suse-sles-sap-15-sp7-v20260601-x86_64-llc Package Source Changes

crmsh

- Update to version 4.6.2+20260407.5131df91:
  * Fix: bootstrap: Ensure robust node identification when removing from cluster (bsc#1259683)

csync2

- VUL-1 CVE-2026-41051: csync2: uses insecure temporary directories when compiled with C99 or later
  (bsc#1262472) Add patch:
  configure_mkstemp_c99.patch

samba

- CVE-2026-4480: Fix Unauthenticated Remote Code Execution;
  (bso#16033); (bsc#1261161).
- CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034);
  (bsc#1261163).
- CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC
  nbt server; (bso#16012); (bsc#1261160).
- CVE-2026-3012: Fix CVE-2026-3012 group policy certificate
  enrollment using http:// without validation;(bso#16003);
  (bsc#1261159).
- CVE-2026-1933: Fix missing access check on reparse point
  operations; (bso#15992); (bsc#1261188).
- CVE-2026-2340: vfs_worm does not block directory modification;
  (bso#15997); (bsc#1261158).

- Fix rpc workers with long living clients from growing server
  memory keytab and increasing memory used by workers;
  (bso#16042); (bsc#1257200).

- Generated dynamic profile based on path to special 'printers'
  share. (bsc#1259441).

- Fix regression "use-kerberos=desired" broken doesn't even try
  to authenticate with kerberos and instead fallsback to NTLM;
  (bsc#1255755); (bso#15789).
- Fix memory leak using cups parsed options and from filename
  allocated when processing end of printing job; (bso#15979);
  (bsc#1257200).
- fix manpage for "net offlinejoin requestodj"; (bso#15964)
- fix "ctdbd socket" documentation in manpage for smb.conf;
  (bso#15977)

- Fix memory leak opening local named pipe; (bso#15979);
  (bsc#1257200).

gnutls

- Security fixes:
  * CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705)
  * CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708)
  * CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704)
  * CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709)
  * CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707)
  * CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710)
  * CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711)
  * CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712)
  * CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713)
  * CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds check (bsc#1263714)
  * CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715)
  * CVE-2026-5419: gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free (bsc#1263716)
  * Add patches:
    gnutls-CVE-2026-33846.patch gnutls-CVE-2026-42009.patch
    gnutls-CVE-2026-33845.patch gnutls-CVE-2026-42010.patch
    gnutls-CVE-2026-3833.patch  gnutls-CVE-2026-42011.patch
    gnutls-CVE-2026-42012.patch gnutls-CVE-2026-42013.patch
    gnutls-CVE-2026-42014.patch gnutls-CVE-2026-5260.patch
    gnutls-CVE-2026-42015.patch gnutls-CVE-2026-5419.patch

xz

- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
  * CVE-2026-34743.patch
- Change SUSE-Public-Domain license to LicenseRef-SUSE-Public-Domain to
  fix rpmlint errors

openssl-1_1

- bsc#1250782 Fix 30-test_fips_sli.t fails intermittently on s390x
  Fix AES_GCM IV test sometimes failing on s390x.
  * Add openssl-fix-fips-slitest-s390x.patch

lifecycle-data-sle-module-live-patching

- Added data for 5_14_21-150400_24_194, 5_14_21-150400_24_197,
  5_14_21-150400_24_200,
  5_14_21-150500_55_141, 5_14_21-150500_55_144,
  6_4_0-150600_23_92, 6_4_0-150700_53_34,
  +kernel-livepatch-6_4_0-150700_7_31-rt,*,+kernel-livepatch-6_4_0-150700_7_34-rt,*,+kernel-livepatch-6_4_0-150700_7_37-rt,*. (bsc#1020320)

python-certifi

- Add python36-certifi provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-decorator

- Add python36-decorator provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-idna

- Add python36-idna provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-packaging

- Add python36-packaging provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-pycparser

- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-python-dateutil

- Add python36-python-dateutil provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-py

- Add python36-py provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-six

- Add python36-six provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-urllib3

- CVE-2026-44431: sensitive information disclosure due to sensitive
  headers being forwarded across origins in proxied low-level redirects
  (bsc#1265267)
  Add patch CVE-2026-44431.patch

- fix regression in CVE-2025-66471.patch when downloading large files
  (bsc#1259829)

rsync

- Security update:
  - bsc#1234100, CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
  - bsc#1234101, CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
  - bsc#1234102, CVE-2024-12086: server leaks arbitrary client files
  - bsc#1234103, CVE-2024-12087: server can make client write files outside of destination directory using symbolic links
  - bsc#1234104, CVE-2024-12088: --safe-links bypass
  - bsc#1235475, CVE-2024-12747: Race Condition in rsync Handling Symbolic Links
  - bsc#1254441, CVE-2025-10158: Out of bounds array access via negative index
  - bsc#1262223, CVE-2026-41035: Count of entries mismatch can lead to a use-after-free
  - bsc#1264511, CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no)
  - bsc#1264515, CVE-2026-43617: Authorization Bypass via Hostname Resolution
  - bsc#1264512, CVE-2026-43618: Integer Overflow Information Disclosure
  - bsc#1264514, CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls
  - bsc#1264513, CVE-2026-43620: Out-of-Bounds Array Read via recv_files()
  - bsc#1265296, CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing
- With the big security update above-mentioned, we received a big amount of harderning
  patches that are pre-requisitoes that we added to this version:
  - rsync-hardening-0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch
  - rsync-hardening-0002-hlink-Fix-function-pointer-cast-in-qsort.patch
  - rsync-hardening-0003-bool-is-a-keyword-in-C23.patch
  - rsync-hardening-0004-Fix-warning-about-missing-bomb-.-prototype.patch
  - rsync-hardening-0005-CVE-2024-12084-Some-checksum-buffer-fixes.patch
    (replaces: rsync-CVE-2024-12084-overflow-01.patch)
  - rsync-hardening-0006-CVE-2024-12084-Another-cast-when-multiplying-integers.patch
    (replaces: rsync-CVE-2024-12084-overflow-02.patch)
  - rsync-hardening-0007-CVE-2024-12085-prevent-information-leak-off-the-stack.patch
    (replaces: rsync-CVE-2024-12085.patch)
  - rsync-hardening-0008-CVE-2024-12086-refuse-fuzzy-options-when-fuzzy-not-selected.patch
    (replaces: rsync-CVE-2024-12086_01.patch)
  - rsync-hardening-0009-added-secure_relative_open.patch
    (replaces: rsync-CVE-2024-12086_02.patch)
  - rsync-hardening-0010-receiver-use-secure_relative_open-for-basis-file.patch
    (replaces: rsync-CVE-2024-12086_03.patch)
  - rsync-hardening-0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch
    (replaces: rsync-CVE-2024-12086_04.patch)
  - rsync-hardening-0012-CVE-2024-12087-Refuse-a-duplicate-dirlist.patch
    (replaces: rsync-CVE-2024-12087_01.patch)
  - rsync-hardening-0013-CVE-2024-12087-range-check-dir_ndx-before-use.patch
    (replaces:: rsync-CVE-2024-12087_02.patch)
  - rsync-hardening-0014-CVE-2024-12088-make-safe-links-stricter.patch
    (replaces: rsync-CVE-2024-12088.patch)
  - rsync-hardening-0015-CVE-2024-12747-fixed-symlink-race-condition-in-sender.patch
    (replaces: rsync-CVE-2024-12747.patch)
  - rsync-hardening-0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch
  - rsync-hardening-0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch
  - rsync-hardening-0018-Using-a-correct-time-in-log-file.patch
  - rsync-hardening-0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch
    (replaces: rsync-no-libattr.patch)
  - rsync-hardening-0020-util-fixed-issue-in-clean_fname.patch
  - rsync-hardening-0021-testsuite-added-clean-fname-underflow-test.patch
  - rsync-hardening-0022-CVE-2025-10158-fixed-an-invalid-access-to-files-array.patch
    (replaces: rsync-CVE-2025-10158.patch)
  - rsync-hardening-0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch
  - rsync-hardening-0024-reject-negative-token-values-in-compressed-stream-re.patch
  - rsync-hardening-0025-acl-fixed-ACL-ID-mapping-for-non-root.patch
  - rsync-hardening-0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch
  - rsync-hardening-0027-Fix-glibc-2.43-constness-warnings.patch
  - rsync-hardening-0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch
  - rsync-hardening-0030-zero-all-new-memory-from-allocations.patch
  - rsync-hardening-0031-CVE-2026-41035-xattrs-fixed-count-in-qsort.patch
  - rsync-hardening-0032-call-tzset-before-chroot-to-cache-timezone-data.patch
  - rsync-hardening-0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch
  - rsync-hardening-0034-syscall-use-openat2-RESOLVE_BENEATH-on-Linux-for-sec.patch
  - rsync-hardening-0035-syscall-also-use-O_RESOLVE_BENEATH-on-FreeBSD-and-Ma.patch
  - rsync-hardening-0036-testsuite-skip-symlink-dirlink-basis-on-platforms-wi.patch
  - rsync-hardening-0037-CVE-2026-29518-syscall-clientserver-am_chrooted-and-use_secure_syml.patch
  - rsync-hardening-0038-CVE-2026-29518-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch
  - rsync-hardening-0039-CVE-2026-43619-syscall-receiver-secure-receiver-side-do_chmod-again.patch
  - rsync-hardening-0040-CVE-2026-43619-util1-secure-change_dir-against-symlink-race-chdir-e.patch
  - rsync-hardening-0041-CVE-2026-43619-syscall-add-symlink-race-safe-do_-_at-wrappers-and-h.patch
  - rsync-hardening-0042-CVE-2026-43619-util1-syscall-secure-copy_file-source-dest-opens-bar.patch
  - rsync-hardening-0043-CVE-2026-43619-testsuite-end-to-end-regression-test-for-chdir-symli.patch
  - rsync-hardening-0044-CVE-2026-43618-token-harden-compressed-token-decoding-against-integ.patch
  - rsync-hardening-0045-CVE-2026-43618-testsuite-cover-refuse-options-compress-for-the-daem.patch
  - rsync-hardening-0046-CVE-2026-43620-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch
  - rsync-hardening-0047-CVE-2026-43617-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch
  - rsync-hardening-0048-CVE-2026-43618-defence-in-depth-bound-wire-supplied-counts-and-leng.patch
  - rsync-hardening-0049-CVE-2026-43618-defence-in-depth-guard-cumulative-snprintf-against-l.patch
  - rsync-hardening-0050-CVE-2026-43620-defence-in-depth-receiver-block-index-bounds-read_de.patch
  - rsync-hardening-0052-exclude-fix-crashes-with-fortified-strlcpy.patch
    (replaces: rsync-fortified-strlcpy-fix.patch)
  - rsync-hardening-0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch
  - rsync-hardening-0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch
  - rsync-hardening-0056-testsuite-fixes-for-3.2.7-backport.patch
  - rsync-hardening-0057-rsync.h-lower-MAX_WIRE_DEL_STAT-to-avoid-signed-int-.patch
  - rsync-hardening-0058-CVE-2026-45232-socket-reject-over-long-proxy-response-line.patch
  - rsync-hardening-0059-main-reject-hyphen-prefixed-remote-shell-hostnames.patch
  - rsync-hardening-0060-util1-handle-out-of-range-times-in-timestring.patch
- A few hardening patches were discarded, as the don't affect SUSE distributions:
  - rsync-hardening-0028-zlib-convert-K-R-function-definitions-to-ANSI-style
    (we don't bundle zlib, nothing to patch)
  - rsync-hardening-0051-CI-added-workflows-from-master-for-backport-testing
    (fixes CI Github Actions, not present in release tarballs)
  - rsync-hardening-0054-ci-update-RSYNC_EXPECT_SKIPPED-for-3.2.7-backport-ba
    (fixes CI Github Actions, not present in release tarballs)
- Rename rsync-fix-FLAG_GOT_DIR_FLIST.patch to rsync-fix-duplicate.patch to align codestreams.

- Security update (CVE-2026-41035, bsc#1262223): rsync: count of
  entries mismatch can lead to a use-after-free
  - Add rsync-CVE-2026-41035.patch

supportutils-plugin-ha-sap

- Update to version 0.0.9+git.1778500769.8c44b8b
  * collect XSA information
    (jsc#PED-16103, jsc#PED-16105, jsc#PED-16104)
  * fix error for 'saphostexec -status' and adapt change in HANA
    installation (read /etc/sysctl.d/sap_hdb_sysctl.conf)

sysctl-logger

- Update to v0.0.7
  * Add systemd hardenings
  * Make output directory visible
- Specify LLVM version to use for SLES 15 SP7