000release-packages:SLES_SAP-release
n/a
binutils
- Update to current 2.43.1 branch [PED-10474]:
  * PR32109 - fuzzing problem
  * PR32083 - LTO vs overridden common symbols
  * PR32067 - crash with LTO-plugin and --oformat=binary
  * PR31956 - LTO vs wrapper symbols
  * riscv - add Zimop and Zcmop extensions
- Adjusted binutils-2.43-branch.diff.gz.

- Update to version 2.43:
  * new .base64 pseudo-op, allowing base64 encoded data as strings
  * Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF
    (APX_F now fully supported)
  * x86 Intel syntax now warns about more mnemonic suffixes
  * macros and .irp/.irpc/.rept bodies can use \+ to get at number
    of times the macro/body was executed
  * aarch64: support 'armv9.5-a' for -march, add support for LUT
    and LUT2
  * s390: base register operand in D(X,B) and D(L,B) can now be
    omitted (ala 'D(X,)'); warn when register type doesn't match
    operand type (use option
    'warn-regtype-mismatch=[strict|relaxed|no]' to adjust)
  * riscv: support various extensions: Zacas, Zcmp, Zfbfmin,
    Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw,
    XSfCease, all at version 1.0;
    remove support for assembly of privileged spec 1.9.1 (linking
    support remains)
  * arm: remove support for some old co-processors: Maverick and FPA
  * mips: '--trap' now causes either trap or breakpoint instructions
    to be emitted as per current ISA, instead of always using trap
    insn and failing when current ISA was incompatible with that
  * LoongArch: accept .option pseudo-op for fine-grained control
    of assembly code options; add support for DT_RELR
  * readelf: now displays RELR relocations in full detail;
    add -j/--display-section to show just those section(s) content
    according to their type
  * objdump/readelf now dump also .eh_frame_hdr (when present) when
    dumping .eh_frame
  * gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake
    processors; add minimal support for riscv
  * linker:
  - put .got and .got.plt into relro segment
  - add -z isa-level-report=[none|all|needed|used] to the x86 ELF
    linker to report needed and used x86-64 ISA levels
  - add --rosegment option which changes the -z separate-code
    option so that only one read-only segment is created (instead
    of two)
  - add --section-ordering-file <FILE> option to add extra
    mapping of input sections to output sections
  - add -plugin-save-temps to store plugin intermediate files
    permanently
- Removed binutils-2.42.tar.bz2, binutils-2.42-branch.diff.gz.
- Added binutils-2.43.tar.bz2, binutils-2.43-branch.diff.gz.
- Removed upstream patch riscv-no-relax.patch.
- Rebased ld-relro.diff and binutils-revert-rela.diff.

- binutils-pr22868.diff: Remove obsolete patch
- Undefine _FORTIFY_SOURCE when running checks

- Allow to disable profiling

- Use %patch -P N instead of deprecated %patchN.

- riscv-no-relax.patch: RISC-V: Don't generate branch/jump relocation if
  symbol is local when no-relax

- Add binutils-disable-code-arch-error.diff to demote an
  error about swapped .arch/.code directives to a warning.
  It happens in the wild.

- Update to version 2.42:
  * Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16,
  RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and
  flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2',
  '+rcpc2' and '+wfxt'
  * Add experimantal support for GAS to synthesize call-frame-info for
  some hand-written asm (--scfi=experimental) on x86-64.
  * Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2,
  PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16.
  * Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0,
  SiFive VCIX v1.0.
  * BPF assembler: ';' separates statements now, and does not introduce
  line comments anymore (use '#' or '//' for this).
  * x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with
  dynamic tags.
  * risc-v ld: Add '--[no-]check-uleb128'.
  * New linker script directive: REVERSE, to be combined with SORT_BY_NAME
  or SORT_BY_INIT_PRIORITY, reverses the generated order.
  * New linker options --warn-execstack-objects (warn only about execstack
  when input object files request it), and --error-execstack plus
  - -error-rxw-segments to convert the existing warnings into errors.
  * objdump: Add -Z/--decompress to be used with -s/--full-contents to
  decompress section contents before displaying.
  * readelf: Add --extra-sym-info to be used with --symbols (currently
  prints section name of references section index).
  * objcopy: Add --set-section-flags for x86_64 to include
  SHF_X86_64_LARGE.
  * s390 disassembly: add target-specific disasm option 'insndesc',
  as in "objdump -M insndesc" to display an instruction description
  as comment along with the disassembly.
- Add binutils-2.42-branch.diff.gz.
- Rebased s390-biarch.diff.
- Adjusted binutils-revert-hlasm-insns.diff,
  binutils-revert-plt32-in-branches.diff and binutils-revert-rela.diff
  for upstream changes.
- Removed binutils-2.41-branch.diff.gz, binutils-2.41.tar.bz2,
  binutils-2.41-branch.diff.gz.
- Removed binutils-use-less-memory.diff, binutils-old-makeinfo.diff
  and riscv-relro.patch (all upstreamed).
- Removed add-ulp-section.diff, we use a different mechanism
  for live patching since a long time.

- Add binutils-use-less-memory.diff to be a little nicer to 32bit
  userspace and huge links.  [bsc#1216908]

- riscv-relro.patch: RISC-V: Protect .got with relro

- Add libzstd-devel to Requires of binutils-devel. (bsc#1215341)
cloud-regionsrv-client
- Update to 10.3.4
  + Modify the message when network access over a specific IP version does
    not work. This is an informational message and should not look like
    an error
  + Inform the user that LTSS registration takes a little longer
  + Add fix-for-sles12-no-trans_update.patch
    + SLE 12 family has no products with transactional-update we do not
    need to look for this condition
- From 10.3.3 (bsc#1229472)
  + Handle changes in process structure to properly identify the running
    zypper parent process and only check for 1 PID
- From 10.3.2
  + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream
- From 10.3.1 (jsc#PCT-400)
  + Add support for LTSS registration
  + Add fix-for-sles12-disable-registry.patch
    ~ No container support in SLE 12

- Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137)
  + The entry for the update infrastructure registry mirror was written
    incorrectly causing docker daemon startup to fail.

- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking
kernel-default
- btrfs: sysfs: update fs features directory asynchronously
  (bsc#1226168).
- commit 97cd90c

- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
  CVE-2024-39494).
- commit 81484ec

- ASoC: topology: Fix route memory corruption (CVE-2024-41069
  bsc#1228644).
- commit 586db1a

- net: do not leave a dangling sk pointer, when socket creation fails (CVE-2024-40954 bsc#1227808)
- commit 8f44f81

- check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN
  Mainline commit f2f6a8e88717 ("init/Kconfig: remove
  CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND") replaced
  GCC_ASM_GOTO_OUTPUT_WORKAROUND with GCC_ASM_GOTO_OUTPUT_BROKEN. Ignore both
  when checking config changes.
- commit b60be3e

- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit 810053d

- ptp: fix integer overflow in max_vclocks_store (bsc#1227829
  CVE-2024-40994).
- commit 205cc4c

- filelock: Remove locks reliably when fcntl/close race is
  detected (CVE-2024-41012 bsc#1228247).
- commit e2c5917

- Update
  patches.suse/KVM-Always-flush-async-PF-workqueue-when-vCPU-is-being-des.patch
  (bsc#1223635 (CVE-2024-26976) CVE-2024-26976).
- Update
  patches.suse/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
  (bsc#1227383 CVE-2024-40902 bsc#1227764).
- Update
  patches.suse/vfio-fsl-mc-Block-calling-interrupt-handler-without-trigge.patch
  (bsc#1222810 (CVE-2024-26814) CVE-2024-26814).
- Update
  patches.suse/vfio-platform-Create-persistent-IRQ-handlers.patch
  (bsc#1222809 (CVE-2024-26813) CVE-2024-26813).
- commit 39eeeb9

- Update
  patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch
  (git-fixes CVE-2023-52885 bsc#1227750).
- Update
  patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch
  (bsc#1213123 CVE-2023-37453 CVE-2023-52886 bsc#1227981).
- Update
  patches.suse/virtio-blk-fix-implicit-overflow-on-virtio_max_dma_size.patch
  (bsc#1225573 (CVE-2023-52762) CVE-2023-52762).
- commit 3784f34

- Update
  patches.suse/HID-hid-thrustmaster-fix-OOB-read-in-thrustmaster_in.patch
  (git-fixes CVE-2022-48866 bsc#1228014).
- Update
  patches.suse/Input-aiptek-properly-check-endpoint-type.patch
  (git-fixes CVE-2022-48836 bsc#1227989).
- Update
  patches.suse/KVM-x86-nSVM-fix-potential-NULL-derefernce-on-nested.patch
  (git-fixes CVE-2022-48793 bsc#1228019).
- Update
  patches.suse/NFC-port100-fix-use-after-free-in-port100_send_compl.patch
  (git-fixes CVE-2022-48857 bsc#1228005).
- Update
  patches.suse/NFSD-Fix-NFSv3-SETATTR-CREATE-s-handling-of-large-fi.patch
  (git-fixes CVE-2022-48829 bsc#1228055).
- Update patches.suse/NFSD-Fix-ia_size-underflow.patch (git-fixes
  CVE-2022-48828 bsc#1228054).
- Update
  patches.suse/NFSD-Fix-the-behavior-of-READ-near-OFFSET_MAX.patch
  (bsc#1195957 CVE-2022-48827 bsc#1228037).
- Update
  patches.suse/SUNRPC-lock-against-sock-changing-during-sysfs-read.patch
  (bsc#1194324 CVE-2022-48816 bsc#1228038).
- Update
  patches.suse/can-isotp-fix-potential-CAN-frame-reception-race-in-.patch
  (git-fixes CVE-2022-48830 bsc#1227982).
- Update
  patches.suse/cfg80211-fix-race-in-netlink-owner-interface-destruc.patch
  (git-fixes CVE-2022-48784 bsc#1227938).
- Update
  patches.suse/dmaengine-ptdma-Fix-the-error-handling-path-in-pt_co.patch
  (git-fixes CVE-2022-48774 bsc#1227923).
- Update
  patches.suse/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch
  (git-fixes CVE-2022-48849 bsc#1228061).
- Update
  patches.suse/drm-vc4-Fix-deadlock-on-DSI-device-attach-error.patch
  (git-fixes CVE-2022-48826 bsc#1227975).
- Update
  patches.suse/drm-vrr-Set-VRR-capable-prop-only-if-it-is-attached-.patch
  (git-fixes CVE-2022-48843 bsc#1228066).
- Update
  patches.suse/eeprom-ee1004-limit-i2c-reads-to-I2C_SMBUS_BLOCK_MAX.patch
  (git-fixes CVE-2022-48806 bsc#1227948).
- Update
  patches.suse/ethernet-Fix-error-handling-in-xemaclite_of_probe.patch
  (git-fixes CVE-2022-48860 bsc#1228008).
- Update
  patches.suse/fs-proc-task_mmu.c-don-t-read-mapcount-for-migration-entry.patch
  (CVE-2023-1582 bsc#1209636 CVE-2022-48802 bsc#1227942).
- Update
  patches.suse/gianfar-ethtool-Fix-refcount-leak-in-gfar_get_ts_inf.patch
  (git-fixes CVE-2022-48856 bsc#1228004).
- Update patches.suse/iavf-Fix-hang-during-reboot-shutdown.patch
  (jsc#SLE-18385 CVE-2022-48840 bsc#1227990).
- Update
  patches.suse/ibmvnic-don-t-release-napi-in-__ibmvnic_open.patch
  (bsc#1195668 ltc#195811 CVE-2022-48811 bsc#1227928).
- Update
  patches.suse/ice-Fix-KASAN-error-in-LAG-NETDEV_UNREGISTER-handler.patch
  (git-fixes CVE-2022-48807 bsc#1227970).
- Update
  patches.suse/ice-Fix-race-condition-during-interface-enslave.patch
  (git-fixes CVE-2022-48842 bsc#1228064).
- Update
  patches.suse/ice-fix-NULL-pointer-dereference-in-ice_update_vsi_t.patch
  (jsc#SLE-18375 CVE-2022-48841 bsc#1227991).
- Update
  patches.suse/iio-buffer-Fix-file-related-error-handling-in-IIO_BU.patch
  (git-fixes CVE-2022-48801 bsc#1227956).
- Update
  patches.suse/ima-fix-reference-leak-in-asymmetric_verify.patch
  (git-fixes CVE-2022-48831 bsc#1227986).
- Update
  patches.suse/iommu-Fix-potential-use-after-free-during-probe
  (git-fixes CVE-2022-48796 bsc#1228028).
- Update patches.suse/iwlwifi-fix-use-after-free.patch
  (bsc#1197762 git-fixes CVE-2022-48787 bsc#1227932).
- Update
  patches.suse/mISDN-Fix-memory-leak-in-dsp_pipeline_build.patch
  (git-fixes CVE-2022-48863 bsc#1228063).
- Update
  patches.suse/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch
  (git-fixes CVE-2022-48821 bsc#1227976).
- Update
  patches.suse/mm-don-t-try-to-NUMA-migrate-COW-pages-that-have-other-uses.patch
  (git fixes (mm/numa) CVE-2022-48797 bsc#1228035).
- Update
  patches.suse/mm-vmscan-remove-deadlock-due-to-throttling.patch
  (bsc#1195357 CVE-2022-48800 bsc#1227954).
- Update
  patches.suse/msft-hv-2515-Drivers-hv-vmbus-Fix-memory-leak-in-vmbus_add_channe.patch
  (git-fixes CVE-2022-48775 bsc#1227924).
- Update
  patches.suse/mtd-parsers-qcom-Fix-kernel-panic-on-skipped-partiti.patch
  (git-fixes CVE-2022-48777 bsc#1227922).
- Update
  patches.suse/mtd-parsers-qcom-Fix-missing-free-for-pparts-in-clea.patch
  (git-fixes CVE-2022-48776 bsc#1227925).
- Update
  patches.suse/mtd-rawnand-gpmi-don-t-leak-PM-reference-in-error-pa.patch
  (git-fixes CVE-2022-48778 bsc#1227935).
- Update
  patches.suse/net-dsa-ar9331-register-the-mdiobus-under-devres.patch
  (git-fixes CVE-2022-48817 bsc#1227931).
- Update
  patches.suse/net-dsa-bcm_sf2-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48815 bsc#1227933).
- Update
  patches.suse/net-dsa-felix-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48813 bsc#1227963).
- Update
  patches.suse/net-dsa-lantiq_gswip-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48812 bsc#1227971).
- Update
  patches.suse/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_rem.patch
  (git-fixes CVE-2022-48783 bsc#1227949).
- Update
  patches.suse/net-dsa-mv88e6xxx-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48818 bsc#1228039).
- Update
  patches.suse/net-dsa-seville-register-the-mdiobus-under-devres.patch
  (git-fixes CVE-2022-48814 bsc#1227944).
- Update
  patches.suse/net-ieee802154-at86rf230-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48794 bsc#1228025).
- Update
  patches.suse/net-marvell-prestera-Add-missing-of_node_put-in-pres.patch
  (git-fixes CVE-2022-48859 bsc#1228007).
- Update
  patches.suse/net-mlx5-Fix-a-race-on-command-flush-flow.patch
  (git-fixes CVE-2022-48858 bsc#1228006).
- Update
  patches.suse/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
  (CVE-2022-20368 bsc#1202346 CVE-2022-48839 bsc#1227985).
- Update
  patches.suse/net-smc-Avoid-overwriting-the-copies-of-clcsock-callback-functions
  (git-fixes CVE-2022-48780 bsc#1227995).
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748 bsc#1202686 CVE-2022-2964
  CVE-2022-48805 bsc#1227969).
- Update
  patches.suse/nvme-fix-a-possible-use-after-free-in-controller-res.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48790
  bsc#1227941).
- Update
  patches.suse/nvme-rdma-fix-possible-use-after-free-in-transport-e.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48788
  bsc#1227952).
- Update
  patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48789
  bsc#1228000).
- Update
  patches.suse/perf-Fix-list-corruption-in-perf_cgroup_switch.patch
  (git fixes CVE-2022-48799 bsc#1227953).
- Update
  patches.suse/phy-stm32-fix-a-refcount-leak-in-stm32_usbphyc_pll_e.patch
  (git-fixes CVE-2022-48820 bsc#1227972).
- Update
  patches.suse/phy-ti-Fix-missing-sentinel-for-clk_div_table.patch
  (git-fixes CVE-2022-48803 bsc#1227965).
- Update
  patches.suse/s390-cio-verify-the-driver-availability-for-path_event-call
  (bsc#1195927 LTC#196420 CVE-2022-48798 bsc#1227945).
- Update
  patches.suse/scsi-mpt3sas-Page-fault-in-reply-q-processing.patch
  (git-fixes CVE-2022-48835 bsc#1228060).
- Update patches.suse/scsi-myrs-Fix-crash-in-error-case.patch
  (git-fixes CVE-2022-48824 bsc#1227964).
- Update
  patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-SSP-STP-sas_task.patch
  (git-fixes CVE-2022-48792 bsc#1228013).
- Update
  patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-TMF-sas_task.patch
  (git-fixes CVE-2022-48791 bsc#1228002).
- Update
  patches.suse/scsi-qedf-Add-stag_work-to-all-the-vports.patch
  (git-fixes CVE-2022-48825 bsc#1228056).
- Update
  patches.suse/scsi-qedf-Fix-refcount-issue-when-LOGO-is-received-during-TMF.patch
  (git-fixes CVE-2022-48823 bsc#1228045).
- Update
  patches.suse/staging-gdm724x-fix-use-after-free-in-gdm_lte_rx.patch
  (git-fixes CVE-2022-48851 bsc#1227997).
- Update
  patches.suse/swiotlb-fix-info-leak-with-DMA_FROM_DEVICE.patch
  (CVE-2022-0854 bsc#1196823 CVE-2022-48853 bsc#1228015).
- Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch
  (git-fixes CVE-2022-48822 bsc#1228040).
- Update
  patches.suse/usb-gadget-Fix-use-after-free-bug-by-not-setting-udc.patch
  (git-fixes CVE-2022-48838 bsc#1227988).
- Update
  patches.suse/usb-gadget-rndis-prevent-integer-overflow-in-rndis_s.patch
  (git-fixes CVE-2022-48837 bsc#1227987).
- Update
  patches.suse/usb-usbtmc-Fix-bug-in-pipe-direction-for-control-tra.patch
  (git-fixes CVE-2022-48834 bsc#1228062).
- Update
  patches.suse/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch
  (git-fixes CVE-2022-48861 bsc#1228009).
- Update
  patches.suse/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch
  (git-fixes CVE-2022-48862 bsc#1228010).
- Update
  patches.suse/vsock-remove-vsock-from-connected-table-when-connect.patch
  (git-fixes CVE-2022-48786 bsc#1227996).
- Update
  patches.suse/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
  (git-fixes CVE-2022-48804 bsc#1227968).
- Update patches.suse/watch_queue-Fix-filter-limit-check.patch
  (CVE-2022-0995 bsc#1197246 CVE-2022-48847 bsc#1227993).
- Update
  patches.suse/xprtrdma-fix-pointer-derefs-in-error-cases-of-rpcrdm.patch
  (git-fixes CVE-2022-48773 bsc#1227921).
- commit e328ee7

- Update
  patches.suse/net-sunrpc-fix-reference-count-leaks-in-rpc_sysfs_xp.patch
  (git-fixes CVE-2021-47624 bsc#1227920).
- Update
  patches.suse/scsi-ufs-Fix-a-deadlock-in-the-error-handler.patch
  (git-fixes CVE-2021-47622 bsc#1227917).
- commit f2d923e

- cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801).
- commit 8837200

- net/dpaa2: Avoid explicit cpumask var allocation on stack
  (CVE-2024-42093 bsc#1228680).
- commit e2a1614

- workqueue: Improve scalability of workqueue watchdog touch
  (bsc#1193454).
- commit 51a7eb4

- workqueue: wq_watchdog_touch is always called with valid CPU
  (bsc#1193454).
- commit 10bbd80

- KVM: arm64: Disassociate vcpus from redistributor region on
  teardown (CVE-2024-40989 bsc#1227823).
- commit 724dd5c

- ASoC: topology: Fix references to freed memory (CVE-2024-41069
  bsc#1228644).
- commit 44dd0c7

- Update
  patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch
  (bsc#1221044 CVE-2023-52591 bsc#1228440).
- commit d21f810

- hfsplus: fix uninit-value in copy_name (bsc#1228561
  CVE-2024-41059).
- commit cfc2db1

- dmaengine: idxd: Fix possible Use-After-Free in
  irq_process_work_list (CVE-2024-40956 bsc#1227810).
- commit 3632d87

- ocfs2: fix DIO failure due to insufficient transaction credits
  (bsc#1216834).
- commit edabc6f

- tap: add missing verification for short frame (CVE-2024-41090
  bsc#1228328).
- commit e64bcfc

- rpm/guards: fix precedence issue with control flow operator
  With perl 5.40 it report the following error on rpm/guards script:
  Possible precedence issue with control flow operator (exit) at scripts/guards line 208.
  Fix the issue by adding parenthesis around ternary operator.
- commit 07b8b4e

- drm/amdkfd: don't allow mapping the MMIO HDP page with large
  pages (CVE-2024-41011 bsc#1228115).
- commit ff8f843

- 9p: add missing locking around taking dentry fid list (bsc#1227090, CVE-2024-39463).
- commit c58a66f

- sch_cake: do not call cake_destroy() from cake_init()
  (CVE-2021-47598 bsc#1226574).
- commit d533b8e

- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
  bsc#1227836).
- commit 610d469

- Update
  patches.suse/powerpc-pseries-iommu-LPAR-panics-during-boot-up-wit.patch
  (bsc#1222011 ltc#205900 CVE-2024-36926 bsc#1225829).
- commit 1ec0d1e

- Update
  patches.suse/perf-x86-intel-pt-Fix-crash-with-stop-filters-in-single-range-mode.patch
  (git fixes CVE-2022-48713 bsc#1227549).
- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226758 CVE-2024-38559 bsc#1226785).
- Update
  patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
  CVE-2024-26800 bsc#1222728).
- commit 329a684

- vfio/fsl-mc: Block calling interrupt handler without trigger
  (bsc#1222810 CVE-2024-26814).
- commit 520ae3c

- KVM: Always flush async #PF workqueue when vCPU is being
  destroyed (bsc#1223635 CVE-2024-26976).
- commit c5ed396

- virtio-blk: fix implicit overflow on virtio_max_dma_size
  (bsc#1225573 CVE-2023-52762).
- commit 4296dc1

- vfio/platform: Create persistent IRQ handlers (bsc#1222809
  CVE-2024-26813).
- commit a8290e8

- net: mana: Fix Rx DMA datasize and skb_over_panic (git-fixes CVE-2024-35901 bsc#1224495).
- commit 9db7ad0

- Update patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch.
- fix build warning
- commit 01715f7

- powerpc/pseries: Fix scv instruction crash with kexec
  (bsc#1194869 CVE-2024-42230).
- powerpc/kasan: Disable address sanitization in kexec paths
  (bsc#1194869 CVE-2024-42230).
- commit c9d175f

- kernel-binary: vdso: Own module_dir
- commit ff69986

- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226785 CVE-2024-38559).
  Fixed incorrect bug reference.
- commit e3b8fb6

- net/dcb: check for detached device before executing callbacks
  (bsc#1215587).
- commit 9c27e1c

- kABI: rtas: Workaround false positive due to lost definition
  (bsc#1227487).
- commit fb8a8f3

- powerpc/rtas: Prevent Spectre v1 gadget construction in
  sys_rtas() (bsc#1227487).
- commit 9648fb4

- tls: fix use-after-free on failed backlog decryption
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: separate no-async decryption request handling from async
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: decrement decrypt_pending if no async completion will be
  called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: handle backlogging of crypto requests (CVE-2024-26584
  bsc#1220186).
- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- tls: fix race between async notify and socket close
  (CVE-2024-26583 bsc#1220185).
- net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: fix async vs NIC crypto offload (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: use async as an in-out argument (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: assume crypto always calls our callback (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't track the async count (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584
  bsc#1220185 bsc#1220186).
- tls: rx: wrap decryption arguments in a structure
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't report text length from the bowels of decrypt
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: drop unnecessary arguments from tls_setup_from_iter()
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- commit 63dd4a4

- Delete
  patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch.
  Will be replaced with a refreshed version once all conflicting new patches are in.
- commit a0fa0a3

- NFS: Reduce use of uncached readdir (bsc#1226662).
- NFS: Don't re-read the entire page cache to find the next cookie
  (bsc#1226662).
- commit a10cc0e

- jfs: xattr: fix buffer overflow for invalid xattr
  (bsc#1227383).
- commit 33e2d96
containerd
- Update to containerd v1.7.21. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.21>
  Fixes CVE-2023-47108. bsc#1217070
  Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
cups
- cups-branch-2.2-commit-b643d6ba92f00752aa5e74ff86ad3974334914c1.diff
  is https://github.com/OpenPrinting/cups/commit/b643d6ba92f00752aa5e74ff86ad3974334914c1
  which was added in CUPS 2.2.8 that
  fixed a parsing bug in cups_auth_find() in cups/auth.c
  which lead to cupsd failing to authenticate users
  when group membership is required by cupsd configuration
  like 'Require user @GROUP' which lead to CUPS related commands
  requesting password from group users even if it is not needed
  (bsc#1226227)
- In cups.changes replaced one place where UTF-8 characters
  were used in the entry dated "Sat Sep 30 08:52:42 UTC 2017"
  for what should be ' - ' by ASCII to avoid RPMLINT warning
  about 'non-break-space' which "can lead to obscure errors".
curl
- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
deltarpm
- update to deltarpm-3.6.4
  * support for threaded zstd
  * use a tmp file instead of memory to hold the incore data
    [bsc#1228948]
- dropped patches:
  * deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch

- deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch: fixed
  some C bugs ( incorrect sized memset() , memcpy instead of strcpy,
  unsigned int)

- update to deltarpm-3.6.3
  * support for threaded zstd compression

- Actually enable zstd compression

- update to deltarpm-3.6.2
  * support for zstd compression
dmidecode
- Update to upstream version 3.6 (jsc#PED-8574):
  * Support for SMBIOS 3.6.0. This includes new memory device types, new
    processor upgrades, and Loongarch support.
  * Support for SMBIOS 3.7.0. This includes new port types, new processor
    upgrades, new slot characteristics and new fields for memory modules.
  * Add bash completion.
  * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245.
  * Implement options --list-strings and --list-types.
  * Update HPE OEM records 203, 212, 216, 221, 233 and 236.
  * Update Redfish support.
  * Bug fixes:
    Fix enabled slot characteristics not being printed
  * Minor improvements:
    Print slot width on its own line
    Use standard strings for slot width
  * Add a --no-quirks option.
  * Drop the CPUID exception list.
  * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch,
    dmidecode-fortify-entry-point-length-checks.patch,
    dmidecode-split-table-fetching-from-decoding.patch,
    dmidecode-write-the-whole-dump-file-at-once.patch,
    dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch,
    dmioem-hpe-oem-record-237-firmware-change.patch,
    dmioem-typo-fix-virutal-virtual.patch,
    ensure-dev-mem-is-a-character-device-file.patch,
    news-fix-typo.patch and
    use-read_file-to-read-from-dump.patch.
  Update for HPE servers from upstream:
- dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in
  HPE type 238 records.
dracut
- Update to version 055+suse.359.geb85610b:
  * fix(convertfs): error in conditional expressions (bsc#1228847)
expat
- Security fix (bsc#1229932, CVE-2024-45492): detect integer
  overflow in function nextScaffoldPart
  * Added expat-CVE-2024-45492.patch
- Security fix (bsc#1229931, CVE-2024-45491): detect integer
  overflow in dtdCopy
  * Added expat-CVE-2024-45491.patch
- Security fix (bsc#1229930, CVE-2024-45490): reject negative
  len for XML_ParseBuffer
  * Added expat-CVE-2024-45490.patch
glib2
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).
glibc
- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ
  [#31934])
grub2
- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch

- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)
  * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch

- Fix PowerPC grub loads 5 to 10 minutes slower on SLE-15-SP5 compared to
  SLE-15-SP2 (bsc#1217102)
  * add 0001-ofdisk-enhance-boot-time-by-focusing-on-boot-disk-re.patch
  * add 0002-ofdisk-add-early_log-support.patch

- Enhancement to PPC secure boot's root device discovery config (bsc#1207230)
- Fix regex for Open Firmware device specifier with encoded commas
  * 0002-prep_loadenv-Fix-regex-for-Open-Firmware-device-spec.patch
- Fix regular expression in PPC secure boot config to prevent escaped commas
  from being treated as delimiters when retrieving partition substrings.
- Use prep_load_env in PPC secure boot config to handle unset host-specific
  environment variables and ensure successful command execution.
  * 0004-Introduce-prep_load_env-command.patch
- Refreshed
  * 0005-export-environment-at-start-up.patch
libqt5-qtbase
- Added a patch from upstream to prepare the code so that the
  following patch can be applied (which fixes QTBUG-95277):
  * 0001-H2-emit-encrypted-for-at-least-the-first-reply_-similar-to.patch
- Add rebased upstream patch to delay any HTTP2 communication until
  encrypted() can be responded to (bsc#1227426, CVE-2024-39936).
  * 0001-HTTP2-Delay-any-communication-until-encrypted-can-be.patch
- Add upstream patch to fix a NULL pointer dereference via the
  function QXcbConnection::initializeAllAtoms() when there is
  anomalous behavior from the X server (bsc#1222120,
  CVE-2023-45935):
  * 0001-xcb-guard-a-pointer-before-usage.patch

- Add patch from upstream to fix a regression in the ODBC driver
  (bsc#1227513, QTBUG-112375):
  * 0001-QSQL-ODBC-fix-regression-trailing-NUL.patch
  * 0002-SQL-ODBC-Pass-correct-length-to-SQLColAttribute.patch

- Add upstream patches to fix an incorrect integer overflow check
  (boo#1218413, CVE-2023-51714):
  * 0001-HPack-fix-a-Yoda-Condition.patch
  * 0002-HPack-fix-incorrect-integer-overflow-check.patch
- Add upstream patch to fix a potential overflow in
  assemble_hpack_block():
  * 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch
util-linux
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).
mozilla-nss
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
openssl-1_1
- Build with no-afalgeng [bsc#1226463]

- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
libpcap
- Security fix: [bsc#1230034, CVE-2024-8006]
  * libpcap: NULL pointer derefence in pcap_findalldevs_ex()
  * Add libpcap-CVE-2024-8006.patch

- Security fix: [bsc#1230020, CVE-2023-7256]
  * libpcap: double free via addrinfo in sock_initaddress()
  * Add libpcap-CVE-2023-7256.patch
python311
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
  header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).
- %{profileopt} variable is set according to the variable
  %{do_profiling} (bsc#1227999)

- Remove %suse_update_desktop_file macro as it is not useful any
  more.

- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999
  adding reproducibility patches from gh#python/cpython!121872
  and gh#python/cpython!121883.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).

- Update F00251-change-user-install-location.patch to make pip and
  modern tools install directly in /usr/local when used by the user.
  bsc#1225660
libsolv
- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30
systemd
- Import commit a57a6d239c5d6b91fb3dcd269705e60804a03ae1
  cd0c9ac4f4 unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
  e1eaa86a49 udev: do not set ID_PATH and by-path symlink for nvmf disks
  a85d211874 man: Document ranges for distributions config files and local config files

- Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
  Otherwise pesign-obs-integration ends up re-packaging systemd with all macros
  inside comments unescaped leading to unpredictable behavior. Now why rpm
  expands rpm macros inside comments is the question...

- Update 1011-sysv-generator-add-back-support-for-SysV-scripts-for.patch
  Really skip redundant dependencies specified the LSB description that
  references the file name of the service itself for early boot scripts (noticed
  in bsc#1221479).
tiff
- security update:
  * CVE-2024-7006 [bsc#1228924]
    Fix pointer deref in tif_dirinfo.c
    + tiff-CVE-2024-7006.patch
libzypp
- Make sure not to statically linked installed tools (bsc#1228787)
- version 17.35.8 (35)

- MediaPluginType must be resolved to a valid MediaHandler
  (bsc#1228208)
- version 17.35.7 (35)

- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)

- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)

- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)

- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
  Older zypp-plugins reject stomp headers including a '-'. Like the
  'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
  This patch fixes an issue in safe_strtonum which caused
  timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)

- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
  Buddy pairs (like -release package and product) internally share
  the same status object. When applying locks from query results
  the locked bit must be set if either item is locked.
- version 17.35.2 (35)

- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)

- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)

- Workaround broken libsolv-tools-base requirements (fixes
  openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)
pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
python-azure-agent
- Restart the agent (bsc#1227600)
  + The agent service gets restarted in post but may fail due to a missing
    config file. config files were split into their own package previously.
    When we detect that we have to restore a config file we also need
    to restart the agent again.
python-requests
- Update CVE-2024-35195.patch to allow the usage of "verify" parameter
  as a directory, bsc#1225912
python3-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
python-aiohttp
- Add patch CVE-2024-42367-path-traversal-via-symlink.patch:
  * Do not follow symlinks for compressed file variants.
    (CVE-2024-42367, bsc#1229226)
python-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
regionServiceClientConfigAzure
- Update to version 2.2.0 (jsc#PCT-360)
  + Add IPv6 certs to enable IPv6 access of the update infrastructure
  + Add noipv6.patch to patch out IPv6 on SLE 12, no IPv6 support in SLE 12
    in the Public Cloud

- Update to version 2.1.0 (bsc#1217537)
  + Replace certs 23.100.36.229.pem and 40.121.202.140.pem (4096 length):
    rgnsrv-azure-westus -> 23.100.36.229.pem expires 9 years
    rgnsrv-azure-eastus  -> 40.121.202.140.pem expires 10 years
runc
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
  Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
  * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
saptune
- update package version of saptune to 3.1.3
  * remove note 1868829 from solution S4HANA-APPSERVER as it is a
    HANA DB note and was added by accident
    (bsc#1226093)
  * for verify and simulate output table - wrap content of the
    columns 'actual', 'expected' and 'override', if they exceed a
    width of 30 characters (e.g. net.ipv4.ip_local_reserved_ports)
  * support inline comments in /etc/sysconfig/saptune
  * change handling of the performance options.
    Check, if the settings are supported in the get-Functions too.
    This should fix the problem with some special Azure VMs
    (E20d_v5) on newer SLES SPs
    (jsc#SAPSOL-110)
  * SAP Note 2578899 updated to Version 48
    setting kernel.pid_max to 4194304 and
    start sysctl-logger service
000release-packages:sle-ha-release
n/a
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-live-patching-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-python3-release
n/a
000release-packages:sle-module-sap-applications-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
supportutils
- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc
unzip
- Use %patch -P N instead of deprecated %patchN.

- Build unzip-rcc using multibuild and update unzip-rcc.spec file
util-linux-systemd
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).
zypper
- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint how much
  additional disk space is needed by the new packages static
  content.
- version 1.14.76

- Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly
  (bsc#1227205)
- version 1.14.75

- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74