport to read from the cached value.
  5.3 stable is long dead, so there is nothing to fix upstream or in
  - stable.
- commit 2f88408

- nvme-fc: Prevent null pointer dereference in
  nvme_fc_io_getuuid() (bsc#1214842).
- commit b96c59b

- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
  bsc#1210778).
- commit cf2c572

- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- commit 3cd9fd7

- USB: ene_usb6250: Allocate enough memory for full object
  (bsc#1216051 CVE-2023-45862).
- commit 850ea88

- bpf: Fix incorrect verifier pruning due to missing register
  precision taints (bsc#1215518 CVE-2023-2163).
- commit 37a3998

- netfilter: nf_tables: skip bound chain on rule flush
  (CVE-2023-3777 bsc#1215095).
- commit 5558be6

- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
  xsa-441, cve-2023-34324).
- commit 4227b23

- KVM: x86: fix sending PV IPI (git-fixes, bsc#1210853,
  bsc#1216134).
- commit 8704b8e

- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
  CVE-2023-39189).
- commit c154d64

- btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() (bsc#1212051 CVE-2023-3111).
- commit 2048118

- doc/README.PATCH-POLICY.SUSE: Convert the document to Markdown
  (jsc#PED-5021)
- commit c05cfc9

- doc/README.SUSE: Convert the document to Markdown (jsc#PED-5021)
- commit bff5e3e

- Update
  patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
  (bsc#1211592 CVE-2023-2860).
- commit 267cf38

- net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194
  bsc#1215861).
- commit 1bf7dab

- netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193
  bsc#1215860).
- commit 6fc23b4

- netfilter: xt_u32: validate user space input (CVE-2023-39192
  bsc#1215858).
- commit 5f8a021

- ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754
  bsc#1215467).
- commit ecc7c7a

- btrfs: fix root ref counts in error handling in
  btrfs_get_root_ref (bsc#1214351 CVE-2023-4389).
- commit 14e72e8

- Revert rwsem backport (bsc#1207270 jsc#PED-4567)
  The rwsem backport enabled database software to run on largest VMs in
  Azure (M416v2, M832v2). It is reportedly no longer needed:
- Delete patches.suse/lockdep-Add-preemption-enabled-disabled-assertion-AP.patch.
- Delete patches.suse/locking-Add-missing-__sched-attributes.patch.
- Delete patches.suse/locking-Remove-rcu_read_-un-lock-for-preempt_-dis-en.patch.
- Delete patches.suse/locking-rwsem-Add-__always_inline-annotation-to-__do.patch.
- Delete patches.suse/locking-rwsem-Allow-slowpath-writer-to-ignore-handof.patch.
- Delete patches.suse/locking-rwsem-Always-try-to-wake-waiters-in-out_nolo.patch.
- Delete patches.suse/locking-rwsem-Better-collate-rwsem_read_trylock.patch.
- Delete patches.suse/locking-rwsem-Conditionally-wake-waiters-in-reader-w.patch.
- Delete patches.suse/locking-rwsem-Disable-preemption-for-spinning-region.patch.
- Delete patches.suse/locking-rwsem-Disable-preemption-in-all-down_read-an.patch.
- Delete patches.suse/locking-rwsem-Disable-preemption-in-all-down_write-a.patch.
- Delete patches.suse/locking-rwsem-Disable-preemption-while-trying-for-rw.patch.
- Delete patches.suse/locking-rwsem-Enable-reader-optimistic-lock-stealing.patch.
- Delete patches.suse/locking-rwsem-Fix-comment-typo.patch.
- Delete patches.suse/locking-rwsem-Fix-comments-about-reader-optimistic-l.patch.
- Delete patches.suse/locking-rwsem-Fold-__down_-read-write.patch.
- Delete patches.suse/locking-rwsem-Introduce-rwsem_write_trylock.patch.
- Delete patches.suse/locking-rwsem-Make-handoff-bit-handling-more-consist.patch.
- Delete patches.suse/locking-rwsem-No-need-to-check-for-handoff-bit-if-wa.patch.
- Delete patches.suse/locking-rwsem-Optimize-down_read_trylock-under-highl.patch.
- Delete patches.suse/locking-rwsem-Pass-the-current-atomic-count-to-rwsem.patch.
- Delete patches.suse/locking-rwsem-Prevent-non-first-waiter-from-spinning.patch.
- Delete patches.suse/locking-rwsem-Prevent-potential-lock-starvation.patch.
- Delete patches.suse/locking-rwsem-Remove-an-unused-parameter-of-rwsem_wa.patch.
- Delete patches.suse/locking-rwsem-Remove-reader-optimistic-spinning.patch.
- Delete patches.suse/rwsem-Implement-down_read_interruptible.patch.
- Delete patches.suse/rwsem-Implement-down_read_killable_nested.patch.
- blacklist.conf: add a rwsem patch that causes lockups
  Restore the patch disabling optimistic spinning for readers:
- locking/rwsem: Disable reader optimistic spinning (bnc#1176588).
  Add down_read_interruptible and down_read_killable_nested, which were
  exported symbols added by the patchset being reverted, to kabi/severities.
- commit ae06a1f

- doc/README.PATCH-POLICY.SUSE: Remove the list of links (jsc#PED-5021)
  All links have been incorporated into the text. Remove now unnecessary
  list at the end of the document.
- commit 43d62b1

- doc/README.SUSE: Adjust heading style (jsc#PED-5021)
  * Underscore all headings as a preparation for Markdown conversion.
  * Use title-style capitalization for the document name and
  sentence-style capitalization for section headings, as recommended in
  the current SUSE Documentation Style Guide.
- commit 11e3267

- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro
  for ip_set_hash_netportnet.c (CVE-2023-42753 bsc#1215150).
- commit c0f449e

- tcp: Reduce chance of collisions in inet6_hashfn()
  (CVE-2023-1206 bsc#1212703).
- commit fdc3ce8

- scsi: qedf: Add synchronization between I/O completions and
  abort (bsc#1210658).
- commit 9be81b4

- Refresh
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch.
- commit dc11875

- doc/README.PATCH-POLICY.SUSE: Reflow text to 80-column width
  (jsc#PED-5021)
- commit be0158c

- doc/README.PATCH-POLICY.SUSE: Update information about the tools
  (jsc#PED-5021)
  * Replace bugzilla.novell.com with bugzilla.suse.com and FATE with Jira.
  * Limit the range of commits in the exportpatch example to prevent it
  from running for too long.
  * Incorporate URLs directly into the text.
  * Fix typos and improve some wording, in particular avoid use of "there
  is/are" and prefer the present tense over the future one.
- commit c0bea0c

- doc/README.PATCH-POLICY.SUSE: Update information about the patch
  format (jsc#PED-5021)
  * Replace bugzilla.novell.com with bugzilla.suse.com and FATE with Jira.
  * Remove references to links to the patchtools and kernel source. They
  are incorporated in other parts of the text.
  * Use sentence-style capitalization for section headings, as recommended
  in the current SUSE Documentation Style Guide.
  * Fix typos and some wording, in particular avoid use of "there is/are".
- commit ce98345

- doc/README.PATCH-POLICY.SUSE: Update the summary and background
  (jsc#PED-5021)
  * Drop information about patches being split into directories per
  a subsystem because that is no longer the case.
  * Remove the mention that the expanded tree is present since SLE11-SP2
  as that is now only a historical detail.
  * Incorporate URLs and additional information in parenthenses directly
  into the text.
  * Fix typos and improve some wording.
- commit 640988f

- net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921
  bsc#1215275).
- commit b3e4331

- kernel-binary: Move build-time definitions together
  Move source list and build architecture to buildrequires to aid in
  future reorganization of the spec template.
- commit 30e2cef

- bnx2x: new flag for track HW resource allocation (bsc#1202845
  bsc#1215322).
- commit 9c9c729

- x86/srso: Fix srso_show_state() side effect (git-fixes).
- commit a76a23f

- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- commit 184fe4b

- x86/srso: Don't probe microcode in a guest (git-fixes).
- commit 1dd85db

- x86/srso: Set CPUID feature bits independently of bug or mitigation  status (git-fixes).
- commit 4dac766

- Update
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch.
  (bsc#1207036 CVE-2023-23454)
  Fold downstream fixup of caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12.
- commit bd0b138

- kernel-binary: python3 is needed for build
  At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18
  Other simimlar scripts may exist.
- commit c882efa

- netfilter: nft_set_pipapo: fix improper element removal
  (bsc#1213812 CVE-2023-4004).
- commit 593f458

- af_unix: Fix null-ptr-deref in unix_stream_sendpage()
  (CVE-2023-4622 bsc#1215117).
- commit bd1d942

- net/sched: sch_hfsc: Ensure inner classes have fsc curve
  (CVE-2023-4623 bsc#1215115).
- commit 0cd315e

- cec-api: prevent leaking memory through hole in structure
  (CVE-2020-36766 bsc#1215299).
- commit d226bc0

- doc/README.SUSE: Reflow text to 80-column width (jsc#PED-5021)
- commit e8f2c67

- doc/README.SUSE: Minor content clean up (jsc#PED-5021)
  * Mark the user's build directory as a variable, not a command:
  'make -C $(your_build_dir)' -> 'make -C $YOUR_BUILD_DIR'.
  * Unify how to get the current directory: 'M=$(pwd)' -> 'M=$PWD'.
  * 'GIT' / 'git' -> 'Git'.
- commit 1cb4ec8

- doc/README.SUSE: Update information about module paths
  (jsc#PED-5021)
  * Use version variables to describe names of the
  /lib/modules/$VERSION-$RELEASE-$FLAVOR/... directories
  instead of using specific example versions which get outdated quickly.
  * Note: Keep the /lib/modules/ prefix instead of using the new
  /usr/lib/modules/ location for now. The updated README is expected to
  be incorporated to various branches that are not yet usrmerged.
- commit 7eba2f0

- doc/README.SUSE: Update information about custom patches
  (jsc#PED-5021)
  * Replace mention of various patches.* directories with only
  patches.suse as the typical location for patches.
  * Replace i386 with x86_64 in the example how to define a config addon.
  * Fix some typos and wording.
- commit 2997d22

- x86/pkeys: Revert a5eff7259790 ("x86/pkeys: Add PKRU value to init_fpstate") (bsc#1215356).
- commit 012d8e6

- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
  to race condition (bsc#1215206, CVE-2023-1859).
- commit fe5b126

- doc/README.SUSE: Update information about config files
  (jsc#PED-5021)
  * Use version variables to describe a name of the /boot/config-... file
  instead of using specific example versions which get outdated quickly.
  * Replace removed silentoldconfig with oldconfig.
  * Mention that oldconfig can automatically pick a base config from
  "/boot/config-$(uname -r)".
  * Avoid writing additional details in parentheses, incorporate them
  instead properly in the text.
- commit cba5807

- sctp: leave the err path free in sctp_stream_init to
  sctp_stream_free (CVE-2023-2177 bsc#1210643).
- commit 2ef1e9d

- netfilter: nftables: exthdr: fix 4-byte stack OOB write
  (CVE-2023-4881 bsc#1215221).
- commit 780699b

- doc/README.SUSE: Update the patch selection section
  (jsc#PED-5021)
  * Make the steps how to obtain expanded kernel source more generic in
  regards to version numbers.
  * Use '#' instead of '$' as the command line indicator to signal that
  the steps need to be run as root.
  * Update the format of linux-$SRCVERSION.tar.bz2 to xz.
  * Improve some wording.
- commit e14852c

- doc/README.SUSE: Update information about (un)supported modules
  (jsc#PED-5021)
  * Update the list of taint flags. Convert it to a table that matches the
  upstream documentation format and describe specifically flags that are
  related to module support status.
  * Fix some typos and wording.
- commit e46f0df

- doc/README.SUSE: Bring information about compiling up to date
  (jsc#PED-5021)
  * When building the kernel, don't mention to initially change the
  current directory to /usr/src/linux because later description
  discourages it and specifies to use 'make -C /usr/src/linux'.
  * Avoid writing additional details in parentheses, incorporate them
  instead properly in the text.
  * Fix the obsolete name of /etc/modprobe.d/unsupported-modules ->
  /etc/modprobe.d/10-unsupported-modules.conf.
  * Drop a note that a newly built kernel should be added to the boot
  manager because that normally happens automatically when running
  'make install'.
  * Update a link to the Kernel Module Packages Manual.
  * When preparing a build for external modules, mention use of the
  upstream recommended 'make modules_prepare' instead of a pair of
  'make prepare' + 'make scripts'.
  * Fix some typos+grammar.
- commit b9b7e79

- doc/README.SUSE: Bring the overview section up to date
  (jsc#PED-5021)
  * Update information in the overview section that was no longer
  accurate.
  * Improve wording and fix some typos+grammar.
- commit 798c075

- doc/README.SUSE: Update the references list (jsc#PED-5021)
  * Remove the reference to Linux Documentation Project. It has been
  inactive for years and mostly contains old manuals that aren't
  relevant for contemporary systems and hardware.
  * Update the name and link to LWN.net. The original name "Linux Weekly
  News" has been deemphasized over time by its authors.
  * Update the link to Kernel newbies website.
  * Update the reference to The Linux Kernel Module Programming Guide. The
  document has not been updated for over a decade but it looks its
  content is still relevant for today.
  * Point Kernel Module Packages Manual to the current version.
  * Add a reference to SUSE SolidDriver Program.
- commit 0edac75

- doc/README.SUSE: Update title information (jsc#PED-5021)
  * Drop the mention of kernel versions from the readme title.
  * Remove information about the original authors of the document. Rely as
  in case of other readmes on Git metadata to get information about all
  contributions.
  * Strip the table of contents. The document is short and easy to
  navigate just by scrolling through it.
- commit 06f5139

- doc/README.SUSE: Update information about DUD (jsc#PED-5021)
  Remove a dead link to description of Device Update Disks found
  previously on novell.com. Replace it with a short section summarizing
  what DUD is and reference the mkdud + mksusecd tools and their
  documentation for more information.
- commit 7eeba4e

- Delete patches.suse/genksyms-add-override-flag.diff.
  The override flag is no longer used in kernel-binary.
- commit 79d5655

- rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1
  Genksyms has functionality to specify an override for each type in
  a symtypes reference file. This override is then used instead of an
  actual type and allows to preserve modversions (CRCs) of symbols that
  reference the type. It is kind of an alternative to doing kABI fix-ups
  with '#ifndef __GENKSYMS__'. The functionality is hidden behind the
  genksyms --preserve option which primarily tells the tool to strictly
  verify modversions against a given reference file or fail.
  Downstream patch patches.suse/genksyms-add-override-flag.diff which is
  present in various kernel-source branches separates the override logic.
  It allows it to be enabled with a new --override flag and used without
  specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec
  file is then a way how the build is told that --override should be
  passed to all invocations of genksyms. This was needed for SUSE kernels
  because their build doesn't use --preserve but instead resulting CRCs
  are later checked by scripts/kabi.pl.
  However, this override functionality was not utilized much in practice
  and the only use currently to be found is in SLE11-SP1-LTSS. It means
  that no one should miss this option and KBUILD_OVERRIDE=1 together with
  patches.suse/genksyms-add-override-flag.diff can be removed.
  Notes for maintainers merging this commit to their branches:
  * Downstream patch patches.suse/genksyms-add-override-flag.diff can be
  dropped after merging this commit.
  * Branch SLE11-SP1-LTSS uses the mentioned override functionality and
  this commit should not be merged to it, or needs to be reverted
  afterwards.
- commit 4aa02b8

- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
  (bsc#1214233 CVE-2023-40283).
- commit 11dc4cc

- Refresh patches.suse/powerpc-Move-DMA64_PROPNAME-define-to-a-header.patch.
- commit d263157

- x86/speculation: Mark all Skylake CPUs as vulnerable to GDS (git-fixes).
- commit a3ff58c

- drm/vmwgfx: Test shader type against SVGA3d_SHADERTYPE_MIN (bsc#1203517 CVE-2022-36402)
- commit 5b2dbae

- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
  CVE-2023-1192).
- commit 87f52bf

- powerpc/rtas: remove ibm_suspend_me_token (bsc#1023051).
- commit 4f01e57

- Do not add and remove genksyms ifdefs
- Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch.
- Refresh patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch.
- commit e497b88

- powerpc/rtas: move syscall filter setup into separate function
  (bsc#1023051).
- commit a36442d

- rpm/mkspec-dtb: support for nested subdirs
  Commit 724ba6751532 ("ARM: dts: Move .dts files to vendor
  sub-directories") moved the dts to nested subdirs, add a support for
  that. That is, generate a %dir entry in %files for them.
- commit 6484eda

- x86/speculation: Add cpu_show_gds() prototype (git-fixes).
- commit 5d94fff

- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- commit 5ab0096

- blacklist.conf: Blacklist redundant docu patch
- commit 1c6d737

- Sort recent hw security-related patches
  Move them to the sorted section and adjust patches accordingly.
- Refresh patches.suse/kvm-add-gds_no-support-to-kvm.patch.
- Refresh
  patches.suse/x86-speculation-add-force-option-to-gds-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-add-gather-data-sampling-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-add-kconfig-option-for-gds.patch.
- Refresh
  patches.suse/x86-srso-add-a-speculative-ras-overflow-mitigation.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 5c87dd7

- Input: cyttsp4_core - change del_timer_sync() to
  timer_shutdown_sync() (bsc#1213971 CVE-2023-4134).
- commit 3ffe891

- powerpc/rtas: block error injection when locked down
  (bsc#1023051).
  Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch
- commit 3bd253d

- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- commit 3251f7a

- powerpc: Move DMA64_PROPNAME define to a header (bsc#1214297
  ltc#197503).
- commit c36e5b8

- x86/CPU/AMD: Fix the DIV(0) initial fix attempt (bsc#1213927, CVE-2023-20588).
- commit 48fc5d8

- x86/CPU/AMD: Do not leak quotient data after a division by 0 (bsc#1213927, CVE-2023-20588).
- commit 5e5738e

- old-flavors: Drop 2.6 kernels.
  2.6 based kernels are EOL, upgrading from them is no longer suported.
- commit 7bb5087

- net: vmxnet3: fix possible NULL pointer dereference in
  vmxnet3_rq_cleanup() (bsc#1214451 CVE-2023-4459).
- commit 1ac9015

- net: nfc: Fix use-after-free caused by nfc_llcp_find_local
  (bsc#1213601 CVE-2023-3863).
- nfc: llcp: simplify llcp_sock_connect() error paths (bsc#1213601
  CVE-2023-3863).
- nfc: llcp: nullify llcp_sock->dev on connect() error paths
  (bsc#1213601 CVE-2023-3863).
- commit 9d4529d

- kabi/severities: Ignore newly added SRSO mitigation functions
- commit 95ed32f

- x86/srso: Correct the mitigation status when SMT is disabled (git-fixes).
- commit 309af7f

- x86/srso: Explain the untraining sequences a bit more (git-fixes).
- commit fa09ab7

- x86/cpu/kvm: Provide UNTRAIN_RET_VM (git-fixes).
- commit 5038558

- x86/cpu: Cleanup the untrain mess (git-fixes).
- commit eda7e6d

- x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (git-fixes).
- commit 6e5dea6

- xfrm: add NULL check in xfrm_update_ae_params (bsc#1213666
  CVE-2023-3772).
- commit fdc40c6

- x86/cpu: Rename original retbleed methods (git-fixes).
- commit 554babe

- x86/srso: Disable the mitigation on unaffected configurations (git-fixes).
- commit a99796e

- x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (git-fixes).
- commit 2b91cd9

- Update config files. Drop the dpt_i2o kernel module.
  For: jsc#PED-4579, CVE-2023-2007
- commit 6a43698

- fs: jfs: fix possible NULL pointer dereference in dbFree() (bsc#1214348 CVE-2023-4385).
- commit ee83171

- xfs: fix sb write verify for lazysbcount (bsc#1214275).
- commit 37c728c

- xfs: update superblock counters correctly for !lazysbcount
  (bsc#1214275).
- commit 2b6e01d

- xfs: gut error handling in xfs_trans_unreserve_and_mod_sb()
  (bsc#1214275).
- commit e55f7c6

- mkspec: Allow unsupported KMPs (bsc#1214386)
- commit 55d8b82

- pseries/iommu/ddw: Fix kdump to work in absence of
  ibm,dma-window (bsc#1214297 ltc#197503).
- commit ea499bc

- check-for-config-changes: ignore BUILTIN_RETURN_ADDRESS_STRIPS_PAC (bsc#1214380).
  gcc7 on SLE 15 does not support this while later gcc does.
- commit 5b41c27

- net: vmxnet3: fix possible use-after-free bugs in
  vmxnet3_rq_alloc_rx_buf() (bsc#1214350 CVE-2023-4387).
- commit 0fa208f

- e1000: Remove unnecessary use of kmap_atomic() (jsc#PED-5738).
- commit dfa3fd7

- intel/e1000:fix repeated words in comments (jsc#PED-5738).
- commit e5d93d0

- e1000: Fix typos in comments (jsc#PED-5738).
- commit 64fd6bc

- e1000: switch to napi_consume_skb() (jsc#PED-5738).
- commit 1ad8d9c

- intel: remove checker warning (jsc#PED-5738).
- commit c3ad152

- net: e1000: remove repeated words for e1000_hw.c (jsc#PED-5738).
- commit ace3bf9

- net: e1000: remove repeated word "slot" for e1000_main.c
  (jsc#PED-5738).
- commit cfd4849

- e1000: Fix fall-through warnings for Clang (jsc#PED-5738).
- commit 7817f78

- e1000: drop unneeded assignment in e1000_set_itr()
  (jsc#PED-5738).
- commit d2ba4db

- io_uring: Acquire completion_lock around io_get_deferred_req
  (bsc#1213272 CVE-2023-21400).
- commit 84db304

- kernel-binary: Common dependencies cleanup
  Common dependencies are copied to a subpackage, there is no need for
  copying defines or build dependencies there.
- commit 254b03c

- kernel-binary: Drop code for kerntypes support
  Kerntypes was a SUSE-specific feature dropped before SLE 12.
- commit 2c37773

- md/raid0: Fix performance regression for large sequential writes
  (bsc#1213916).
- md/raid0: Factor out helper for mapping and submitting a bio
  (bsc#1213916).
- commit b0544bd

- media: usb: siano: Fix warning due to null work_func_t function
  pointer (bsc#1213969 CVE-2023-4132).
- commit c44d7c3

- media: usb: siano: Fix use after free bugs caused by
  do_submit_urb (bsc#1213969 CVE-2023-4132).
- commit a27f430

- net/sched: cls_route: No longer copy tcf_result on update  to
  avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_fw: No longer copy tcf_result on update to
  avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_u32: No longer copy tcf_result on update  to
  avoid use-after-free (bsc#1214149 CVE-2023-4128).
- commit ea3bad4

- exfat: check if filename entries exceeds max filename length
  (bsc#1214120 CVE-2023-4273).
- commit d8c4244

- series.conf: resort
- commit b2ee92a

- netfilter: nf_tables: disallow rule addition to bound chain
  via NFTA_RULE_CHAIN_ID (CVE-2023-4147 bsc#1213968).
- commit 1258138

- cxgb4: fix use after free bugs caused by circular dependency
  problem (bsc#1213970 CVE-2023-4133).
- timers: Provide timer_shutdown[_sync]() (bsc#1213970).
- timers: Add shutdown mechanism to the internal functions
  (bsc#1213970).
- timers: Split [try_to_]del_timer[_sync]() to prepare for
  shutdown mode (bsc#1213970).
- timers: Silently ignore timers with a NULL function
  (bsc#1213970).
- timers: Rename del_timer() to timer_delete() (bsc#1213970).
- timers: Rename del_timer_sync() to timer_delete_sync()
  (bsc#1213970).
- timers: Use del_timer_sync() even on UP (bsc#1213970).
- timers: Update kernel-doc for various functions (bsc#1213970).
- timers: Replace BUG_ON()s (bsc#1213970).
- clocksource/drivers/sp804: Do not use timer namespace for
  timer_shutdown() function (bsc#1213970).
- clocksource/drivers/arm_arch_timer: Do not use timer namespace
  for timer_shutdown() function (bsc#1213970).
- ARM: spear: Do not use timer namespace for timer_shutdown()
  function (bsc#1213970).
- commit 6a1c404

- xen/netback: Fix buffer overrun triggered by unusual packet
  (CVE-2023-34319, XSA-432, bsc#1213546).
- commit 3617080

- x86/srso: Tie SBPB bit setting to microcode patch detection (bsc#1213287, CVE-2023-20569).
- commit 3f35ab4

- net: tun_chr_open(): set sk_uid from current_fsuid()
  (CVE-2023-4194 bsc#1214019).
- commit 25c979d

- net: tap_open(): set sk_uid from current_fsuid() (CVE-2023-4194
  bsc#1214019).
- commit b03d1d8

- x86/microcode/AMD: Make stub function static inline
  (bsc#1213868).
- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- commit f587833

- mm: Move mm_cachep initialization to mm_init() (bsc#1206418, CVE-2022-40982).
- commit 487512d

- bpf: add missing header file include (bsc#1211738
  CVE-2023-0459).
- commit 0e6ab49

- locking/rwsem: Add __always_inline annotation to
  __down_read_common() and inlined callers (bsc#1207270
  jsc#PED-4567).
- commit 9e46337

- locking/rwsem: Disable preemption in all down_write*() and
  up_write() code paths (bsc#1207270 jsc#PED-4567).
- commit e8b39d0

- locking/rwsem: Disable preemption in all down_read*() and
  up_read() code paths (bsc#1207270 jsc#PED-4567).
- commit f20a53f

- locking/rwsem: Prevent non-first waiter from spinning in
  down_write() slowpath (bsc#1207270 jsc#PED-4567).
- commit 9c40fdf

- locking/rwsem: Disable preemption while trying for rwsem lock
  (bsc#1207270 jsc#PED-4567).
- commit d6741e8

- locking/rwsem: Allow slowpath writer to ignore handoff bit if
  not set by first waiter (bsc#1207270 jsc#PED-4567).
- commit 22681e5

- locking/rwsem: Always try to wake waiters in out_nolock path
  (bsc#1207270 jsc#PED-4567).
- commit 2dd13e8

- locking/rwsem: Conditionally wake waiters in reader/writer
  slowpaths (bsc#1207270 jsc#PED-4567).
- commit c20a7d3

- locking/rwsem: No need to check for handoff bit if wait queue
  empty (bsc#1207270 jsc#PED-4567).
- commit 7d6a2e9

- locking: Add missing __sched attributes (bsc#1207270
  jsc#PED-4567).
- commit 0f7a2d1

- locking/rwsem: Optimize down_read_trylock() under highly
  contended case (bsc#1207270 jsc#PED-4567).
- commit 46658e6

- locking/rwsem: Make handoff bit handling more consistent
  (bsc#1207270 jsc#PED-4567).
- commit e47427d

- locking/rwsem: Fix comments about reader optimistic lock
  stealing conditions (bsc#1207270 jsc#PED-4567).
- commit 4a0d7cf

- locking: Remove rcu_read_{,un}lock() for preempt_{dis,en}able()
  (bsc#1207270 jsc#PED-4567).
- commit ee007db

- lockdep: Add preemption enabled/disabled assertion APIs
  (bsc#1207270 jsc#PED-4567).
- commit 1386d93

- locking/rwsem: Disable preemption for spinning region
  (bsc#1207270 jsc#PED-4567).
- commit 0fad749

- locking/rwsem: Remove an unused parameter of rwsem_wake()
  (bsc#1207270 jsc#PED-4567).
- commit b255b46

- locking/rwsem: Fix comment typo (bsc#1207270 jsc#PED-4567).
- commit 0ac673a

- locking/rwsem: Remove reader optimistic spinning (bsc#1207270
  jsc#PED-4567).
- commit 4b129c1

- locking/rwsem: Enable reader optimistic lock stealing
  (bsc#1207270 jsc#PED-4567).
- commit 7c0e82a

- locking/rwsem: Prevent potential lock starvation (bsc#1207270
  jsc#PED-4567).
- commit 00b076e

- locking/rwsem: Pass the current atomic count to
  rwsem_down_read_slowpath() (bsc#1207270 jsc#PED-4567).
- commit 1d2b5fa

- locking/rwsem: Fold __down_{read,write}*() (bsc#1207270
  jsc#PED-4567).
- commit fd0b8b5

- locking/rwsem: Introduce rwsem_write_trylock() (bsc#1207270
  jsc#PED-4567).
- commit daa9d5f

- locking/rwsem: Better collate rwsem_read_trylock() (bsc#1207270
  jsc#PED-4567).
- commit 23252c2

- rwsem: Implement down_read_interruptible (bsc#1207270
  jsc#PED-4567).
- commit 07e26fd

- rwsem: Implement down_read_killable_nested (bsc#1207270
  jsc#PED-4567).
- commit 42f4ca4

- locking/rwsem: Prepare for a rwsem backport
  The rwsem backport will enable the kernel to run on large VMs in Azure
  (M416v2, M832v2). The rwsem code is going to be updated with newest
  features one of which disables optimistic spinning for readers.
- blacklist.conf: Remove an entry that is part of the backported
  patch set.
- Delete
  patches.suse/locking-rwsem-Disable-reader-optimistic-spinning.patch.
- commit d354394

- ipv6: rpl: Fix Route of Death (CVE-2023-2156 bsc#1211131).
- commit 5601bfa

- x86/srso: Add IBPB on VMEXIT (bsc#1213287, CVE-2023-20569).
- commit f2c709c

- x86/srso: Add IBPB (bsc#1213287, CVE-2023-20569).
- commit ef6bc71

- x86/srso: Add SRSO_NO support (bsc#1213287, CVE-2023-20569).
- commit a905016

- x86/cpu, kvm: Add support for CPUID_80000021_EAX (bsc#1213287, CVE-2023-20569).
- Refresh patches.suse/x86-cpufeatures-add-kabi-padding.patch.
- commit f39cd8f

- x86/srso: Add IBPB_BRTYPE support (bsc#1213287, CVE-2023-20569).
- commit 5d6a6a0

- x86: Sanitize linker script (bsc#1213287, CVE-2023-20569).
- commit 8ff4f99

- x86/retbleed: Add __x86_return_thunk alignment checks (bsc#1213287, CVE-2023-20569).
- commit e623809

- x86/srso: Add a Speculative RAS Overflow mitigation (bsc#1213287, CVE-2023-20569).
- commit 707be59

- kernel-binary.spec.in: Remove superfluous %% in Supplements
  Fixes: 02b7735e0caf ("rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs")
- commit 264db74

- net/sched: sch_qfq: account for stab overhead in qfq_enqueue
  (CVE-2023-3611 bsc#1213585).
- net/sched: sch_qfq: refactor parsing of netlink parameters
  (bsc#1213585).
- blacklist follow-up commit 158810b261d0 ("net/sched: sch_qfq: reintroduce
  lmax bound check for MTU") as unlike the original upstream commit, our
  backport does not remove the check
- commit 609da2e

- net/sched: cls_u32: Fix reference counter leak leading to
  overflow (CVE-2023-3609 bsc#1213586).
- commit b22e9b9

- net/sched: cls_fw: Fix improper refcount update leads to
  use-after-free (CVE-2023-3776 bsc#1213588).
- commit b7fc513

- vc_screen: don't clobber return value in vcs_read (bsc#1213167
  CVE-2023-3567).
- vc_screen: modify vcs_size() handling in vcs_read() (bsc#1213167
  CVE-2023-3567).
- vc_screen: move load of struct vc_data pointer in vcs_read()
  to avoid UAF (bsc#1213167 CVE-2023-3567).
- commit da930b7

- block, bfq: Fix division by zero error on zero wsum
  (bsc#1213653).
- commit 67879a5

- x86/xen: Fix secondary processors' FPU initialization (bsc#1206418, CVE-2022-40982).
- commit 8a9c409

- x86/fpu: Move FPU initialization into arch_cpu_finalize_init() (bsc#1206418, CVE-2022-40982).
- commit d9e45bd

- x86/fpu: Mark init functions __init (bsc#1206418, CVE-2022-40982).
- commit 613212d

- x86/fpu: Remove cpuinfo argument from init functions (bsc#1206418).
- commit 82c61db

- init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() (bsc#1206418).
- commit 6fb5f8f

- init: Invoke arch_cpu_finalize_init() earlier (bsc#1206418).
- commit 8ef61c6

- init: Remove check_bugs() leftovers (bsc#1206418).
- commit a639423

- ARM: cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit cbb96e9

- x86/cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit 7fa4777

- x86/mm: Initialize text poking earlier (bsc#1206418, CVE-2022-40982).
- Refresh patches.suse/init-provide-arch_cpu_finalize_init.patch.
- commit 9784a5e

- init: Provide arch_cpu_finalize_init() (bsc#1206418).
- commit f81d332

- x86/mm: fix poking_init() for Xen PV guests (bsc#1206418, CVE-2022-40982).
- commit b12d1bf

- x86/mm: Use mm_alloc() in poking_init() (bsc#1206418, CVE-2022-40982).
- commit 9a1d45f

- rpm/mkspec-dtb: add riscv64 dtb-allwinner subpackage
- commit ec82ffc

- net: tun: fix bugs for oversize packet when napi frags enabled
  (bsc#1213543 CVE-2023-3812).
- commit 5e9be17

- netfilter: nf_tables: do not ignore genmask when looking up
  chain by id (CVE-2023-31248 bsc#1213061).
- commit 414921d

- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
  (CVE-2023-35001 bsc#1213059).
- commit b0acbe2

- uaccess: Add speculation barrier to copy_from_user()
  (bsc#1211738 CVE-2023-0459).
- commit 93eec59

- netfilter: nf_tables: incorrect error path handling with
  NFT_MSG_NEWRULE (CVE-2023-3390 CVE-2023-3117 bsc#1212846
  bsc#1213245).
- commit 176a7df

- KVM: Add GDS_NO support to KVM (bsc#1206418, CVE-2022-40982).
- commit 6550823

- x86/speculation: Add Kconfig option for GDS (bsc#1206418, CVE-2022-40982).
- commit eb94624

- x86/speculation: Add force option to GDS mitigation (bsc#1206418, CVE-2022-40982).
- commit 79691d3

- x86/speculation: Add Gather Data Sampling mitigation (bsc#1206418, CVE-2022-40982).
- commit 74a70bc

- ocfs2: fix defrag path triggering jbd2 ASSERT (bsc#1199304).
- ocfs2: fix a deadlock when commit trans (bsc#1199304).
- jbd2: export jbd2_journal_[grab|put]_journal_head (bsc#1199304).
- ocfs2: fix race between searching chunks and release
  journal_head from buffer_head (bsc#1199304).
- commit f86bdfe

- Refresh
  patches.suse/keys-Fix-linking-a-duplicate-key-to-a-keyring-s-asso.patch.
- commit d8b8cf8

- x86/cpu/amd: Add a Zenbleed fix (bsc#1213286, CVE-2023-20593).
- commit c2a9155

- x86/cpu/amd: Move the errata checking functionality up (bsc#1213286, CVE-2023-20593).
- commit d7a9bc3

- rpm: Update dependency to match current kmod.
- commit d687dc3

- keys: Do not cache key in task struct if key is requested from
  kernel thread (bsc#1213354).
- commit 0121b9a

- net: mana: Add support for vlan tagging (bsc#1212301).
- commit 613e87e

- fs: hfsplus: fix UAF issue in hfsplus_put_super  (bsc#1211867, CVE-2023-2985).
- commit e01b911

- rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME
  They depend on CONFIG_TOOLCHAIN_HAS_*.
- commit 1007103

- ubi: Fix failure attaching when vid_hdr offset equals to
  (sub)page size (bsc#1210584).
- ubi: ensure that VID header offset + VID header size <= alloc,
  size (bsc#1210584).
- commit 8f5f025

- Remove more packaging cruft for SLE < 12 SP3
- commit a16781c

- Get module prefix from kmod (bsc#1212835).
- commit f6691b0

- rpm/check-for-config-changes: ignore also PAHOLE_HAS_*
  We now also have options like CONFIG_PAHOLE_HAS_LANG_EXCLUDE.
- commit 86b52c1

- usrmerge: Adjust module path in the kernel sources (bsc#1212835).
  With the module path adjustment applied as source patch only
  ALP/Tumbleweed kernel built on SLE/Leap needs the path changed back to
  non-usrmerged.
- commit dd9a820

- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842
  CVE-2023-3090).
- commit ddb6922

- x86/build: Avoid relocation information in final vmlinux
  (bsc#1187829).
- commit 88b515e

- Refresh
  patches.suse/cifs-fix-open-leaks-in-open_cached_dir.patch.
  s/sync_hdr/hdr/ - fix build breakage on CONFIG_CIFS_DEBUG2=y.
- commit c3cb631

- kernel-docs: Use python3 together with python3-Sphinx (bsc#1212741).
- commit 95a40a6

- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes
  bsc#1212606 CVE-2023-3358).
- commit 7077c4f

- usb: gadget: udc: renesas_usb3: Fix use after free bug
  in renesas_usb3_remove due to race condition (bsc#1212513
  CVE-2023-35828).
- commit 1f06f62

- binfmt_elf: Take the mmap lock when walking the VMA list
  (bsc#1209039 CVE-2023-1249).
- commit 3f46ff2

- bluetooth: Perform careful capability checks in hci_sock_ioctl()
  (bsc#1210533 CVE-2023-2002).
- commit cb86eb0

- relayfs: fix out-of-bounds access in relay_file_read
  (bsc#1212502 CVE-2023-3268).
- kernel/relay.c: fix read_pos error when multiple readers
  (bsc#1212502 CVE-2023-3268).
- commit 73e4027

- media: dm1105: Fix use after free bug in dm1105_remove due to
  race condition (bsc#1212501 CVE-2023-35824).
- commit 0c9d507

- media: saa7134: fix use after free bug in saa7134_finidev due
  to race condition (bsc#1212494 CVE-2023-35823).
- commit 61b38d8

- net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
  (CVE-2023-35788 bsc#1212504).
- commit 865936b

- Drop a buggy dvb-core fix patch (bsc#1205758)
  Also the kabi workaround is dropped, too
- commit 7ace3fb

- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit 82c30e2

- kernel-docs: Add buildrequires on python3-base when using python3
  The python3 binary is provided by python3-base.
- commit c5df526

- fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
- commit 6f6d21f

- Move setting %%build_html to config.sh
- commit 3f65cd5

- memstick: r592: Fix UAF bug in r592_remove due to race condition
  (CVE-2023-3141 bsc#1212129 bsc#1211449).
- commit 4d760e7

- firewire: fix potential uaf in outbound_phy_packet_callback()
  (CVE-2023-3159 bsc#1212128).
- commit 444321d

- Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- commit 7ebcbd5

- Move setting %%split_optional to config.sh
- commit 4519250

- Move setting %%supported_modules_check to config.sh
- commit d9c64aa

- rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435)
- commit 799f050

- rpm/kernel-binary.spec.in: Fix compatibility wth newer rpm
- commit 334fb4d

- Also include kernel-docs build requirements for ALP
- commit 114d088

- Move the kernel-binary conflicts out of the spec file.
  Thie list of conflicting packages varies per release.
  To reduce merge conflicts move the list out of the spec file.
- commit 4d81125

- sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077)
- commit a8f82d0

- Avoid unsuported tar parameter on SLE12
- commit f11765a

- gve: Remove the code of clearing PBA bit (bsc#1211519).
- gve: Secure enough bytes in the first TX desc for all TCP pkts
  (bsc#1211519).
- gve: Cache link_speed value from device (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Fix error return code in gve_prefill_rx_pages()
  (bsc#1211519).
- gve: Reduce alloc and copy costs in the GQ rx path
  (bsc#1211519).
- gve: Fix GFP flags when allocing pages (bsc#1211519).
- google/gve:fix repeated words in comments (bsc#1211519).
- gve: Fix spelling mistake "droping" -> "dropping" (bsc#1211519).
- gve: enhance no queue page list detection (bsc#1211519).
- commit 5088617

- Move obsolete KMP list into a separate file.
  The list of obsoleted KMPs varies per release, move it out of the spec
  file.
- commit 016bc55

- Trim obsolete KMP list.
  SLE11 is out of support, we do not need to handle upgrading from SLE11
  SP1.
- commit 08819bb

- Generalize kernel-doc build requirements.
- commit 23b058f

- kernel-binary: Add back kernel-default-base guarded by option
  Add configsh option for splitting off kernel-default-base, and for
  not signing the kernel on non-efi
- commit 28c22af

- net: rpl: fix rpl header size calculation (CVE-2023-2156
  bsc#1211131).
- commit 884cd15

- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- commit 6cf7013

- usrmerge: Compatibility with earlier rpm (boo#1211796)
- commit 2191d32

- Fix usrmerge error (boo#1211796)
- commit da84579

- Update References
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
  (bsc#1198400 bsc#1209779 CVE-2023-1637).
- commit 23e11e7

- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
  CVE-2022-3566).
- commit d1f836b

- Remove usrmerge compatibility symlink in buildroot (boo#1211796)
  Besides Makefile depmod.sh needs to be patched to prefix /lib/modules.
  Requires corresponding patch to kmod.
- commit b8e00c5

- Update
  patches.suse/netfilter-x_tables-use-correct-memory-barriers.patch
  (bsc#1184208 CVE-2021-29650 bsc#1211596 CVE-2020-36694).
- commit 0092ed2

- HID: asus: use spinlock to safely schedule workers (bsc#1208604
  CVE-2023-1079).
- commit df4ce9a

- HID: asus: use spinlock to protect concurrent accesses
  (bsc#1208604 CVE-2023-1079).
- commit 4b7a2e4

- ipv6: sr: fix out-of-bounds read when setting HMAC data
  (bsc#1211592).
- commit f37c1a1

- power: supply: bq24190: Fix use after free bug in bq24190_remove
  due to race condition (CVE-2023-33288 bsc#1211590).
- commit 3e2047c

- kernel-source: Remove unused macro variant_symbols
- commit 915ac72

- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
  bsc#1205758).
- commit c99685c

- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
  (CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
  dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
  dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
  dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
  wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
  dvb_frontend (CVE-2022-45885 bsc#1205758).
- commit f5d1bea

- media: dvbdev: fix error logic at dvb_register_device()
  (CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
  (CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
  implementation (CVE-2022-45884 bsc#1205756).
- commit fa580d0

- net: sched: sch_qfq: prevent slab-out-of-bounds in
  qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit eeb865d

- i2c: xgene-slimpro: Fix out-of-bounds bug in
  xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit e9b03ca

- netrom: Fix use-after-free caused by accept on already
  connected socket (bsc#1211186 CVE-2023-32269).
- commit e76516d

- SUNRPC: Ensure the transport backchannel association
  (bsc#1211203).
- commit db18275

- rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB
- commit 1c1a4cd

- netfilter: nf_tables: deactivate anonymous set from preparation
  phase (CVE-2023-32233 bsc#1211043).
- commit 8d253dc

- act_mirred: use the backlog for nested calls to mirred ingress
  (CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: better wording on protection against
  excessive stack growth (CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: refactor the handle of xmit
  (CVE-2022-4269 bsc#1206024).
- commit c36d39a

- wifi: brcmfmac: slab-out-of-bounds read in
  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 238a208

- Remove obsolete rpm spec constructs
  defattr does not need to be specified anymore
  buildroot does not need to be specified anymore
- commit c963185

- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate
  obsoletes correctly (boo#1172073 bsc#1191731).
  rpm only supports full length release, no provides
- commit c9b5bc4

- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
  (bsc#1206878 bsc#1211105 CVE-2023-2513).
- commit 2a8658b

- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
  bsc#1211105 CVE-2023-2513).
- commit 880db90

- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- commit d6c8c20

- net: qcom/emac: Fix use after free bug in emac_remove due to
  race condition (bsc#1211037 CVE-2023-2483).
- commit d3abec2

- Update patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch
  Fix the missing the bsc# prefix for the bug number in the References tag.
- commit 704a6c4

- timens: Forbid changing time namespace for an io_uring process
  (bsc#1208474 CVE-2023-23586).
- commit 89cf4b3

- s390,dcssblk,dax: Add dax zero_page_range operation to dcssblk
  driver (bsc#1199636).
- commit 6a9faa3

- xfs: verify buffer contents when we skip log replay (bsc#1210498
  CVE-2023-2124).
- commit 8eed3d3

- io_uring: prevent race on registering fixed files (1210414
  CVE-2023-1872).
- commit e53cfa3

- KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
  (bsc#1206992 CVE-2022-2196).
- commit f66a218

- keys: Fix linking a duplicate key to a keyring's assoc_array
  (bsc#1207088).
- commit 527a5be

- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
  (bsc#1209871 CVE-2023-1670).
- commit cfec974

- Drivers: vmbus: Check for channel allocation before looking
  up relids (git-fixes).
- commit de13f74

- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
  ipaddress (bsc#1210647 CVE-2023-2162).
- commit d0a859e

- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 5886145

- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit 8b6288f

- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit c706a03

- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit 7a43827

- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
- commit f513a6e

- x86/speculation: Allow enabling STIBP with legacy IBRS
  (bsc#1210506 CVE-2023-1998).
- commit d03ef09

- cifs: fix negotiate context parsing (bsc#1210301).
- commit 5d87bbe

- power: supply: da9150: Fix use after free bug in
  da9150_charger_remove due to race condition (CVE-2023-30772
  bsc#1210329).
- commit 61aa622

- k-m-s: Drop Linux 2.6 support
- commit 22b2304

- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6

- udmabuf: add back sanity check (git-fixes bsc#1210453
  CVE-2023-2008).
- commit b2b9158

- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
  due to race condition (CVE-2023-1855 bsc#1210202).
- commit 4401c6f

- netlink: limit recursion depth in policy validation
  (CVE-2020-36691 bsc#1209613).
- Refresh
  patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch.
- commit 374a1af

- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
  condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 775e632

- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit e27c00d

- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
  Fix performance problem with these patches - bsc@1210124
- commit 4dbd22d

- btrfs: fix race between quota disable and quota assign ioctls
  (CVE-2023-1611 bsc#1209687).
- commit 3fdcd22

- Fix double fget() in vhost_net_set_backend() (bsc#1210203
  CVE-2023-1838).
- commit 7e671a8

- Define kernel-vanilla as source variant
  The vanilla_only macro is overloaded. It is used for determining if
  there should be two kernel sources built as well as for the purpose of
  determmioning if vanilla kernel should be used for kernel-obs-build.
  While the former can be determined at build time the latter needs to be
  baked into the spec file template. Separate the two while also making
  the latter more generic.
  $build_dtbs is enabled on every single rt and azure branch since 15.3
  when the setting was introduced, gate on the new $obs_build_variant
  setting as well.
- commit 36ba909

- series.conf: cleanup
- update upstream references and resort:
  - patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
- commit 9bae747

- net/ulp: use consistent error code when blocking ULP
  (CVE-2023-0461 bsc#1208787).
- net/ulp: prevent ULP without clone op from entering the LISTEN
  status (CVE-2023-0461 bsc#1208787).
- commit 028f0fd

- rpm/constraints.in: increase the disk size for armv6/7 to 24GB
  It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816

- rpm/check-for-config-changes: add TOOLCHAIN_NEEDS_* to IGNORED_CONFIGS_RE
  This new form was added in commit e89c2e815e76 ("riscv: Handle
  zicsr/zifencei issues between clang and binutils").
- commit 234baea

- seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549
  CVE-2023-28772).
- commit 5c5e4d3

- PCI: hv: Add a per-bus mutex state_lock (bsc#1209785).
- Revert "PCI: hv: Fix a timing issue which causes kdump to fail
  occasionally" (bsc#1209785).
- PCI: hv: Remove the useless hv_pcichild_state from struct
  hv_pci_dev (bsc#1209785).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can
  cause panic (bsc#1209785).
- PCI: hv: fix a race condition bug in hv_pci_query_relations()
  (bsc#1209785).
- commit 6b9e385

- kvm: initialize all of the kvm_debugregs structure before
  sending it to userspace (bsc#1209532 CVE-2023-1513).
- commit bd9c11d

- Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052
  CVE-2023-28464).
- commit 677d920

- net: tls: fix possible race condition between
  do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
  (bsc#1209366 CVE-2023-28466).
- commit 5f7c4a6

- Move ENA upstream fix to sorted section.
- commit aff6c71

- RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923)
- commit 50ba48b

- tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289
  CVE-2023-1390).
- commit b2c1533

- tun: avoid double free in tun_free_netdev (bsc#1209635
  CVE-2022-4744).
- commit c5cf205

- net/sched: tcindex: update imperfect hash filters respecting
  rcu (CVE-2023-1281 bsc#1209634).
- commit 97b3f9d

- fs/proc: task_mmu.c: don't read mapcount for migration entry
  (CVE-2023-1582, bsc#1209636).
- commit 35d5c42

- af_unix: Get user_ns from in_skb in unix_diag_get_exact()
  (bsc#1209290 CVE-2023-28327).
- commit 000517c

- netlink: prevent potential spectre v1 gadgets (bsc#1209547
  CVE-2017-5753).
- commit cec3f24

- tipc: add an extra conn_get in tipc_conn_alloc (bsc#1209288
  CVE-2023-1382).
- commit 6a58da4

- tipc: set con sock in tipc_conn_alloc (bsc#1209288
  CVE-2023-1382).
- commit 06eaf34

- Refresh
  patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit 890554b

- media: dvb-usb: az6027: fix null-ptr-deref in  az6027_i2c_xfer()
  (bsc#1209291 CVE-2023-28328).
- commit af7b7eb

- rpm/group-source-files.pl: Fix output difference when / is in location
  While previous attempt to fix group-source-files.pl in 6d651362c38
  "rpm/group-source-files.pl: Deal with {pre,post}fixed / in location"
  breaks the infinite loop, it does not properly address the issue. Having
  prefixed and/or postfixed forward slash still result in different
  output.
  This commit changes the script to use the Perl core module File::Spec
  for proper path manipulation to give consistent output.
- commit 4161bf9

- Require suse-kernel-rpm-scriptlets at all times.
  The kernel packages call scriptlets for each stage, add the dependency
  to make it clear to libzypp that the scriptlets are required.
  There is no special dependency for posttrans, these scriptlets run when
  transactions are resolved. The plain dependency has to be used to
  support posttrans.
- commit 56c4dbe

- Replace mkinitrd dependency with dracut (bsc#1202353).
  Also update mkinitrd refrences in documentation and comments.
- commit e356c9b

- prlimit: do_prlimit needs to have a speculation check
  (bsc#1209256 CVE-2017-5753).
- commit a2ac7fb

- rpm/kernel-obs-build.spec.in: Remove SLE11 cruft
- commit 871eeb4

- rds: rds_rm_zerocopy_callback() correct order for
  list_add_tail() (CVE-2023-1078 bsc#1208601).
- rds: rds_rm_zerocopy_callback() use list_first_entry()
  (CVE-2023-1078 bsc#1208601).
- commit ec0c93c

- net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075
  bsc#1208598).
- commit d651270

- tap: tap_open(): correctly initialize socket uid (CVE-2023-1076
  bsc#1208599).
- tun: tun_chr_open(): correctly initialize socket uid
  (CVE-2023-1076 bsc#1208599).
- net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599).
- netfilter: nf_tables: fix null deref due to zeroed list head
  (CVE-2023-1095 bsc#1208777).
- commit b65b67b

- cifs: fix use-after-free caused by invalid pointer `hostname`
  (bsc#1208971).
- commit d1a37f1

- HID: bigben: use spinlock to safely schedule workers
  (CVE-2023-25012 bsc#1207560).
- HID: bigben_worker() remove unneeded check on report_field
  (CVE-2023-25012 bsc#1207560).
- HID: bigben: use spinlock to protect concurrent accesses
  (CVE-2023-25012 bsc#1207560).
- commit 3c79258

- malidp: Fix NULL vs IS_ERR() checking (bsc#1208843
  CVE-2023-23004).
- commit a8f9557

- Do not sign the vanilla kernel (bsc#1209008).
- commit cee4d89

- rpm/group-source-files.pl: Deal with {pre,post}fixed / in location
  When the source file location provided with -L is either prefixed or
  postfixed with forward slash, the script get stuck in a infinite loop
  inside calc_dirs() where $path is an empty string.
  user@localhost:/tmp> perl "$HOME/group-source-files.pl" -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/
  ...
  path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig
  path = /usr/src/linux-5.14.21-150500.41/Documentation
  path = /usr/src/linux-5.14.21-150500.41
  path = /usr/src
  path = /usr
  path =
  path =
  path =
  ... # Stuck in an infinite loop
  This workarounds the issue by breaking out the loop once path is an
  empty string. For a proper fix we'd want something that
  filesystem-aware, but this workaround should be enough for the rare
  occation that this script is ran manually.
  Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
- commit 6d65136

- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
  (CVE-2023-1118 bsc#1208837).
- phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node
  function (CVE-2023-23000 bsc#1208816).
- commit 52c897a

- scsi: qla2xxx: Add option to disable FC2 Target support
  (bsc#1198438 bsc#1206103).
- Delete
  patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch.
- commit 5959f82

- drm/virtio: Fix NULL vs IS_ERR checking in
  virtio_gpu_object_shmem_init (bsc#1208776 CVE-2023-22998).
- commit 2fd8a08

- net/mlx5: DR, Fix NULL vs IS_ERR checking in
  dr_domain_init_resources (bsc#1208845 CVE-2023-23006).
- commit 14082ec

- mm/slub: fix panic in slab_alloc_node() (bsc#1208023).
- commit b092aa9

- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
  When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1
  which sets the variable for a simple command.
  However, the script is no longer a simple command. Export the variable
  instead.
- commit 152a069

- README.BRANCH: Update
  Relieve Ivan Ivanov of his duties as branch maintainer as I am back.
- commit 1da55f1

- usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
  dwc3_qcom_acpi_register_core (bsc#1208741 CVE-2023-22995).
- commit 7a31d48

- net: mpls: fix stale pointer if allocation fails during device
  rename (bsc#1208700 CVE-2023-26545).
- commit 18d9ec7

- s390/kexec: fix ipl report address for kdump (bsc#1207575).
- commit 7a62f13

- x86/mm: Randomize per-cpu entry area (bsc#1207845
  CVE-2023-0597).
- commit 3a695c7

- vmxnet3: move rss code block under eop descriptor (bsc#1208212).
- commit f589074

- usb: rndis_host: Secure rndis_query check against int overflow
  (CVE-2023-23559 bsc#1207051).
- commit d9a137b

- net: mana: Assign interrupts to CPUs based on NUMA nodes
  (bsc#1208153).
- Refresh
  patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch.
- commit 342fb4d

- net: mana: Fix accessing freed irq affinity_hint (bsc#1208153).
- genirq: Provide new interfaces for affinity hints (bsc#1208153).
- commit 4d24191

- drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331 CVE-2022-38096)
- commit 1f21d95

- module: Don't wait for GOING modules (bsc#1196058, bsc#1186449,
  bsc#1204356, bsc#1204662).
- commit 77af0b0

- drm/vmwgfx: Validate the box size for the snooped cursor (bsc#1203332 CVE-2022-36280)
- commit f246cad

- Refresh
  patches.kabi/scsi-kABI-fix-for-eh_should_retry_cmd.patch (bsc#1206351).
  The former kABI fix only move the newly added member to scsi_host_template to
  the end of the struct. But that is usually allocated statically, even by 3rd
  party modules relying on kABI. Before we use the member we need to signalize
  that it is to be expected. As we only expect it to be allocated by in-tree
  modules that we can control, we can use a space in the bitfield to signalize
  that.
- commit 0e772e8

- net: mana: Fix IRQ name - add PCI and queue number
  (bsc#1207875).
- commit f2c8c19

- x86/bugs: Flush IBP in ib_prctl_set() (bsc#1207773
  CVE-2023-0045).
- commit baf6bec

- net: ena: optimize data access in fast-path code (bsc#1208137).
- commit 09cfdc0

- net: sched: fix race condition in qdisc_graft() (CVE-2023-0590
  bsc#1207795).
- net_sched: add __rcu annotation to netdev->qdisc (CVE-2023-0590
  bsc#1207795).
- commit c6f042b

- Update
  patches.suse/net-mlx5-Allocate-individual-capability.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Dynamically-resize-flow-counters-query-buff.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Reorganize-current-and-maximal-capabilities.patch
  (bsc#1195175).
- Update
  patches.suse/net-mlx5-Use-order-0-allocations-for-EQs.patch
  (bsc#1195175).
  Fixed bugzilla reference.
- commit e56868b

- watchdog: diag288_wdt: do not use stack buffers for hardware
  data (bsc#1207497).
- commit f31eb64

- watchdog: diag288_wdt: fix __diag288() inline assembly
  (bsc#1207497).
- commit 2f246cf

- RDMA/core: Fix ib block iterator counter overflow (bsc#1207878).
- commit 64f6682

- libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
  (bsc#1204502 CVE-2022-3606).
- commit eef9e8d

- cifs: do not include page data when checking signature
  (bsc#1200217).
- commit 89d2457

- config.conf: Drop armv7l, Leap 15.3 is EOL.
- Delete config/armv7hl/default.
- Delete config/armv7hl/lpae.
- commit 022c807

- mm: /proc/pid/smaps_rollup: fix no vma's null-deref
  (bsc#1207769).
- commit be9727c

- scsi: mpi3mr: Refer CONFIG_SCSI_MPI3MR in Makefile (git-fixes).
- scsi: snic: Fix possible UAF in snic_tgt_create() (git-fixes).
- scsi: fcoe: Fix transport not deattached when fcoe_if_init()
  fails (git-fixes).
- scsi: ipr: Fix WARNING in ipr_init() (git-fixes).
- scsi: scsi_debug: Fix possible name leak in
  sdebug_add_host_helper() (git-fixes).
- scsi: fcoe: Fix possible name leak when device_register()
  fails (git-fixes).
- scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
  (git-fixes).
- scsi: hpsa: Fix error handling in hpsa_add_sas_host()
  (git-fixes).
- scsi: mpt3sas: Fix possible resource leaks in
  mpt3sas_transport_port_add() (git-fixes).
- scsi: hpsa: Fix possible memory leak in hpsa_init_one()
  (git-fixes).
- scsi: scsi_debug: Fix a warning in resp_write_scat()
  (git-fixes).
- scsi: core: Fix a race between scsi_done() and scsi_timeout()
  (git-fixes).
- scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
  (git-fixes).
- scsi: core: Restrict legal sdev_state transitions via sysfs
  (git-fixes).
- scsi: 3w-9xxx: Avoid disabling device if failing to enable it
  (git-fixes).
- scsi: qedf: Fix a UAF bug in __qedf_probe() (git-fixes).
- scsi: megaraid_sas: Fix double kfree() (git-fixes).
- scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
  (git-fixes).
- commit 25cb1e4

- dm thin: Use last transaction's pmd->root when commit failed
  (git-fixes).
- dm thin: resume even if in FAIL mode (git-fixes).
- dm cache: set needs_check flag after aborting metadata
  (git-fixes).
- dm cache: Fix ABBA deadlock between shrink_slab and
  dm_cache_metadata_abort (git-fixes).
- dm thin: Fix ABBA deadlock between shrink_slab and
  dm_pool_abort_metadata (git-fixes).
- dm integrity: Fix UAF in dm_integrity_dtr() (git-fixes).
- dm cache: Fix UAF in destroy() (git-fixes).
- dm clone: Fix UAF in clone_dtr() (git-fixes).
- dm thin: Fix UAF in run_timer_softirq() (git-fixes).
- blktrace: Fix output non-blktrace event when blk_classic option
  enabled (git-fixes).
- dm integrity: flush the journal on suspend (git-fixes).
- dm ioctl: fix misbehavior if list_versions races with module
  loading (git-fixes).
- md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d (git-fixes).
- bcache: fix set_at_max_writeback_rate() for multiple attached
  devices (git-fixes).
- nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
  (git-fixes).
- md: Flush workqueue md_rdev_misc_wq in md_alloc() (git-fixes).
- drivers:md:fix a potential use-after-free bug (git-fixes).
- null_blk: fix ida error handling in null_add_dev() (git-fixes).
- md: Notify sysfs sync_completed in md_reap_sync_thread()
  (git-fixes).
- nbd: fix io hung while disconnecting device (git-fixes).
- nbd: fix race between nbd_alloc_config() and module removal
  (git-fixes).
- nbd: call genl_unregister_family() first in nbd_cleanup()
  (git-fixes).
- md: protect md_unregister_thread from reentrancy (git-fixes).
- nbd: Fix hung on disconnect request if socket is closed before
  (git-fixes).
- dm ioctl: prevent potential spectre v1 gadget (git-fixes).
- loop: use sysfs_emit() in the sysfs xxx show() (git-fixes).
- dm space map common: add bounds check to sm_ll_lookup_bitmap()
  (git-fixes).
- dm btree: add a defensive bounds check to insert_at()
  (git-fixes).
- commit 223b9c6

- nbd: Fix incorrect error handle when first_minor is illegal
  in nbd_dev_add (git-fixes).
- Refresh for the above change,
  patches.suse/0019-nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_.patch.
- commit 9c00c1c

- nbd: fix max value for 'first_minor' (git-fixes).
- Refresh for the above change,
  patches.suse/0012-nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch.
- commit dd126a5

- dm space maps: don't reset space map allocation cursor when
  committing (git-fixes).
- dm verity: fix require_signatures module_param permissions
  (git-fixes).
- dm integrity: fix flush with external metadata device
  (git-fixes).
- dm integrity: select CRYPTO_SKCIPHER (git-fixes).
- dm verity: skip verity work if I/O error when system is shutting
  down (git-fixes).
- dm table: Remove BUG_ON(in_interrupt()) (git-fixes).
- nbd: make the config put is called before the notifying the
  waiter (git-fixes).
- nbd: restore default timeout when setting it to zero
  (git-fixes).
- loop: unset GENHD_FL_NO_PART_SCAN on LOOP_CONFIGURE (git-fixes).
- blktrace: ensure our debugfs dir exists (git-fixes).
- commit 50ca764

- rbd: work around -Wuninitialized warning (git-fixes).
- Refresh for the above change,
  patches.suse/rbd-export-some-functions-used-by-lio-rbd-backend.patch.
- commit e923159

- blacklist.conf: add git-fixes commits which won't be backported
- commit 4601d33

- blacklist.conf: removing SCSI git-fix mistakenly added
  This fix was labelled as already present in our
  code base, but it was not.
- commit bcd8cfe

- scsi: pmcraid: Fix missing resource cleanup in error case
  (git-fixes).
- scsi: ipr: Fix missing/incorrect resource cleanup in error case
  (git-fixes).
- scsi: vmw_pvscsi: Expand vcpuHint to 16 bits (git-fixes).
- scsi: myrb: Fix up null pointer access on myrb_cleanup()
  (git-fixes).
- scsi: megaraid: Fix error check return value of
  register_chrdev() (git-fixes).
- scsi: qedi: Fix failed disconnect handling (git-fixes).
- scsi: megaraid_sas: Target with invalid LUN ID is deleted
  during scan (git-fixes).
- scsi: mvsas: Add PCI ID of RocketRaid 2640 (git-fixes).
- scsi: libfc: Fix use after free in fc_exch_abts_resp()
  (git-fixes).
- scsi: aha152x: Fix aha152x_setup() __setup handler return value
  (git-fixes).
- scsi: pm8001: Fix pm8001_mpi_task_abort_resp() (git-fixes).
- scsi: bfa: Replace snprintf() with sysfs_emit() (git-fixes).
- scsi: mvsas: Replace snprintf() with sysfs_emit() (git-fixes).
- scsi: myrs: Fix crash in error case (git-fixes).
- scsi: qedf: Fix refcount issue when LOGO is received during TMF
  (git-fixes).
- scsi: sr: Don't use GFP_DMA (git-fixes).
- scsi: vmw_pvscsi: Set residual data length conditionally
  (git-fixes).
- scsi: libiscsi: Fix UAF in
  iscsi_conn_get_param()/iscsi_conn_teardown() (git-fixes).
- scsi: core: sysfs: Fix setting device state to SDEV_RUNNING
  (git-fixes).
- scsi: core: sysfs: Fix hang when device state is set via sysfs
  (git-fixes).
- scsi: iscsi: Unblock session then wake up error handler
  (git-fixes).
- scsi: advansys: Fix kernel pointer leak (git-fixes).
- scsi: core: Fix shost->cmd_per_lun calculation in
  scsi_add_host_with_dma() (git-fixes).
- scsi: virtio_scsi: Fix spelling mistake "Unsupport" ->
  "Unsupported" (git-fixes).
- scsi: ses: Fix unsigned comparison with less than zero
  (git-fixes).
- scsi: ufs: Fix illegal offset in UPIU event trace (git-fixes).
- scsi: ses: Retry failed Send/Receive Diagnostic commands
  (git-fixes).
- scsi: sd: Free scsi_disk device via put_device() (git-fixes).
- scsi: core: Fix hang of freezing queue between blocking and
  running device (git-fixes).
- scsi: core: Fix capacity set to zero after offlinining device
  (git-fixes).
- scsi: sr: Return correct event when media event code is 3
  (git-fixes).
- scsi: core: Avoid printing an error if target_alloc() returns
  - ENXIO (git-fixes).
- scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach()
  (git-fixes).
- scsi: megaraid_mm: Fix end of loop tests for
  list_for_each_entry() (git-fixes).
- scsi: qedf: Add check to synchronize abort and flush
  (git-fixes).
- scsi: libsas: Add LUN number check in .slave_alloc callback
  (git-fixes).
- scsi: aic7xxx: Fix unintentional sign extension issue on left
  shift of u8 (git-fixes).
- scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg()
  (git-fixes).
- scsi: scsi_dh_alua: Check for negative result value (git-fixes).
- scsi: qedi: Fix null ref during abort handling (git-fixes).
- scsi: iscsi: Fix shost->max_id use (git-fixes).
- scsi: iscsi: Add iscsi_cls_conn refcount helpers (git-fixes).
- scsi: megaraid_sas: Handle missing interrupts while re-enabling
  IRQs (git-fixes).
- scsi: megaraid_sas: Early detection of VD deletion through
  RaidMap update (git-fixes).
- scsi: megaraid_sas: Fix resource leak in case of probe failure
  (git-fixes).
- scsi: core: Cap scsi_host cmd_per_lun at can_queue (git-fixes).
- scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw()
  (git-fixes).
- scsi: sr: Return appropriate error code when disk is ejected
  (git-fixes).
- scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated
  irq (git-fixes).
- scsi: vmw_pvscsi: Set correct residual data length (git-fixes).
- scsi: bnx2fc: Return failure if io_req is already in ABTS
  processing (git-fixes).
- scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic
  (git-fixes).
- scsi: libfc: Fix a format specifier (git-fixes).
- scsi: mpt3sas: Block PCI config access from userspace during
  reset (git-fixes).
- scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
  (git-fixes).
- scsi: st: Fix a use after free in st_open() (git-fixes).
- scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
  (git-fixes).
- scsi: fnic: Fix memleak in vnic_dev_init_devcmd2 (git-fixes).
- scsi: ufs: Fix tm request when non-fatal error happens
  (git-fixes).
- scsi: sd: Suppress spurious errors when WRITE SAME is being
  disabled (git-fixes).
- scsi: scsi_transport_spi: Set RQF_PM for domain validation
  commands (git-fixes).
- scsi: ufs-pci: Ensure UFS device is in PowerDown mode for
  suspend-to-disk ->poweroff() (git-fixes).
- scsi: ufs: Fix wrong print message in dev_err() (git-fixes).
- scsi: mpt3sas: Increase IOCInit request timeout to 30s
  (git-fixes).
- commit cf6a959

- scsi: ufs: Make sure clk scaling happens only when HBA is
  runtime ACTIVE (git-fixes).
- scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by
  ufshcd_hold() (git-fixes).
- scsi: mpt3sas: Fix timeouts observed while reenabling IRQ
  (git-fixes).
- scsi: hpsa: Fix memory leak in hpsa_init_one() (git-fixes).
- scsi: core: Don't start concurrent async scan on same host
  (git-fixes).
- scsi: mvumi: Fix error return in mvumi_io_attach() (git-fixes).
- scsi: qedf: Return SUCCESS if stale rport is encountered
  (git-fixes).
- scsi: qedi: Protect active command list to avoid list corruption
  (git-fixes).
- scsi: qedi: Fix list_del corruption while removing active I/O
  (git-fixes).
- scsi: ufs: ufs-qcom: Fix race conditions caused by
  ufs_qcom_testbus_config() (git-fixes).
- commit 0335e79

- sctp: fail if no bound addresses can be used for a given scope
  (bsc#1206677).
- commit dcee4fd

- scsi: ufs: Clean up completed request without interrupt
  notification (git-fixes).
- Refresh
  patches.suse/scsi-ufs-Properly-release-resources-if-a-task-is-aborted-successfully.
- commit 0e26434

- KVM: VMX: fix crash cleanup when KVM wasn't used (bsc#1207508).
- Refresh
  patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- commit 8d5e108

- scsi: ufs: Improve interrupt handling for shared interrupts
  (git-fixes).
- scsi: ufs: Fix interrupt error message for shared interrupts
  (git-fixes).
- scsi: ufs: Fix possible infinite loop in ufshcd_hold
  (git-fixes).
- scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
  (git-fixes).
- scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices
  (git-fixes).
- scsi: scsi_transport_spi: Fix function pointer check
  (git-fixes).
- scsi: sr: Fix sr_probe() missing deallocate of device minor
  (git-fixes).
- scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
  (git-fixes).
- scsi: hisi_sas: Do not reset phy timer to wait for stray phy up
  (git-fixes).
- scsi: cxlflash: Fix error return code in cxlflash_probe()
  (git-fixes).
- scsi: core: free sgtables in case command setup fails
  (git-fixes).
- scsi: pm: Balance pm_only counter of request queue during
  system resume (git-fixes).
- scsi: iscsi: Report unbind session event when the target has
  been removed (git-fixes).
- scsi: iscsi: Don't destroy session if there are outstanding
  connections (git-fixes).
- scsi: ufs: Fix a race condition in the tracing code (git-fixes).
- scsi: ufs: Make ufshcd_add_command_trace() easier to read
  (git-fixes).
- scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
  (git-fixes).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
  (git-fixes).
- scsi: iscsi: Don't send data to unbound connection (git-fixes).
- scsi: NCR5380: Add disconnect_mask module parameter (git-fixes).
- scsi: scsi_debug: num_tgts must be >= 0 (git-fixes).
- scsi: ufs: Fix error handing during hibern8 enter (git-fixes).
- scsi: ufs: Fix irq return code (git-fixes).
- scsi: ufs: Fix up auto hibern8 enablement (git-fixes).
- scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of
  SG_NONE (git-fixes).
- scsi: ufs: fix potential bug which ends in system hang
  (git-fixes).
- scsi: hisi_sas: Check sas_port before using it (git-fixes).
- scsi: fnic: fix use after free (git-fixes).
- scsi: ufs: delete redundant function ufshcd_def_desc_sizes()
  (git-fixes).
- scsi: hisi_sas: Delete the debugfs folder of hisi_sas when
  the probe fails (git-fixes).
- commit e77b62a

- scsi: hisi_sas: Replace in_softirq() check in
  hisi_sas_task_exec() (git-fixes).
- Refresh patches.suse/scsi-hisi_sas-Remove-preemptible.
- commit ce7bed3

- blacklist.conf: add git-fixes to be skipped
- commit cb4a471

- netfilter: nft_payload: incorrect arithmetics when fetching
  VLAN header bits (CVE-2023-0179 bsc#1207034).
- commit 9fe77eb

- HID: check empty report_list in hid_validate_values()
  (git-fixes, bsc#1206784).
- commit 028641d

- HID: check empty report_list in bigben_probe() (git-fixes,
  bsc#1206784).
- commit c479b33

- HID: betop: check shape of output reports (git-fixes,
  bsc#1207186).
- commit f6860d6

- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent
  UAF (CVE-2023-0266 bsc#1207134).
- commit 9014493

- sctp: sysctl: make extra pointers netns aware (bsc#1204760).
- commit 580597a

- net: sched: disallow noqueue for qdisc classes (bsc#1207237
  CVE-2022-47929).
- commit e015217

- blacklist.conf: 461ab10ef7e6 ("ceph: switch to vfs_inode_has_locks() to fix file lock bug")
- commit b165b65

- ceph: avoid putting the realm twice when decoding snaps fails
  (bsc#1207198).
- ceph: do not update snapshot context when there is no new
  snapshot (bsc#1207218).
- commit 2f13b5a

- ipv6: raw: Deduct extension header length in
  rawv6_push_pending_frames (bsc#1207168).
- commit ad4a091

- rpm/mkspec-dtb: add riscv64 dtb-renesas subpackage
- commit 6020754

- Update
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
  (bsc#1207036 CVE-2023-23454).
- commit 88c4e72

- Update
  patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
  (bsc#1207125 CVE-2023-23455).
- commit e595908

- SLE15-SP3 went to LTSS, hand over to L3
- commit c5e6bf0

- mm/memcg: optimize memory.numa_stat like memory.stat
  (bsc#1206663).
- commit d7619da

- drbd: destroy workqueue when drbd device was freed (git-fixes).
- drbd: use after free in drbd_create_device() (git-fixes).
- drbd: remove usage of list iterator variable after loop
  (git-fixes).
- commit ebdddc5

- powerpc/rtas: avoid scheduling in rtas_os_term() (bsc#1065729).
- powerpc/rtas: avoid device tree lookups in rtas_os_term()
  (bsc#1065729).
- commit da7ea39

- net: sched: atm: dont intepret cls results when asked to drop
  (bsc#1207036).
- commit 49dc51c

- net: sched: cbq: dont intepret cls results when asked to drop
  (bsc#1207036).
- commit 0726009

- ibmveth: Always stop tx queues during close (bsc#1065729).
- commit 8b8572d

- Refresh
  patches.suse/btrfs-avoid-unnecessary-lock-and-leaf-splits-when-up.patch.
  For bsc#1206904, see:
  https://bugzilla.suse.com/show_bug.cgi?id=1206904#c6
- commit dfcd116

- README.BRANCH: Added myself as co-maintainer
  And drop Oscars name.
- commit 0607a55

- ipv4: Handle attempt to delete multipath route when fib_info
  contains an nh reference (bsc#1204171 CVE-2022-3435).
- commit d2a1bb2

- net: ipv4: fix route with nexthop object delete warning
  (bsc#1204171 CVE-2022-3435).
- commit 51fb670

- module: avoid *goto*s in module_sig_check() (git-fixes).
- commit 95dc2c1

- module: merge repetitive strings in module_sig_check()
  (git-fixes).
- commit e890371

- module: set MODULE_STATE_GOING state when a module fails to load
  (git-fixes).
- commit bbf8a43

- modules: lockdep: Suppress suspicious RCU usage warning
  (git-fixes).
- commit a75abac

- module: Remove accidental change of module_enable_x()
  (git-fixes).
- commit c1799c7

- tracing: Verify if trace array exists before destroying it
  (git-fixes).
- commit 484ce03

- powerpc/powernv: add missing of_node_put (bsc#1065729).
- powerpc/boot: Fixup device-tree on little endian (bsc#1065729).
- powerpc/pseries: Stop calling printk in rtas_stop_self()
  (bsc#1065729).
- powerpc: Force inlining of cpu_has_feature() to avoid build
  failure (bsc#1065729).
- powerpc: improve handling of unrecoverable system reset
  (bsc#1065729).
- powerpc: sysdev: add missing iounmap() on error in
  mpic_msgr_probe() (bsc#1065729).
- powerpc/powernv/smp: Fix spurious DBG() warning (bsc#1065729).
- powerpc/crashkernel: Take "mem=" option into account
  (bsc#1065729).
- powerpc/64s/pgtable: fix an undefined behaviour (bsc#1065729).
- powerpc/eeh: Only dump stack once if an MMIO loop is detected
  (bsc#1065729).
- powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
  (bsc#1065729).
- powerpc/powernv/iov: Ensure the pdn for VFs always contains
  a valid PE number (bsc#1065729).
- commit f1282a1

- blacklist.conf: Add reverted commit
- commit 1048706

- powerpc: Ensure that swiotlb buffer is allocated from low memory
  (bsc#1156395).
- commit 6657d5f

- powerpc/powernv: Avoid re-registration of imc debugfs directory
  (bsc#1156395).
- powerpc/book3s/mm: Update Oops message to print the correct
  translation in use (bsc#1156395).
- commit 1967b85

- powerpc/pseries/cmm: Implement release() function for sysfs
  device (bsc#1065729).
- commit eef87f7

- rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs
  This makes in-tree KMPs more consistent with externally built KMPs and
  silences several rpmlint warnings.
- commit 02b7735

- mm: fix race between MADV_FREE reclaim and blkdev direct IO read
  (bsc#1204989,bsc#1205601).
- commit b1fad8e

- rpm/check-for-config-changes: add OBJTOOL and FTRACE_MCOUNT_USE_*
  Dummy gcc pretends to support -mrecord-mcount option but actual gcc on
  ppc64le does not. Therefore ppc64le builds of 6.2-rc1 and later in OBS
  enable FTRACE_MCOUNT_USE_OBJTOOL and OBJTOOL config options, resulting in
  check failure.
  As we already have FTRACE_MCOUNT_USE_CC and FTRACE_MCOUNT_USE_RECORDMCOUNT
  in the exception list, replace them with a general pattern. And add OBJTOOL
  as well.
- commit 887416f

- powerpc/xive/spapr: correct bitmap allocation size (fate#322438
  git-fixes).
- powerpc/xive: Add a check for memory allocation failure
  (fate#322438 git-fixes).
- commit 2423c59

- arm64: memory: Add missing brackets to untagged_addr() macro (git-fixes)
- commit 5dff1e5

- arm64: tags: Preserve tags for addresses translated via TTBR1 (git-fixes)
- commit 822d824

- blacklist.conf: ("arm64: lse: Fix LSE atomics with LLVM")
- commit 22e012e

- arm64: dts: rockchip: add reg property to brcmf sub-nodes (git-fixes)
- commit 82f0058

- arm64: dts: rockchip: fix dwmmc clock name for px30 (git-fixes)
- commit 2d24fe0

- arm64: dts: allwinner: H5: Add PMU node (git-fixes)
- commit 5f7b503

- arm64: dts: allwinner: H6: Add PMU mode (git-fixes)
- commit 3c56f93

- arm64: dts: rockchip: Fix NanoPC-T4 cooling maps (git-fixes)
- commit 10890a5

- blacklist.conf: ("arm64: fix alternatives with LLVM's integrated assembler")
- commit a642f3b

- blacklist.conf: ("arm64: lse: fix LSE atomics with LLVM's integrated assembler")
- commit 76593cf

- blacklist.conf: ("arm64: dts: allwinner: a64: olinuxino: Fix eMMC supply regulator")
- commit 1caef50

- Refresh
  patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch.
  Update commit log to prevent patch and quilt from thinking it should apply the
  example hunks and fail.
- commit 78fab3f

- NFS: Handle missing attributes in OPEN reply (bsc#1203740).
- commit 75c0f21

- NFSv4.x: Fail client initialisation if state manager thread
  can't run (git-fixes).
- SUNRPC: Fix missing release socket in rpc_sockname()
  (git-fixes).
- xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
  (git-fixes).
- NFS: Fix an Oops in nfs_d_automount() (git-fixes).
- NFSv4: Fix a deadlock between nfs4_open_recover_helper()
  and delegreturn (git-fixes).
- NFSv4.2: Fix initialisation of struct nfs4_label (git-fixes).
- NFSv4.2: Fix a memory stomp in decode_attr_security_label
  (git-fixes).
- NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
  (git-fixes).
- SUNRPC: Don't leak netobj memory when gss_read_proxy_verf()
  fails (git-fixes).
- nfsd: don't call nfsd_file_put from client states seqfile
  display (git-fixes).
- nfs4: Fix kmemleak when allocate slot failed (git-fixes).
- NFSv4.2: Fixup CLONE dest file size for zero-length count
  (git-fixes).
- NFSv4: Retry LOCK on OLD_STATEID during delegation return
  (git-fixes).
- NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
  (git-fixes).
- NFSv4.1: Handle RECLAIM_COMPLETE trunking errors (git-fixes).
- NFSv4/pNFS: Always return layout stats on layout return for
  flexfiles (git-fixes).
- NFSD: Return nfserr_serverfault if splice_ok but buf->pages
  have data (git-fixes).
- NFSD: Fix handling of oversized NFSv4 COMPOUND requests
  (git-fixes).
- NFSv4/pnfs: Fix a use-after-free bug in open (git-fixes).
- xprtrdma: treat all calls not a bcall when bc_serv is NULL
  (git-fixes).
- NFSv4: Don't hold the layoutget locks across multiple RPC calls
  (git-fixes).
- SUNRPC: Fix socket waits for write buffer space (git-fixes).
- NFSv4: Protect the state recovery thread against direct reclaim
  (git-fixes).
- NFSv4 expose nfs_parse_server_name function (git-fixes).
- NFSv4 remove zero number of fs_locations entries error check
  (git-fixes).
- NFSv4.1: Fix uninitialised variable in devicenotify (git-fixes).
- nfs: nfs4clinet: check the return value of kstrdup()
  (git-fixes).
- NFSv4 only print the label when its queried (git-fixes).
- NFSD: Keep existing listeners on portlist error (git-fixes).
- lockd: lockd server-side shouldn't set fl_ops (git-fixes).
- rpc: fix gss_svc_init cleanup on failure (git-fixes).
- NFS: nfs_find_open_context() may only select open files
  (git-fixes).
- NFSD: fix error handling in NFSv4.0 callbacks (git-fixes).
- rpc: fix NULL dereference on kmalloc failure (git-fixes).
- fs: nfsd: fix kconfig dependency warning for NFSD_V4
  (git-fixes).
- nfs: we don't support removing system.nfs4_acl (git-fixes).
- nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default (git-fixes).
- SUNRPC: Handle 0 length opaque XDR object data properly
  (git-fixes).
- SUNRPC: Move simple_get_bytes and simple_get_netobj into
  private header (git-fixes).
- pNFS/NFSv4: Try to return invalid layout in
  pnfs_layout_process() (git-fixes).
- NFSv4: Fix a pNFS layout related use-after-free race when
  freeing the inode (git-fixes).
- NFS4: Fix oops when copy_file_range is attempted with NFS4.0
  source (git-fixes).
- SUNRPC: Mitigate cond_resched() in xprt_transmit() (git-fixes).
- SUNRPC: stop printk reading past end of string (git-fixes).
- NFS: Zero-stateid SETATTR should first return delegation
  (git-fixes).
- NFSv4.1 handle ERR_DELAY error reclaiming locking state on
  delegation recall (git-fixes).
- svcrdma: Fix another Receive buffer leak (git-fixes).
- NFS: nfs_xdr_status should record the procedure name
  (git-fixes).
- net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' (git-fixes).
- nfsd: safer handling of corrupted c_type (git-fixes).
- nfsd: Fix svc_xprt refcnt leak when setup callback client failed
  (git-fixes).
- sunrpc: check that domain table is empty at module unload
  (git-fixes).
- svcrdma: Fix backchannel return code (git-fixes).
- SUNRPC: Don't start a timer on an already queued rpc task
  (git-fixes).
- NFS: Fix memory leaks in nfs_pageio_stop_mirroring()
  (git-fixes).
- NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context
  fails (git-fixes).
- NFSv4.2: error out when relink swapfile (git-fixes).
- NFSv4: Fix races between open and dentry revalidation
  (git-fixes).
- sunrpc: Fix potential leaks in sunrpc_cache_unhash()
  (git-fixes).
- nfsd: Clone should commit src file metadata too (git-fixes).
- NFS: Fix memory leaks (git-fixes).
- commit 5b3ba89

- memcg, kmem: further deprecate kmem.limit_in_bytes
  (bsc#1206896).
- commit c8d19aa

- blacklist.conf: blacklist 6fcbcec9cfc7
- commit de669f1

- arm64: cpu_errata: Add Hisilicon TSV110 to spectre-v2 safe list (git-fixes)
- commit b310aa7

- blacklist.conf: ("arm64: dts: ls1028a: fix typo in TMU calibration data")
- commit 716a28c

- blacklist.conf: ("arm64: Validate tagged addresses in access_ok() called from kernel")
- commit 9dd7e12

- blacklist.conf: ("arm64: insn: consistently handle exit text")
- commit f816334

- blacklist.conf: blacklist 5c099c4fd
- commit 5b0fa49

- blacklist.conf: blacklist c3497fd009ef
- commit 359f3b8

- blacklist.conf: blacklist c915fb80eaa
- commit 02b35f9

- ext4: avoid BUG_ON when creating xattrs (bsc#1205496).
- commit b1bfe2a

- ext4: fix uninititialized value in 'ext4_evict_inode'
  (bsc#1206893).
- commit ff976a4

- ext4: fix corruption when online resizing a 1K bigalloc fs
  (bsc#1206891).
- commit 140cef5

- ext4: fix undefined behavior in bit shift for
  ext4_check_flag_values (bsc#1206890).
- commit 0696f69

- ext4: silence the warning when evicting inode with
  dioread_nolock (bsc#1206889).
- commit 8d66379

- ext4: fix use-after-free in ext4_ext_shift_extents
  (bsc#1206888).
- commit 027bd53

- ext4: fix warning in 'ext4_da_release_space' (bsc#1206887).
- commit 5134642

- ext4: fix BUG_ON() when directory entry has invalid rec_len
  (bsc#1206886).
- commit 7d14bba

- Update tags in
  patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch.
- commit b651ac6

- ext4: make ext4_lazyinit_thread freezable (bsc#1206885).
- commit f8a1109

- ext4: fix null-ptr-deref in ext4_write_info (bsc#1206884).
- commit 100f2b7

- ext4: avoid crash when inline data creation follows DIO write
  (bsc#1206883).
- commit 05e8ed4

- ext4: continue to expand file system when the target size
  doesn't reach (bsc#1206882).
- commit 1b01bae

- ext4: fix bug in extents parsing when eh_entries == 0 and
  eh_depth > 0 (bsc#1206881).
- commit f1f3d4f

- blacklist.conf: blacklist 613c5a85898d
- commit 48dfb5e

- ext4: avoid resizing to a partial cluster size (bsc#1206880).
- commit f96243f

- blacklist.conf: blacklist b24e77ef1c6d
- commit 7ecc9d3

- ext4: correct the misjudgment in ext4_iget_extra_inode
  (bsc#1206878).
- commit b931654

- ext4: correct max_inline_xattr_value_size computing
  (bsc#1206878).
- commit fde0a78

- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878).
- commit a4c76a4

- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
  (bsc#1206878).
- commit ecac58a

- ext4: fix extent status tree race in writeback error recovery
  path (bsc#1206877).
- commit 35c3734

- ext4: update s_overhead_clusters in the superblock during an
  on-line resize (bsc#1206876).
- commit 4ca9666

- ext4: correct the error path of ext4_write_inline_data_end()
  (bsc#1206875).
- commit 9ad9468

- blacklist.conf: blacklist 5dccdc5a1916
- commit 8417a93

- blacklist.conf: blacklist efc61345274d
- commit 8078536

- blacklist.conf: blacklist 5a3b590d4b2d
- commit 5590cb0

- ext4: Detect already used quota file early (bsc#1206873).
- commit 0136eeb

- blacklist.conf: Blacklist 0f5bde1db174
- commit 66ece1b

- blacklist.conf: blacklist f25391ebb475
- commit b3ab927

- ext4: avoid race conditions when remounting with options that
  change dax (bsc#1206860).
  Refresh patches.suse/ext4-dont-warn-when-enabling-DAX.patch
- commit 89b7d84

- blacklist.conf: Add ppc ddw fix only applicable to 5.15
- commit ce185e4

- ext4: convert BUG_ON's to WARN_ON's in mballoc.c (bsc#1206859).
- commit c933ca2

- blacklist.conf: blacklist a17a9d935dc4
- commit 267ec30

- ext4: use matching invalidatepage in ext4_writepage
  (bsc#1206858).
- commit 9adbb3f

- ext4: mark block bitmap corrupted when found instead of BUGON
  (bsc#1206857).
- commit 0b7c7d5

- ext4: fix a data race at inode->i_disksize (bsc#1206855).
- commit 6032d35

- ext4: choose hardlimit when softlimit is larger than hardlimit
  in ext4_statfs_project() (bsc#1206854).
- commit 1fdf2d9

- blacklist.conf: blacklist 4068664e3cd2
- commit 3a30037

- blacklist.conf: Add active memory.high throttling fixups
- d397a45fc741 mm, memcg: fix corruption on 64-bit divisor in memory.high throttling
- e26733e0d0ec mm, memcg: throttle allocators based on ancestral memory.high
- 9b8b17541f13 mm, memcg: do not high throttle allocators based on wraparound
- commit 0508c0b

- sched/psi: Fix sampling error and rare div0 crashes with
  cgroups and high uptime (bsc#1206841).
- commit d518fcd

- scsi: lpfc: Remove linux/msi.h include (jsc#PED-1445).
- scsi: lpfc: Update lpfc version to 14.2.0.9 (jsc#PED-1445).
- scsi: lpfc: Fix crash involving race between FLOGI timeout
  and devloss handler (jsc#PED-1445).
- scsi: lpfc: Fix MI capability display in cmf_info sysfs
  attribute (jsc#PED-1445).
- scsi: lpfc: Correct bandwidth logging during receipt of
  congestion sync WCQE (jsc#PED-1445).
- scsi: lpfc: Fix WQ|CQ|EQ resource check (jsc#PED-1445).
- scsi: lpfc: Use memset_startat() helper (jsc#PED-1445).
- scsi: lpfc: Remove redundant pointer 'lp' (jsc#PED-1445).
- string.h: Introduce memset_startat() for wiping trailing
  members and padding (jsc#PED-1445).
- commit 76decfc

- scsi: qla2xxx: Fix crash when I/O abort times out (jsc#PED-568).
- scsi: qla2xxx: Initialize vha->unknown_atio_[list, work]
  for NPIV hosts (jsc#PED-568).
- scsi: qla2xxx: Remove duplicate of vha->iocb_work initialization
  (jsc#PED-568).
- scsi: qla2xxx: Remove unused variable 'found_devs'
  (jsc#PED-568).
- scsi: qla2xxx: Fix set-but-not-used variable warnings
  (jsc#PED-568).
- commit b04c714

- blacklist.conf: pSeries and powernv get dt from firmware
- commit 47ec098

- powerpc/pseries/eeh: use correct API for error log size
  (bsc#1065729).
- powerpc/perf: callchain validate kernel stack pointer bounds
  (bsc#1065729).
- powerpc/xive: add missing iounmap() in error path in
  xive_spapr_populate_irq_data() (fate#322438 git-fixes).
- powerpc/pci: Fix get_phb_number() locking (bsc#1065729).
- powerpc/64: Init jump labels before parse_early_param()
  (bsc#1065729).
- commit 3405c6d

- powerpc/pseries: unregister VPA when hot unplugging a CPU
  (bsc#1205695 ltc#200603).
- commit 3d8dab2

- Fix kABI breakage in usb.h: struct usb_device:
  hide new member (bsc#1206664 CVE-2022-4662).
- commit a53ec27

- USB: core: Prevent nested device-reset calls (bsc#1206664
  CVE-2022-4662).
- commit 2d03a85

- drm: mali-dp: potential dereference of null pointer
  (CVE-2022-3115 bsc#1206393).
- commit 9246c67

- wifi: wilc1000: validate pairwise and authentication suite
  offsets (CVE-2022-47520 bsc#1206515).
- commit 10a48d9

- kabi/severities: ignore kABI change for meson driver fix (CVE-2022-3112 bsc#1206399)
- commit cecc04a

- media: meson: vdec: potential dereference of null pointer
  (CVE-2022-3112 bsc#1206399).
- commit 32c7d25

- Bluetooth: L2CAP: Fix use-after-free caused by
  l2cap_reassemble_sdu (CVE-2022-3564 bsc#1206073).
- commit 5495793

- Update patch reference for BT fix (CVE-2022-3564 bsc#1206073)
- commit a5136f0

- udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
  (bsc#1206649).
- commit 81eb278

- udf_get_extendedattr() had no boundary checks (bsc#1206648).
- commit 2ff0ceb

- udf: Fix iocharset=utf8 mount option (bsc#1206647).
- commit 6d30f6e

- udf: Fix NULL pointer dereference in udf_symlink function
  (bsc#1206646).
- commit aa42b50

- udf: fix silent AED tagLocation corruption (bsc#1206645).
- commit a3bf788

- udf: fix the problem that the disc content is not displayed
  (bsc#1206644).
- commit baed6fa

- udf: Limit sparing table size (bsc#1206643).
- commit 10a39e1

- udf: Avoid accessing uninitialized data on failed inode read
  (bsc#1206642).
- commit 8c98e30

- udf: Fix free space reporting for metadata and virtual
  partitions (bsc#1206641).
- commit 0743d18

- quota: Check next/prev free block number after reading from
  quota file (bsc#1206640).
- commit f8fb63e

- blacklist.conf: Blacklist dd5532a4994b
- commit 836bdfa

- blacklist.conf: Blacklist dfc2d2594e4a
- commit dd5297d

- blacklist.conf: Blacklist f4c2d372b89a
- commit fc7d11b

- ext4: iomap that extends beyond EOF should be marked dirty
  (bsc#1206637).
- commit e1b2dad

- blacklist.conf: Blacklist 02f03c4206c1
- commit bb8f69f

- isofs: joliet: Fix iocharset=utf8 mount option (bsc#1206636).
- commit 9374be1

- mm/filemap.c: clear page error before actual read (bsc#1206635).
- commit 5e80ff2

- lib/notifier-error-inject: fix error when writing -errno to
  debugfs file (bsc#1206634).
- commit dea9978

- libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
  (bsc#1206634).
- commit 2504e98

- blacklist.conf: Blacklist 9066e151c379
- commit 966d217

- sbitmap: fix lockup while swapping (bsc#1206602).
- commit 008171d

- struct usbnet: move new members to end (git-fixes).
- commit f647bb2

- net: usb: cdc_ncm: don't spew notifications (git-fixes).
- Refresh
  patches.suse/0002-Add-a-void-suse_kabi_padding-placeholder-to-some-USB.patch.
- commit 6bb9cb6

- blacklist.conf: ("arm64: dts: armada-3720-turris-mox: add firmware node")
- commit 77ea716

- arm64: dts: marvell: Add AP806-dual missing CPU clocks (git-fixes)
- commit 954a96f

- blacklist.conf: ("crypto: arm64/aes-neonbs - add return value of skcipher_walk_done()")
- commit 8dcdb26

- arm64: tegra: Fix 'active-low' warning for Jetson Xavier regulator (git-fixes)
- commit c3c7089

- arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() (git-fixes).
- commit ae4388c

- net: usb: qmi_wwan: add u-blox 0x1342 composition (git-fixes).
- commit 47e48bc

- rtc: pcf85063: Fix reading alarm (git-fixes).
- commit 3b1fc33

- efi: Add iMac Pro 2017 to uefi skip cert quirk (git-fixes).
- commit 1dc7c8f
containerd
- Update to containerd v1.7.8. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.8> bsc#1200528
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.7. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
  + 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323

- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

- Update to containerd v1.6.21 for Docker v23.0.6-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.21> bsc#1211578
- Require a minimum Go version explicitly rather than using golang(API).
  Fixes the change for bsc#1210298.

[ This was only released in SLE. ]
- unversion to golang requires to always use the current default go.
  (bsc#1210298)

- Update to containerd v1.6.20 for Docker v23.0.4-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.20>

- Update to containerd v1.6.19 for Docker v23.0.2-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.19>
  Includes fixes for:
  - CVE-2023-25153 bsc#1208423
  - CVE-2023-25173 bsc#1208426

- Re-build containerd to use updated golang-packaging. jsc#1342

- Update to containerd v1.6.16 for Docker v23.0.1-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.16>

- Update to containerd v1.6.12 to fix CVE-2022-23471 bsc#1206235. Upstream
  release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.12>

- Update to containerd v1.6.11. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.11>

- Update to containerd v1.6.9 for Docker v20.10.21-ce. Also includes a fix for
  CVE-2022-27191. boo#1206065 bsc#1197284 Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.9>

- add devel subpackage, which is needed by open-vm-tools
corosync
Deleted:
  bsc#1189680-cancel_hold_on_retransmit-option.patch
  bsc#1192467_dont-block-local-socket-pair.patch
  bug-1163460-totemip-Add-support-for-sin6_scope_id.patch
  bug-1166899-quorumtool-Fix-exit-status-codes.patch
- Update to version 2.4.6:
  * totemsrp: More informative messages
  * icmap: fix the icmap_get_*_r functions
  * stats: Add basic schedule-miss stats to needle
  * icmap: icmap_init_r() leaks if trie_create() fails
  * test: Fix cpgtest
  * pkgconfig: Add libqb dependency
  * man: votequorum.5: use proper single quotes
  * cpg: Change downlist log level
  * totem: Increase ring_id seq after load
  * totempg: Check sanity (length) of received message
  * totemsrp: Reduce MTU to left room second mcast
  * qnetd: Rename qnetd-log.c to log.c
  * qnetd: Fix double -d description
  * qnetd: Check log initialization error
  * qnetd: Add function to set log target
  * qdevice: Use log instead of libqb log
  * qdevice: Import log instead of qdevice-log
  * qdevice: Merge msg_decode_error functions
  * qnetd: Use log-common for nodelist debug dump
  * qdevice: Configurable log priority bump
  * tests: Add utils_parse_bool_str test
  * qdevice: Free memory used by log
  * qdevice: Add log test
  * qdevice: Add header files to list of test sources
  * qdevice: Add chk variant of vsyslog to test-log
  * qdevice: Add prototype of __vsyslog_chk
  * votequorum: Ignore the icmap_get_* return value
  * logconfig: Remove double free of value
  * cmap: Assert copied string length
  * sync: Assert sync_callbacks.name length
  * votequorum: Assert copied strings length
  * cpghum: Remove unused time variables and functions
  * cfgtool: Remove unused callbacks
  * cmapctl: Free bin_value on error
  * quorumtool: Assert copied string length
  * votequorum: Reflect runtime change of 2Node to WFA
  * main: Add schedmiss timestamp into message
  * votequorum: Change check of expected_votes
  * quorumtool: Fix exit status codes
  * quorumtool: exit on invalid expected votes
  * votequorum: set wfa status only on startup
  * Revert "totemip: Add support for sin6_scope_id"
  * Revert "totemip: compare sin6_scope_id and interface_num"
  * main: Make schedmiss in cmap and log equal
  * totemip: Add support for sin6_scope_id
  * qnetd: Do not call ffsplit_do on shutdown
  * qdevice: Fix connect heuristics result callback
  * qdevice: Fix connect heuristics result callback
  * qdevice: Log adds newline automatically
  * qnetd: Fix dpd timer
  * qnetd: Add support for keep active partition vote
  * common_lib: Remove trailing spaces in cs_strerror
  * totemsrp: Move token received callback
  * tests: Use CS_DISPATCH_BLOCKING instead of cycle
  * qnetd: Fix NULL dereference of client
  * qnetd: Simplify KAP Tie-breaker logic
  * totem: Add cancel_hold_on_retransmit config option
  * logsys: Unlock config mutex on error
  * totemsrp: Switch totempg buffers at the right time
  * totemudpu: Don't block local socketpair
  * configure.ac: fix pkgconfig issue of rdma
  * totemip: Add support for sin6_scope_id
  * totemip: compare sin6_scope_id and interface_num
  * qdevice: Change log level to NOTICE on PASS
  * cfgtool: output error messages to stderr
  * tools: use util_strtonum for options checking
  * cmapctl: return EXIT_FAILURE on failure
  * quorumtool: Help shouldn't require running service
  * quorumtool: strict check for -o option
  * cmapctl: check NULL for key type and value for -p
  * man: adjust description about interface section
  * qnetd: sort by node_id when add new client
  * man: replace votequorum_poll for actually used fn
crmsh
- Update to version 4.3.1+20230424.76f78edb:
  * Fix: help: Long time to load and parse crm.8.adoc (bsc#1210198)

- Update to version 4.3.1+20221230.4c344416:
  * Fix: report: Catch read exception (bsc#1206606)

- Update to version 4.3.1+20221205.3e7b59aa:
  * Fix: pacemaker: As a workaroud, use getchildren instead of xpath to avoid segfault (bsc#1204565)
  * Fix: qdevice: Adjust SBD_WATCHDOG_TIMEOUT when configuring qdevice not using stage (bsc#1205727)
  * Fix: bootstrap: Use crmsh.parallax instead of parallax module directly (bsc#1202006)
  * Dev: bootstrap: Don't sync csync2 when peer node's csync2 service not ready
cryptsetup
- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
  * Check for physical memory available also in PBKDF benchmark.
  * Try to avoid OOM killer on low-memory systems without swap.
  * Use only half of detected free memory on systems without swap.
  * Add patches:
  - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
  - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
  - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
samba
- CVE-2023-4091: samba: Client can truncate file with read-only
  permissions; (bsc#1215904); (bso#15439).
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
  allows blocking sleep on request; (bso#1215905); (bso#15474).
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
  "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
  (bsc#1215908); (bso#15424).

- Move libcluster-samba4.so from samba-libs to samba-client-libs;
  (bsc#1213940);

- secure channel faulty since Windows 10/11 update 07/2023;
  (bso#15418); (bsc#1213384).

- CVE-2022-2127: lm_resp_len not checked properly in
  winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
  Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
  Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
- CVE-2023-34968: Spotlight server-side Share Path Disclosure;
  (bso#15388); (bsc#1213171).

- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
  in cleartext; (bso#15315); (bsc#1209481).
- CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be
  deleted by unprivileged authenticated users; (bso#15276);
  (bsc#1209483).
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can
  be discovered; (bso#15270); (bsc#1209485).

- Prevent use after free of messaging_ctdb_fde_ev structs;
  (bso#15293); (bsc#1207416).

- CVE-2022-38023 Additional patches for the PDC role's netlogon
  server; (bso#15240); (bsc#1206504);

- CVE-2021-20251: samba: Bad password count not incremented
  atomically; (bso#14611); (bsc#1206546).

- Update to 4.15.13
  * CVE-2022-37966 rc4-hmac Kerberos session keys issued to
    modern servers; (bso#15237); (bsc#1205385);
  * CVE-2022-37967 Kerberos constrained delegation ticket forgery
    possible against Samba AD DC; (bso#15231); (bsc#1205386);
  * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
    and should be avoided; (bso#15240); (bsc#1206504);
  * filter-subunit is inefficient with large numbers of
    knownfails; (bso#15258);
  * The KDC logic arround msDs-supportedEncryptionTypes differs
    from Windows; (bso#13135);
  * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
    (bso#15197);
- Remove the systemd drop-in file for named service to allow
  read/write access to the DLZ directory as bind is not using
  systemd filesystem namespaces but bind-chrootenv; (bsc#1205946);

- Install a systemd drop-in file for named service to allow
  read/write access to the DLZ directory; (bsc#1201689);

- Update to 4.15.12
  * CVE-2022-42898: samba: heimdal: Samba buffer overflow
    vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126).
- Update to 4.15.11
  * Allow rebuild of Centos 8 images after move to vault for
    Samba 4.15; (bso#15193).
  * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3();
    (bso#15134); (bsc#1204254)

- Update to 4.15.10
  * Possible use after free of connection_struct when iterating
    smbd_server_connection->connections; (bso#15128);
    (bsc#1200102).
  * smbXsrv_connection_shutdown_send result leaked; (bso#15174).
  * Spotlight RPC service returns wrong response when Spotlight
    is disabled on a share; (bso#15086).
  * acl_xattr VFS module may unintentionally use filesystem
    permissions instead of ACL from xattr; (bso#15126).
  * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1;
    (bso#15153).
  * assert failed: !is_named_stream(smb_fname)") at
    ../../lib/util/fault.c:197; (bso#15161).
  * Missing READ_LEASE break could cause data corruption;
    (bso#15148).
  * rpcclient can crash using setuserinfo(2); (bso#15124).
  * Samba fails to build with glibc 2.36 caused by including
    <sys/mount.h> in libreplace; (bso#15132).
  * SMB1 negotiation can fail to handle connection errors;
    (bso#15152).
  * samba-tool domain join segfault when joining a samba ad
    domain; (bso#15078).
- Update to 4.15.9
  * CVE-2022-32742:SMB1 code does not correct verify SMB1write,
    SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
    (bsc#1201496).
  * CVE-2022-32746: samba: Use-after-free occurring in database
    audit logging; (bso#15009); (bso#15096); (bsc#1201490).
  * CVE-2022-2031: samba, ldb: AD users can bypass certain
    restrictions associated with changing passwords; (bso#15047);
    (bsc#1201495);
  * CVE-2022-32745: samba: ldb: AD users can crash the server
    process with an LDAP add or modify request; (bso#15008);
    (bso#15096); (bsc#1201492).
  * CVE-2022-2031: samba, ldb: AD users can bypass certain
    restrictions associated with changing passwords; (bso#15047);
    (bsc#1201495);
  * CVE-2022-32744: samba, ldb: AD users can forge password change
    requests for any user; (bso#15074); (bso#15047); (bsc#1201493).

- CVE-2022-1615: Do not ignore errors in random number generation;
  (bso#15103); (bsc#1202976);
- CVE-2022-32743: Implement validated dnsHostName write rights;
  (bso#14833); (bsc#1202803);

- Fix Use after free when iterating
  smbd_server_connection->connections after tree disconnect
  failure; (bso#15128); (bsc#1200102).
cups
- cups-2.2.7-CVE-2023-4504.patch fixes CVE-2023-4504
  "CUPS PostScript Parsing Heap Overflow"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
  bsc#1215204

- cups-2.2.7-CVE-2023-32360.patch fixes CVE-2023-32360
  "Information leak through Cups-Get-Document operation"
  by requiring authentication for CUPS-Get-Document in cupsd.conf
  https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
  bsc#1214254
- cups-2.2.7-additional_policies.patch is an updated version
  of cups-2.0.3-additional_policies.patch that replaces it
  to add the 'allowallforanybody' policy to cupsd.conf
  after cups-2.2.7-CVE-2023-32360.patch was applied

- cups-2.2.7-CVE-2023-34241.patch fixes CVE-2023-34241
  "use-after-free in cupsdAcceptClient()"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
  bsc#1212230

- cups-2.2.7-CVE-2023-32324.patch fixes CVE-2023-32324
  "Heap buffer overflow in cupsd"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
  bsc#1211643

- 0001-cups-dests.c-cupsGetNamedDest-set-IPP_STATUS_ERROR_N.patch
  improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error
  that fixes bsc#1191467, bsc#1198932:
  "lpr reports 'No such file or directory' for missing catalogue files"
  "/usr/bin/lpr: No such file or directory"
- after-network_target-sssd_service.patch
  is derived from https://github.com/apple/cups/issues/5550 with its
  https://github.com/apple/cups/commit/aaebca5660fdd7f7b6f30461f0788d91ef6e2fee
  and SUSE PTF:24471 cups.SUSE_SLE-15_Update cups-2.2.7-wait-for-network.patch
  to add "After=network.target sssd.service" to the systemd unit
  source files cupsd.service.in and cups.cups-lpdAT.service.in
  to fix bsc#1201234, bsc#1200321:
  "Missing network dependency in systemd unit for cups-2.2.7"
  "CUPS may not always start if sssd is in use"

- cups-branch-2.2-commit-876fdc1c90a885a58644c8757bc1283c9fd5bcb7.diff
  is https://github.com/OpenPrinting/cups/commit/876fdc1c90a885a58644c8757bc1283c9fd5bcb7
  which belongs to https://github.com/OpenPrinting/cups/issues/308
  that fixes bsc#1191525, bsc#1203446:
  "Print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable)"
  "/usr/bin/lpr: Error - The printer or class does not exist."
curl
- Security fixes:
  * [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
  * Add patches:
  - curl-http-lowercase-headernames-for-HTTP-2-and-HTTP-3.patch
  - curl-CVE-2023-46218.patch

- Security fix: [bsc#1215889, CVE-2023-38546]
  * Cookie injection with none file
  * Add curl-CVE-2023-38546.patch

- Security fixes:
  * [bsc#1211231, CVE-2023-28320] siglongjmp race condition
  - Add curl-CVE-2023-28320.patch
  * [bsc#1211232, CVE-2023-28321] IDN wildcard matching
  - Add curl-CVE-2023-28321.patch [bsc#1211339]
  * [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
  - Add curl-CVE-2023-28322.patch

- Security fixes:
  * [bsc#1209209, CVE-2023-27533] TELNET option IAC injection
    Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch
  * [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy
    Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch
  * [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse
    Add curl-CVE-2023-27535.patch
  * [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use
    Add curl-CVE-2023-27536.patch
  * [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still
    Add curl-CVE-2023-27538.patch

- Security Fix: [bsc#1207992, CVE-2023-23916]
  * HTTP multi-header compression denial of service
  * Add curl-CVE-2023-23916.patch

- Security Fix: [bsc#1206309, CVE-2022-43552]
  * HTTP Proxy deny use-after-free
  * Add curl-CVE-2022-43552.patch
dbus-1
- Sometimes unprivileged users were able to crash dbus-daemon
  (CVE-2023-34969, bsc#1212126)
  * fix-upstream-CVE-2023-34969.patch
lvm2
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
  + bug-1214071-blkdeactivate_calls_wrong_mountpoint.patch

- killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216)
  - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch

- dracut-initqueue timeouts with 5.3.18-150300.59.63 kernel on ppc64le (bsc#1199074)
  - in lvm2.spec, change device_mapper_version from 1.02.163 to %{lvm2_version}_1.02.163

- lvm2.spec %post deletes libdevmapper and triggers kernel panic (bsc#1198523)
  - change %post behaviour, only do deleting job for non-link folder
dhcp
- bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch:
  An option refcount overflow exists in dhcpd
- bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch:
  DHCP memory leak
dmidecode
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
  which would prevent root from using the --from-dump option since
  the latest security fixes (bsc#1210418).

Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
  Clean up function dmi_table so that it does only one thing
  (bsc#1210418).
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
  - -dump-bin is used, write the whole dump file at once, instead of
  opening and closing the file separately for the table and then
  for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
  Make sure that the file passed to option --dump-bin does not
  already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
  check on the type of the mem device file we are asked to read
  from, if we are root (bsc#1210418).
  3 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
  the SMBIOS entry point is long enough to include all the fields
  we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
  tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
  name of DMI record type 33 even if we can't decode it.
docker
- update to Docker 24.0.5-ce. See upstream changelong online at
  <https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229

- Update to Docker 24.0.4-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/24.0/#2404>. bsc#1213500

- Update to Docker 24.0.3-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/24.0/#2403>. bsc#1213120
- Rebase patches:
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Recommend docker-rootless-extras instead of Require(ing) it, given
  it's an additional functionality and not inherently required for
  docker to function.

- Add docker-rootless-extras subpackage
  (https://docs.docker.com/engine/security/rootless)

- Update to Docker 24.0.2-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/24.0/#2402>. bsc#1212368
  * Includes the upstreamed fix for the mount table pollution issue.
    bsc#1210797
- Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as
  being provided by this package.
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Update to Docker 23.0.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/23.0/#2306>. bsc#1211578
- Rebase patches:
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Re-unify packaging for SLE-12 and SLE-15.
- Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers
  (the uapi headers in SLE-12 are too old).
  + 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- Re-numbered patches:
  - 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`

- Update to Docker 23.0.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/23.0/#2305>.
- Rebase patches:
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Update to Docker 23.0.4-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
- Fixes:
  * bsc#1214107 - CVE-2023-28840
  * bsc#1214108 - CVE-2023-28841
  * bsc#1214109 - CVE-2023-28842
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
  - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
  - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
  built without internet access in OBS.
  + cli-0001-docs-include-required-tools-in-source-tree.patch

- update to 20.10.23-ce.
  * see upstream changelog at https://docs.docker.com/engine/release-notes/#201023
- drop kubic flavor as kubic is EOL. this removes:
  kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch

- Update to Docker 20.10.21-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
  bsc#1205375 CVE-2022-36109
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
  * 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in
  preparation for removing the feature). This feature was never meant to be
  used by users directly (and is only available in the -kubic/CaaSP version of
  the package anyway) and thus should not affect any users.

- Fix wrong After: in docker.service, fixes bsc#1188447

- Add apparmor-parser as a Recommends to make sure that most users will end up
  with it installed even if they are primarily running SELinux.

- Fix syntax of boolean dependency

- Allow to install container-selinux instead of apparmor-parser.

- Change to using systemd-sysusers
dracut
- Update to version 049.1+suse.257.gf94c3fd1:
  * fix(udev-rules): Correct network device naming (bsc#1192986)

- Update to version 049.1+suse.255.g19bd61fd:
  * fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081)

- Update to version 049.1+suse.253.g1008bf13:
  * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)

- Update to version 049.1+suse.251.g0b8dad5:
  * fix(dracut.sh): omission is an addition to other omissions in conf files (bsc#1208929)
  * fix(nfs): chown using rpc default group (bsc#1204929)

- Update to version 049.1+suse.247.gfb7df05c:
  * fix(systemd): add missing modprobe@.service (bsc#1203749)
  * fix(i18n): do not fail if FONT in /etc/vconsole.conf has the file extension (bsc#1203267)
  * fix(drm): consider also drm_dev_register when looking for gpu driver (bsc#1195618)
  * fix(integrity): do not display any error if there is no IMA certificate (bsc#1187654)
elfutils
- 0001-libelf-Fixup-SHF_COMPRESSED-sh_addralign-in-elf_upda.patch:
  make debuginfo extraction from go1.19 built binaries work again.
  (bsc#1203599)
firewalld
- Fix firewalld does not longer understand IPv4 network masks
  of type `255.255.255.0`
  Added following patch (boo#1212974)
  [+ 0004-fix_rich_source_address_with_netmask.patch]

- Fix firewall-offline-cmd fails with ERROR: Calling pre func
  Added following patch (bsc#1206928)
  [+ 0003-firewall-offline-cmd-fail-fix.patch]
fonts-config
- get the homedir from getpwuid when no $ENV{"HOME"} set
- added patches
  fix bsc#1210700
  + fonts-config-homedir-getpwuid.patch
gawk
- format-tree-positional-arg.patch: Validate index into argument list
  (CVE-2023-4156, bsc#1214025)
glib2
- Update glib2-fix-normal-form-handling-in-gvariant.patch:
  Backported from upstream to fix regression on s390x.
  (bsc#1210135, glgo#GNOME/glib!2978)

- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
  from upstream to fix normal form handling in GVariant.
  (CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
  glgo#GNOME/glib!3125)
glibc
- dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to
  page size (bsc#1215891, BZ #28676)

- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
  continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)

- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

- nscd-netlink-cache-invalidation.patch: nscd: Fix netlink cache
  invalidation if epoll is used (bsc#1212910, BZ #29415)

- nss-files-hosts-v4mapped.patch: Restore lookup of IPv4 mapped addresses
  in files database (bsc#1212819, BZ #25457)

- remove-excessive-p-align-check.patch: elf: Remove excessive p_align
  check on PT_LOAD segments (bsc#1211829, BZ #28688)
- segment-align.patch: elf: Properly align PT_LOAD segments (bsc#1211829,
  BZ #28676)
- ld-so-always-use-map-copy.patch: ld.so: Always use MAP_COPY to map the
  first segment (BZ #30452)

- resolv-conf-lock.patch: resolv_conf: release lock on allocation failure
  (bsc#1211828, BZ #30527)

- ulp-prologue-into-asm-functions.patch: Add support for livepatches
  in ASM written functions (bsc#1211726)

- getlogin-no-loginuid.patch: getlogin_r: fix missing fallback if loginuid
  is unset (bsc#1209229, BZ #30235)

- Exclude static archives from preparation for live patching (bnc#1208721)

- amd-cacheinfo.patch: x86: Cache computation for AMD architecture
  (bsc#1207957)

- gmon-hash-table-size.patch: gmon: Fix allocated buffer overflow
  (CVE-2023-0687, bsc#1207975, BZ #29444)

- strncmp-avx2-boundary.patch: Fix avx2 strncmp offset compare condition
  check (bsc#1208358, BZ #25933)

- dlopen-filter-object.patch: elf: Allow dlopen of filter object to work
  (bsc#1207571, BZ #16272)
- powerpc-tst-ucontext.patch: powerpc: Fix unrecognized instruction errors
  with recent GCC
gnutls
- Security Fix: [bsc#1208143, CVE-2023-0361]
  * Bleichenbacher oracle in TLS RSA key exchange
  * Add gnutls-CVE-2023-0361.patch

- Validate input when calling fmemopen() [bsc#1204511]
  * Add gnutls-check-system_priority_buf-input.patch
gpg2
- Suppress error message on trial reading as PEM format when using
  dirmngr to validate broken DER encoded files (bsc#1217212)
  * Add patches:
  - gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch
  - gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch
grub2
- Fix CVE-2023-4692 (bsc#1215935)
- Fix CVE-2023-4693 (bsc#1215936)
  * 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
  * 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
  * 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
  * 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
  * 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
  * 0006-fs-ntfs-Make-code-more-readable.patch
- Bump upstream SBAT generation to 4

- grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563)

- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064)
  (bsc#1209234)
  * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
- Fix installation over serial console ends up in infinite boot loop
  (bsc#1187810) (bsc#1209667) (bsc#1209372)
  * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch

- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in
  btrfs filesystem. (bsc#1209165)
  * grub2-btrfs-05-grub2-mkconfig.patch

- Make grub more robust against storage race condition causing system boot
  failures (bsc#1189036)
  * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch

- Make grub.cfg invariant to efi and legacy platforms (bsc#1205200)
- Removed patch linuxefi
  * grub2-secureboot-provide-linuxefi-config.patch
  * grub2-secureboot-use-linuxefi-on-uefi-in-os-prober.patch
  * grub2-secureboot-use-linuxefi-on-uefi.patch
- Rediff
  * grub2-btrfs-05-grub2-mkconfig.patch
  * grub2-efi-xen-cmdline.patch
  * grub2-s390x-05-grub2-mkconfig.patch
  * grub2-suse-remove-linux-root-param.patch

- Move unsupported zfs modules into 'extras' packages
  (bsc#1205554) (PED-2947)

- Security fixes and hardenings
  * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
  * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
- Fix CVE-2022-2601 (bsc#1205178)
  * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch
  * 0004-font-Remove-grub_font_dup_glyph.patch
  * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch
  * 0006-font-Fix-integer-overflow-in-BMP-index.patch
  * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch
  * 0008-fbutil-Fix-integer-overflow.patch
- Fix CVE-2022-3775 (bsc#1205182)
  * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch
  * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
  * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
  * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
- Bump upstream SBAT generation to 3
hawk2
- Update sass-ansible dependency in the hawk2.spec:
  * Unable to activate sass-rails-5.1.0 (bsc#1208533)

- Update to version 2.6.4+git.1667244108.7a0cffe:
  * Fix detection of partial upgrade (bsc#1196673,bsc#1203367)
  * Improve handling of unmatched paths (bsc#1199258)
  * Set HttpOnly by HAWK_COOKIE_HTTP_ONLY=true (bsc#1198647)
hwinfo
- merge gh#openSUSE/hwinfo#132
- avoid linking problems with libsamba (bsc#1212756)
- 21.85

- merge gh#openSUSE/hwinfo#127
- create xen usb controller device if necessary (bsc#1204294)
- 21.84

- merge gh#openSUSE/hwinfo#115
- improve treatment of NVME devices (bsc#1200975)
- fix compiler warnings
- 21.83
ipmitool
- ipmitool duplicates the timestamp (bsc#1213390)
  A    Fix-time-format-for-sel-list-v.patch
irqbalance
- Last changes log was wrong, this part has been added to SP4
  changes but were missing in SP2/SP3 and are added now (bsc#1208717):
  Fix segfault from previous update (bsc#1206668)
  A Fix-uninitialized-variable.patch

- Fix segfault from previous update (bsc#1206668)
- Fix version - Maintainer forgot to increase version to 1.4.0
  A fix_version_1_4_0
- Add mainline fixes (bnc#1204961):
  The first 2 patches are cleanup patches which should not have any
  functional change, but make life easier to backport the real fix.
  All patches are mainline:
  A    Update-classify.c.patch
  A    irqbalance-properly-check-if-irq-is-banned.patch
  A    remove-unused-path-in-check_for_irq_ban.patch
open-iscsi
- Branched SLE-15-SP3 from Factory. No longer in sync with
  Tumbleweed.
- Backported upstream commit, which sets 'safe_logout' and
  'startup' in iscsid.conf, to address bsc#1207157
- Updated year in SPEC file
issue-generator
- Update to version 1.13
  - SELinux: Do not call agetty --reload [bsc#1186178]

- Update to version 1.12
  - Update manual page
  - Use python3 instead of python 2.x

- Update to version 1.11
  - Don't display issue.d/*.issue files, agetty will do that [bsc#1177891]
  - Ignore /run/issue.d in issue-generator.path, else issue-generator will
    be called too fast too often [bsc#1177865]
  - Ignore *.bak, *~ and *.rpm* files [bsc#1118862]

- Handle the .path unit in scriptlets as well

- Update to version 1.10
  - Display wlan interfaces [bsc#1169070]

- Update to version 1.9
  - Fix path for systemd files

- Update to version 1.8
  - Handle network interface renames
krb5
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
  (CVE-2023-36054);
- Added patches:
  * 0011-Ensure-array-count-consistency-in-kadm5-RPC.patch

- Fix integer overflows in PAC parsing; (CVE-2022-42898);
  (bso#15203), (bsc#1205126).
- Added patches:
  * 0010-Fix-integer-overflows-in-PAC-parsing.patch
resource-agents
- ECO: Maint: Remove ocf_heartbeat_ZFS (jsc#PED-2841)
  Add patch:
    remove-zfs-support.patch

- SAPInstance can break if kill.sap includes unexpected content.
  (bsc#1206100)
  Include upstream patch:
    1825.patch
- ECO: Maint: AWS EFS Support in Filesystem OCF required
  (jsc#PED-2794)
  Include upstream patch:
    0001-Filesystem-Add-support-for-Amazon-EFS-mount-helper.patch

- Pacemaker should provide a dynamic option to specify a logfile
  (jsc#PED-121)
  Add upstream patch:
    1739.patch
libqt5-qtbase
- Add patch from upstream to fix a bug that allows to trigger a
  DoS in the SQL ODBC driver with a specifically crafted string
  (CVE-2023-24607, bsc#1209616):
  * CVE-2023-24607-qtbase-5.15.diff

- Add patch from upstream (backport taken from Qt5PatchCollection)
  to fix certificate validation for TLS which does not always
  consider whether the root of a chain is a configured CA
  certificate (CVE-2023-34410, bsc#1211994):
  * 0001-Ssl-Copy-the-on-demand-cert-loading-bool-from-default-config.patch
- Add patch from upstream to fix a buffer overflow in QDnsLookup
  (CVE-2023-33285, bsc#1211642):
  * CVE-2023-33285-qtbase-5.15.diff
- Add patch from upstream to fix QtNetwork to parse the
  strict-transport-security (HSTS) header case-insensitively
  (CVE-2023-32762, QTBUG-113392, bsc#1211797):
  * 0001-Hsts-match-header-names-case-insensitively.patch
- Add rebased patch from upstream to fix infinite loops in
  QXmlStreamReader and raise error on unexpected tokens
  which is a new behaviour (CVE-2023-38197, QTBUG-92113,
  QTBUG-95188, bsc#1213326):
  * 0001-QXmlStreamReader-Raise-error-on-unexpected-tokens.patch

- Add rebased patch from upstream to fix an overflow in QTextLayout
  (CVE-2023-32763, QTBUG-113337, bsc#1211798):
  * 0001-Fix-specific-overflow-in-qtextlayout-CVE-2023-32763.patch
- Remove wrong comment about patch not being merged yet (it was)
  and add links to the patch comment for reference:
  * 0001-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch
libqt5-qtsvg
- Add patch from upsteam to fix a missing variable initialization
  of QSvgFont's m_unitsPerEm and remove two unused variable in
  that private class (CVE-2023-32573, bsc#1211298):
  * 0001-QSvgFont-Initialize-used-member-remove-unused.patch

- Add patch from upstream to fix an out-of-bounds write that may
  lead to a DoS (bsc#1196654, CVE-2021-45930, QTBUG-96044):
  * 0001-Do-stricter-error-checking-when-parsing-path-nodes.patch
libX11
- U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
  U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
  U_0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
  U_0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
  U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
  * CVE-2023-43785 libX11: out-of-bounds memory access in
    _XkbReadKeySyms() (boo#1215683)
  * CVE-2023-43786 libX11: stack exhaustion from infinite recursion
  in PutSubImage() (boo#1215684)
  * CVE-2023-43787 libX11: integer overflow in XCreateImage()
    leading to a heap overflow (boo#1215685)

- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
  * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)

- U_Don-t-try-to-destroy-NULL-condition-variables.patch
  * fixes regression introduced with security update for
    CVE-2022-3555 (bsc#1204425, bsc#1208881)

- U_fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch
  * security update for CVE-2022-3554 (bsc#1204422)
- U_Fix-two-memory-leaks-in-_XFreeX11XCBStructure.patch
  * security update for CVE-2022-3555 (bsc#1204425)
libXpm
- U_0000-test-Add-unit-tests-using-glib-framework.patch
  U_0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
  U_0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch
  U_0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
  * fixes CVE-2023-43788 libXpm: out of bounds read in
    XpmCreateXpmImageFromBuffer() (boo#1215686)
  * fixes CVE-2023-43789 libXpm: out of bounds read on XPM with
    corrupted colormap (boo#1215687)
- U_0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
  U_0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
  U_0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
  U_0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
  * avoids to trigger CVE-2023-43786,CVE-2023-43787 (boo#1215684,
    boo#1215685); see changelog in libX11 update ...

- U_regression2-bug1207029_1207030_1207031.patch
  * second regression fix: Use gzip -d instead of gunzip

- U_regression-bug1207029_1207030_1207031.patch
  * regression fix for above patches

- U_0000-Update-README-for-gitlab-migration.patch
  * needed by U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
- U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
  * needed by U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
- U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
  * libXpm: Infinite loop on unclosed comments (CVE-2022-46285,
    bsc#1207029)
- U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
  * libXpm: Runaway loop on width of 0 and enormous height
    (CVE-2022-44617, bsc#1207030)
- U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
  * libXpm: compression commands depend on $PATH (CVE-2022-4883,
    bsc#1207031)
avahi
- Add avahi-CVE-2023-1981.patch: emit error if requested service
  is not found (boo#1210328 CVE-2023-1981).

- Add avahi-bsc1163683.patch: do not cache responses generated
  locally (bsc#1163683).
util-linux
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9

- Fix tests not passing when '@' character is in build path:
  Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
- Add util-linux-fix-tests-when-at-symbol-in-path.patch

- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).
- util-linux-uuidd-prevent-root-owning.patch: Use chown --quiet
  to prevent error message if /var/lib/libuuid/clock.txt does not
  exist.

- Fix file conflict during upgrade (boo#1204211).

- libuuid improvements (bsc#1201959, PED-1150):
  * libuuid: Fix range when parsing UUIDs
    (util-linux-libuuid-uuid_parse-overrun.patch).
  * Improve cache handling for short running applications-increment
    the cache size over runtime
    (util-linux-libuuid-improve-cache-handling.patch).
  * Implement continuous clock handling for time based UUIDs
    (util-linux-libuuid-continuous-clock-handling.patch).
  * Check clock value from clock file to provide seamless libuuid
    update (util-linux-libuuid-check-clock-value.patch).
libcap
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup()
  (bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch
c-ares
- Update to version 1.19.1
  Security:
  * CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
    (bsc#1211604)
  * CVE-2023-31147 Moderate. Insufficient randomness in generation
    of DNS query IDs (bsc#1211605)
  * CVE-2023-31130. Moderate. Buffer Underwrite in
    ares_inet_net_pton() (bsc#1211606)
  * CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
    during cross compilation (bsc#1211607)
  Bug fixes:
  * Fix uninitialized memory warning in test
  * ares_getaddrinfo() should allow a port of 0
  * Fix memory leak in ares_send() on error
  * Fix comment style in ares_data.h
  * Fix typo in ares_init_options.3
  * Sync ax_pthread.m4 with upstream
  * Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support

- Update to version 1.19.0
  Security:
  * Low. Stack overflow in ares_set_sortlist() which is used
    during c-ares initialization and typically provided by an
    administrator and not an end user.
    (bsc#1208067, CVE-2022-4904)
  Changes:
  * Add ARES_OPT_HOSTS_FILE similar to ARES_OPT_RESOLVCONF for
    specifying a custom hosts file location.
  Bug fixes:
  * Fix memory leak in reading /etc/hosts when using localhost
    fallback.
  * Fix chain building c-ares when libresolv is already included by
    another project.
  * File lookup should not immediately abort as there may be other
    tries due to search criteria.
  * Asterisks should be allowed in host validation as CNAMEs may
    reference wildcard domains.
  * AutoTools build system referenced bad STDC_HEADERS macro.
  * Even if one address class returns a failure for
    ares_getaddrinfo() we should still return the results we have.
  * Fix ares_getaddrinfo() numerical address resolution with
    AF_UNSPEC
  * Fix tools and help information.
  * Various documentation fixes and cleanups.
  * Add include guards to ares_data.h
  * c-ares could try to exceed maximum number of iovec entries
    supported by system.
  * The RFC6761 6.3 states localhost subdomains must be offline too

- update to 1.18.1. Changes since 1.17.2:
  * Allow '/' as a valid character for a returned name for
    CNAME in-addr.arpa delegation
  * no longer forwards requests for localhost resolution per RFC6761
  * During a domain search, treat ARES_ENODATA as ARES_NXDOMAIN so
    that the search process will continue to the next domain
    in the search.
  * Provide ares_nameser.h as a public interface as needed by NodeJS
  * Add support for URI(Uniform Resource Identifier) records via
    ares_parse_uri_reply()
- disable unit tests for SLE12 since GCC compiler too old to build
  unit tests
- 5c995d5.patch: upstreamed
- disable-live-tests.patch: refreshed

- new upstream website
- drop multibuild - tests do not require static library anymore
- spec file cleanup
- drop sources that were re-added to upstream distibution
  (c-ares-config.cmake.in ares_dns.h libcares.pc.cmake)
libeconf
- Additional info for version 0.5.2:
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078)
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078)

- Update to version 0.5.2:
  * Fixed build for aarch64 and gcc13.
  * Making the output verbose when a test fails.
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function.
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function.
  * Added new feature: econf_set_conf_dirs (const char **dir_postfix_list)
    Sets a list of directory structures (with order) which describes
    the directories in which the files have to be parsed.
    E.G. with the given list: {"/conf.d/", ".d/", "/", NULL} files in following
    directories will be parsed:
    "<default_dirs>/<project_name>.<suffix>.d/"
    "<default_dirs>/<project_name>/conf.d/"
    "<default_dirs>/<project_name>.d/"
    "<default_dirs>/<project_name>/"
    The entry "<default_dirs>/<project_name>.<suffix>.d/" will be added
    automatically.
  * General code cleanup.

- Update to version 0.5.1:
  * Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
    there is a /etc/_example_._suffix_ file. (#175)

- Update to version 0.5.0:
  * API calls econf_read*WithCallback supporting a general (void *)
    argument for user defined data with which the callback function is
    called.
  * Tagged following functions deprecated:
    econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks, econf_reset_security_settings
    Use one of the econf_read*WithCallback functions instead.

- Update to version 0.4.9:
  * libeconf.h: added missing sys/types.h header (#171)
  * new API calls: econf_readFileWithCallback,
    econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172)
  * Checking NULL comment parameter in the parsing functions.

- Update to version 0.4.8+git20221114.7ff7704:
  * Parsing files which are containing keys only (#170)
    All delimiters are allowed now : "", " =", " ", "=". But the
    user should use "" in order to be distinct.
  * /usr/etc/shells.d/<file_name> will not be parsed if
    /etc/shells.d/<file_name> is defined too.
  * Lto build fixed (#168)
  * New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag,
    econf_set_delimiter_tag
  * Checking UID,GroupID, permissions,... of the parsed files (#165)
    New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks
  * Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164)
  * Error handling improved for nums and booleans (#163)

- Update to version 0.4.6+git20220427.3016f4e:
  * econftool:
  * * Parsing error: Reporting file and line nr.
  * * --delimeters=spaces Taking all kind of spaces for delimiter
  * libeconf:
    Fixed bsc#1198165: Parsing files correctly which have space characters
    AND none space characters as delimiters.

- Update to version 0.4.5+git20220406.c9658f2:
  * econftool:
  * * New call "syntax" for checking the configuration files only.
    Returns an error string with line number if an error occurs.
  * * New options "--comment" and "--delimeters"
  * * Parsing one file only if needed.
mozilla-nss
- update to NSS 3.90
  * bmo#1623338 - ride along: remove a duplicated doc page
  * bmo#1623338 - remove a reference to IRC
  * bmo#1831983 - clang-format lib/freebl/stubs.c
  * bmo#1831983 - Add a constant time select function
  * bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
  * bmo#1830973 - output early build errors by default
  * bmo#1804505 - Update the technical constraints for KamuSM
  * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
  * bmo#1790763 - Enable default UBSan Checks
  * bmo#1786018 - Add explicit handling of zero length records
  * bmo#1829391 - Tidy up DTLS ACK Error Handling Path
  * bmo#1786018 - Refactor zero length record tests
  * bmo#1829112 - Fix compiler warning via correct assert
  * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
  * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
  * bmo#1784163 - Fix reading raw negative numbers
  * bmo#1748237 - Repairing unreachable code in clang built with gyp
  * bmo#1783647 - Integrate Vale Curve25519
  * bmo#1799468 - Removing unused flags for Hacl*
  * bmo#1748237 - Adding a better error message
  * bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
  * bmo#1782980 - Fall back to the softokn when writing certificate trust
  * bmo#1806010 - FIPS-104-3 requires we restart post programmatically
  * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
  * bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
  * bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
  * bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
  * bmo#1822076 - fix rst warnings in nss doc
  * bmo#1821997 - Fix incorrect pygment style
  * bmo#1821292 - Change GYP directive to apply across platforms
  * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Add nss-fix-bmo1836925.patch to fix build-errors
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages
  into the respective libraries. (bsc#1185116)
- update to NSS 3.89.1
  * bmo#1804505 - Update the technical constraints for KamuSM.
  * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
- update to NSS 3.89
  * bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
  * bmo#1820175 - PR_STATIC_ASSERT is cursed
  * bmo#1767883 - Need to add policy control to keys lengths for signatures
  * bmo#1820175 - Fix unreachable code warning in fuzz builds
  * bmo#1820175 - Fix various compiler warnings in NSS
  * bmo#1820175 - Enable various compiler warnings for clang builds
  * bmo#1815136 - set PORT error after sftk_HMACCmp failure
  * bmo#1767883 - Need to add policy control to keys lengths for signatures
  * bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
  * bmo#1804660 - Make high tag number assertion failure an error
  * bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
    length from 284 to 384
  * bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
  * bmo#1789436 - Fix build failure on Windows
  * bmo#1811337 - migrate Win 2012 tasks to Azure
  * bmo#1810702 - fix title length in doc
  * bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
  * bmo#1570615 - Add presence/absence tests for TLS GREASE
  * bmo#1804688 - Correct addition of GREASE value to ALPN xtn
  * bmo#1789436 - CH extension permutation
  * bmo#1570615 - TLS GREASE (RFC8701)
  * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
  * bmo#1815870 - use a different treeherder symbol for each docker
    image build task
  * bmo#1815868 - pin an older version of the ubuntu:18.04 and
    20.04 docker images
  * bmo#1810702 - remove nested table in rst doc
  * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
  * bmo#1812671 - build failure while implicitly casting SECStatus
    to PRUInt32
- update to NSS 3.88.1
  * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
  * bmo#1815870 - use a different treeherder symbol for each docker
    image build task
  * bmo#1815868 - pin an older version of the ubuntu:18.04 and
    20.04 docker images
  * bmo#1810702 - remove nested table in rst doc
  * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
  * bmo#1812671 - build failure while implicitly casting SECStatus
    to PRUInt32
  * bmo#1212915 - Add check for ClientHello SID max length
  * bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
  * bmo#1790357 - ECH client - Discard resumption TLS < 1.3
    Session(IDs|Tickets) if ECH configs are setup
  * bmo#1714245 - On HRR skip PSK incompatible with negotiated
    ciphersuites hash algorithm
  * bmo#1789410 - ECH client: Send ech_required alert on server
    negotiating TLS 1.2. Fixed misleading Gtest,
    enabled corresponding BoGo test
  * bmo#1771100 - Added Bogo ECH rejection test support
  * bmo#1771100 - Added ECH 0Rtt support to BoGo shim
  * bmo#1747957 - RSA OAEP Wycheproof JSON
  * bmo#1747957 - RSA decrypt Wycheproof JSON
  * bmo#1747957 - ECDSA Wycheproof JSON
  * bmo#1747957 - ECDH Wycheproof JSON
  * bmo#1747957 - PKCS#1v1.5 wycheproof json
  * bmo#1747957 - Use X25519 wycheproof json
  * bmo#1766767 - Move scripts to python3
  * bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
  * bmo#1805907 - Extending RSA-PSS bltest test coverage
    (Adding SHA-256 and SHA-384)
  * bmo#1804091 - NSS needs to move off of DSA for integrity checks
  * bmo#1805815 - Add initial testing with ACVP vector sets using
    acvp-rust
  * bmo#1806369 - Don't clone libFuzzer, rely on clang instead
- update to NSS 3.87
  * bmo#1803226 - NULL password encoding incorrect
  * bmo#1804071 - Fix rng stub signature for fuzzing builds
  * bmo#1803595 - Updating the compiler parsing for build
  * bmo#1749030 - Modification of supported compilers
  * bmo#1774654 - tstclnt crashes when accessing gnutls server
    without a user cert in the database.
  * bmo#1751707 - Add configuration option to enable source-based
    coverage sanitizer
  * bmo#1751705 - Update ECCKiila generated files.
  * bmo#1730353 - Add support for the LoongArch 64-bit architecture
  * bmo#1798823 - add checks for zero-length RSA modulus to avoid
    memory errors and failed assertions later
  * bmo#1798823 - Additional zero-length RSA modulus checks
- Remove nss-fix-bmo1774654.patch which is now upstream
- update to NSS 3.86
  * bmo#1803190 - conscious language removal in NSS
  * bmo#1794506 - Set nssckbi version number to 2.60
  * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
    CKA_NSS_EMAIL_DISTRUST_AFTER for 3
    TrustCor Root Certificates
  * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
  * bmo#1797559 - Remove EC-ACC root cert from NSS
  * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
  * bmo#1794495 - Remove Network Solutions Certificate Authority
  * bmo#1802331 - compress docker image artifact with zstd
  * bmo#1799315 - Migrate nss from AWS to GCP
  * bmo#1800989 - Enable static builds in the CI
  * bmo#1765759 - Removing SAW docker from the NSS build system
  * bmo#1783231 - Initialising variables in the rsa blinding code
  * bmo#320582 - Implementation of the double-signing of the message
    for ECDSA
  * bmo#1783231 - Adding exponent blinding for RSA.
- update to NSS 3.85
  * bmo#1792821 - Modification of the primes.c and dhe-params.c in
    order to have better looking tables
  * bmo#1796815 - Update zlib in NSS to 1.2.13
  * bmo#1796504 - Skip building modutil and shlibsign when building
    in Firefox
  * bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard
  * bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15
  * bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare
    and -Wtype-limits warnings
  * bmo#1796281 - Followup: add missing stdint.h include
  * bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings
  * bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable}
    warnings on Windows
  * bmo#1796079 - Fix -Wstring-conversion warnings
  * bmo#1796075 - Fix -Wempty-body warnings
  * bmo#1795242 - Fix unused-but-set-parameter warning
  * bmo#1795241 - Fix unreachable-code warnings
  * bmo#1795222 - Mark _nss_version_c unused on clang-cl
  * bmo#1795668 - Remove redundant variable definitions in lowhashtest
  * Add note about python executable to build instructions.
- update to NSS 3.84
  * bmo#1791699 - Bump minimum NSPR version to 4.35
  * bmo#1792103 - Add a flag to disable building libnssckbi.
- update to NSS 3.83
  * bmo#1788875 - Remove set-but-unused variables from
    SEC_PKCS12DecoderValidateBags
  * bmo#1563221 - remove older oses that are unused part3/ BeOS
  * bmo#1563221 - remove older unix support in NSS part 3 Irix
  * bmo#1563221 - remove support for older unix in NSS part 2 DGUX
  * bmo#1563221 - remove support for older unix in NSS part 1 OSF
  * bmo#1778413 - Set nssckbi version number to 2.58
  * bmp#1785297 - Add two SECOM root certificates to NSS
  * bmo#1787075 - Add two DigitalSign root certificates to NSS
  * bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS
  * bmo#1771100 - Added bug reference and description to disabled
    UnsolicitedServerNameAck bogo ECH test
  * bmo#1779361 - Removed skipping of ECH on equality of private and
    public server name
  * bmo#1779357 - Added comment and bug reference to
    ECHRandomHRRExtension bogo test
  * bmo#1779370 - Added Bogo shim client HRR test support. Fixed
    overwriting of CHInner.random on HRR
  * bmo#1779234 - Added check for server only sending ECH extension
    with retry configs in EncryptedExtensions and if not
    accepting ECH. Changed config setting behavior to
    skip configs with unsupported mandatory extensions
    instead of failing
  * bmo# 1771100 - Added ECH client support to BoGo shim. Changed
    CHInner creation to skip TLS 1.2 only extensions to
    comply with BoGo
  * bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
    server accept_confirmation bugs
  * bmo#1771100 - Update BoGo tests to recent BoringSSL version
  * bmo#1785846 - Bump minimum NSPR version to 4.34.1
- update to NSS 3.82
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state
  * bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length
  * bmo#1784724 - Initialize local variables in
    TlsConnectTestBase::ConnectAndCheckCipherSuite
  * bmo#1784191 - Cast the result of GetProcAddress
  * bmo#1681099 - pk11wrap: Tighten certificate lookup based on
    PKCS #11 URI.
- update to NSS 3.81
  * bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD
  * bmo#1775359 - make NSS_SecureMemcmp 0/1 valued
  * bmo#1779285 - Add no_application_protocol alert handler and
    test client error code is set
  * bmo#1777672 - Gracefully handle null nickname in
    CERT_GetCertNicknameWithValidity
  * required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not
  sufficient (boo#1202118)
- update to NSS 3.80
  * bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
  * bmo#1617956 - Add support for asynchronous client auth hooks.
  * bmo#1497537 - nss-policy-check: make unknown keyword check optional.
  * bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations
    by allocating it on initialization. Replaced
    redundant code with assert. Debug builds: Added
    buffer freeing/allocation for each record.
  * bmo#1773022 - Mark 3.79 as an ESR release.
  * bmo#1764206 - Bump nssckbi version number for June.
  * bmo#1759815 - Remove Hellenic Academic 2011 Root.
  * bmo#1770267 - Add E-Tugra Roots.
  * bmo#1768970 - Add Certainly Roots.
  * bmo#1764392 - Add DigitCert Roots.
  * bmo#1759794 - Protect SFTKSlot needLogin with slotLock.
  * bmo#1366464 - Compare signature and signatureAlgorithm fields in
    legacy certificate verifier.
  * bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld.
  * bmo#1771495 - Unchecked return code in sec_DecodeSigAlg.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1760998 - Avoid data race on primary password change.
  * bmo#1769063 - Replace ppc64 dcbzl intrinisic.
  * bmo#1771036 - Allow LDFLAGS override in makefile builds.

- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
  fixes to PBKDF2 parameter validation.

- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
  validate extra PBKDF2 parameters according to FIPS 140-3.

- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
  update session->lastOpWasFIPS before destroying the key after
  derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
  CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
  CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
  excess code.

- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).

- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
  checks. Thanks to Martin for the DHKey parts.

- Add manpages to mozilla-nss-tools (bsc#1208242)

- update to NSS 3.79.4 (bsc#1208138)
  * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
    (CVE-2023-0767)

- Add upstream patch nss-fix-bmo1774654.patch to fix CVE-2022-3479
  (bsc#1204272)

- update to NSS 3.79.3 (bsc#1207038)
  * Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
    CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
    (CVE-2022-23491)

- Update nss-fips-approved-crypto-non-ec.patch to disapprove the
  creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)

- Update nss-fips-approved-crypto-non-ec.patch to allow the use SHA
  keygen mechs (bsc#1191546).
- Update nss-fips-constructor-self-tests.patch to ensure abort() is
  called when the repeat integrity check fails (bsc#1198980).
freetype2
- Added patch:
  * CVE-2023-2004.patch
    + fixes bsc#1210419, CVE-2023-2004: Integer overflow
graphite2
- fixed license string [bsc#1207676]:
  LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later
harfbuzz
- Add CVE-2023-25193.patch: limit how far we skip when looking
  back (bsc#1207922 CVE-2023-25193).
libjansson
- Update to 2.14 (boo#1201817):
  * New Features:
    + Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
    corresponding `nocheck` functions.
    + Add jansson_version_str() and jansson_version_cmp() for runtime
    version checking
    + Add json_object_update_new(), json_object_update_existing_new()
    and json_object_update_missing_new() functions
    + Add json_object_update_recursive()
    + Add `json_pack()` format specifiers s*, o* and O* for values
    that can be omitted if null (#339).
    + Add `json_error_code()` to retrieve numeric error codes
    (#365, #380, #381).
    + Enable thread safety for `json_dump()` on all systems.
    Enable thread safe `json_decref()` and `json_incref()` for
    modern compilers (#389).
    + Add `json_sprintf()` and `json_vsprintf()` (#393).
  * Fixes:
    + Handle `sprintf` corner cases.
    + Add infinite loop check in json_deep_copy()
    + Enhance JANSSON_ATTRS macro to support earlier C standard(C89)
    + Update version detection for sphinx-build
    + Fix error message in `json_pack()` for NULL object (#409).
    + Avoid invalid memory read in `json_pack()` (#421).
    + Call va_end after va_copy in `json_vsprintf()` (#427).
    + Improve handling of formats with '?' and '*' in `json_pack()`
    (#438).
    + Remove inappropriate `jsonp_free()` which caused
    segmentation fault in error handling (#444).
    + Fix incorrect report of success from `json_dump_file()` when
    an error is returned by `fclose()` (#359).
    + Make json_equal() const-correct (#344).
    + Fix incomplete stealing of references by `json_pack()` (#374)
- Use GitHub as source URLs: Release hasn't been uploaded to digip.org.
- Add check section.
libksba
- Security fix: [bsc#1206579, CVE-2022-47629]
  * Integer overflow in the CRL signature parser.
  * Add libksba-CVE-2022-47629.patch
openldap2
- bsc#1212260 - crash in libldap when non-ldap data responds
  * 0245-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch

- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
  * 0244-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
ldb
- Remove no longer needed ldb-memory-bug-15096-4.15-ldbonly.patch
- Add cve-2023-0614.patch: Address CVE-2023-0614
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can be
  discovered; (bsc#1209485); (bso#15270);
- Update to version 2.4.4
  + CVE-2022-32746 ldb: db: Use-after-free occurring in
    database audit logging module; (bso#15009); (bsc#1201490).
liblognorm
- Upgrade to liblognorm v2.0.6 (jsc#PED-4883)
  * 2018-11-02: nitfixes: issues deteced by CodeFactor.com
  * 2018-11-01: more cleanup of shell scripting
  * 2018-10-31: cleanup shell scripting
  * 2018-10-26: implement Checkpoint LEA transfer format
  * 2018-10-31: fix mising shebangs in test scripts
  * 2018-10-30: fix some bash style nits
  * 2018-07-15: fix very theoretic misadressing (gcc-8 warning)
  * 2018-06-26: string parser: add "lazy" matching mode
  * 2018-05-30: Update lognormalizer.c
  * 2018-05-30: Update lognormalizer.c to support case fallthrough
  * 2018-05-30: Update README
  * 2018-05-10: Fix for #229 (cisco-interface-spec at end of line)
  * 2018-03-21: Suppress invalid param error for name to fix #270
- Upgrade to liblognorm v2.0.5
  * 2018-04-25: fix potential NULL pointer addressing
  * 2018-04-07: Add test for nested user types
  * 2018-04-07: Fix use after free with nested user types (#235)
  * 2018-04-25: build system: fix gcc warning
  * 2018-04-25: make "make check" "succeed" on solaris 10
  * 2018-04-16: fix build warnings with some newer compilers
  * 2018-04-16: remove dead code
  * 2018-04-16: fix potential memory leaks during config processing
  * 2018-04-16: fix memory leak during config processing
  * 2018-04-16: csv encoder: fix format error when processing arrays
  * 2018-03-29: Explicitly list supported whitespace characters
  * 2018-03-28: "fix" return type of unused dummy function
  - replaces liblognorm-2.0.4-no-return-in-nonvoid-function.patch
  * 2018-03-21: Suppress invalid param error for name to fix #270
  * 2018-03-19: fix header guard
  * 2018-03-06: Correct CLI options in the docs
  * 2018-01-13: AIX port : added compatibility and modified lognormalizer for AIX.
  * 2017-11-29: codestyle: correct line length to 120
  * 2017-11-29: codestyle: set max line length to 120
  * 2017-11-25: fix some very bad line length violations
  * 2017-11-25: travis: temporarily permit longer line length
  * 2017-10-19: make build with gcc7
  * 2017-10-05: es_str2cstr leak in string-to v1 parse
ncurses
- Modify patch ncurses-6.1.dif
  * Secure writing terminfo entries by setfs[gu]id in s[gu]id
    (boo#1210434, CVE-2023-29491)
  * Reading is done since 2000/01/17
nftables
- add 0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch: this
  fixes a crash in nftables if layer2 reject rules are processed (e.g.
  Ethernet MAC address based reject rich rule in firewalld, bsc#1210773).
nghttp2
- security update
- added patches
  fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
  + nghttp2-CVE-2023-44487.patch

- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
  sent, and nghttp2_on_stream_close_callback fails with a fatal error.
  [CVE-2023-35945 bsc#1215713]
  + nghttp2-CVE-2023-35945.patch
openssl-1_1
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch

- Displays "fips" in the version string (bsc#1215215)
  * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch

- Security fix: (bsc#1213853, CVE-2023-3817)
  * Fix excessive time spent checking DH q parameter value
    (bsc#1213853, CVE-2023-3817). The function DH_check() performs
    various checks on DH parameters. After fixing CVE-2023-3446 it
    was discovered that a large q parameter value can also trigger
    an overly long computation during some of these checks. A
    correct q value, if present, cannot be larger than the modulus
    p parameter, thus it is unnecessary to perform these checks if
    q is larger than p. If DH_check() is called with such q parameter
    value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
    computationally intensive checks are skipped.
  * Add openssl-1_1-CVE-2023-3817.patch

- Dont pass zero length input to EVP_Cipher because assembler
  optimized AES cannot handle zero size. [bsc#1213517]
  * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch

- Security fix: [bsc#1213487, CVE-2023-3446]
  * Fix DH_check() excessive time with over sized modulus.
  * The function DH_check() performs various checks on DH parameters.
    One of those checks confirms that the modulus ("p" parameter) is
    not too large. Trying to use a very large modulus is slow and
    OpenSSL will not normally use a modulus which is over 10,000 bits
    in length.
    However the DH_check() function checks numerous aspects of the
    key or parameters that have been supplied. Some of those checks
    use the supplied modulus value even if it has already been found
    to be too large.
    A new limit has been added to DH_check of 32,768 bits. Supplying
    a key/parameters with a modulus over this size will simply cause
    DH_check() to fail.
  * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch

- Security Fix: [bsc#1207534, CVE-2022-4304]
  * Reworked the Fix for the Timing Oracle in RSA Decryption
    The previous fix for this timing side channel turned out to cause
    a severe 2-3x performance regression in the typical use case
    compared to 1.1.1s.
  * Add openssl-CVE-2022-4304.patch
  * Removed patches:
  - openssl-CVE-2022-4304-1of2.patch
  - openssl-CVE-2022-4304-2of2.patch
  * Refreshed openssl-CVE-2023-0286.patch

- Update further expiring certificates that affect tests [bsc#1201627]
  * Add openssl-Update-further-expiring-certificates.patch

- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch

- Security Fix: [CVE-2023-0465, bsc#1209878]
  * Invalid certificate policies in leaf certificates are silently ignored
  * Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
  * Certificate policy check not enabled
  * Add openssl-CVE-2023-0466.patch

- Security Fix: [CVE-2023-0464, bsc#1209624]
  * Excessive Resource Usage Verifying X.509 Policy Constraints
  * Add openssl-CVE-2023-0464.patch

- Security Fix: [bsc#1207533, CVE-2023-0286]
  * Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp
    for x400Address
  * Add openssl-CVE-2023-0286.patch
- Security Fix: [bsc#1207536, CVE-2023-0215]
  * Use-after-free following BIO_new_NDEF()
  * Add patches:
  - openssl-CVE-2023-0215-1of4.patch
  - openssl-CVE-2023-0215-2of4.patch
  - openssl-CVE-2023-0215-3of4.patch
  - openssl-CVE-2023-0215-4of4.patch
- Security Fix: [bsc#1207538, CVE-2022-4450]
  * Double free after calling PEM_read_bio_ex()
  * Add patches:
  - openssl-CVE-2022-4450-1of2.patch
  - openssl-CVE-2022-4450-2of2.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
  * Timing Oracle in RSA Decryption
  * Add patches:
  - openssl-CVE-2022-4304-1of2.patch
  - openssl-CVE-2022-4304-2of2.patch

- FIPS: list only FIPS approved public key algorithms
  [bsc#1121365, bsc#1198472]
  * Add openssl-1_1-fips-list-only-approved-pubkey-algorithms.patch
pacemaker
- controller: update node state correctly based on any existing node cache entry (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
  * bsc#1198767-0006-Fix-controller-update-node-state-correctly-based-on-.patch
- libcrmcluster: internal functions for getting a node cache entry by uuid instead of id (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
  * bsc#1198767-0005-Refactor-libcrmcluster-internal-functions-for-gettin.patch
- libcrmcluster: ability to search for a node cache entry by uuid instead of id (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
  * bsc#1198767-0004-Refactor-libcrmcluster-ability-to-search-for-a-node-.patch
- cts-scheduler: update regression test about not fencing a pending node that doesn't have an uname in node state yet (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
  * bsc#1198767-0003-Test-cts-scheduler-update-regression-test-about-not-.patch
- scheduler: Do not fence a pending node that doesn't have an uname in node state yet (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
  * bsc#1198767-0002-Fix-scheduler-Do-not-fence-a-pending-node-that-doesn.patch
- cts-scheduler: add regression test about a pending node that doesn't have an uname in node state yet (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
  * bsc#1198767-0001-Test-cts-scheduler-add-regression-test-about-a-pendi.patch

- rpm: build with --enable-legacy-links only for suse_version < 1600
- rpm: build with --with-nagios=true only for suse_version < 1600
- agents: create symlink ocf:pacemaker:NodeUtilization only for suse_version < 1600 in favor of ocf:heartbeat:NodeUtilization (bsc#1070347)

- rpm: avoid bare wildcards under shared directories in spec

- fencer: fencing timeout sent to peer takes no delay into account (bsc#1210074)
  * bsc#1210074-0011-Fix-fencer-fencing-timeout-sent-to-peer-takes-no-del.patch
- libpacemaker: initial timeout for fencing callback takes any requested fencing delay into account (bsc#1210074)
  * bsc#1210074-0010-Fix-libpacemaker-initial-timeout-for-fencing-callbac.patch
- controller: use "target" terminology consistently (bsc#1210074)
  * bsc#1210074-0009-Log-controller-use-target-terminology-consistently.patch
- controller: log fencing timeout consistently in seconds as priority fencing delay (bsc#1210074)
  * bsc#1210074-0008-Log-controller-log-fencing-timeout-consistently-in-s.patch
- controller: initial timeout for fencing callback takes any priority fencing delay into account (bsc#1210074)
  * bsc#1210074-0007-Fix-controller-initial-timeout-for-fencing-callback-.patch
- fencer: apply requested fencing delay only for the first device (bsc#1210074)
  * bsc#1210074-0006-Fix-fencer-apply-requested-fencing-delay-only-for-th.patch
- fencer: fencing timeouts take any pcmk_delay_base into account (bsc#1210074)
  * bsc#1210074-0005-Fix-fencer-fencing-timeouts-take-any-pcmk_delay_base.patch
- fencer: add correct values of pcmk_delay_base/max to query rely (bsc#1210074)
  * bsc#1210074-0004-Fix-fencer-add-correct-values-of-pcmk_delay_base-max.patch
- fencer: per-operation fencing timeout takes any requested fencing delay into account (bsc#1210074)
  * bsc#1210074-0003-Fix-fencer-per-operation-fencing-timeout-takes-any-r.patch
- fencer: total fencing timeout takes any requested fencing delay into account (bsc#1210074)
  * bsc#1210074-0002-Fix-fencer-total-fencing-timeout-takes-any-requested.patch
- cts-fencing: regression test for fencing timeouts taking fencing delays into account (bsc#1210074)
  * bsc#1210074-0001-Test-cts-fencing-regression-test-for-fencing-timeout.patch

- cts-fencing: update expected total timeouts
  * 0001-Test-cts-fencing-update-expected-total-timeouts.patch
- fenced: Correctly log the total fencing timeout.
  * 0001-Low-fenced-Correctly-log-the-total-fencing-timeout.patch

- controller: avoid use-after-free when disconnecting proxy IPCs during shutdown (bsc#1209640)
  * bsc#1209640-0001-Fix-controller-avoid-use-after-free-when-disconnecti.patch

- controller: Delay join finalization if a transition is in progress
  * 0001-Fix-controller-Delay-join-finalization-if-a-transiti.patch

- extra/resources/SysInfo.in: This calculation of cpu_load returns an incorrect value in Darwin and Linux
  * 0001-Fix-extra-resources-SysInfo.in-This-calculation-of-c.patch

- tools: avoid memory leaks in crm_mon (bsc#1211678)
  * bsc#1211678-0008-Fix-tools-avoid-memory-leaks-in-crm_mon.patch
- tools: avoid (insignificant) memory leaks (bsc#1211678)
  * bsc#1211678-0007-Low-tools-avoid-insignificant-memory-leaks.patch

- tools: Free --resource=/--node= memory in crm_mon. (bsc#1211678)
  * bsc#1211678-0006-Fix-tools-Free-resource-node-memory-in-crm_mon.patch
- scheduler: Free the result of pe__node_display_name in one place. (bsc#1211678)
  * bsc#1211678-0005-Fix-scheduler-Free-the-result-of-pe__node_display_na.patch
- tools: Free command-line related memory. (bsc#1211678)
  * bsc#1211678-0004-Fix-tools-Free-command-line-related-memory.patch
- libcrmcommon: Don't leak memory in pcmk__cmdline_preproc. (bsc#1211678)
  * bsc#1211678-0003-Fix-libcrmcommon-Don-t-leak-memory-in-pcmk__cmdline_.patch
- libcrmcommon: Free the results in various test cases. (bsc#1211678)
  * bsc#1211678-0002-Fix-libcrmcommon-Free-the-results-in-various-test-ca.patch
- libpe_rules, libcrmcommon: Free the whole xml doc, not just the node. (bsc#1211678)
  * bsc#1211678-0001-Test-libpe_rules-libcrmcommon-Free-the-whole-xml-doc.patch

- Revert "Fix: libpacemaker: ensure any pending recurring monitor gets updated if it fails" (bsc#1206263)
  * Drop obsolete bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch
- tool: update crm_mon synopsis (bsc#1208868)
  * bsc#1208868-0001-Fix-tool-update-crm_mon-synopsis.patch

- libcrmcommon: Don't parse "-INFINITY" as a list of cmdline options (CLBZ#5509)
  * CLBZ#5509-0001-Fix-libcrmcommon-Don-t-parse-INFINITY-as-a-list-of-c.patch
- tools: crm_shadow --commit now works with CIB_file
  * 0001-Fix-tools-crm_shadow-commit-now-works-with-CIB_file.patch

- libcrmcommon: Fix an IPC-related memory leak. (bsc#1208544)
  * bsc#1208544-0001-Low-libcrmcommon-Fix-an-IPC-related-memory-leak.patch

- fencer: Prevent double g_source_remove of op_timer_one (rh#2166967)
  * rh#2166967-0001-Fix-fencer-Prevent-double-g_source_remove-of-op_time.patch

- libpacemaker: avoid assertion failure if a node_state entry doesn't have an uname yet (bsc#1207319)
  * bsc#1207319-0002-Fix-libpacemaker-avoid-assertion-failure-if-a-node_s.patch
- libpacemaker: unify bailing out in pcmk__inject_node() (bsc#1207319)
  * bsc#1207319-0001-Refactor-libpacemaker-unify-bailing-out-in-pcmk__inj.patch

- tools: Fix a segfault in error handling in crm_resource. (clbz#5496, bsc#1206761)
  * bsc#1206761-0001-High-tools-Fix-a-segfault-in-error-handling-in-crm_r.patch

- cts-scheduler: update test for preventing inactive instances from starting if probe is unrunnable on any nodes (bsc#1206263)
  * bsc#1206263-0006-Test-cts-scheduler-update-test-for-preventing-inacti.patch
- scheduler: prevent inactive instances from starting if probe is unrunnable on any nodes (bsc#1206263)
  * bsc#1206263-0005-Fix-scheduler-prevent-inactive-instances-from-starti.patch
- libpacemaker: ensure any pending recurring monitor gets updated if it fails (bsc#1206263)
  * bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch
- cts-scheduler: update test for preventing a leftover pending monitor from causing unexpected stop of other instances (bsc#1206263)
  * bsc#1206263-0003-Test-cts-scheduler-update-test-for-preventing-a-left.patch
- scheduler: prevent a leftover pending monitor from causing unexpected stop of other instances (bsc#1206263)
  * bsc#1206263-0002-Fix-scheduler-prevent-a-leftover-pending-monitor-fro.patch
- cts-scheduler: add test for preventing a leftover pending monitor from causing unexpected stop of other instances (bsc#1206263)
  * bsc#1206263-0001-Test-cts-scheduler-add-test-for-preventing-a-leftove.patch

- tools: fix syntax on resetting options in crm_resource (bsc#1198409)
  * bsc#1198409-0001-Fix-tools-fix-syntax-on-resetting-options-in-crm_res.patch

- controller: log an info instead of a warning for a stonith/shutdown that is unknown to the new DC (bsc#1198715)
  * bsc#1198715-0001-Log-controller-log-an-info-instead-of-a-warning-for-.patch

- controller: record CRM feature set as a transient attribute (bsc#1196673, bsc#1203367, fate#320759)
  * bsc#1196673-0001-Feature-controller-record-CRM-feature-set-as-a-trans.patch
parted
- fix null pointer dereference (bsc#1193412)
  - add: parted-fix-check-diskp-in-do_name.patch
- update mkpart options in manpage (bsc#1182142)
  - add: parted-mkpart-manpage.patch
pciutils
- Apply "lspci-Fixed-buffer-overflows-in-ls-tree.c.patch" to fix a
  buffer overflow error that would cause lspci to crash on systems
  with complex topologies. [bsc#1215265]
- Add "pciutils.keyring" so that the tarball's signature can be
  verified at build time.
- Use "%license" tag instead of "%doc" to install the package's
  license file.
pcre2
- Security fix: [bsc#1213514, CVE-2022-41409]
  * Integer overflow vulnerability in pcre2test before 10.41
    allows attackers to cause a denial of service or other
    unspecified impacts via negative input.
  * Add pcre2-CVE-2022-41409.patch
pixman
- Add pixman-CVE-2022-44638.patch: avoid an integer overflow
  (boo#1205033 CVE-2022-44638).
procps
- Add patch CVE-2023-4016.patch
  * CVE-2023-4016: ps buffer overflow (bsc#1214290)

- Add patch bsc1209122-a6c0795d.patch
  * Fix for bsc#1209122 to allow `-´ as leading character to ignore
    possible errors on systctl entries

- Extend patch procps-3.3.17-library-bsc1181475.patch (bsc#1206412)
- Make sure that correct library version is installed (bsc#1206412)
python3
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)

- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.

- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

- Use python3 modules to build the documentation.

- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
  which eliminates unnecessary and dangerous calls to
  PyThread_exit_thread() (bsc#1203355).

- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

- Add bpo27321-email-no-replace-header.patch to stop
  email.generator.py from replacing a non-existent header
  (bsc#1208443, gh#python/cpython#71508).

- Add bsc1188607-pythreadstate_clear-decref.patch to fix crash in
  the garbage collection (bsc#1188607).

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).

- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix
  CVE-2020-10735 (bsc#1203125) to limit amount of digits
  converting text to int and vice vera (potential for DoS).
  Originally by Victor Stinner of Red Hat.
libqb
- log: fix potential overflow with long log messages (CVE-2023-39976, bsc#1214066)
  * bsc#1214066-fix-potential-overflow-with-long-log-messages.patch
libsodium
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

-  Revert previous change about cpuid as previous change rejected
  in https://build.opensuse.org/request/show/724809
-  Disable LTO as bypass boo#1148184

-  Add libsodium_configure_cpuid_chg.patch and call autoconf
  to regenerate configure script with proper CPUID checking.
  Required at least for PowerPC and ARM now that LTO enabled.

- Update to 1.0.18
  - Enterprise versions of Visual Studio are now supported.
  - Visual Studio 2019 is now supported.
  - 32-bit binaries for Visual Studio 2010 are now provided.
  - A test designed to trigger an OOM condition didn't work on
    Linux systems with memory overcommit turned on. It has been
    removed in order to fix Ansible builds.
  - Emscripten: print and printErr functions are overridden to send
    errors to the console, if there is one.
  - Emscripten: UTF8ToString() is now exported since
    Pointer_stringify() has been deprecated.
  - Libsodium version detection has been fixed in the CMake recipe.
  - Generic hashing got a 10% speedup on AVX2.
  - New target: WebAssembly/WASI
    (compile with dist-builds/wasm32-wasi.sh).
  - New functions to map a hash to an edwards25519 point
    or get a random point:
    core_ed25519_from_hash() and core_ed25519_random().
  - crypto_core_ed25519_scalar_mul() has been implemented for
    scalar*scalar (mod L) multiplication.
  - Support for the Ristretto group has been implemented for
    interoperability with wasm-crypto.
  - Improvements have been made to the test suite.
  - Portability improvements have been made.
  - getentropy() is now used on systems providing this system call.
  - randombytes_salsa20 has been renamed to randombytes_internal.
  - Support for NativeClient has been removed.
  - Most ((nonnull)) attributes have been relaxed to allow 0-length
    inputs to be NULL.
  - The -ftree-vectorize and -ftree-slp-vectorize compiler switches
    are now used, if available, for optimized builds.

- Update to 1.0.17
  - Bug fix: sodium_pad() didn't properly support block sizes
    >= 256 bytes.
  - JS/WebAssembly: some old iOS versions can't instantiate the
    WebAssembly module; fall back to Javascript on these.
  - JS/WebAssembly: compatibility with newer Emscripten versions.
  - Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and
    crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't
    returnEINVAL` on input strings with a short length, unlike
    their high-level counterpart.
  - Added a workaround for Visual Studio 2010 bug causing CPU
    features not to be detected.
  - Portability improvements.
  - Test vectors from Project Wycheproof have been added.
  - New low-level APIs for arithmetic mod the order of the prime
    order group:
  - crypto_core_ed25519_scalar_random(),
    crypto_core_ed25519_scalar_reduce(),
  - crypto_core_ed25519_scalar_invert(),
    crypto_core_ed25519_scalar_negate(),
  - crypto_core_ed25519_scalar_complement(),
    crypto_core_ed25519_scalar_add() and
    crypto_core_ed25519_scalar_sub().
  - New low-level APIs for scalar multiplication without clamping:
    crypto_scalarmult_ed25519_base_noclamp() and
    crypto_scalarmult_ed25519_noclamp().
    These new APIs are especially useful for blinding.
  - sodium_sub() has been implemented.
  - Support for WatchOS has been added.
  - getrandom(2) is now used on FreeBSD 12+.
  - The nonnull attribute has been added to all relevant
    prototypes.
  - More reliable AVX512 detection.
  - Javascript/Webassembly builds now use dynamic memory growth.
libsolv
- handle learnt rules in solver_alternativeinfo()
- support x86_64_v[234] architecture levels
- implement decision sorting for package decisionlists
- add back findutils requires for the libsolv-tools packagse
  [bsc#1195633]
- bump version to 0.7.24

- fix "keep installed" jobs not disabling "best update" rules
- do not autouninstall suse ptf packages
- ensure duplinvolvedmap_all is reset when a solver is reused
- special case file dependencies in the testcase writer
- support stringification of multiple solvables
- new weakdep introspection interface similar to ruleinfos
- support decision reason queries
- support merging of related decissions
- support stringification of ruleinfo, decisioninfo and decision reasons
- support better info about alternatives
- new '-P' and '-W' options for testsolv
- bump version to 0.7.23
sqlite3
- Sync version 3.44.0 from Factory
  * Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow
  * sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86.
  * Obsoletes sqlite-CVE-2022-46908.patch
  * Obsoletes sqlite-src-3390000-func7-pg-181.patch

- bsc#1206337, CVE-2022-46908, sqlite-CVE-2022-46908.patch:
  relying on --safe for execution of an untrusted CLI script
libssh2_org
- Upgrade to version 1.11.0 in SLE-15: [jsc#PED-7040]
  * Add the keyring file: libssh2_org.keyring
  * Rebase libssh2-ocloexec.patch
  * Remove libssh2_org-CVE-2020-22218.patch

- Security fix: [bsc#1214527, CVE-2020-22218]
  * The function _libssh2_packet_add() allows to access out of
    bounds memory.
  * Add libssh2_org-CVE-2020-22218.patch

- Update to 1.11.0:
  * Enhancements and bugfixes
  - Adds support for encrypt-then-mac (ETM) MACs
  - Adds support for AES-GCM crypto protocols
  - Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys
  - Adds support for RSA certificate authentication
  - Adds FIDO support with *_sk() functions
  - Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends
  - Adds Agent Forwarding and libssh2_agent_sign()
  - Adds support for Channel Signal message libssh2_channel_signal_ex()
  - Adds support to get the user auth banner message libssh2_userauth_banner()
  - Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519,
    AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options
  - Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex()
  - Adds wolfSSL support to CMake file
  - Adds mbedTLS 3.x support
  - Adds LibreSSL 3.5 support
  - Adds support for CMake "unity" builds
  - Adds CMake support for building shared and static libs in a single pass
  - Adds symbol hiding support to CMake
  - Adds support for libssh2.rc for all build tools
  - Adds .zip, .tar.xz and .tar.bz2 release tarballs
  - Enables ed25519 key support for LibreSSL 3.7.0 or higher
  - Improves OpenSSL 1.1 and 3 compatibility
  - Now requires OpenSSL 1.0.2 or newer
  - Now requires CMake 3.1 or newer
  - SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs
  - SFTP: No longer has a packet limit when reading a directory
  - SFTP: now parses attribute extensions if they exist
  - SFTP: no longer will busy loop if SFTP fails to initialize
  - SFTP: now clear various errors as expected
  - SFTP: no longer skips files if the line buffer is too small
  - SCP: add option to not quote paths
  - SCP: Enables 64-bit offset support unconditionally
  - Now skips leading \r and \n characters in banner_receive()
  - Enables secure memory zeroing with all build tools on all platforms
  - No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive
  - Speed up base64 encoding by 7x
  - Assert if there is an attempt to write a value that is too large
  - WinCNG: fix memory leak in _libssh2_dh_secret()
  - Added protection against possible null pointer dereferences
  - Agent now handles overly large comment lengths
  - Now ensure KEX replies don't include extra bytes
  - Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER
  - Fixed possible buffer overflow in keyboard interactive code path
  - Fixed overlapping memcpy()
  - Fixed Windows UWP builds
  - Fixed DLL import name
  - Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows
  - Support for building with gcc versions older than 8
  - Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files
  - Restores ANSI C89 compliance
  - Enabled new compiler warnings and fixed/silenced them
  - Improved error messages
  - Now uses CIFuzz
  - Numerous minor code improvements
  - Improvements to CI builds
  - Improvements to unit tests
  - Improvements to doc files
  - Improvements to example files
  - Removed "old gex" build option
  - Removed no-encryption/no-mac builds
  - Removed support for NetWare and Watcom wmake build files
  * Rebase libssh2-ocloexec.patch

- Bump to version 1.10.0
    Enhancements and bugfixes:
  * support ECDSA certificate authentication
  * fix detailed _libssh2_error being overwritten by generic errors
  * unified error handling
  * fix _libssh2_random() silently discarding errors
  * don't error if using keys without RSA
  * avoid OpenSSL latent error in FIPS mode
  * fix EVP_Cipher interface change in openssl 3
  * fix potential overwrite of buffer when reading stdout of command
  * use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data
  * correct a typo which may lead to stack overflow
  * fix random big number generation to match openssl
  * added key exchange group16-sha512 and group18-sha512.
  * add support for an OSS Fuzzer fuzzing target
  * adds support for ECDSA for both key exchange and host key algorithms
  * clean up curve25519 code
  * update the min, preferred and max DH group values based on RFC 8270.
  * changed type of LIBSSH2_FX_* constants to unsigned long
  * added diffie-hellman-group14-sha256 kex
  * fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression
  * fixes memory leaks and use after free AES EVP_CIPHER contexts when using OpenSSL 1.0.x.
  * fixes crash with delayed compression option using Bitvise server.
  * adds support for PKIX key reading
  * use new API to parse data in packet_x11_open() for better bounds checking.
  * double the static buffer size when reading and writing known hosts
  * improved bounds checking in packet_queue_listener
  * improve message parsing (CVE-2019-17498)
  * improve bounds checking in kex_agree_methods()
  * adding SSH agent forwarding.
  * fix agent forwarding message, updated example.
  * added integration test code and cmake target. Added example to cmake list.
  * don't call `libssh2_crypto_exit()` until `_libssh2_initialized` count is down to zero.
  * add an EWOULDBLOCK check for better portability
  * fix off by one error when loading public keys with no id
  * fix use-after-free crash on reinitialization of openssl backend
  * preserve error info from agent_list_identities()
  * make sure the error code is set in _libssh2_channel_open()
  * fixed misspellings
  * fix potential typecast error for `_libssh2_ecdsa_key_get_curve_type`
  * rename _libssh2_ecdsa_key_get_curve_type to _libssh2_ecdsa_get_curve_type
- Rebased patch libssh2-ocloexec.path
- Removed patch libssh2_org-CVE-2019-17498.patch: the security fix
    is already included in the latest version.
systemd
- Fix systemd-coredump to not allow user to access coredumps with changed
  uid/gid/capabilities (bsc#1205000 CVE-2022-4415)
  Add 5000-coredump-Fix-format-string-type-mismatch.patch
  Add 5001-coredump-drop-an-unused-variable.patch
  Add 5002-coredump-adjust-whitespace.patch
  Add 5003-coredump-do-not-allow-user-to-access-coredumps-with-.patch

- Import commit b83846dc8a5db633cc6cf05a33ddc054f725214e
  4d53a5440f udev/net_id: show the correct identifier in the debug output of dev_pci_onboard()
  f70647a7b7 udev/net_id: add debug logging for construction of device names
  48f40fbc8e pid1: set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857)
  7e4434d883 docs: $SYSTEMD_NSS_BYPASS_BUS is not honoured anymore, don't document it
  2bdfc2d8cf pid1: lookup owning PID of BusName= name of services asynchronously
  dba888a4d3 pid1: watch bus name always when we have it
  f524807b89 udev: add one more assertion
  8558101c73 udev: drop assertion which is always false
  566a66dc5c udev: support by-path devlink for multipath nvme block devices (bsc#1200723)
  b4c4edaada tests: minor simplification in test-execute
  76d510c625 tests: make test-execute pass on openSUSE
- Drop the following patches which are part of 'SUSE/v246' now:
    6000-udev-net_id-add-debug-logging-for-construction-of-de.patch
    6001-udev-net_id-show-the-correct-identifier-in-the-debug.patch

- 80-hotplug-cpu-mem.rules: restrict cpu rule to x86_64 (bsc#1204423)
  Also update the rule files to make use of the "CONST{arch}" syntax (available
  since v244).

- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2
  42a26330fc time-util: fix buffer-over-run (bsc#1204968 CVE-2022-3821)
  8a70235d8a core: Add trigger limit for path units
  93e544f3a0 core/mount: also add default before dependency for automount mount units
  5916a7748c logind: fix crash in logind on user-specified message string

- Add 1010-man-describe-the-net-naming-schemes-specific-to-SLE.patch (bsc#1204179)
tiff
- security update:
  * CVE-2023-38289 [bsc#1213589]
    + tiff-CVE-2023-38289.patch
  * CVE-2023-38288 [bsc#1213590]
    + tiff-CVE-2023-38288.patch
  * CVE-2023-3576 [bsc#1213273]
    + tiff-CVE-2023-3576.patch
  * CVE-2020-18768 [bsc#1214574]
    + tiff-CVE-2020-18768.patch
  * CVE-2023-26966 [bsc#1212881]
    + tiff-CVE-2023-26966.patch
  * CVE-2023-3618 [bsc#1213274]
    + tiff-CVE-2023-3618.patch
  * CVE-2023-2908 [bsc#1212888]
    + tiff-CVE-2023-2908.patch
  * CVE-2023-3316 [bsc#1212535]
    + tiff-CVE-2023-3316.patch

- security update:
  * CVE-2023-0795 [bsc#1208226]
  * CVE-2023-0796 [bsc#1208227]
  * CVE-2023-0797 [bsc#1208228]
  * CVE-2023-0798 [bsc#1208229]
  * CVE-2023-0799 [bsc#1208230]
  * CVE-2023-25433 [bsc#1212883]
    + tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch
  * CVE-2023-0800 [bsc#1208231]
  * CVE-2023-0801 [bsc#1208232]
  * CVE-2023-0802 [bsc#1208233]
  * CVE-2023-0803 [bsc#1208234]
  * CVE-2023-0804 [bsc#1208236]
    + tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch

- security update:
  * CVE-2022-48281 [bsc#1207413]
    + tiff-CVE-2022-48281.patch

- security update:
  * CVE-2022-3570 [bsc#1205422]
  * CVE-2022-3598 [bsc#1204642]
    + tiff-CVE-2022-3598,3570.patch

- security update:
  * CVE-2022-3597 [bsc#1204641]
  * CVE-2022-3626 [bsc#1204644]
  * CVE-2022-3627 [bsc#1204645]
    + tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch
  * CVE-2022-3599 [bsc#1204643]
    + tiff-CVE-2022-3599.patch
  * CVE-2022-3970 [bsc#1205392]
    + tiff-CVE-2022-3970.patch
libtirpc
- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862)

-  update to 1.3.4 (bsc#1199467)
  * binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
  * gss-api: expose gss major/minor error in authgss_refresh()
  * rpcb_clnt.c: Eliminate double frees in delete_cache()
  * rpcb_clnt.c: memory leak in destroy_addr
  * portmapper: allow TCP-only portmapper
  * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
  * clnt_raw.c: fix a possible null pointer dereference
  * bindresvport.c: fix a potential resource leakage
- update to 1.3.3 (bsc#1201680, CVE-2021-46828):
  * Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
  * _rpc_dtablesize: use portable system call
  * libtirpc: Fix use-after-free accessing the error number
  * Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
  * rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  * Eliminate deadlocks in connects with an MT environment
  * clnt_dg_freeres() uncleared set active state may deadlock
  * thread safe clnt destruction
  * SUNRPC: mutexed access blacklist_read state variable
  * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
- drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream)
- update to 1.3.2:
  * Replace the final SunRPC licenses with BSD licenses
  * blacklist: Add a few more well known ports
  * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
- Update to libtirpc 1.3.1
  * Remove AUTH_DES interfaces from auth_des.h
    The unsupported  AUTH_DES authentication has be
    compiled out since commit d918e41d889 (Wed Oct 9 2019)
    replaced by API routines that return errors.
  * svc_dg: Free xp_netid during destroy
  * Fix memory management issues of fd locks
  * libtirpc: replace array with list for per-fd locks
  * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
  * __rpc_dtbsize: rlim_cur instead of rlim_max
  * pkg-config: use the correct replacements for libdir/includedir
  Patches replaced by update:
  binddynport-honor-ip_local_reserved_ports.patch (bsc#1199467)
  0001-Fix-DoS-vulnerability-in-libtirpc.patch (bsc#1201680)
  0001-fix-parms.r_addr-memory-leak.patch (bsc#1198752)
  0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  (bsc#1196647), (bsc#1200800), (bsc#1198176)
  * replaces /etc/netconfig-try-2-first by the environment variable
  RPCB_V2FIRST

- consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding
  to a random port (bsc#1199467)
  - add binddynport-honor-ip_local_reserved_ports.patch
libvirt
- qemu: Fix potential crash during driver cleanup
  15277033-qemu-Fix-potential-crash-during-driver-cleanup.patch
  bsc#1209861
wayland
- U_util-Limit-size-of-wl_map.patch
  U_util-set-errno-when-hitting-WL_MAP_MAX_OBJECTS.patch
  * fixes Reference-count overflow in libwayland-server SHM
    handling (CVE-2021-3782, bsc#1190486)
libwebp
- Add 0001-Fix-OOB-write-in-BuildHuffmanTable.patch
  Add 0001-Fix-invalid-incremental-decoding-check.patch:
  [boo#1215231] [CVE-2023-4863]

- Add libwebp-double-free.patch: Avoid a double free, upstream
  commit a486d800 (bsc#1210212 CVE-2023-1999).
libxml2
- Security update:
  * [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode()
    in tree.c
  - Added file libxml2-CVE-2023-45322.patch

- Security update:
  * [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
    buffer overflow
  - Added file libxml2-CVE-2023-39615.patch

- Security update:
  * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
    isn't deterministic
  - Added patch libxml2-CVE-2023-29469.patch
  * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
    xmlSchemaFixupComplexType
  - Added patch libxml2-CVE-2023-28484-1.patch
  - Added patch libxml2-CVE-2023-28484-2.patch
- Fix changelog entries in both .changes files.
- Apply al patches correctly for libxml2 and python-libxml2.

- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz
libxslt
- Security Fix: [bsc#1208574, CVE-2021-30560]
  * Use after free in Blink XSLT
  * Add libxslt-CVE-2021-30560.patch

- Fix broken license symlink for libxslt-tools [bsc#1203669]
libyajl
- add libyajl-CVE-2023-33460.patch (CVE-2023-33460, bsc#1212928)
zlib
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
  overflow in zipOpenNewFileInZip4_6, bsc#1216378
  * CVE-2023-45853.patch

- Fix deflateBound() before deflateInit(), bsc#1210593
  bsc1210593.patch

- Add DFLTCC support for using inflate() with a small window,
  fixes bsc#1206513
  * bsc1206513.patch

- Follow up fix for bsc#1203652 due to libxml2 breakage
  * bsc1203652-2.patch

- Fix bsc#1203652, inflate() does not update strm.adler if DFLTCC is used
  * bsc1203652.patch
zstd
- Fix CVE-2022-4899, bsc#1209533
  * Disallow empty --output-dir-flat=
- Added patch:
  * Disallow-empty-output-directory.patch
libzypp
- Preliminary disable 'rpm --runposttrans' usage for chrooted
  systems (bsc#1216091)
  This limits the %transfiletrigger(postun|in) support in the
  default installer if --root is used (as described in bsc#1041742).
  The chrooted execution of the scripts in 'rpm --runposttrans'
  broke in rpm-4.18. It's expected to be fixed in rpm-4.19.
  Then we'll enable the feature again.
- fix comment typo on zypp.conf (boo#1215979)
- version 17.31.22 (22)

- Attempt to delay %transfiletrigger(postun|in) execution if rpm
  supports it (bsc#1041742)
  Decide during installation whether rpm is capable of delayed
  %posttrans %transfiletrigger(postun|in) execution or whether we
  can just handle the packages %posttrans. On TW a delayed
  %transfiletrigger handling is possible since rpm-4.17.
- Make sure the old target is deleted before a new one is created
  (bsc#1203760)
- version 17.31.21 (22)

- Fixup changes for 17.31.16. Remove faulty reference to a bug
  actually fixed in 2019.
- version 17.31.20 (22)

- Fix zypp-tui/output/Out.h to build with clang.
- Fix zypp/Arch.h for clang (fixes #478)
  Clang seems to have issues with picking the overload in
  std::men_fn if there is a static overload of a member function.
  We need to explicitely specify the correct type of the function
  pointer. To make sure this would not break compiling a
  application with clang that builds against libzypp this patch
  works around the problem.
- version 17.31.19 (22)

- SINGLE_RPMTRANS: Respect ZYPP_READONLY_HACK when checking the
  zypp-rpm lock (fixes openSUSE/openSUSE-repos#29)
- version 17.31.18 (22)

- Fix wrong filesize exceeded dl abort in zyppng::Downloader
  (bsc#1213673)
  In some cases when downloading very small files we can run into
  issues when the URL is protected by credentials.
- version 17.31.17 (22)

- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Don't cleanup orphaned dirs if read-only mode was promised
  (bsc#1210740)
- version 17.31.16 (22)

- Fix build against protobuf >= 22 (fixes #465, closes #466)
  Port away from protobuf_generate_cpp. Upstream protobuf does not
  export protobuf_generate_cpp by default anymore.
  Use protobuf_generate instead, which is also available on older
  versions.
- Remove SUSE < SLE11 constructs (fixes #464).
- version 17.31.15 (22)

- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- version 17.31.14 (22)

- curl: Trim user agent string (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. Violation
  results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 17.31.13 (22)

- Do not unconditionally release a medium if provideFile failed
  (bsc#1211661)
- libzypp.spec.cmake: remove duplicate file listing.
- version 17.31.12 (22)

- MediaCurl: Fix endless loop if wrong credentials are stored in
  credentials.cat (bsc#1210870)
  Since libzypp-17.31.7 wrong credentials stored in credentials.cat
  may lead to an endless loop. Rather than asking for the right
  credentials, the stored ones are used again and again.
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
  (bsc#1208329)
  Maximum time in seconds that you allow the connection phase to
  the server to take. This only limits the connection phase, it has
  no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- commit: Try to provide /dev fs if not present (fixes #444)
- fix build with boost 1.82.
- version 17.31.11 (22)

- fix build with boost 1.82

- BuildRequires: libsolv-devel >= 0.7.24 for x86_64_v[234]
  support.
- version 17.31.10 (22)

- Workround bsc#1195633 while libsolv <= 0.7.23 is used.
- Fix potential endless loop in new ZYPP_MEDIANETWORK.
- ZYPP_METALINK_DEBUG=1: Log URL and priority of the mirrors
  parsed from a metalink file.
- multicurl: propagate ssl settings stored in repo url
  (boo#1127591)
  Closes #335.
- Teach MediaNetwork to retry on HTTP2 errors.
- fix CapDetail to return Rel::NONE if an EXPRESSION is used as a
  NAMED cap.
- Capability: support parsing richdeps from string.
- defaultLoadSystem: default to LS_NOREFRESH if not root.
- Detect x86_64_v[234]: Fix LZCNT bit used in detection (fixes
  [#439])
  Merges rpm-software-management/rpm#2412: The bit for LZCNT is in
  CPUID 0x80000001, not 1.
- Detect x86_64_v[234] architecture levels (fixes #439)
- Support x86_64_v[234] architecture levels (for #439)
- version 17.31.9 (22)

- ProgressData: enforce reporting the INIT||END state
  (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems
  (bsc#1205636)
- version 17.31.8 (22)

- Hint to "zypper removeptf" to remove PTFs.
- Removing a PTF without enabled repos should always fail
  (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be
  removed (not replaced!) as well. To remove a PTF "zypper install
  - - -PTF" or a dedicated "zypper removeptf PTF" should be used.
  This will update the installed PTF packages to theit latest
  version.
- version 17.31.7 (22)

- Avoid calling getsockopt when we know the info already.
  This patch hopefully fixes logging on WSL, getsockopt seems to
  not be fully supported but the code required it when accepting
  new socket connections. (for bsc#1178233)
- Enhance yaml-cpp detection (fixes #428)
- No need to redirect 'history.logfile=/dev/null' into the target.
- MultiCurl: Make sure to reset the progress function when
  falling back.
- version 17.31.6 (22)

- Create '.no_auto_prune' in the package cache dir to prevent auto
  cleanup of orphaned repositories (bsc#1204956)
- properly reset range requests (bsc#1204548)
- version 17.31.5 (22)

- Do not clean up MediaSetAccess before using the geoip file
  (fixes #424)
- version 17.31.4 (22)

- Improve download of optional files (fixes #416)
- Do not use geoip rewrites if the repo has explicit country
  settings.
- Implement geoIP feature for zypp.
  This patch adds a feature to rewrite request URLs to the repo
  servers by querying a geoIP file from download.opensuse.org. This
  file can return a redirection target depending on the clients IP
  adress, this way we can directly contact a local mirror of d.o.o
  instead. The redir target stays valid for 24hrs.
  This feature can be disabled in zypp.conf by setting
  'download.use_geoip_mirror = false'.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server
  MediaMultiCurl used to fallback to a fixed, relatively small
  BLKSIZE. This patch changes the fallback into a dynamic value
  based on the filesize using a similar metric as the MirrorCache
  implementation on the server side.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip a extra media.1/media download to
  calculate if a repository needs to be refreshed. This
  optimisation only takes place if the repo does specify only
  downloading base urls.
- version 17.31.3 (22)
lifecycle-data-sle-module-live-patching
- Added data for 4_12_14-150100_197_151, 5_14_21-150400_24_69,
  5_14_21-150500_55_7, 5_3_18-150200_24_157,
  5_3_18-150300_59_127,
  +kernel-livepatch-5_14_21-150400_15_37-rt,*,+kernel-livepatch-5_14_21-150400_15_40-rt,*,+kernel-livepatch-5_14_21-150500_11-rt,*,+kernel-livepatch-5_14_21-150500_13_5-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_145,
  4_12_14-150100_197_148, 5_14_21-150400_24_63,
  5_14_21-150400_24_66, 5_14_21-150500_53,
  5_3_18-150200_24_151, 5_3_18-150200_24_154,
  5_3_18-150300_59_121, 5_3_18-150300_59_124,
  +kernel-livepatch-5_14_21-150400_15_28-rt,*,2024-05-17+kernel-livepatch-5_14_21-150500_11-rt,*,TBD (bsc#1020320)

- Added data for 4_12_14-150100_197_137,
  4_12_14-150100_197_142, 5_14_21-150400_24_49,
  5_14_21-150400_24_55, 5_14_21-150400_24_60,
  5_3_18-150200_24_145, 5_3_18-150200_24_148,
  5_3_18-150300_59_115, 5_3_18-150300_59_118,
  +kernel-livepatch-5_14_21-150400_15_14-rt,*,2024-03-15+kernel-livepatch-5_14_21-150400_15_18-rt,*,2024-03-28+kernel-livepatch-5_14_21-150400_15_23-rt,*,2024-04-25 (bsc#1020320)

- Added data for 4_12_14-150100_197_134, 5_14_21-150400_24_41,
  5_14_21-150400_24_46, 5_3_18-150200_24_142,
  5_3_18-150300_59_109, 5_3_18-150300_59_112,
  +kernel-livepatch-5_14_21-150400_15_11-rt,*,2024-02-23+kernel-livepatch-5_14_21-150400_15_8-rt,*,2024-01-26 (bsc#1020320)

- Added data for 4_12_14-150000_150_109,
  4_12_14-150100_197_131, 5_14_21-150400_24_33,
  5_14_21-150400_24_38, 5_3_18-150200_24_139,
  5_3_18-150300_59_101, 5_3_18-150300_59_106,
  +kernel-livepatch-5_14_21-150400_15_5-rt,*,2023-12-23 (bsc#1020320)

- Added data for 4_12_14-150000_150_101, 4_12_14-150000_150_104,
  4_12_14-150100_197_123, 4_12_14-150100_197_126,
  5_14_21-150400_24_21, 5_14_21-150400_24_28,
  5_3_18-150200_24_129, 5_3_18-150200_24_134,
  5_3_18-150300_59_93, 5_3_18-150300_59_98. (bsc#1020320)
shadow
- bsc#1214806 (CVE-2023-4641):
  Fix potential password leak
- Add shadow-CVE-2023-4641.patch

- bsc#1213189: Change lock mechanism to file locking to prevent
  lock files after power interruptions
- Add shadow-4.8.1-lock-mechanism.patch

- bsc#1206627: Add --prefix support to passwd, chpasswd and chage
  Needed for YaST
- Add shadow-4.8.1-add-prefix-passwd-chpasswd-chage.patch

- bsc#1210507 (CVE-2023-29383):
  Check for control characters
- Add shadow-CVE-2023-29383.patch
man
- Use inverted exit status in exec option of find command to
  avoid refreshing man database (boo#1155879)

- Minor corrections on %ghost /var/cache/man
mlocate
- Set umask 0022 before running /usr/bin/updatedb (boo#1209409)

- Pass "--shell=/bin/sh" to "su" when running the "updatedb"
  command so that we don't depend on the "${RUN_UPDATEDB_AS}"
  user's login shell. Since that user is "nobody" by default, the
  login shell will oftentimes be "/bin/false". [jsc#PED-1717]
mozilla-nspr
- update to version 4.35
  * fixes for building with clang
  * use the number of online processors for the
    PR_GetNumberOfProcessors() API on some platforms
  * fix build on mips+musl libc
  * Add support for the LoongArch 64-bit architecture
nfs-utils
- Add 0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch
  Inconsistencies in /etc/exports shouldn't be fatal.
  (bsc#1212594)

- Add 0030-systemd-use-correct-modprobe-d-directory
  SLE15-SP5 an earlier don't use /usr/lib/modprobe.d
  (bsc#1200710)
- Add 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch
  Avoid unhelpful warning if rpcsec_gss_krb5.ko not installed

- Add 0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch
  boo#1157881
- Add 0029-nfsd.man-fix-typo-in-section-on-scope.patch
  bsc#1209859
- Allow scope to be set in sysconfig: NFSD_SCOPE

- Rename all drop-in options.conf files as 10-options.conf
  This makes it easier for other packages to over-ride
  with a drop-in with a later sequence number.
  resource-agents does this.
  (bsc#1207843)

- 0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
  Avoid modprobe errors when sysctl is not installed.
  (bsc#1200710 bsc#1207022 bsc#1206781)
- 0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch
  Add "-S scope" option to rpc.nfsd to simplify fail-over cluster
  config.
  (bsc#1203746)

- add 0025-nfsdcltrack-getopt_long-fails-on-a-non-x86_64-archs.patch
  Fix nfsdcltrack bug that affected non-x86 archs.
  (bsc#1202627)

- 0024-systemd-Apply-all-sysctl-settings-when-NFS-related-m.patch
  Ensure sysctl setting work (bsc#1199856)
nfsidmap
- 0001-Removed-some-unused-and-set-but-not-used-warnings.patch
  0002-Handle-NULL-names-better.patch
  0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch
  0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch
  0005-nss.c-wrong-check-of-return-value.patch
  0006-Fixed-a-memory-leak-nss_name_to_gid.patch
  Various bugfixes and improvemes from upstream
  In particular, 0001 fixes a crash that can happen when
  a 'static' mapping is configured.
  (bnc#1200901)
openssh
- Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if
  requested to load a PKCS#11 provider that isnt a PKCS#11
  provider (bsc#1213504,CVE-2023-38408)

- openssh-7.7p1-fips_checks.patch: close the right filedescriptor
  to avoid fd leads, and also close fdh in read_hmac (bsc#1209536)

- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
  This caused invalid and irrelevant environment assignments (bsc#1207014).

- Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: Make ssh
  connections update their dbus environment (bsc#1179465).
patterns-server-enterprise
- [aarch64] install system with all patterns, nothing provides 'sapconf' when installing pattern ‘sap_server’
  (bsc#1214811)
  The pattern sap_server is only available for x86_64 and ppc64le
perl-Bootloader
- merge gh#openSUSE/perl-bootloader#157
- bootloader_entry script can have an optional 'force-default'
  argument (bsc#1215064)
- skip warning about unsupported options when in compat mode
- 0.945

- merge gh#openSUSE/perl-bootloader#152
- use signed grub EFI binary when updating grub in default EFI
  location (bsc#1210799)
- check whether grub2-install supports --suse-force-signed option
- 0.944

- merge gh#openSUSE/perl-bootloader#147
- UEFI: update also default location, if it is controlled by SUSE
  (bsc#1210799, bsc#1201399)
- 0.943

- merge gh#openSUSE/perl-bootloader#142
- use fw_platform_size to distinguish between 32 bit and 64 bit
  UEFI platforms (bsc#1208003)
- 0.942

- merge gh#openSUSE/perl-bootloader#141
- systemd-boot: easier initial setup
- 0.941

- merge gh#openSUSE/perl-bootloader#140
- add basic support for systemd-boot
- 0.940
perl
- enable TLS cert verification in CPAN [bnc#1210999] [CVE-2023-31484]
  new patch: perl-cpan_verify_cert.diff
permissions
- Update to version 20181225:
  * Backport postfix to SLE-15-SP2 (bsc#1206738)
psmisc
- Fix version at configure time as there was no .tarball-version
purge-kernels-service
- Change service type to exec (boo#1198668).
python-PyJWT
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Drop CVE-2022-29217-non-blocked-pubkeys.patch since the issue
  was fixed upstream in version 2.4.0
python-PyNaCl
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- six is needed by testsuite

- Update to 1.4.0
  * Update ``libsodium`` to 1.0.18.
  * **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
    wheels. Continuing to produce them was a maintenance burden.
  * Added support for Python 3.8, and removed support for Python 3.4.
  * Add low level bindings for extracting the seed and the public key
    from crypto_sign_ed25519 secret key
  * Add low level bindings for deterministic random generation.
  * Add ``wheel`` and ``setuptools`` setup_requirements in ``setup.py`` (#485)
  * Fix checks on very slow builders (#481, #495)
  * Add low-level bindings to ed25519 arithmetic functions
  * Update low-level blake2b state implementation
  * Fix wrong short-input behavior of SealedBox.decrypt() (#517)
  * Raise CryptPrefixError exception instead of InvalidkeyError when trying
    to check a password against a verifier stored in a unknown format (#519)
  * Add support for minimal builds of libsodium. Trying to call functions
    not available in a minimal build will raise an UnavailableError
    exception. To compile a minimal build of the bundled libsodium, set
    the SODIUM_INSTALL_MINIMAL environment variable to any non-empty
    string (e.g. ``SODIUM_INSTALL_MINIMAL=1``) for setup.
- removed obsolete back-port patch:
  * fix_tests.patch
  * hypothesis-no-unilmited.patch
  * python-PyNaCl-hypothesis-remove-average_size.patch

- Fix tests with latest hypothesis:
  * hypothesis-no-unilmited.patch
python-azure-core
- Add patch reqs.patch to update the typing-extensions version
  requirement to match spec file in setup.py. (bsc#1213529)

- Update in SLE-15 (bsc#1202088, CVE-2022-30187)

- Lower python-typing_extensions version to 3.10.0.0 in Requires

- New upstream release
  + Version 1.23.1
  + For detailed information about changes see the
    CHANGELOG.md file provided with this package
- Update Requires from setup.py
python-certifi
- remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle
  certs (bsc#1206212 CVE-2022-23491)
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1
- Add removeTrustCor.patch
python-configobj
- Add CVE-2023-26112.patch (bsc#1210070)
python-cryptography
- Add patch CVE-2023-23931-dont-allow-update-into.patch (bsc#1208036, CVE-2023-23931)
  * Don't allow update_into to mutate immutable objects

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312)

- Refresh patches for new version
  + 5507-mitigate-Bleichenbacher-attacks.patch
python-humanfriendly
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Update to 10.0
  * *Noteworthy changes:**
  * Merged pull request `#45`_ to resolve the issue caused by the conditional
    :pypi:`pyreadline` requirement on Windows not supporting Python 3.9+.
  * Updated the readme to use Python 3 in the example (reported in issue `#56`_).
    Also added a mention of the ``humanfriendly --demo`` command.
  * Removed the ``humanfriendly.compat.unittest`` alias that presumably no-one is
    using at this point; it had been rendered useless quite a long time ago
    (requested in issue `#53`_).
  * *Internal changes:**
  * Merged pull request `#54`_ which migrates the :pypi:`humanfriendly` project
    from Travis CI to GitHub Actions and from Coveralls.io to Codecov.
  * Fixed a deprecation warning concerning ``setup.cfg`` and some Sphinx
    documentation errors.

- Update to 9.2
  Maintenance release:
  * Merged pull request `#46`_ which fixes several :pypi:`flake8` warnings.
  * Merged pull request `#49`_ which marks Python 3.9 support final.
  * Merged pull request `#51`_ which helps to stabilize the test suite.
  * Merged pull request `#52`_ which updates the :mod:`humanfriendly.sphinx`
    module to include Sphinx extension metadata that has become mandatory in a
    recent Sphinx release. After merging the pull request I added additional
    metadata including the version.
- from version 9.1
  * Added :func:`~humanfriendly.compat.on_macos()` function to detect Apple MacOS
    (I need this in an upcoming :pypi:`coloredlogs` release and don't want to have
    to think about how to detect MacOS again in the future 😇).
- from version 9.0
  The major version number was bumped because the bug fix for
  :func:`~humanfriendly.text.pluralize()` is backwards incompatible
  and (even though this seems like very "cosmetic" functionality)
  version numbers are cheap, so who cares 😉.
  * *Bug fixes:**
  * Changed :func:`~humanfriendly.format_number()` to properly support negative
    numbers (as suggested in `issue #40`_).
  * Changed :func:`~humanfriendly.text.pluralize()` to generate "1.5 seconds"
    instead of "1.5 second" (as suggested in `issue #43`_).
  * *Enhancements:**
  * Enhanced :func:`~humanfriendly.text.concatenate()` to support ``conjunction``
    and ``serial_comma`` keyword arguments (as suggested in `issue #30`_).
  * Added :func:`~humanfriendly.text.pluralize_raw()` to select singular or
    plural form without prefixing the count to the text that is returned.
- from version 8.2
  * Added a simple case insensitive dictionary implementation, for details refer to
    the new :mod:`humanfriendly.case` module.

- Fix build without python2

- Update to 8.1
  * Make it possible to opt out of the output capturing that
    :func:`humanfriendly.testing.run_cli()` sets up by default.
  * Improve feature parity between :class:`humanfriendly.testing.CaptureOutput`
    and my :pypi:`capturer` package to the point where most of the
    :pypi:`humanfriendly` test suite can now run without :pypi:`capturer`.
  * Refactored the test suite to import all names separately instead of referring
    to identifiers via their modules (my preferences have changed since this code
    was written a long time ago).
  * Adopt :func:`functools.wraps()` to make decorator functions more robust.
  * Make the :class:`~humanfriendly.terminal.spinners.Spinner` class more
    customizable. The interval at which spinners are updated and the characters
    used to draw the animation of spinners can now be customized by callers.
    This was triggered by `executor issue #2`_.
  * Improve test skipping based on exception types.
  * The "deprecated imports" feature provided by :mod:`humanfriendly.deprecation`
    has been adopted to clean up the maze of (almost but not quite) cyclic import
    dependencies between modules.
  * HTML to ANSI functionality has been extracted to a new
    :mod:`humanfriendly.terminal.html` module.
  * Support for spinners has been extracted to a new
    :mod:`humanfriendly.terminal.spinners` module.
  * The use of positional arguments to initialize
    :class:`~humanfriendly.terminal.spinners.Spinner` objects has been deprecated
    using the new :func:`humanfriendly.deprecation.deprecated_args()` decorator
    function.
  * Added the :func:`humanfriendly.deprecation.deprecated_args()` decorator function
    which makes it easy to switch from positional arguments to keyword arguments
    without dropping backwards compatibility.
  * Accept pluralized disk size units (`#26`_). I'm not claiming this is a full
    solution to the problem, far from it. It does lessen the pain a bit (IMHO).
  * Make sure the selected pager is available before trying to run it. While
    testing :pypi:`humanfriendly` on Windows 10 I noticed that ``humanfriendly
  * -help`` resulted in nothing but a traceback, because :man:`less` wasn't
    available. That's not human friendly at all 😕 (even if it is Windows 😈).
  * Merge pull request `#24`_: Fix bug in :func:`~humanfriendly.parse_length()` that rounded floats.
  * Merge pull request `#32`_: Update hyperlinks in readme.
  * Merge pull request `#33`_: Drop support for Python 2.6 and 3.0-3.4
  * Merge pull request `#35`_: SVG badge in readme.
  * Merge pull request `#36`_: Add support for nanoseconds and microseconds time units
  * Fixed :func:`~humanfriendly.tables.format_rst_table()` omission from
    ``humanfriendly.tables.__all__``.
  * Start testing on Python 3.8 and 3.9-dev.
  * Emit an ANSI reset code when :func:`humanfriendly.terminal.html.HTMLConverter.close()`
  * Added the :func:`humanfriendly.terminal.html_to_ansi()` function which is a
  * Added ``humanfriendly.testing.TestCase.assertRaises()`` enhancements.
  * Define ``humanfriendly.text.__all__``.

- Update to 6.1:
  - Added a :pypy:`...` role for easy linking to packages on the
    Python Package Index, for details refer to
    :func:`humanfriendly.sphinx.pypi_role()`.
  - Wasted quite a bit of time debugging a MacOS failure on
    Travis CI caused by a broken man`pip` installation, fixed by
    using get-pip.py to bootstrap an installation that actually
    works wink.
  - Enable :class:`~humanfriendly.testing.MockedProgram` to
    customize the shell script code of mocked programs. This was
    added to make it easy to mock a program that is expected to
    generate specific output (I'm planning to use this in the
    :pypi:`linux-utils` test suite).
  - Defined __all__ for all public modules that previously lacked
    "export control" and decided to bump the major version number
    as a precaution:
  - These changes should not have any impact on backwards
    compatibility, unless I forgot entries, in which case
    callers can get :exc:`~exceptions.ImportError`
    exceptions...
  - Imports of public modules were previously exported
    (implicitly) and this pollutes code completion suggestions
    which in turn can encourage bad practices (not importing
    things using their "canonical" name).
  - I started developing the humanfriendly package years before
    I learned about the value of defining __all__ and so some
    modules lacked a definition until now. I decided that now
    was as good a time as any to add those definitions
    innocent.
  - Simplified the headings in docs/api.rst so that only the
    module names remain. This was done because Sphinx doesn't
    support nested links in HTML output and thus generated really
    weird "Table of Contents" listings.
  - Fixed the reStructuredText references in the documentation of
    :func:`~humanfriendly.prompts.prompt_for_choice()`. This
    function is imported from :mod:`humanfriendly.prompts` to
    :mod:`humanfriendly` (for backwards compatibility) where it
    can't use relative references to refer to the other functions
    in the :mod:`humanfriendly.prompts` module.
  - Embedded quite a few Python API references into recent
    changelog entries, just because I could (I heart what
    hyperlinks can do for the usability of technical
    documentation, it gives a lot more context).
  - Added custom :man:`...` role for easy linking to Linux manual
    pages to the :mod:`humanfriendly.sphinx` module.
  - Changed rendering of pretty tables to expand tab characters
    to spaces: Until now pretty tables did not take the variable
    width of tab characters into account which resulted in tables
    whose "line drawing characters" were visually misaligned.
    Tabs are now expanded to spaces using str.expandtabs().
  - Stop testing on Python 2.6 and drop official support. The
    world (including Travis CI) has moved on and preserving
    Python 2.6 compatibility was clearly starting to drag the
    project down...
  - I decided to bump the major version number because each of
    these changes can be considered backwards incompatible in one
    way or another and version numbers are cheap anyway so there
    stuck_out_tongue.

- Require full python stack for sqlite module

- Simplify the multibuild conditioning and name creation

- Update to 4.18:
  * Added humanfriendly.text.generate_slug() function.
  * Fixed "invalid escape sequence" DeprecationWarning (pointed out by Python >= 3.6).

- Update to 4.17:
  * compatibility with python 3.7
python-jsondiff
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Update to version 1.3.0
  * Update README.rst
  * Add license to setup.py
  * Upating travis config to explicitly set ubuntu versions to use
    for each python version.
  * Fix long list diffing bug by converting recursive code to iterative.
  * Add failing test for list-diff recursion error bug
- Refresh patches for new version
  * remove_nose.patch
- Switch Source field to point to Github tarball URL
  * The tarball from PyPi does not contain the tests
python-knack
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Update to version 0.9.0
  * Support Python 3.10 (#250)
  * Only install colorama on Windows (#249)
- Update BuildRequires and Requires from setup.py

- Update to version 0.8.2
  * Always use UTF-8 for log file encoding (#247)
- from version 0.8.1
  * Add error message for invalid argument value (#244)
- Remove temporary version override

- Update to version 0.8.0
  * Make colors customizable (#242)
  * Init colorama only in Windows legacy terminal (#238)
  * Add `raw_result` to `CommandResultItem` (#235)
  * Refine code style to comply with Python 3 (#232, #233)
  * CI: Support Python 3.9 (#229)
  * Logging: `CLILogging.configure` returns as early as possible (#228)
- Override upstream version with 0.8.0.0 to ensure
  proper upgrade from previous version 0.8.0rc2
- Update BuildRequires and Requires from setup.py

- Update to version 0.8.0rc2
  * Support multiple cli loggers by adding more logger names to
    `knack.log.cli_logger_names` list (#227)
- from version 0.8.0rc1
  * Make config item names case-insensitive (#220)
  * `get_logger` uses `module_name` directly and no
    longer adds `cli` prefix (#221)
  * `CLILogging` accepts a custom `cli_logger_name` (#221)
  * Support ppc64le arch in Travis CI (#222)
  * Allow customizing tag message (#223)
  * Add `EVENT_CLI_SUCCESSFUL_EXECUTE` (#224)
python-packaging
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Add patch to fix testsuite on big-endian targets
  + fix-big-endian-build.patch

- Ignore python3.6.2 since the test doesn't support it.

- update to 21.3:
  * Add a pp3-none-any tag (gh#pypa/packaging#311)
  * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
    (gh#pypa/packaging#481), (gh#pypa/packaging#486)
  * Fix a spelling mistake (gh#pypa/packaging#479)

- update to 21.2:
  * Update documentation entry for 21.1.
  * Update pin to pyparsing to exclude 3.0.0.
  * PEP 656: musllinux support
  * Drop support for Python 2.7, Python 3.4 and Python 3.5.
  * Replace distutils usage with sysconfig
  * Add support for zip files in ``parse_sdist_filename``
  * Use cached ``_hash`` attribute to short-circuit tag equality comparisons
  * Specify the default value for the ``specifier`` argument to ``SpecifierSet``
  * Proper keyword-only "warn" argument in packaging.tags
  * Correctly remove prerelease suffixes from ~= check
  * Fix type hints for ``Version.post`` and ``Version.dev``
  * Use typing alias ``UnparsedVersion``
  * Improve type inference for ``packaging.specifiers.filter()``
  * Tighten the return type of ``canonicalize_version()``

- Add Provides: for python*dist(packaging): work around boo#1186870
- skip tests failing because of no-legacyversion-warning.patch

- add no-legacyversion-warning.patch to restore compatibility with 20.4

- update to 20.9:
  * Run [isort](https://pypi.org/project/isort/) over the code base (:issue:`377`)
  * Add support for the ``macosx_10_*_universal2`` platform tags (:issue:`379`)
  * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``

- update to 20.8:
  * Revert back to setuptools for compatibility purposes for some Linux distros (:issue:`363`)
  * Do not insert an underscore in wheel tags when the interpreter version number
    is more than 2 digits (:issue:`372`)
  * Fix flit configuration, to include LICENSE files (:issue:`357`)
  * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag (:issue:`361`)
  * Add some missing type hints to `packaging.requirements` (issue:`350`)
  * Officially support Python 3.9 (:issue:`343`)
  * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes (:issue:`321`)
  * Handle ``OSError`` on non-dynamic executables when attempting to resolve
    the glibc version string.

- update to 20.4:
  * Canonicalize version before comparing specifiers. (:issue:`282`)
  * Change type hint for ``canonicalize_name`` to return
  ``packaging.utils.NormalizedName``.
  This enables the use of static typing tools (like mypy) to detect mixing of
  normalized and un-normalized names.
python-parallax
- Fix: manager: writer thread can only be started once (bsc#1208817)
  Add patch 0001-Fix-manager-writer-thread-can-only-be-started-once-b.patch

- Fix: manager: file descriptor leakage (bsc#1205116)
- Release 1.0.8

- Release 1.0.7
- Remove patches since already included:
  Remove patch 0001-Add-ssh_key-option-used-by-i-option-of-ssh-scp.patch
  Remove patch 0002-Change-format-of-scp-command-for-ipv6-compatible.patch
  Remove patch 0003-Fix-task-Don-t-use-ssh-if-command-running-on-local-b.patch
  Remove patch 0004-Fix-Error-inherit-from-Exception-instead-of-BaseExce.patch
  Remove patch 0005-Dev-add-parallax.run-to-return-non-zero-rc-without-r.patch

- Dev: add parallax.run() to return non-zero rc without raising exceptions
  Add patch 0005-Dev-add-parallax.run-to-return-non-zero-rc-without-r.patch
- Fix: Error: inherit from Exception instead of BaseExceptin
  Add patch 0004-Fix-Error-inherit-from-Exception-instead-of-BaseExce.patch
python-paramiko
- Add rsa-key-loading-fix.patch (bsc#1205132) fixing loading RSA
  key.
python-pip
- Add CVE-2023-5752-r-param-hg.patch to fix bsc#1217353
  (CVE-2023-5752) avoiding injection of arbitrary configuration
  through Mercurial parameter.

- Remove .exe files from package (bsc#1212015)
python-pyasn1
- To avoid users of this package having to recompile bytecode
  files, change the mtime of any __init__.py. (bsc#1207805)
python-py
- Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969)
- Add patch remove-svn-remants.patch to help with that goal.
- Refresh pr_222.patch as needed for above.
python-requests
- Add CVE-2023-32681.patch to fix unintended leak of
  Proxy-Authorization header (CVE-2023-32681, bsc#1211674)
  Upstream commit: gh#psf/requests@74ea7cf7a6a2

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Don't pin idna<3 in the egg-info so that depending packages
  can install the new idna dropping python2

- update to 2.25.1:
  - Requests now treats `application/json` as `utf8` by default. Resolving
  inconsistencies between `r.text` and `r.json` output. (#5673)

- Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)

- update to 2.25.0:
  * Added support for NETRC environment variable. (#5643)
  * Requests now supports urllib3 v1.26.
  * Requests v2.25.x will be the last release series with support for Python 3.5.
- refreshed requests-no-hardcoded-version.patch
python-setuptools
- Add CVE-2022-40897-ReDos.patch to fix Regular Expression Denial of Service
  (ReDoS) in package_index.py.
  bsc#1206667
python-urllib3
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
  gh#urllib3/urllib3@4e98d57809da

- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
  gh#urllib3/urllib3#3139
  * Added the Cookie header to the list of headers to strip from
    requests when redirecting to a different host. As before,
    different headers can be set via Retry.remove_headers_on_redirect.
python-websocket-client
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Remove version requirements for python-Sphinx and python-sphinx_rtd_theme dependencies

- Revert change to use libalternative which does not work on SLE-15
- Revert change to use %pyunittest which does not work on SLE-15

- Update to version 1.3.2
  * Add support for pre-initialized stream socket in new WebSocketApp (#804)
  * Remove rel.saferead() in examples (f0bf03d)
  * Increase scope of linting checks (dca4022)
  * Start adding type hints (a8a4099)
- from version 1.3.1
  * Fix 10 year old bug and improve dispatcher handling
    for run_forever (#795)
  * Fix run_forever to never return None, only
    return True or False, and add two tests (#788)
  * Remove Python 3.6 support, EOL in Dec 2021
- from version 1.3.0
  * BREAKING: Set Origin header to use https:// scheme
    when wss:// WebSocket URL is passed (#787)
  * Replace deprecated/broken WebSocket URLs with working ones (6ad5197)
  * Add documentation referencing rel for automatic
    reconnection with run_forever()
  * Add missing opcodes 1012, 1013 (#771)
  * Add errno.ENETUNREACH to improve error handling (da1b050)
  * Minor documentation improvements and typo fixes
- from version 1.2.3
  * Fix broken run_forever() functionality (#769)
- from version 1.2.2
  * Migrate wsdump script in setup.py from scripts to newer entry_points (#763)
  * Add support for ssl.SSLContext for arbitrary SSL parameters (#762)
  * Remove keep_running variable (#752)
  * Remove HAVE_CONTEXT_CHECK_HOSTNAME variable (dac1692)
  * Replace deprecated ssl.PROTOCOL_TLS with ssl.PROTOCOL_TLS_CLIENT (#760)
  * Simplify code and improve Python 3 support (#751, #750, #746)
  * Fill default license template fields (#748)
  * Update CI tests
  * Improve documentation (#732, #733, #734, #737, #766, #768)
- from version 1.2.1
  * Fix python-socks dependency issue mentioned in #728
  * Replace echo.websocket.org with a local websockets
    echo server for unit tests (4951de2)
- from version 1.2.0
  * Fix #697, #665: Transition from LGPL 2.1 license to Apache 2.0 license
  * Revert #417 and reimplement SOCKS proxy support with
    python-socks instead of PySocks (fbcbd43)
- from version 1.1.1
  * Fix #377: increase exception verbosity in _app.py callback exception
  * Fix #717: race condition during connection close
  * Fix #722: improve handling where credentials include symbols like @
  * Fix #711: improve handling if ssl is None
- from version 1.1.0
  * Set enable_multithread to True by default (beb135a)
  * Performance improvement in _mask() function (287970e, #433)
  * Performance improvement in recv_strict() function (60e4711, #255)
  * Performance improvement by removing numpy-related code (a462d45)
  * Support uppercase no_proxy, http_proxy, https_proxy env vars (150df4f, #700)
  * Add sslopt 'server_hostname' support (#698)
  * Replace deprecated ssl.PROTOCOL_SSLv23 with ssl.PROTOCOL_TLS (494564f)
  * Update documentation, README (7c9d604, #704)
- from version 1.0.1
  * Fix exception handling bug #694
- from version 1.0.0
  * Removed Python 2 code, now only Python 3 compatible (d45343b, b7c5733, ff67af8)
  * Use semver for release versions, unlike breaking release 0.58.0 (#669)
  * Enhance enableTrace output (13e83b4)
  * Improve unit tests to over 80% code coverage (1679ab0, a00dd2d, etc.)
  * Fix old _app.py close status code bug (resulted in on_close() requiring 3 args) (#686)
  * Replace select import with selectors (#568)
- from version 0.59.0
  * Last main release to support Python 2
  * Fix Python 2 urlparse scheme (#332)
  * Add support for headers with multiple values (#627)
  * Add debug support for reserved custom status codes (#639)
  * Allow multiple Set-Cookie: headers (#649)
  * Simplified cookie sorting (#662)
  * Add no_proxy support (#671)
  * Add Host header to HTTP proxy request (#677)
  * Improve PEP8 style compliance (dc3f5c4)
- Drop support for Python2 which was removed upstream
- Rename README.rst to README.md in %files section

- Use libalternatives instead of update-alternatives.

- remove RHEL 7 compatibility from specfile
- update to version 0.58.0:
  - fix callback
  - Capitalize default connection header
  - Fix None.lower() when sec-websocket-protocol response header does notexist
  - Fix for #516
  - Tweak Python 3.4 build settings
  - fix callback
  - Fix None.lower() when sec-websocket-protocol response header doesn't exist
  - Create README.md and fix minor typo (both from existing pull requests)
  - Fix _handshake.py error where subproto is None
  - fix documentation: create_connection, settimeout
  - Capitalize default connection header
  - Edit README.md for clarification and to add missing material from parent repo
  - Fix minor typo - getdefauttimeout to getdefaulttimeout
  - Remove README text copied from fork that is not applicable
  - Add support for Python 3.8 and 3.9 (#596)
  - Fix a few minor typo/misspellings (#659)
  - Add pip command to README for 2nd dependency
  - Improve README code example formatting
  - Use thread.is_alive() to replace deprecated thread.isAlive() (#594)
  - Add first draft of Sphinx documentation
  - Edit README.md to include docs links and badges
  - Replace README.md FAQ with link to documentation FAQ page
  - Add acknowledgements section to README.md
  - Add detail to Autobahn testing README (still needs improvement)
  - Add autobahn test report and additional test instructions
  - Add sample connection code to example docs page
  - Fixes #631
  - Improve documentation, mostly new examples but some code comment upgrades
  - Add suppress origin example to documentation
  - Add FAQ advice to ping server
  - 'ping_interval' should be less than 'ping_timeout' (#611)
  - Allow optional, not mandatory, argument for pong() in WebSocket
  - Add basic ping/pong and HTTP proxy documentation and examples
  - Properly revert _app.py callback to state before PR #442 (previously only partially reverted)
  - Add timeout examples to documentation
  - Edit documentation to clarify timeout can be int or float (#654)
  - Reshuffle and enhance documentation
  - Fix #526 by reverting invalid BSD license migration in commit e94ed9e to return to LGPL2.1
  - Fix #526 by reverting invalid BSD license migration in commit e94ed9e to return to LGPL2.1
  - Fix #546 by removing comments introduced by PR #513
  - Update contribution guidelines
  - Revert PR #611
  - Replace deprecated assertEquals() with assertEqual()
  - The plural 'assertEquals()' is deprecated in Python 3 and triggers a warning
  - during CI:
  - https://docs.python.org/3/library/unittest.html#deprecated-aliases
python-wheel
- Add wheel_cve_2022_40898.patch (bsc#1206670)
  + Fix parsing regex, CVE-2022-40898
regionServiceClientConfigAzure
- Update to version 2.0.1 (bsc#1217537)
  + Replacing 104.45.31.195.pem 191.237.254.253.pem certs
    expiring in 8 years and new length of 4096
    These certs will replace the current certs that
    expire soon
release-notes-sles-for-sap
- 15.3.20220930 (tracked in bsc#933411)
- Added note about SUSEConnect tracking (jsc#SLE-23312)
rsync
- Drop rsync-fix-external-compression.patch, rsync-iconv-segfault.patch

- Fix --delay-updates never updates after interruption [bsc#1204538]
  * Added patch rsync-fix-delay-updates-never-updates-after-interruption.patch
rsyslog
- fix rsyslog crash in imrelp (bsc#1210286)
  * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch

- fix segfaults in modExit() of imklog.c (bsc#1211757)
  * add 0001-imklog-fix-invalid-memory-adressing-could-cause-abor.patch

- fix removal of imfile state files (bsc#1213212)
  * add 0001-fixing-the-deleteStateOnFileDelete-option.patch

-  fix parsing of legacy config syntax (bsc#1205275)
  * add:
    0001-testbench-add-test-for-legacy-permittedPeer-statemen.patch
    0002-imtcp-bugfix-legacy-config-directives-did-no-longer-.patch
rubygem-actionpack-5_1
- security update
- added patches
  fix CVE-2023-28362 [bsc#1213312], Possible XSS via User Supplied Values to redirect_to
  + 0008-CVE-2023-28362.patch

- Add patch to fix CVE-2023-22795 (bsc#1207451)
  0007-CVE-2023-22795.patch

- Add patch to fix CVE-2023-22792 (bsc#1207455)
  0006-CVE-2023-22792.patch
rubygem-actionview-5_1
- security update
- added patches
  fix CVE-2023-23913 [bsc#1209826], DOM Based Cross-site Scripting in rails-ujs
  + rubygem-actionview-5_1-CVE-2023-23913.patch

- Add patch to fix CVE-2022-27777 (bsc#1199060)
  0004-CVE-2022-27777.patch

- Add patch to fix CVE-2020-15169 (bsc#1176421)
  0003-CVE-2020-15169.patch

- Add patch to fix CVE-2020-8167 (bsc#1172184)
  0002-CVE-2020-8167.patch
rubygem-activerecord-5_1
- Add patch to fix CVE-2022-44566 (bsc#1207450)
  CVE-2022-44566.patch
rubygem-activesupport-5_1
- Add patch to fix CVE-2023-22796 (bsc#1207454)
  CVE-2023-22796.patch
rubygem-globalid
- security update
- added patches
  fix CVE-2023-22799 [bsc#1207587], ReDoS vulnerability
  + rubygem-globalid-CVE-2023-22799.patch
rubygem-loofah
- Added patch CVE-2022-23516.patch to fix CVE-2022-23516 (bsc#1206416)

- Added patch CVE-2022-23514.patch to fix CVE-2022-23514 (bsc#1206415)
- Added patch CVE-2022-23515.patch to fix CVE-2022-23515 (bsc#1206417)
rubygem-nokogiri
- add 003-CVE-2022-24836.patch (CVE-2022-24836, bsc#1198408)
    fixes possibility to DoS because of inefficient RE in HTML encoding
- add 004_CVE-2022-29181.patch (CVE-2022-29181, bsc#1199782)
    fixes Improper Handling of Unexpected Data Types
rubygem-puma
- Add CVE-2023-40175.patch (bsc#1214425, CVE-2023-40175.patch)
  Reject empty string for Content-Length
rubygem-rack
- security update
- added patches
  fix CVE-2023-27539 [bsc#1209503], denial of service in header parsing
  + rubygem-rack-CVE-2023-27539.patch

- security update
- added patches
  fix CVE-2023-27530 [bsc#1209095], Denial of service in Multipart MIME parsing
  + rubygem-rack-CVE-2023-27530.patch

- security update
- added patches
  fix CVE-2022-44570 [bsc#1207597], denial of service in Content-Disposition parsing
  + rubygem-rack-CVE-2022-44570.patch
  fix CVE-2022-44571 [bsc#1207599], denial of service in Content-Disposition parsing
  + rubygem-rack-CVE-2022-44571.patch
  fix CVE-2022-44572 [bsc#1207596], denial of service in Content-Disposition parsing
  + rubygem-rack-CVE-2022-44572.patch
rubygem-rails-html-sanitizer
- Fixing typos in CVEs corrected by prior submission

- Add patch 0002_CVE-2022-23517_CVE-2022-23518_CVE-2022-23519_CVE-2022-23520.patch
  This patch fixes 4 different CVEs:
  * CVE-2022-23517 (bsc#1206433)
  * CVE-2022-23518 (bsc#1206434)
  * CVE-2022-23519 (bsc#1206435)
  * CVE-2022-23520 (bsc#1206436)
  In order to have the
  0002_CVE-2022-23517_CVE-2022-23518_CVE-2022-23519_CVE-2022-23520.patch
  working smoothly I monkey patched loofah API and crass rubygem code into
  rails-html-sanitizer.
rubygem-websocket-extensions
- security update
- added patches
  fix CVE-2020-7663 [bsc#1172445], Denial of Service (DoS) via Regex Backtracking
  + rubygem-websocket-extensions-CVE-2020-7663.patch
runc
- Update to runc v1.1.10. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.10>.
sapconf
- version update from 5.0.5 to 5.0.6
- add parameter IGNORE_RELOAD to /etc/sysconfig/sapconf to prevent
  sapconf from changing any system tunables during package update
  (bsc#1209408)
- fix for a race condition which leads to a missing start/restart
  of sapconf, which ends up with restored kernel parameters to
  defaults
  (bsc#1207899)

- version update from 5.0.4 to 5.0.5
- adapt check of an active saptune service during the initial
  package installation to work in a chroot environment and fix the
  missing enablement of sapconf.
  (bsc#1190736, bsc#1190787)
saptune
- update package version of saptune to 3.1.1
  * typo in logfile directory name creates /varlog/saptune instead
    of /var/log/saptune
    (bsc#1215969)
  * SAP Note 2382421
    fix missing handling for Azure systems regarding parameter
    'net.ipv4.tcp_timestamps'. This exclude setting was left out
    during the last SAP Note update by mistake.
  * add parameter IGNORE_RELOAD to /etc/sysconfig/saptune to
    prevent saptune from stopping and starting the system tuning
    during package update
    Related to sapconf bug bsc#1209408.
- create a flag file in preinstall and remove it in posttrans of
  the package installation to inform saptune that currently a
  package installation/update takes place so that some special
  situations can be handled as expected.

- update package version of saptune to 3.1.0
  * machine readable interfaces for saptune
    add json output support
    related json v1 schemas can be found after installation
    on the system at /usr/share/saptune/schemas/1.0/
    (jsc#PED-2194, jsc#PED-2195, jsc#SLE-23696)
  * enhance the identification of the cloud service provider
    (jsc#SLE-23779)
  * add a command line syntax check
  * colorized and filtered output for 'saptune note verify'
    It is now possible to uses a 'color scheme' for the output to
    highlight the non-compliant parameter or to limit the verify
    output to show only non-compliant parameter.
    (jsc#SLE-23727)
  * add action 'saptune solution change' to switch to a new
    solution even that another solution was already applied.
    It's basically a 'revert OLDSOLUTION' && 'apply NEWSOLUTION'.
    This will change the Note order in case of additional applied
    Notes, but this is intended.
    The confirmation for the revert of the old solution can be
    suppressed by '--force'
    (jsc#PED-2196)
  * introduce a Trento naming convention for custom solutions in
    the saptune man page to support trento checks.
    (jsc#PED-4118)
  * deprecate action 'saptune note|solution simulate'.
    The action might get removed in a future saptune version
    (jsc#PED-2199)
  * deprecate support for the v1 vendor or custom specific Note
    definition file format
    (jsc#SLE-23725)
  * detect virtualization environment by 'systemd-detect-virt' and
    add the information to 'saptune status'.
    (jsc#SLE-23885)
  * enhance saptune with the new action 'check' to directly call
    the external check script '/usr/sbin/saptune_check'.
    (jsc#SLE-23726)
  * de-deprecate the MAXDB solution definition. It is still active
    supported by SAP.
    And add solution NETWEAVER+MAXDB
    (jsc#SLE-23724)
  * support inline comments in the Note definition files
    (jsc#SLE-23729)
  * rework Note representation in 'saptune status' output
    (jsc#SLE-24530)
  * fix problem with 'verify' output, if a sysctl parameter is
    empty on the system
    (bsc#1199527)
  * add hint to the manual page of saptune(8) regarding 'missing'
    line feed for 'saptune note applied' and 'saptune note enabled'
    It's intended.
    (bsc#1193714)
  * rework the version section to make it clear, which information
    needs to be provided
    (jsc#SLE-23722)
  * add more information to 'saptune status':
    differ between 'enabled' and 'applied' Solutions and add the
    related Notes.
    differ between Notes and Solutions in the staging area.
    rename 'system state' line to 'systemd system state' to prevent
    misunderstandings.
    add virtualisation information.
  * add tuning state to 'saptune status' output.
    The check of the tuning state (an internal 'verify' operation)
    can be skipped by using the flag '--non-compliance-check'.
    In this case the tuning state will be reported as
    unknown (checking disabled)
    'saptune status' will exit with a return code of '4', if the
    saptune service is enabled, the system is tuned, but the
    tuning state is 'not compliant'.
    (jsc#SLE-24928)
  * add support for the IBM Power architecture to the vendor and
    model section tagging
    (jsc#SLE-23824)
  * add new SAP Note 1868829 to set fs.aio-max-nr and add it to
    the HANADB related solutions for SLE12 and SLE15.
  * SAP Note 3024346 updated to Version 6
    SAP Note 1557506 updated to Version 16
    SAP Note 1656250 updated to Version 46
    SAP Note 1805750 updated to Version 9
    SAP Note 2161991 updated to Version 28
    SAP Note 2205917 updated to Version 63
    SAP Note 2382421 updated to Version 45
    SAP Note 2534844 updated to Version 15
    SAP Note BOBJ updated to Version 1
    but without parameter value changes, only house keeping of the
    version section and comment updates
  * SAP Note 1984787 updated to Version 40
    SAP Note 2578899 updated to Version 46
    SAP Note 2684254 updated to Version 23
    SAP Note 1680803 updated to Version 27
    includes version 3.1 of 'SAP Applications on SAP Adaptive
    Server Enterprise - Best Practices for Migration and Runtime'
  * Solution 'SAP-ASE' changed - remove SAP Note 1410736.
    The best practice document (version 3.1) for ASE was changed
    and the SAP Note 1410736 is no longer referenced. Instead the
    parameter 'net.ipv4.tcp_keepalive_time' is set in
    SAP Note 1680803 (the ASE SAP Note) directly.
  * introduce an additional parameter 'SKIP_SYSCTL_FILES' in the
    /etc/sysconfig/saptune configuration file, which contains a
    comma separated list of sysctl.conf files or directories
    containing sysctl.conf files, which should be excluded from
    the 'additional defined' WARNING messages.
    Default is
    SKIP_SYSCTL_FILES="/boot"
    to skip the WARNINGS for '/boot/sysctl.conf-<kernelversion>'
- check in preinstall and posttrans of the package installation,
  if the active tuned profile is still 'saptune', even that this
  profile no longer exists. If yes, try to remove it.
  (bsc#1194688)
sbd
- sbd-inquisitor: fail startup if pacemaker integration is disabled while SBD_SYNC_RESOURCE_STARTUP is conflicting (bsc#1204319)
  * bsc#1204319-0004-Fix-sbd-inquisitor-fail-startup-if-pacemaker-integra.patch
- sbd-inquisitor: do not warn about startup syncing if pacemaker integration is even intentionally disabled (bsc#1204319)
  * bsc#1204319-0003-Log-sbd-inquisitor-do-not-warn-about-startup-syncing.patch
- sbd-inquisitor: log a warning if SBD_PACEMAKER is overridden by -P or -PP option (bsc#1204319)
  * bsc#1204319-0002-Log-sbd-inquisitor-log-a-warning-if-SBD_PACEMAKER-is.patch
- sbd-inquisitor: ensure a log info only tells the fact about how SBD_PACEMAKER is set (bsc#1204319)
  * bsc#1204319-0001-Log-sbd-inquisitor-ensure-a-log-info-only-tells-the-.patch
- Rebase:
  * bsc#1180966-0001-Log-sbd-inquisitor-downgrade-the-warning-about-SBD_S.patch

- configure: have --with-runstatedir overrule --runstatedir (bsc#1185182)
  * bsc#1185182-0001-build-configure-have-with-runstatedir-overrule-runst.patch

- Update to version 1.5.0+20211111.7bcdf69:
- configure: validate configure options for paths (bsc#1185182)
- man: refer to the modern run state directory `/run` if appropriate (bsc#1185182)
- configure: add --with-runstatedir option (bsc#1185182)

- Update to version 1.5.0+20211005.5ed9fd2:
- sbd-md: properly destroy io-context
- sbd-md: properly free one-time-allocations of sector-buffers
- avoid using deprecated valloc & frequent aligned alloc
000release-packages:sle-ha-release
n/a
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-cap-tools-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-live-patching-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-sap-applications-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
sudo
- Fix CVE-2023-28486, sudo does not escape control characters in
  log messages, (CVE-2023-28486, bsc#1209362)
  * Add sudo-CVE-2023-28486.patch
- Fix CVE-2023-28487, sudo does not escape control characters in
  sudoreplay output (CVE-2023-28487, bsc#1209361)

- sudo-dont-enable-read-after-pty_finish.patch
  * bsc#1203201
  * Do not re-enable the reader when flushing the buffers as part
    of pty_finish().
  * While sudo-observe-SIGCHLD patch applied earlier prevents a
    race condition from happening, this fixes a related buffer hang.

- Added sudo-fix_NULL_deref_RunAs.patch
  * bsc#1206483
  * Fix a situation where "sudo -U otheruser -l" would dereference
    a NULL pointer.

- Added sudo-CVE-2023-22809.patch
  * CVE-2023-22809
  * bsc#1207082
  * Prevent '--' in the EDITOR environment variable which can allow
    users to edit sensitive files as root.

- Added sudo-utf8-ldap-schema.patch
  * Change sudo-ldap schema from ASCII to UTF8.
  * Fixes bsc#1197998
  * Credit to William Brown <william.brown@suse.com>
  * https://github.com/sudo-project/sudo/pull/163

- Added sudo-observe-SIGCHLD.patch
  * Make sure SIGCHLD is not ignored when sudo is executed; fixes
    race condition.
  * bsc#1203201
  * Sourced from https://github.com/sudo-project/sudo/commit/727056e

- Added sudo-CVE-2022-43995.patch
  * CVE-2022-43995
  * bsc#1204986
  * Fixed a potential heap-based buffer over-read when entering a password
    of seven characters or fewer and using the crypt() password backend.

- Fixed an issue where some redundant entries in a sudo configuration
  file caused freed memory to be accessed in the error message thus
  wrong information was output in the error message.
  * [bsc#1190818]
  * Added [sudo-1.9.5p2-no_free_alias_name.patch]
    Sourced from the following git commit hashes:
    | 9ed14870c Add garbage collection to the sudoers parser to clean
    up on error. This makes it possible to avoid memory leaks when
    there is a parse error.
    | bdb02b1ef Got back to calling alias_free() on alias_add() failure.
    We now need to remove the name and members from the leak list
  * before* calling alias_add() since alias_add() will consume them
    for both success and failure.
    | b4cabdb39 Don't free the alias name in alias_add() if the alias
    already exists. We need to be able to display it using
    alias_error(). Only free what we actually allocated in alias_add()
    on error and let the caller handle cleanup.  Note that we cannot
    completely fill in the alias until it is inserted.  Otherwise,
    we will have modified the file and members parameters even if
    there was an error. As a result, we have to remove those from the
    leak list after alias_add(), not before.
supportutils-plugin-suse-public-cloud
- Update to version 1.0.8 (bsc#1213951)
  + Capture CSP billing adapter config and log (issue#13)
  + Accept upper case Amazon string in DMI table (issue#12)

- Update to version 1.0.7 (bsc#1209026)
  + Include information about the cached registration data
  + Collect the data that is sent to the update infrastructure during
    registration
supportutils
- Changes in version 3.1.26
  + powerpc plugin to collect the slots and active memory (bsc#1210950)
  + A Cleartext Storage of Sensitive Information vulnerability CVE-2022-45154
  + supportconfig: collect BPF information (pr#154)
  + Added additional iscsi information (pr#155)

- Added run time detection (bsc#1213127)

- ha_info sle15 uses /var/log/pacemaker/ (pq#153)

- Changes for supportutils version 3.1.25
  + Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
  + powerpc: Collect lsslot,amsstat, and opal elogs (pr#149)
  + powerpc: collect invscout logs (pr#150)
  + powerpc: collect RMC status logs (pr#151)
  + Added missing nvme nbft commands (bsc#1211599)
  + Fixed invalid nvme commands (bsc#1211598)
  + Added missing podman information (PED-1703, bsc#1181477)
  + Removed dependency on sysfstools
  + Check for systool use (bsc#1210015)
  + Added selinux checking (bsc#1209979)
  + Updated SLES_VER matrix

- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Applies limit equally to sar data and text files (bsc#1207543)
- Collects hwinfo hardware logs (bsc#1208928)
- Collects lparnumascore logs (issue#148)

- Add dependency to `numactl` on ppc64le and `s390x`, this enforces
  that `numactl --hardware` data is provided in supportconfigs

- Changes to supportconfig.rc version 3.1.11-35
  + Corrected _sanitize_file to include iscsi.conf and others (bsc#1206402)

- Changes to supportconfig version 3.1.11-46.4
  + Added plymouth_info

- Changes to getappcore version 1.53.02
  + The location of chkbin was updated earlier. This documents that
    change (bsc#1205533, bsc#1204942)

- Changes to supportconfig version 3.1.11-46.3
  + Added missed sanitation check on crash.txt (bsc#1203818)
- Changes to supportconfig.rc version 3.1.11-30
  + Added check to _sanitize_file
  + Using variable for replement text in _sanitize_file

- Added lifecycle information (issue#140)

- Changes to version 3.1.21
  + Added type output with df command in fs-diskio.txt (issue#141)
  + Gather all files in /etc/security/limits.d/ (issue#142)
  + Fixed KVM virtualization detection on bare metal (bsc#1184689)
  + Added logging using journalctl (bsc#1200330)
  + Passwords correctly removed from email.txt, updates.txt and fs-iscsi.txt (bsc#1203818)
  + Added system logging configuration and checking in messages_config.txt (issue#103)
  + If rsyslog not installed collect more from journalctl (issue#120)
  + Added systemd-status.txt for the status of all service units (issue#125)
  + autofs includes files in (+dir:<path>) (issue#111)
  + Get current sar data before collecting files (bsc#1192648)
  + Collects everything in /etc/multipath/ (bsc#1192252)
  + Collects power management information in hardware.txt (bsc#1197428)
  + Checks for suseconnect-ng or SUSEConnect packages (bsc#1202337)
  + Fixed conf_files and conf_text_files so y2log is gathered (issue#134, bsc#1202269)
  + Update to nvme_info and block_info #133 (bsc#1202417)
  + Added IO scheduler (issue#136)
  + Added includedir directories from /etc/sudoers (bsc#1188086)

- Added a listing to /dev/mapper/. #129
suse-build-key
- replace libzypp-post-script based installation with a systemd timer
  and service.
  - suse-build-key-import.service
  - suse-build-key-import.timer

- add and run a import-suse-build-key scripts, this will be ran
  after installation with libzypp based installers. (jsc#PED-2777)

- Establish multiple new 4096 RSA keys that we will switch
  to mid of 2023. (jsc#PED-2777)
  - gpg-pubkey-3fa1d6ce-63c9481c.asc: new 4096 RSA signing key for SLE (RPM+repos).
  - gpg-pubkey-d588dc46-63c939db.asc: new 4096 RSA reserver key for SLE (RPM+repos).
  - suse_ptf_key_4096.asc: new 4096 RSA signing key for PTF RPMs.
  - build-container-8fd6c337-63c94b45.asc/build-container-8fd6c337-63c94b45.pem:
    new RSA 4096 key for the SUSE registry registry.suse.com, installed as
    suse-container-key-2023.pem and suse-container-key-2023.asc
  - suse_ptf_containerkey_2023.asc suse_ptf_containerkey_2023.pem:
    New PTF container signing key for registry.suse.com/ptf/ space.

- added /usr/share/pki/containers directory for container pem keys
  (cosign/sigstore style), put our PEM key there too (bsc#1204706)
suse-module-tools
- Update to version 15.3.17:
  * blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559)
  * modprobe.conf: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)

- Update to version 15.3.16:
  * modprobe.conf: s390x: remove softdep on fbcon (boo#1207853)
systemd-presets-common-SUSE
- Enable systemd-pstore.service by default (jsc#PED-2663)
tar
- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that
  results in use of uninitialized memory for a conditional jump
  (CVE-2022-48303, bsc#1207753)
  * fix-CVE-2022-48303.patch
- Fix hang when unpacking test tarball, bsc#1202436
  * remove bsc1202436.patch
  * bsc1202436-1.patch
  * bsc1202436-1.patch

- Fix hang when unpacking test tarball, bsc#1202436
  * bsc1202436.patch

- Fix unexpected inconsistency when making directory, bsc#1203600
  * tar-avoid-overflow-in-symlinks-tests.patch
  * tar-fix-extract-unlink.patch
- Update race condition fix, bsc#1200657
  * tar-fix-race-condition.patch
- Refresh bsc1200657.patch
tcl
- [bsc#1206623], tcl-string-compare.patch:
  Fix [string compare -length] on big endian and improve
  [string equal] on little endian.

- Fix a race condition in test socket-13.1
  (tcl-test-socket-13.1.patch).

- Remove the SQLite extension and package it as a subpackage of
  sqlite3 to have only a single copy and keep it more up to date
  (bsc#1195773).
- Clean up the lib dependencies in tclConfig.sh and tcl.pc.
timezone
- timezone update 2023c:
  * Revert changes made in 2023b
- timezone update 2023b:
  * Lebanon delays the start of DST this year.
- timezone update 2023a:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
- Refresh tzdata-china.diff

- timezone update 2022g (bsc#1177460):
  * In the Mexican state of Chihuahua, the border strip near the US
    will change to agree with nearby US locations on 2022-11-30.
    The strip's western part, represented by Ciudad Juárez, switches
    from -06 all year to -07/-06 with US DST rules, like El Paso, TX.
    The eastern part, represented by Ojinaga, will observe US DST next
    year, like Presidio, TX.
    A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
  * Much of Greenland, represented by America/Nuuk, stops observing
    winter time after March 2023, so its daylight saving time becomes
    standard time.
  * Changes for pre-1996 northern Canada
  * Update to past DST transition in Colombia (1993), Singapore
    (1981)
  * timegm is now supported by default

- timezone update 2022f (bsc#1177460):
  * Mexico will no longer observe DST except near the US border
  * Chihuahua moves to year-round -06 on 2022-10-30
  * Fiji no longer observes DST
  * Move links to 'backward'
  * In vanguard form, GMT is now a Zone and Etc/GMT a link
  * zic now supports links to links, and vanguard form uses this
  * Simplify four Ontario zones
  * Fix a Y2438 bug when reading TZif data
  * Enable 64-bit time_t on 32-bit glibc platforms
  * Omit large-file support when no longer needed
  * In C code, use some C23 features if available
  * Remove no-longer-needed workaround for Qt bug 53071
- Refreshed patches:
  * fat.patch
  * tzdata-china.diff

- timezone update 2022e (bsc#1177460):
  * Jordan and Syria switch from +02/+03 with DST to year-round +03
- timezone update 2022d:
  * Palestine transitions are now Saturdays at 02:00
  * Simplify three Ukraine zones into one
- timezone update 2022c:
  * Work around awk bug
  * Improve tzselect on intercontinental Zones
- timezone update 2022b:
  * Chile's DST is delayed by a week in September 2022 boo#1202324
  * Iran no longer observes DST after 2022
  * Rename Europe/Kiev to Europe/Kyiv
  * New zic -R option
  * Vanguard form now uses %z
  * Finish moving duplicate-since-1970 zones to 'backzone'
- Refresh tzdata-china.diff
- Remove upstreamed bsc1202310.patch
util-linux-systemd
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9

- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).
- util-linux-uuidd-prevent-root-owning.patch: Use chown --quiet
  to prevent error message if /var/lib/libuuid/clock.txt does not
  exist.

- Fix file conflict during upgrade (boo#1204211).

- libuuid improvements (bsc#1201959, PED-1150):
  * libuuid: Fix range when parsing UUIDs
    (util-linux-libuuid-uuid_parse-overrun.patch).
  * Improve cache handling for short running applications-increment
    the cache size over runtime
    (util-linux-libuuid-improve-cache-handling.patch).
  * Implement continuous clock handling for time based UUIDs
    (util-linux-libuuid-continuous-clock-handling.patch).
  * Check clock value from clock file to provide seamless libuuid
    update (util-linux-libuuid-check-clock-value.patch).
vim
- Updated to version 9.0 with patch level 2103, fixes the following security problems
  * Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969.
  * Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing
  * Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed()
  * Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103

- Updated to version 9.0 with patch level 1894, fixes the following security problems
  * Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both
  * Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c
  * Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand
  * Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos
  * Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp
  * Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both
- drop patches: disable-unreliable-tests.patch
    ignore-flaky-test-failure.patch
    vim-8.1.0297-dump3.patch
- dropped %check - most of tests didn't work correctly in OBS
    and maintenance burden of this was getting too big
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894

- Use app icon generated from vimlogo.eps in source tarball; add
  higher res icons of sizes 128, 256, and 512px as png sources.
  Our current icons deviate from upstream flatpaks for example.
- Updated to version 9.0 with patch level 1632
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1443...v9.0.1632

- Updated to version 9.0 with patch level 1572, fixes the following security problems
  * Fixing bsc#1210996 (CVE-2023-2426) - VUL-0: CVE-2023-2426: vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
  * Fixing bsc#1211256 (CVE-2023-2609) - VUL-1: CVE-2023-2609: vim: NULL Pointer Dereference prior to 9.0.1531
  * Fixing bsc#1211257 (CVE-2023-2610) - VUL-1: CVE-2023-2610: vim: Integer Overflow or Wraparound prior to 9.0.1532
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1443...v9.0.1572

- Fixing bsc#1211461 - L3: vim "eats" first character from prompt in xterm
  * Add: reorder-exit-raw-mode.patch
  * Swaps out_str_t_TE() and cursor_on() during exit to prevent missing characters in xterm prompt on exit.

- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
  * Revert the creation standalone xxd packages

- Updated to version 9.0 with patch level 1443, fixes the following security problems
  * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
  * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
  * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
  remove during %prep anyway. And this breaks quilt setup.
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443

- Updated to version 9.0 with patch level 1386, fixes the following security problems
  * Fixing bsc#1207780 - (CVE-2023-0512) VUL-0: CVE-2023-0512: vim: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247
  * Fixing bsc#1208957 - (CVE-2023-1175) VUL-0: CVE-2023-1175: vim: Incorrect Calculation of Buffer Size
  * Fixing bsc#1208959 - (CVE-2023-1170) VUL-0: CVE-2023-1170: vim: Heap-based Buffer Overflow in vim prior to 9.0.1376
  * Fixing bsc#1208828 - (CVE-2023-1127) VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386

- Updated to version 9.0 with patch level 1234, fixes the following security problems
  * Fixing bsc#1207396 VUL-0: CVE-2023-0433: vim: Heap-based Buffer Overflow in vim prior to 9.0.1225
  * Fixing bsc#1207162 VUL-1: CVE-2023-0288: vim: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.
  * Fixing bsc#1206868 VUL-1: CVE-2023-0054: vim: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.
  * Fixing bsc#1206867 VUL-1: CVE-2023-0051: vim: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
  * Fixing bsc#1206866 VUL-1: CVE-2023-0049: vim: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
- refreshed vim-7.4-highlight_fstab.patch
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1040...v9.0.1234

- Updated to version 9.0 with patch level 1040, fixes the following security problems
  * Fixing bsc#1206028 VUL-0: CVE-2022-3491: vim: Heap-based Buffer Overflow prior to 9.0.0742
  * Fixing bsc#1206071 VUL-0: CVE-2022-3520: vim: Heap-based Buffer Overflow
  * Fixing bsc#1206072 VUL-0: CVE-2022-3591: vim: Use After Free
  * Fixing bsc#1206075 VUL-0: CVE-2022-4292: vim: Use After Free in GitHub repository vim/vim prior to 9.0.0882.
  * Fixing bsc#1206077 VUL-0: CVE-2022-4293: vim: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.
  * Fixing bsc#1205797 VUL-0: CVE-2022-4141: vim: heap-buffer-overflow in alloc.c 246:11
  * Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.814...v9.0.1040

- Updated to version 9.0 with patch level 0814, fixes the following problems
  * Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
  * Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483.
  * Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490.
  * Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598.
  * Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
  * Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer()
  * Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c
  * Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c
  * Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c
  * Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag()
  * Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
  * Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c
  * Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: vim: use after free
  * Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse()
  * Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321
- ignore-flaky-test-failure.patch: Ignore failure of flaky tests
- disable-unreliable-tests-arch.patch: Removed
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.0313...v9.0.0814
wget
- Update 0001-possibly-truncate-pathname-components.patch
  * Truncate file name even if no directory structure
  * [bsc#1204720]
wicked
- ifconfig: fix arp notify loop (boo#1212806) and burst sending
  [+ 0001-fix_arp_notify_loop_and_burst_sending.patch]

- update to version 0.6.73
- spec: cleanup artefacts and fix some rpmlint warnings
- arp: allow verify/notify counter and interval configuration
- arp: handle ENOBUFS sending errors (bsc#1203300)
- extensions: improve environment variable handling
- firmware: refactor firmware extension definition
- firmware: enable, disable and revert cli commands
- code cleanup: fix memory leaks, add array/list utils
- wireless: Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
- cleanup /var/run leftovers in extension scripts (bsc#1194557)
- json: output formatting improvements and Unicode support
- bond: workaround 6.1 kernel enslave regression (boo#1206674)
- update to version 0.6.72
- client: add `wicked firmware extensions|interfaces|enable|disable`
  command to improve `ibft`,`nbft`,`redfish` firmware extension and
  interface handling.
- client: improve error handling in netif firmware discovery
  extension execution and extension definition overrides in
  the wicked-config.
- nanny: fix use-after-free in debug mode (bsc#1206447)
- spec: replace transitional `%usrmerged` macro with regular
  version check (boo#1206798)
- client: improve to show `no-carrier` in ifstatus output
- linux: cleanup inclusions and update uapi header to 6.0
- ethtool: link mode nwords cleanup and new advertise mode names
- update to version 0.6.71
- dhcp: enable raw-ip support for wwan-qmi interfaces (jsc#PED-90)
- schema: fix the ip rule to-selector to handle network prefixes
- spec: Add /etc/sysconfig/network to file list, no longer in the
  default list of a cleaned up filesystem package on tumbleweed
  (https://github.com/openSUSE/wicked/pull/939).

- version 0.6.70
- build: Link as Position Independent Executable (bsc#1184124)
- dhcp4: Fix issues in reuse of last lease (bsc#1187655)
- dhcp6: Add option to refresh lease (jsc#SLE-9492,jsc#SLE-24307)
- dhcp6: Remove address before release (USGv6 DHCPv6_1_2_07b)
- dhcp6: Ignore lease release status (USGv6 DHCPv6_1_2_07e,1_3_03)
- dhcp6: Consider ppp interfaces supported (gh#openSUSE/wicked#924)
- team: Fix to configure port priority in teamd (bsc#1200505)
- firewall-ext: No config change on ifdown (bsc#1201053,bsc#118950)
- wireless: Fix SEGV on supplicant restart (gh#openSUSE/wicked#931)
- wireless: Add support for WPA3 and PMF (bsc#1198894)
- wireless: Remove libiw dependencies (gh#openSUSE/wicked#910)
- client: Fix SEGV on empty xpath results (gh#openSUSE/wicked#919)
- client: Add release options to ifdown/ifreload (jsc#SLE-10249)
- dbus: Clear string array before append (gh#openSUSE/wicked#913)
- socket: Fix SEGV on heavy socket restart errors (bsc#1192508)
- systemd: Remove systemd-udev-settle dependency (bsc#1186787)
- version 0.6.69
- redfish: decode smbios and setup host interface
  Add initial support to decode the SMBIOS Management Controller Host
  Interface (Type 42) structure and expose it as wicked `firmware:redfish`
  configuration to setup a Host Network Interface (to the BMC) using the
  `Redfish over IP` protocol allowing access to the Redfish Service (via
  redfish-localhost in /etc/hosts) used to manage the computer system.
  Tech Preview (jsc#SLE-17762).
- buffer: fix size_t length downcast to uint, add guards to init functions
- wireless: fix to not expect colons in 64byte long wpa-psk hex hash string
- xml-schema: reference counting fix to not crash at exit on schema errors
- compat-suse: match sysctl.d /etc vs. /run read order with systemd-sysctl,
  remove obsolete (sle11/sysconfig) lines about ifup-sysctl from ifsysctl.5.
- compat-suse: fix reading of sysctl addr_gen_mode to wrong variable
- auto6: fix to apply DNS from RA rdnss after ifdown/ifup (bsc#1181429)
- removed obsolete patch included in the master sources (bsc#1194392)
  [- 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
xen
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
  fully effective (XSA-446)
  xsa446.patch

- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
  IOMMU quarantine page table levels (XSA-445)
  xsa445.patch

- bsc#1215744 - VUL-0: CVE-2023-34323: xen: xenstored: A
  transaction conflict can crash C Xenstored (XSA-440)
  xsa440.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
  TLB flushing (XSA-442)
  xsa442.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
  vulnerabilities in libfsimage disk handling (XSA-443)
  xsa443-01.patch
  xsa443-02.patch
  xsa443-03.patch
  xsa443-04.patch
  xsa443-05.patch
  xsa443-06.patch
  xsa443-07.patch
  xsa443-08.patch
  xsa443-09.patch
  xsa443-10.patch
  xsa443-11.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
  Debug Mask handling (XSA-444)
  xsa444-1.patch
  xsa444-2.patch

- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
  execution leak via division by zero (XSA-439)
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch
- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
  reference dropped too early for 64-bit PV guests (XSA-438)
  xsa438.patch
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
  (XSA-433)
  64e5b4ac-x86-AMD-extend-Zenbleed-check.patch

- Handle potential unaligned access to bitmap in
  libxc-sr-restore-hvm-legacy-superpage.patch
  If setting BITS_PER_LONG at once, the initial bit must be aligned

- Update to Xen 4.14.6 bug fix release (bsc#1027519)
  xen-4.14.6-testing-src.tar.bz2
  * No upstream changelog found in sources or webpage
- bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative
  Return Stack Overflow (XSA-434)
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
  Sampling (XSA-435)
- Dropped patches contained in new tarball
  62a1e594-x86-clean-up-_get_page_type.patch
  62a1e5b0-x86-ABAC-race-in-_get_page_type.patch
  62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch
  62a1e5f0-x86-dont-change-cacheability-of-directmap.patch
  62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch
  62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch
  62a1e649-x86-track-and-flush-non-coherent.patch
  62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch
  62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch
  62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch
  62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch
  62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch
  62cc31ee-cmdline-extend-parse_boolean.patch
  62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch
  62cd91d0-x86-spec-ctrl-rework-context-switching.patch
  62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch
  62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch
  62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
  62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch
  62cd91d5-x86-cpuid-BTC_NO-enum.patch
  62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch
  62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch
  62dfe40a-x86-mm-gpt-TLB-flush-condition.patch
  62f27ebd-x86-expose-more-MSR_ARCH_CAPS-to-hwdom.patch
  62f51e16-x86-spec-ctrl-enum-PBRSB_NO.patch
  62f523da-AMD-setup_force_cpu_cap-BSP-only.patch
  63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch
  63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch
  63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch
  63455fe4-x86-HAP-monitor-table-error-handling.patch
  63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch
  6345601d-x86-tolerate-shadow_prealloc-failure.patch
  6345603a-x86-P2M-refuse-new-alloc-for-dying.patch
  63456057-x86-P2M-truly-free-paging-pool-for-dying.patch
  63456075-x86-P2M-free-paging-pool-preemptively.patch
  63456090-x86-p2m_teardown-preemption.patch
  63456175-libxl-per-arch-extra-default-paging-memory.patch
  63456177-Arm-construct-P2M-pool-for-guests.patch
  6345617a-Arm-XEN_DOMCTL_shadow_op.patch
  6345617c-Arm-take-P2M-pages-P2M-pool.patch
  634561aa-gnttab-locking-on-transitive-copy-error-path.patch
  6351095c-Arm-rework-p2m_init.patch
  6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch
  63569723-x86-shadow-replace-bogus-assertions.patch
  636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
  636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch
  xsa326-01.patch
  xsa326-02.patch
  xsa326-03.patch
  xsa326-04.patch
  xsa326-05.patch
  xsa326-06.patch
  xsa326-07.patch
  xsa326-08.patch
  xsa326-09.patch
  xsa326-10.patch
  xsa326-11.patch
  xsa326-12.patch
  xsa326-13.patch
  xsa326-14.patch
  xsa326-15.patch
  xsa326-16.patch
  xsa403.patch
  xsa414.patch
  xsa415.patch
  xsa416.patch
  xsa417.patch
  xsa418-01.patch
  xsa418-02.patch
  xsa418-03.patch
  xsa418-04.patch
  xsa418-05.patch
  xsa418-06.patch
  xsa419-01.patch
  xsa419-02.patch
  xsa419-03.patch
  xsa421-01.patch
  xsa421-02.patch
  xsa427.patch
  xsa428-1.patch
  xsa428-2.patch
  xsa429.patch
  xsa433.patch

- Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch
  A bit is an index in bitmap, while bits is the allocated size
  of the bitmap.

- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
  (XSA-433)
  xsa433.patch
- Updated fix for XSA-417 (bsc#1204489)
  64ba268b-xenstore-fix-XSA-417.patch

- bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus
  log-dirty mode use-after-free (XSA-427)
  xsa427.patch
- bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM
  pinned cache attributes mis-handling (XSA-428)
  xsa428-1.patch
  xsa428-2.patch
- bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative
  vulnerability in 32bit SYSCALL path (XSA-429)
  xsa429.patch

- Upstream bug fixes (bsc#1027519)
  63624fa6-xenstored-call-remove_domid_from_perm-for-special.patch
  637b5f4f-efifb-ignore-invalid.patch
  63a03e28-x86-high-freq-TSC-overflow.patch
- Re-order some patches back into their proper upstream sequence.

- bsc#1205209 - VUL-0: CVE-2022-23824: xen: x86: Multiple
  speculative security issues (XSA-422)
  636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
  636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch

- bsc#1193923 - VUL-1: xen: Frontends vulnerable to backends
  (XSA-376)
  61dd5f64-limit-support-statement-for-Linux-and-Windows-frontends.patch

- bsc#1204482 - VUL-0: CVE-2022-42311, CVE-2022-42312,
  CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316,
  CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let
  xenstored run out of memory (XSA-326)
  xsa326-10.patch (correction)

- bsc#1203806 - VUL-0: CVE-2022-33746: xen: P2M pool freeing may
  take excessively long (XSA-410)
  63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch
  63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch
  63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch
  63455fe4-x86-HAP-monitor-table-error-handling.patch
  63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch
  6345601d-x86-tolerate-shadow_prealloc-failure.patch
  6345603a-x86-P2M-refuse-new-alloc-for-dying.patch
  63456057-x86-P2M-truly-free-paging-pool-for-dying.patch
  63456075-x86-P2M-free-paging-pool-preemptively.patch
  63456090-x86-p2m_teardown-preemption.patch
- bcs#1203804 - VUL-0: CVE-2022-33747: xen: unbounded memory consumption
  for 2nd-level page tables on ARM systems (XSA-409)
  63456175-libxl-per-arch-extra-default-paging-memory.patch
  63456177-Arm-construct-P2M-pool-for-guests.patch
  6345617a-Arm-XEN_DOMCTL_shadow_op.patch
  6345617c-Arm-take-P2M-pages-P2M-pool.patch
- bsc#1203807 - VUL-0: CVE-2022-33748: xen: lock order inversion in
  transitive grant copy handling (XSA-411)
  634561aa-gnttab-locking-on-transitive-copy-error-path.patch
- Upstream bug fixes (bsc#1027519)
  6306185f-x86-XSTATE-CPUID-subleaf-1-EBX.patch
  6346e404-VMX-correct-error-handling-in-vmx_create_vmcs.patch
  6351095c-Arm-rework-p2m_init.patch
  6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch
  635274c0-EFI-dont-convert-runtime-mem-to-RAM.patch
  635665fb-sched-fix-restore_vcpu_affinity.patch
  63569723-x86-shadow-replace-bogus-assertions.patch
- Drop patches replaced by upstream versions:
  xsa410-01.patch
  xsa410-02.patch
  xsa410-03.patch
  xsa410-04.patch
  xsa410-05.patch
  xsa410-06.patch
  xsa410-07.patch
  xsa410-08.patch
  xsa410-09.patch
  xsa410-10.patch
  xsa411.patch

- bsc#1204482 - VUL-0: CVE-2022-42311, CVE-2022-42312,
  CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316,
  CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let
  xenstored run out of memory (XSA-326)
  xsa326-01.patch
  xsa326-02.patch
  xsa326-03.patch
  xsa326-04.patch
  xsa326-05.patch
  xsa326-06.patch
  xsa326-07.patch
  xsa326-08.patch
  xsa326-09.patch
  xsa326-10.patch
  xsa326-11.patch
  xsa326-12.patch
  xsa326-13.patch
  xsa326-14.patch
  xsa326-15.patch
  xsa326-16.patch
- bsc#1204485 - VUL-0: CVE-2022-42309: xen: Xenstore: Guests can
  crash xenstored (XSA-414)
  xsa414.patch
- bsc#1204487 - VUL-0: CVE-2022-42310: xen: Xenstore: Guests can
  create orphaned Xenstore nodes (XSA-415)
  xsa415.patch
- bsc#1204488 - VUL-0: CVE-2022-42319: xen: Xenstore: Guests can
  cause Xenstore to not free temporary memory (XSA-416)
  xsa416.patch
- bsc#1204489 - VUL-0: CVE-2022-42320: xen: Xenstore: Guests can
  get access to Xenstore nodes of deleted domains (XSA-417)
  xsa417.patch
- bsc#1204490 - VUL-0: CVE-2022-42321: xen: Xenstore: Guests can
  crash xenstored via exhausting the stack (XSA-418)
  xsa418-01.patch
  xsa418-02.patch
  xsa418-03.patch
  xsa418-04.patch
  xsa418-05.patch
  xsa418-06.patch
- bsc#1204494 - VUL-0: CVE-2022-42322,CVE-2022-42323: xen:
  Xenstore: cooperating guests can create arbitrary numbers of
  nodes (XSA-419)
  xsa419-01.patch
  xsa419-02.patch
  xsa419-03.patch
- bsc#1204496 - VUL-0: CVE-2022-42325,CVE-2022-42326: xen:
  Xenstore: Guests can create arbitray number of nodes via
  transactions (XSA-421)
  xsa421-01.patch
  xsa421-02.patch
xrdb
- Downgrade cpp requires to recommends (bsc#1211267)
xterm
- xterm-CVE-2023-40359.patch: Fixed reporting characterset names
  in ReGiS graphics mode (bsc#1214282)

- xterm-CVE-2022-45063.patch: Fixed use-after-free in fontops when
  a font is not present (bsc#1205305 CVE-2022-45063)

- xterm-CVE-2022-24130.patch: Fixed buffer overflow in set_sixel
  when Sixel support is enabled (bsc#1195387)
yast2-bootloader
- prevent leak of grub2 password to logs(bsc#1201962)
- 4.3.32
yast2-cluster
- bsc#1209602 bugs in yast2-cluster Write funcion
- Remove sensless call to sysconfig.openais
- Remove sensless sysconfig.openais agent
- Enable csync2.socket
- Add SCR.Write(PATH,nil) to save the configuration inmediately
- Version 4.3.8

- bsc#1204530, set crypto_hash as "sha1" and set crypto_cipher as "aes256",
- set transport as "udpu" by default,
- set default values for mcastaddr/mcastport/bindnedaddr when cluster firstly configured
- Set focus on "Generate Auth Key File" when secauth is true
- Implement ValidateSecurity method
- Set focus on memberaddr add when using udpu
- Version 4.3.7
yast2-installation
- AutoYaST SecondStage: Revert changes introduced in 4.3.46 running
  the initscript service before systemd-user-sessions again once
  systemd patched logind (bsc#1195059, bsc#1200780)
- 4.3.55

- Do not restart services when updating the package (bsc#1199480,
  bsc#1200274)
- 4.3.54

- AutoYaST Second Stage: Added a missing dependency to the service
  to prevent getty-autogeneration listen on 5901 port (bsc#1199746)
- 4.3.53
yast2-network
- Fix typo when writing the wireless channel (bsc#1212976)
- 4.3.88

- bsc#1211431
  - Do not crash installation when storing vlan configuration into
    NetworkManager
- 4.3.87

- Fixed issue when writing the NetworkManager config without a
  gateway (bsc#1203866)
- 4.3.86

- Added a class to generate the configuration needed for a FCoE
  device being aware of it during the installation (bsc#1199554)
- 4.3.85

- AY: Added missing route extrapara element to the networking
  section (bsc#1201129)
- 4.3.84

- Allow more than 6 domains in resolver search list (bsc#1200155).
- 4.3.83
yast2-online-update
- Fix showing of release notes when we update a rubygem
  (bsc#1205913)
- 4.2.3
yast2-pkg-bindings
- Pkg.TargetInitializeOptions() - added a new option for
  rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- 4.3.12
yast2-registration
- Switch to the new SUSEConnect-ng (bsc#1212799)
  - Includes a SSL reload fix (bsc#1195220)
  - Depends on a new suseconnect-ruby-bindings package instead of
    the old rubygem-suseconnect
- 4.3.27

- Import the SSL certificate from the <reg_server_cert> AutoYaST
  data also in the self-update step (bsc#1199091, bsc#1198642)
- 4.3.26
yast2-sap-ha
- Set default value for global_alloc_limit to "0"
- New function to get the primary hostname on the master.
- Fix setting secondary and primary hostname for the template
- The hook creation is deprecated. This was removed from wizard and from backend.
  This functionality now will be provided by the susCostOpt.py delivered by SAPHanaSR
  Now a key sus_<SID>_costopt must be created.
- yast2-sap-ha for Cost-Opt scenario is not up-to-date with SR takeover in best practice guide (bsc#1209204)
- yast2-sap-ha can not configure firewall (bsc#1211027)
- Rework package sturcture to use the yast2 defaults
- L3: yast2-sap-ha error - Could not adjust global.ini for the production system
  (bsc#1207740)
- yast2-sap-ha: csync2 configuration not enabled (bsc#1202112)
- 4.3.0

- L3: yast2-sap-ha error - Could not adjust global.ini for the production system
  (bsc#1207740)
- 1.0.19

- Clean up Rakefile
- 1.0.18

- Use ruby base64 to replace uuencode/uudecode
  (bsc#1206601)
- 1.0.17

- YaST2 HA Setup for SAP Products - cannot input several instance numbers
  (bsc#1202979)
- 1.0.16
yast2-schema
- Add 'extrapara' to routes in the networking section (bsc#1201129)
- 4.3.31

- Support for flatten and nested "category_filter" element in the
  "online_update_configuration" section (bsc#1198848).
- 4.3.30
yast2-transfer
- Fixed TFTP download, truncate the target file to avoid garbage
  at the end of the file when saving to an already existing file
  (bsc#1208754)
- 4.1.1
yast2-update
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
- 4.3.5
zypper
- Return 104 also if info suggests near matches (fixes #504)
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- Fix typo (fixes #484)
- version 1.14.66

- Fix some typos and spelling errors found by Lintian (fixes #501)
- Prefer unaliased `grep` to avoid unexpected/wrong completions.
  (#503)
- commit: Insert a headline to separate output of different rpm
  scripts (bsc#1041742)
- Fix typo in changes file.
- version 1.14.65

- Fix name of the bash completion script (bsc#1215007)
  In 1.14.63 the location of the bash completion script was changed
  to /usr/share/bash-completion/completions/. But the patch failed
  to also rename the completion script. The original script name
  zypper.sh is not recognized at the new location.
- Update notes about failing signature checks (bsc#1214395)
  It might be a transient issue if the server is in the midst of
  receiving new data. Retry after a few minutes might work.
- Improve the SIGINT handler to be signal safe (bsc#1214292)
  This patch updates the SIGINT handling strategy to be signal
  safe. Meaning the signal handler will do not much more than
  setting a flag, which we are going to check in the normal program
  flow as much as possible.
- version 1.14.64

- Changed location of bash completion script (bsc#1213854).
  This changes the location of zypper.sh bash completion script
  from /usr/share/bash-completion/completions/.
- version 1.14.63

- man: revised explanation of --force-resolution (bsc#1213557)
  Point out that the option not only allows to remove packages but
  may also violate any other active policy if there is no other way
  to resolve the job.
- Print summary hint if policies were violated due to
  - -force-resolution (bsc#1213557)
- BuildRequires:  libzypp-devel >= 17.31.16 (for zypp-tui)
- version 1.14.62

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
- version 1.14.61

- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority (fixes #480)
- version 1.14.60

- BuildRequires:  libzypp-devel >= 17.31.7.
- Provide "removeptf" command (bsc#1203249)
  A remove command which prefers replacing dependant packages to
  removing them as well.
  A PTF is typically removed as soon as the fix it provides is
  applied to the latest official update of the dependant packages.
  But you don't want the dependant packages to be removed together
  with the PTF, which is what the remove command would do. The
  removeptf command however will aim to replace the dependant
  packages by their official update versions.
- patterns: Avoid dispylaing superfluous @System entries
  (bsc#1205570)
- version 1.14.59

- Update man page and explain '.no_auto_prune' (bsc#1204956)
- Allow to (re)add a service with the same URL (bsc#1203715)
- Explain outdatedness of repos (fixes #463)
- BuildRequires:  libzypp-devel >= 17.31.5
- version 1.14.58