- PackageKit
-
- Add 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch:
Do not allow re-invoking methods on non-new transactions
(bsc#1262220, CVE-2026-41651).
- az-cli-container
-
n/a
- az-sdk-container
-
n/a
- kernel-source:kernel-default
-
- crypto: authencesn - Fix src offset when decrypting in-place
(bsc#1262573 CVE-2026-31431).
- commit 66d7b47
- crypto: authencesn - Do not place hiseq at end of dst for
out-of-place decryption (bsc#1262573 CVE-2026-31431).
- commit d5fe1c6
- crypto: authenc - use memcpy_sglist() instead of null skcipher
(bsc#1262573 CVE-2026-31431).
- Refresh
patches.suse/crypto-authencesn-reject-too-short-AAD-assoclen-8-to.patch
- commit 3e7ba77
- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
CVE-2026-31431).
- commit 748d5b2
- crypto: algif_aead - Revert to operating out-of-place
(bsc#1262573 CVE-2026-31431).
- commit 02b8598
- crypto: algif_aead - use memcpy_sglist() instead of null skciphe
(bsc#1262573 CVE-2026-31431).
- commit 28e785f
- crypto: scatterwalk - Fix memcpy_sglist() to always succeed
(bsc#1262573 CVE-2026-31431).
- commit 620f22b
- crypto: scatterwalk - Add memcpy_sglist (bsc#1262573 CVE-2026-31431).
- commit 429a54b
- powerpc/crash: adjust the elfcorehdr size (jsc#PED-11175
git-fixes).
- powerpc/kdump: Fix size calculation for hot-removed memory
ranges (jsc#PED-11175 git-fixes).
- commit cfb9cde
- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
(CVE-2026-23304 bsc#1260544).
- commit 51fafb4
- selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
(bsc#1261669 ltc#212590).
- commit e7cec47
- scsi: target: Fix recursive locking in __configfs_open_file()
(CVE-2026-23292 bsc#1260500).
- scsi: target: iscsi: Fix use-after-free in
iscsit_dec_session_usage_count() (CVE-2026-23193 bsc#1258414).
- scsi: target: iscsi: Fix use-after-free in
iscsit_dec_conn_usage_count() (CVE-2026-23216 bsc#1258447).
- commit f1d41b2
- xdp: produce a warning when calculated tailroom is negative
(CVE-2026-23343 bsc#1260527).
- commit 72b74a3
- bpf, arm64: Force 8-byte alignment for JIT buffer to prevent
atomic tearing (CVE-2026-23383 bsc#1260497).
- commit b5b5e19
- nvmet: move async event work off nvmet-wq (git-fixes).
- nvme-pci: cap queue creation to used queues (git-fixes).
- nvme-pci: ensure we're polling a polled queue (git-fixes).
- nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
(git-fixes).
- commit 5ccf382
- tg3: Fix race for querying speed/duplex (bsc#1257183).
- commit 4d083ab
- KVM: arm64: Fix ID register initialization for non-protected
pKVM guests (CVE-2026-23425 bsc#1261506).
- commit b02fb9f
- Refresh
patches.suse/scsi-scsi_transport_sas-Fix-the-maximum-channel-scan.patch.
- commit bf87874
- net/rds: Fix circular locking dependency in rds_tcp_tune
(CVE-2026-23419 bsc#1261507).
- commit 2e0e6d2
- RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() (CVE-2026-23335 bsc#1260550)
- commit 2c8db95
- soc: qcom: pd-mapper: Fix element length in
servreg_loc_pfr_req_ei (git-fixes).
- firmware: microchip: fail auto-update probe if no flash found
(git-fixes).
- soc: aspeed: socinfo: Mask table entries for accurate SoC ID
matching (git-fixes).
- commit c6e2074
- net/sched: teql: fix NULL pointer dereference in iptunnel_xmit
on TEQL slave xmit (CVE-2026-23277 bsc#1259997).
- commit 880dba8
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs
and shared blocks (CVE-2026-23270 bsc#1259886).
- commit 82e8fe9
- icmp: fix NULL pointer dereference in icmp_tag_validation()
(CVE-2026-23398 bsc#1260730).
- clsact: Fix use-after-free in init/destroy rollback asymmetry
(CVE-2026-23413 bsc#1261498).
- net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
(CVE-2026-23293 bsc#1260486).
- net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
(CVE-2026-23381 bsc#1260471).
- gve: Fix stats report corruption on queue count change
(CVE-2026-23262 bsc#1259870).
- commit b9e6af3
- net/sched: ets: fix divide by zero in the offload path
(CVE-2026-23379 bsc#1260481).
- commit d39e420
- tls: Purge async_hold in tls_decrypt_async_wait() (CVE-2026-23414
bsc#1261496).
- commit 2db5b5f
- misc: fastrpc: possible double-free of cctx->remote_heap
(git-fixes).
- comedi: Reinit dev->spinlock between attachments to low-level
drivers (git-fixes).
- comedi: me_daq: Fix potential overrun of firmware buffer
(git-fixes).
- comedi: me4000: Fix potential overrun of firmware buffer
(git-fixes).
- comedi: ni_atmio16d: Fix invalid clean-up after failed attach
(git-fixes).
- counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev
member (git-fixes).
- counter: rz-mtu3-cnt: prevent counter from being toggled
multiple times (git-fixes).
- iio: dac: ad5770r: fix error return in ad5770r_read_raw()
(git-fixes).
- iio: accel: fix ADXL355 temperature signature value (git-fixes).
- iio: light: vcnl4035: fix scan buffer on big-endian (git-fixes).
- iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
(git-fixes).
- iio: adc: ti-adc161s626: fix buffer read on big-endian
(git-fixes).
- iio: imu: bmi160: Remove potential undefined behavior in
bmi160_config_pin() (git-fixes).
- iio: adc: aspeed: clear reference voltage bits before
configuring vref (git-fixes).
- iio: adc: ti-ads1119: Reinit completion before
wait_for_completion_timeout() (git-fixes).
- iio: adc: ti-ads1119: Replace IRQF_ONESHOT with IRQF_NO_THREAD
(git-fixes).
- iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one
(git-fixes).
- iio: gyro: mpu3050: Fix out-of-sequence free_irq() (git-fixes).
- iio: gyro: mpu3050: Move iio_device_register() to correct
location (git-fixes).
- iio: gyro: mpu3050: Fix irq resource leak (git-fixes).
- iio: gyro: mpu3050: Fix incorrect free_irq() variable
(git-fixes).
- iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and
gyroscope only (git-fixes).
- iio: accel: adxl380: fix FIFO watermark bit 8 always written
as 0 (git-fixes).
- iio: adc: ti-ads1119: Fix unbalanced pm reference count in
ds1119_single_conversion() (git-fixes).
- usb: cdns3: gadget: fix state inconsistency on gadget init
failure (git-fixes).
- usb: ulpi: fix double free in ulpi_register_interface() error
path (git-fixes).
- usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
(git-fixes).
- usb: core: phy: avoid double use of 'usb3-phy' (git-fixes).
- usb: gadget: f_rndis: Protect RNDIS options with mutex
(git-fixes).
- usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
(git-fixes).
- usb: typec: thunderbolt: Set enter_vdo during initialization
(git-fixes).
- usb: dwc2: gadget: Fix spin_lock/unlock mismatch in
dwc2_hsotg_udc_stop() (git-fixes).
- usb: gadget: uvc: fix NULL pointer dereference during unbind
race (git-fixes).
- usb: ehci-brcm: fix sleep during atomic (git-fixes).
- USB: dummy-hcd: Fix interrupt synchronization error (git-fixes).
- USB: dummy-hcd: Fix locking/synchronization error (git-fixes).
- usb: usbtmc: Flush anchored URBs in usbtmc_release (git-fixes).
- usb: gadget: u_ether: Fix race between gether_disconnect and
eth_stop (git-fixes).
- thunderbolt: Fix property read in nhi_wake_supported()
(git-fixes).
- commit 61dafca
- Input: synaptics-rmi4 - fix a locking bug in an error path
(git-fixes).
- hwmon: (occ) Fix missing newline in occ_show_extended()
(git-fixes).
- hwmon: (occ) Fix division by zero in occ_show_power_1()
(git-fixes).
- hwmon: (tps53679) Fix device ID comparison and printing in
tps53676_identify() (git-fixes).
- hwmon: (pxe1610) Check return value of page-select write in
probe (git-fixes).
- commit 00e4cbf
- drm/amdgpu: fix the idr allocation flags (git-fixes).
- commit 5c5d353
- gpio: mxc: map Both Edge pad wakeup to Rising Edge (git-fixes).
- drm/ioc32: stop speculation on the drm_compat_ioctl path
(git-fixes).
- drm/ast: dp501: Fix initialization of SCU2C (git-fixes).
- accel/qaic: Handle DBC deactivation if the owner went away
(git-fixes).
- Revert "drm: Fix use-after-free on framebuffers and property
blobs when calling drm_dev_unplug" (git-fixes).
- drm/i915/dp: Use crtc_state->enhanced_framing properly on
ivb/hsw CPU eDP (git-fixes).
- drm/i915/dsi: Don't do DSC horizontal timing adjustments in
command mode (git-fixes).
- drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
(git-fixes).
- crypto: af-alg - fix NULL pointer dereference in scatterwalk
(git-fixes).
- crypto: caam - fix overflow on long hmac keys (git-fixes).
- crypto: caam - fix DMA corruption on long hmac keys (git-fixes).
- crypto: tegra - Add missing CRYPTO_ALG_ASYNC (git-fixes).
- commit cbd9b43
- ASoC: ak4458: Convert to RUNTIME_PM_OPS() & co (stable-fixes).
- Refresh
patches.suse/ASoC-ak4458-Disable-regulator-when-error-happens.patch.
- commit 5c2bb96
- net/x25: Fix overflow when accumulating packets (git-fixes).
- net/x25: Fix potential double free of skb (git-fixes).
- Bluetooth: hci_sync: fix stack buffer overflow in
hci_le_big_create_sync (git-fixes).
- Bluetooth: SMP: derive legacy responder STK authentication
from MITM state (git-fixes).
- Bluetooth: SMP: force responder MITM requirements before
building the pairing response (git-fixes).
- Bluetooth: MGMT: validate mesh send advertising payload length
(git-fixes).
- Bluetooth: hci_event: fix potential UAF in
hci_le_remote_conn_param_req_evt (git-fixes).
- Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
(git-fixes).
- Bluetooth: MGMT: validate LTK enc_size on load (git-fixes).
- Bluetooth: SCO: fix race conditions in sco_sock_connect()
(git-fixes).
- Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if
immediate (git-fixes).
- NFC: pn533: bound the UART receive buffer (git-fixes).
- wifi: iwlwifi: mvm: fix potential out-of-bounds read in
iwl_mvm_nd_match_info_handler() (git-fixes).
- wifi: ath11k: Pass the correct value of each TID during a stop
AMPDU session (git-fixes).
- wifi: wilc1000: fix u8 overflow in SSID scan buffer size
calculation (git-fixes).
- ASoC: Intel: boards: fix unmet dependency on PINCTRL
(git-fixes).
- ASoC: ep93xx: Fix unchecked clk_prepare_enable() and add
rollback on failure (git-fixes).
- ALSA: caiaq: fix stack out-of-bounds read in init_card
(git-fixes).
- hwmon: (pmbus) Introduce the concept of "write-only" attributes
(git-fixes).
- hwmon: (pmbus) Mark lowest/average/highest/rated attributes
as read-only (git-fixes).
- drm/amdgpu: prevent immediate PASID reuse case (stable-fixes).
- i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter
(stable-fixes).
- usb: core: new quirk to handle devices with zero configurations
(stable-fixes).
- drm/amdgpu: fix gpu idle power consumption issue for gfx v12
(stable-fixes).
- spi: intel-pci: Add support for Nova Lake mobile SPI flash
(stable-fixes).
- ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
(stable-fixes).
- ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
(stable-fixes).
- ALSA: hda/realtek: add quirk for ASUS UM6702RC (stable-fixes).
- drm/ttm/tests: Fix build failure on PREEMPT_RT (stable-fixes).
- ASoC: fsl_easrc: Fix event generation in
fsl_easrc_iec958_set_reg() (stable-fixes).
- ASoC: fsl_easrc: Fix event generation in
fsl_easrc_iec958_put_bits() (stable-fixes).
- ALSA: hda/senary: Ensure EAPD is enabled during init
(stable-fixes).
- HID: mcp2221: cancel last I2C command on read error
(stable-fixes).
- HID: asus: add xg mobile 2023 external hardware support
(stable-fixes).
- HID: magicmouse: fix battery reporting for Apple Magic Trackpad
2 (stable-fixes).
- HID: asus: avoid memory leak in asus_report_fixup()
(stable-fixes).
- HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
(stable-fixes).
- HID: apple: avoid memory leak in apple_report_fixup()
(stable-fixes).
- platform/x86: intel-hid: Enable 5-button array on ThinkPad X1
Fold 16 Gen 1 (stable-fixes).
- platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to
dmi_vgbs_allow_list (stable-fixes).
- platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix
touchscreen on SUPI S10 (stable-fixes).
- net: usb: r8152: add TRENDnet TUC-ET2G (stable-fixes).
- hwmon: (pmbus/core) Fix various coding style issues
(stable-fixes).
- commit 053df39
- kABI: Include trace recursion bits in kABI tracking
(bsc#1258301).
- commit 7414cd0
- tracing: Add recursion protection in kernel stack trace
recording (CVE-2026-23138 bsc#1258301).
- kABI: Preserve values of the trace recursion bits
(CVE-2026-23138 bsc#1258301).
- commit ba21d86
- bridge: cfm: Fix race condition in peer_mep deletion
(CVE-2026-23393 bsc#1260522).
- commit 11e82ff
- net: add proper RCU protection to /proc/net/ptype
(CVE-2026-23255 bsc#1259891).
- commit 9473781
- netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
(CVE-2026-23274 bsc#1260005).
- commit e8d0573
- netfilter: nf_tables: always walk all pending catchall elements
(CVE-2026-23278 bsc#1259998).
- commit ef6d5cc
- netfilter: nf_tables: unconditionally bump set->nelems before
insertion (CVE-2026-23272 bsc#1260009).
- commit 7374f2f
- btrfs: fix zero size inode with non-zero size after log replay
(git-fixes).
- commit 4cd09a5
- btrfs: log new dentries when logging parent dir of a conflicting
inode (git-fixes).
- commit 8b6c07f
- bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
(CVE-2026-23319 bsc#1260735).
- commit 08c179a
- btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() (bsc#1257777).
- commit 68a8609
- xsk: Fix fragment node deletion to prevent buffer leak
(CVE-2026-23326 bsc#1260606).
- commit 82be0c6
- xen/privcmd: unregister xenstore notifier on module exit
(git-fixes).
- commit c843a07
- ice: set max queues in alloc_etherdev_mqs() (git-fixes).
- net/mlx5: Fix crash when moving to switchdev mode (git-fixes).
- gve: fix incorrect buffer cleanup in
gve_tx_clean_pending_packets for QPL (CVE-2026-23386
bsc#1260799).
- bnxt_en: Allow ntuple filters for drops (git-fixes).
- octeontx2-af: Workaround SQM/PSE stalls by disabling sticky
(git-fixes).
- commit c1f367d
- phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4 (git-fixes).
- phy: ti: j721e-wiz: Fix device node reference leak in
wiz_get_lane_phy_types() (git-fixes).
- dmaengine: xilinx_dma: Fix reset related timeout with
two-channel AXIDMA (git-fixes).
- dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
(git-fixes).
- dmaengine: xilinx: xilinx_dma: Fix residue calculation for
cyclic DMA (git-fixes).
- dmaengine: xilinx: xilinx_dma: Fix dma_device directions
(git-fixes).
- dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
(git-fixes).
- dmaengine: sh: rz-dmac: Protect the driver specific lists
(git-fixes).
- dmaengine: idxd: fix possible wrong descriptor completion in
llist_abort_desc() (git-fixes).
- dmaengine: xilinx: xdma: Fix regmap init error handling
(git-fixes).
- dmaengine: dw-edma: Fix multiple times setting of the
CYCLE_STATE and CYCLE_BIT bits for HDMA (git-fixes).
- dmaengine: idxd: Fix leaking event log memory (git-fixes).
- dmaengine: idxd: Fix freeing the allocated ida too late
(git-fixes).
- dmaengine: idxd: Fix memory leak when a wq is reset (git-fixes).
- dmaengine: idxd: Fix not releasing workqueue on .release()
(git-fixes).
- dmaengine: idxd: Fix possible invalid memory access after FLR
(git-fixes).
- dmaengine: fsl-edma: fix channel parameter config for fixed
channel requests (git-fixes).
- irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment
(git-fixes).
- commit 264b815
- PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry
(CVE-2026-23361 bsc#1260732).
- commit b836028
- net: mana: Trigger VF reset/recovery on health check failure
due to HWC timeout (bsc#1259580).
- net: mana: fix use-after-free in add_adev() error path
(git-fixes).
- commit 96d07db
- hwmon: (adm1177) fix sysfs ABI violation and current unit
conversion (git-fixes).
- hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
(git-fixes).
- hwmon: (peci/cputemp) Fix crit_hyst returning delta instead
of absolute temperature (git-fixes).
- hwmon: (pmbus/isl68137) Add mutex protection for AVS enable
sysfs attributes (git-fixes).
- drm/i915/dp_tunnel: Fix error handling when clearing stream
BW in atomic state (git-fixes).
- drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
(git-fixes).
- drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
(git-fixes).
- drm/amd/display: Do not skip unrelated mode changes in DSC
validation (git-fixes).
- spi: spi-fsl-lpspi: fix teardown order issue (UAF) (git-fixes).
- spi: meson-spicc: Fix double-put in remove path (git-fixes).
- spi: sn-f-ospi: Fix resource leak in f_ospi_probe() (git-fixes).
- regmap: Synchronize cache for the page selector (git-fixes).
- ASoC: SOF: ipc4-topology: Allow bytes controls without initial
payload (git-fixes).
- ASoC: adau1372: Fix clock leak on PLL lock failure (git-fixes).
- ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
(git-fixes).
- ASoC: Intel: catpt: Fix the device initialization (git-fixes).
- ALSA: firewire-lib: fix uninitialized local variable
(git-fixes).
- ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter
(git-fixes).
- net: usb: pegasus: validate USB endpoints (stable-fixes).
- commit ba7e9a1
- wifi: libertas: fix use-after-free in lbs_free_adapter()
(CVE-2026-23281 bsc#1260464).
- commit a8cb81b
- PM: hibernate: Drain trailing zero pages on userspace restore
(git-fixes).
- platform/x86: ISST: Correct locked bit width (git-fixes).
- platform/x86: intel-hid: disable wakeup_mode during hibernation
(git-fixes).
- platform/olpc: olpc-xo175-ec: Fix overflow error message to
print inlen (git-fixes).
- serial: 8250: Add late synchronize_irq() to shutdown to handle
DW UART BUSY (git-fixes).
- serial: 8250_pci: add support for the AX99100 (stable-fixes).
- serial: uartlite: fix PM runtime usage count underflow on probe
(git-fixes).
- serial: 8250: Fix TX deadlock when using DMA (git-fixes).
- spi: fix statistics allocation (git-fixes).
- spi: fix use-after-free on controller registration failure
(git-fixes).
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is
not enough headroom (git-fixes).
- wifi: mac80211: fix NULL deref in mesh_matches_local()
(git-fixes).
- wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
(git-fixes).
- wifi: mac80211: Fix static_branch_dec() underflow for
aql_disable (git-fixes).
- PM: runtime: Fix a race condition related to device removal
(git-fixes).
- soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource()
in qmc_qe_init_resources() (git-fixes).
- soc: fsl: qbman: fix race condition in qman_destroy_fq
(git-fixes).
- soc: microchip: mpfs: Fix memory leak in
mpfs_sys_controller_probe() (git-fixes).
- USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb
speed (stable-fixes).
- usb: dwc3: pci: add support for the Intel Nova Lake -H
(stable-fixes).
- usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
(stable-fixes).
- usb: xhci: Prevent interrupt storm on host controller error
(HCE) (stable-fixes).
- usb: misc: uss720: properly clean up reference in uss720_probe()
(stable-fixes).
- usb: image: mdc800: kill download URB on timeout (stable-fixes).
- usb: mdc800: handle signal and read racing (stable-fixes).
- usb: yurex: fix race in probe (stable-fixes).
- USB: add QUIRK_NO_BOS for video capture several devices
(stable-fixes).
- staging: rtl8723bs: properly validate the data in
rtw_get_ie_ex() (stable-fixes).
- wifi: mac80211: set default WMM parameters on all links
(stable-fixes).
- USB: serial: f81232: fix incomplete serial port generation
(stable-fixes).
- commit 2fe4f6e
- nfc: nci: fix circular locking dependency in nci_close_device
(git-fixes).
- pinctrl: mediatek: common: Fix probe failure for devices
without EINT (git-fixes).
- pinctrl: qcom: spmi-gpio: implement .get_direction()
(git-fixes).
- media: mc, v4l2: serialize REINIT and REQBUFS with
req_queue_mutex (git-fixes).
- i2c: pxa: defer reset on Armada 3700 when recovery is used
(git-fixes).
- i2c: fsi: Fix a potential leak in fsi_i2c_probe() (git-fixes).
- i2c: cp2615: fix serial string NULL-deref at probe (git-fixes).
- hwmon: axi-fan: don't use driver_override as IRQ name
(git-fixes).
- hwmon: (max6639) Fix pulses-per-revolution implementation
(git-fixes).
- hwmon: (pmbus/isl68137) Fix unchecked return value and use
sysfs_emit() (git-fixes).
- mmc: sdhci: fix timing selection for 1-bit bus width
(git-fixes).
- mmc: sdhci-pci-gli: fix GL9750 DMA write corruption (git-fixes).
- mtd: rawnand: pl353: make sure optimal timings are applied
(git-fixes).
- mtd: rawnand: brcmnand: skip DMA during panic write (git-fixes).
- mtd: rawnand: serialize lock/unlock against other NAND
operations (git-fixes).
- mtd: rawnand: cadence: Fix error check for dma_alloc_coherent()
in cadence_nand_init() (git-fixes).
- mtd: Avoid boot crash in RedBoot partition table parser
(git-fixes).
- mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN
stations (stable-fixes).
- NFC: nxp-nci: allow GPIOs to sleep (git-fixes).
- net: usb: aqc111: Do not perform PM inside suspend callback
(git-fixes).
- net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
(git-fixes).
- net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
(git-fixes).
- net/rose: fix NULL pointer dereference in rose_transmit_link
on reconnect (git-fixes).
- mmc: dw_mmc-rockchip: Fix runtime PM support for internal
phase support (git-fixes).
- mmc: dw_mmc-rockchip: Add memory clock auto-gating support
(stable-fixes).
- mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D
mode (stable-fixes).
- mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D
mode (stable-fixes).
- mmc: dw_mmc-rockchip: use modern PM macros (stable-fixes).
- commit f3a1015
- hwmon: (pmbus/mp2975) Add error check for pmbus_read_word_data()
return value (git-fixes).
- drm/xe: Open-code GGTT MMIO access protection (git-fixes).
- drm/xe/oa: Allow reading after disabling OA stream (git-fixes).
- drm/radeon: apply state adjust rules to some additional HAINAN
vairants (stable-fixes).
- drm/amdgpu: apply state adjust rules to some additional HAINAN
vairants (stable-fixes).
- drm/amdgpu/gmc9.0: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub4.1.0: add bounds checking for cid
(stable-fixes).
- drm/amdgpu/mmhub3.0: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub3.0.2: add bounds checking for cid
(stable-fixes).
- drm/amdgpu/mmhub3.0.1: add bounds checking for cid
(stable-fixes).
- drm/amdgpu/mmhub2.3: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub2.0: add bounds checking for cid (stable-fixes).
- drm/amd: fix dcn 2.01 check (git-fixes).
- drm/amd/display: Fix DisplayID not-found handling in
parse_edid_displayid_vrr() (git-fixes).
- drm/amd/display: Wrap dcn32_override_min_req_memclk() in
DC_FP_{START, END} (git-fixes).
- drm: Fix use-after-free on framebuffers and property blobs
when calling drm_dev_unplug (git-fixes).
- drm/imagination: Fix deadlock in soft reset sequence
(git-fixes).
- drm/i915/gt: Check set_default_submission() before deferencing
(git-fixes).
- firmware: arm_scpi: Fix device_node reference leak in probe path
(git-fixes).
- firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
(git-fixes).
- crypto: ccp - Fix leaking the same page twice (git-fixes).
- drm/amd: Set num IP blocks to 0 if discovery fails
(stable-fixes).
- drm/i915/dsc: Add helper for writing DSC Selective Update ET
parameters (stable-fixes).
- drm/i915/dsc: Add Selective Update register definitions
(stable-fixes).
- drm/amdgpu: Fix use-after-free race in VM acquire
(stable-fixes).
- drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on
smu v13.0.x (stable-fixes).
- drm/amd/display: Fallback to boot snapshot for dispclk
(stable-fixes).
- drm/amdgpu/vcn5: Add SMU dpm interface type (stable-fixes).
- drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode
with HPD (stable-fixes).
- drm/amd/display: Add pixel_clock to amd_pp_display_configuration
(stable-fixes).
- commit 63d8be5
- Bluetooth: btusb: clamp SCO altsetting table indices
(git-fixes).
- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite
loop (git-fixes).
- Bluetooth: btintel: serialize btintel_hw_error() with
hci_req_sync_lock (git-fixes).
- Bluetooth: L2CAP: Fix send LE flow credits in ACL link
(git-fixes).
- can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
(git-fixes).
- can: gw: fix OOB heap access in cgw_csum_crc8_rel() (git-fixes).
- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
(git-fixes).
- Bluetooth: hci_ll: Fix firmware leak on error path (git-fixes).
- Bluetooth: MGMT: Fix dangling pointer on
mgmt_add_adv_patterns_monitor_complete (git-fixes).
- Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to
missing sock_hold (git-fixes).
- Bluetooth: L2CAP: Validate PDU length before reading SDU length
in l2cap_ecred_data_rcv() (git-fixes).
- Bluetooth: L2CAP: Fix stack-out-of-bounds read in
l2cap_ecred_conn_req (git-fixes).
- Bluetooth: qca: fix ROM version reading on WCN3998 chips
(git-fixes).
- Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before
access (git-fixes).
- Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
(git-fixes).
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
(git-fixes).
- Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
(git-fixes).
- Bluetooth: HIDP: Fix possible UAF (git-fixes).
- commit b7580ee
- ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
(git-fixes).
- ata: libata-core: disable LPM on ADATA SU680 SSD (stable-fixes).
- Bluetooth: MGMT: Fix list corruption and UAF in command complete
handlers (git-fixes).
- Bluetooth: hci_sync: Fix hci_le_create_conn_sync (git-fixes).
- Bluetooth: ISO: Fix defer tests being unstable (git-fixes).
- Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy (git-fixes).
- Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed
SDU (git-fixes).
- Bluetooth: LE L2CAP: Disconnect if received packet's SDU
exceeds IMTU (git-fixes).
- ACPI: processor: Fix previous acpi_processor_errata_piix4()
fix (git-fixes).
- ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2
mixer interfaces (stable-fixes).
- ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
(stable-fixes).
- ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
(stable-fixes).
- ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
(stable-fixes).
- ASoC: cs42l43: Report insert for exotic peripherals
(stable-fixes).
- ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
(stable-fixes).
- ACPI: PM: Save NVS memory on Lenovo G70-35 (stable-fixes).
- ACPI: OSI: Add DMI quirk for Acer Aspire One D255
(stable-fixes).
- commit 037720b
- ceph: fix oops due to invalid pointer for kfree() in parse_longname() (CVE-2026-23201 bsc#1258337).
- commit 6fc237a
- Refresh patches.suse/nvme-add-partial_nid-quirk.patch.
- commit b0acf62
- audit: add fchmodat2() to change attributes class (bsc#1259759 CVE-2025-71239).
- commit 9071781
- nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit()
(CVE-2026-23297 bsc#1260490).
- commit b452925
- Revert "drm/i915/display: Add quirk to skip retraining of dp link (bsc#1253129)."
This reverts commit f73088654455665292f21760fa5dee5345f8a25f.
- commit d6dafb4
- xen/privcmd: restrict usage in unprivileged domU (bsc#1259707
CVE-2026-31788).
- commit ef16009
- btrfs: only enforce free space tree if v1 cache is required
for bs < ps cases (bsc#1260459).
- commit 8492959
- x86/platform/uv: Handle deconfigured sockets (bsc#1260347).
- commit d2d840b
- RDMA/umad: Reject negative data_len in ib_umad_write (CVE-2026-23243 bsc#1259797)
- commit 52dd89a
- RDMA/siw: Fix potential NULL pointer dereference in header processing (CVE-2026-23242 bsc#1259795)
- commit 41503e8
- tls: Fix race condition in tls_sw_cancel_work_tx()
(CVE-2026-23240 bsc#1259484).
- espintcp: Fix race condition in espintcp_close() (CVE-2026-23239
bsc#1259485).
- commit 3627070
- drm/i915/display: Add module param to skip retraining of dp link (bsc#1253129).
- commit 6c67fea
- net/sched: cls_u32: use skb_header_pointer_careful()
(CVE-2026-23204 bsc#1258340).
- net: add skb_header_pointer_careful() helper (CVE-2026-23204
bsc#1258340).
- commit 096c21e
- sched/debug: Fix updating of ppos on server write ops
(git-fixes).
- commit 70e8001
- scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()
(git-fixes, jsc#PED-15042).
- commit 02cf1d1
- Update
patches.suse/crypto-ecdsa-make-ecdsa_ecc_ctx_deinit-to-zeroize-th.patch
(jsc#PED-15986,bsc#1222768).
- commit bf86f55
- Update
patches.suse/crypto-ecdh-make-ecdh_compute_value-to-zeroize-the-p.patch
(jsc#PED-15986,bsc#1222768).
- commit 2edc156
- Update
patches.suse/crypto-seqiv-flag-instantiations-as-fips-compliant.patch
(jsc#PED-15986,bsc#1194778).
- commit 0c9d6c5
- Update patches.suse/crypto-dh-implement-FIPS-PCT.patch
(jsc#PED-15986,bsc#1191256,bsc#1207184).
- commit 6e61d6f
- Update patches.suse/crypto-ecdh-implement-FIPS-PCT.patch
(jsc#PED-15986,bsc#1191256,bsc#1207184).
- commit 00c3bc1
- Update
patches.suse/0002-crypto-populate-downstream-list-of-drivers-unapprove.patch
(jsc#PED-15986,bsc#1191270).
- commit ceaee7e
- Update
patches.suse/0001-crypto-implement-downstream-solution-for-disabling-d.patch
(jsc#PED-15986,bsc#1191270).
- commit c3732b7
- soc: rockchip: grf: Add missing of_node_put() when returning (git-fixes)
- commit e54adb5
- add mainline tag to a mana patch
- commit cb76aaf
- bpf, test_run: Subtract size of xdp_frame from allowed metadata
size (CVE-2026-23140 bsc#1258305).
- commit d6a4451
- scsi: scsi_transport_sas: Fix the maximum channel scanning issue
(bsc#1255687, git-fixes).
- commit d70069d
- scsi: hisi_sas: Fix NULL pointer exception during user_scan()
(bsc#1255687).
- commit 43112c2
- bpf, btf: Enforce destructor kfunc type with CFI (bsc#1259955).
- selftests/bpf: Use the correct destructor kfunc type
(bsc#1259955).
- bpf: crypto: Use the correct destructor kfunc type (bsc#1259955).
- commit 2fdc072
- kabi/severities: Clean up unused entries
Clean up kABI severity rules that ksymvers reports as unused.
* kabi/severities:29: WARNING: Severity rule 'MODULE drivers/block/rbd PASS' is unused
kabi/severities:30: WARNING: Severity rule 'MODULE fs/ceph PASS' is unused
The modules are present but don't export any symbols. Remove the entries.
* kabi/severities:31: WARNING: Severity rule 'MODULE drivers/target/target_core_rbd PASS' is unused
The entry refers to a non-existent module. Remove the entry.
* kabi/severities:37: WARNING: Severity rule 'SYMBOL get_dev_data PASS' is unused
Mainline commit fb1b6955bbf3 ("iommu/amd: Unexport get_dev_data()")
unexported the function and commit 05a0542b456e ("iommu/amd: Store
dev_data as device iommu private data") subsequently removed it. The
entry is no longer relevant in SL-16.0 and later, therefore remove it.
* kabi/severities:43: WARNING: Severity rule 'MODULE net/iucv/* PASS' is unused
The entry is a module pattern but the iucv support is built into vmlinux.
Change the pattern to match the iucv_* and __iucv_* symbols instead.
* kabi/severities:81: WARNING: Severity rule 'MODULE drivers/cxl/core/* PASS' is unused
The pattern is never matched because it is preceded by the superset
pattern 'MODULE drivers/cxl/* PASS'. Remove the superfluous entry.
* kabi/severities:82: WARNING: Severity rule 'MODULE include/linux/cxl-events.h PASS' is unused
The pattern doesn't make sense because matching on a header file is not
supported. Remove the entry.
* kabi/severities:121: WARNING: Severity rule 'SYMBOL hv_init_clocksource PASS' is unused
kabi/severities:122: WARNING: Severity rule 'SYMBOL mdio_bus_init PASS' is unused
kabi/severities:123: WARNING: Severity rule 'SYMBOL seg6_hmac_net_init PASS' is unused
kabi/severities:124: WARNING: Severity rule 'SYMBOL seg6_hmac_init PASS' is unused
kabi/severities:125: WARNING: Severity rule 'SYMBOL tick_nohz_full_setup PASS' is unused
kabi/severities:126: WARNING: Severity rule 'SYMBOL xen_xlate_map_ballooned_pages PASS' is unused
kabi/severities:127: WARNING: Severity rule 'SYMBOL xfrm4_protocol_init PASS' is unused
These entries were necessary because the specified symbols were
previously marked as both exported and __init. This issue was resolved
upstream through several commits, which were also backported to SLE,
requiring us to mark the symbols as ignored from the kABI perspective.
Since SL-16.0 began with all relevant fixes already present, these
entries are no longer needed, therefore remove them.
* kabi/severities:130: WARNING: Severity rule 'SYMBOL rt5682_headset_detect PASS' is unused
This is a similar case. Mainline commit 4045daf0fa87 ("ASoC: rt5682: Fix
deadlock on resume") unexported the specified symbol. To backport the
fix, the symbol needed to be marked as ignored. The entry is no longer
relevant in SL-16.0 and later, therefore remove it.
* kabi/severities:160: WARNING: Severity rule 'MODULE drivers/gpu/drm/vmwgfx/* PASS' is unused
The vmwgfx module previously had some exported symbols but mainline
commit a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
removed the last of these symbols. Remove the now unnecessary entry.
* kabi/severities:163: WARNING: Severity rule 'MODULE io_uring/* PASS' is unused
This entry is a module pattern but the io_uring support is built into
vmlinux. It doesn't appear this entry is currently needed, therefore
remove it.
* kabi/severities:170: WARNING: Severity rule 'SYMBOL retbleed_untrain_ret PASS' is unused
kabi/severities:171: WARNING: Severity rule 'SYMBOL srso_untrain_ret PASS' is unused
Mainline commit eb54be26b0d2 ("x86/srso: Unexport untraining functions")
unexported the specified symbols. The entry is no longer relevant in
SL-16.0 and later, therefore remove it.
* kabi/severities:174: WARNING: Severity rule 'SYMBOL tasdevice_prmg_calibdata_load PASS' is unused
Mainline commit b195acf5266d ("ASoC: tas2781: Fix wrong loading
calibrated data sequence") removed the specified symbol. The entry is no
longer relevant in SL-16.0 and later, therefore remove it.
* kabi/severities:177: WARNING: Severity rule 'SYMBOL pci_create_ims_domain PASS' is unused
Mainline commit b966b1102871 ("Revert "PCI/MSI: Provide IMS (Interrupt
Message Store) support"") removed the specified symbol. The entry is no
longer relevant in SL-16.0 and later, therefore remove it.
* kabi/severities:178: WARNING: Severity rule 'SYMBOL pci_ims_alloc_irq PASS' is unused
kabi/severities:179: WARNING: Severity rule 'SYMBOL pci_ims_free_irq PASS' is unused
Mainline commit 1794808fb1b3 ("Revert "PCI/MSI: Provide
pci_ims_alloc/free_irq()"") removed the specified symbols. The entry is
no longer relevant in SL-16.0 and later, therefore remove it.
* kabi/severities:190: WARNING: Severity rule 'SYMBOL tlbstate_untag_mask PASS' is unused
Downstream commit 405fa97a73d8 ("config: Disable LAM on x86
(bsc#1217845)") unset CONFIG_ADDRESS_MASKING and marked the specified
symbol as ignored from the kABI perspective. The entry is no longer
relevant in SL-16.0 and later, therefore remove it.
* kabi/severities:193: WARNING: Severity rule 'SYMBOL mmio_stale_data_clear PASS' is unused
Mainline commit d9b79111fd99 ("x86/bugs: Rename mmio_stale_data_clear to
cpu_buf_vm_clear") renamed the specified symbol, and to backport the
patch, the symbol was marked as ignored from the kABI perspective. The
entry is no longer relevant in SL-16.0 and later, therefore remove it.
- commit 177fa7d
- x86/vmware: Fix hypercall clobbers (CVE-2026-23215 bsc#1258476).
- commit 6fb22e1
- pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains (CVE-2026-23187 bsc#1258330)
- commit 2110258
- KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
(git-fixes).
- commit 7b41d14
- KVM: x86: synthesize CPUID bits only if CPU capability is set
(bsc#1257511).
- commit 798c0f2
- Refresh
patches.suse/mm-page_alloc-thp-prevent-reclaim-for-__GFP_THISNODE-THP-a.patch.
- Refresh
patches.suse/scsi-lpfc-Rework-lpfc_sli4_fcf_rr_next_index_get.patch.
- Refresh
patches.suse/scsi-lpfc-Update-lpfc-version-to-14.4.0.13.patch.
- Refresh
patches.suse/scsi-qla2xxx-Add-Speed-in-SFP-print-information.patch.
- Refresh
patches.suse/scsi-qla2xxx-Add-bsg-interface-to-support-firmware-i.patch.
- Refresh
patches.suse/scsi-qla2xxx-Add-load-flash-firmware-mailbox-support.patch.
- Refresh
patches.suse/scsi-qla2xxx-Add-support-for-64G-SFP-speed.patch.
- Refresh
patches.suse/scsi-qla2xxx-Allow-recovery-for-tape-devices.patch.
- Refresh
patches.suse/scsi-qla2xxx-Delay-module-unload-while-fabric-scan-i.patch.
- Refresh
patches.suse/scsi-qla2xxx-Fix-bsg_done-causing-double-free.patch.
- Refresh
patches.suse/scsi-qla2xxx-Free-sp-in-error-path-to-fix-system-cra.patch.
- Refresh
patches.suse/scsi-qla2xxx-Query-FW-again-before-proceeding-with-l.patch.
- Refresh
patches.suse/scsi-qla2xxx-Update-version-to-10.02.10.100-k.patch.
- Refresh
patches.suse/scsi-qla2xxx-Validate-MCU-signature-before-executing.patch.
- Refresh
patches.suse/scsi-qla2xxx-Validate-sp-before-freeing-associated-m.patch.
- commit 4563ee6
- nvme: fix memory leak in quirks_param_set() (bsc#1243208).
- nvme: add support for dynamic quirk configuration via module
parameter (bsc#1243208).
- nvme: expose active quirks in sysfs (bsc#1243208).
Refresh:
- patches.suse/nvme-add-partial_nid-quirk.patch
- commit 422f1b7
- netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
(CVE-2026-23231 bsc#1259188).
- commit febac42
- s390/ctcm: Fix double-kfree (CVE-2025-40253 bsc#1255084).
- commit a8fc62d
- Update config files (bsc#1254307).
- commit 3e059ac
- s390/ipl: Clear SBP flag when bootprog is set (bsc#1258175).
- s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP (bsc#1254306).
- s390/cio: Update purge function to unregister the unused
subchannels (bsc#1254214).
- commit 9226bc5
- l2tp: avoid one data-race in l2tp_tunnel_del_work() (CVE-2026-23120 bsc#1258280)
- commit 6883716
- l2tp: Fix memleak in l2tp_udp_encap_recv() (CVE-2026-23072 bsc#1257708)
- commit 9859402
- Use unified maintainers' email address
- commit ab708b6
- 9p/xen: protect xen_9pfs_front_free against concurrent calls
(git-fixes).
- commit bff5c7c
- vhost: fix caching attributes of MMIO regions by setting them
explicitly (git-fixes).
- commit ce01fc5
- vmw_vsock: bypass false-positive Wnonnull warning with gcc-16
(git-fixes).
- commit 3b72ad4
- xenbus: Use .freeze/.thaw to handle xenbus devices (git-fixes).
- commit e219626
- scsi: target: target_core_configfs: Add length check to avoid
buffer overflow (CVE-2025-39998 bsc#1252073).
- commit a088008
- scsi: fnic: Fix missing DMA mapping error in fnic_send_frame()
(jsc#PED-15441).
- scsi: fnic: Turn off FDMI ACTIVE flags on link down
(jsc#PED-15441).
- scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times
out (jsc#PED-15441).
- scsi: fnic: Remove unnecessary spinlock locking and unlocking
(jsc#PED-15441).
- scsi: fnic: Replace fnic->lock_flags with local flags
(jsc#PED-15441).
- scsi: fnic: Replace use of sizeof with standard usage
(jsc#PED-15441).
- scsi: fnic: Fix indentation and remove unnecessary parenthesis
(jsc#PED-15441).
- scsi: fnic: Remove unnecessary debug print (jsc#PED-15441).
- scsi: fnic: Propagate SCSI error code from fnic_scsi_drv_init()
(jsc#PED-15441).
- scsi: fnic: Test for memory allocation failure and return
error code (jsc#PED-15441).
- scsi: fnic: Return appropriate error code from failure of scsi
drv init (jsc#PED-15441).
- scsi: fnic: Return appropriate error code for mem alloc failure
(jsc#PED-15441).
- scsi: fnic: Remove always-true IS_FNIC_FCP_INITIATOR macro
(jsc#PED-15441).
- scsi: fnic: Fix use of uninitialized value in debug message
(jsc#PED-15441).
- scsi: fnic: Delete incorrect debugfs error handling
(jsc#PED-15441).
- scsi: fnic: Remove unnecessary else to fix warning in FDLS FIP
(jsc#PED-15441).
- scsi: fnic: Remove extern definition from .c files
(jsc#PED-15441).
- scsi: fnic: Remove unnecessary else and unnecessary break in
FDLS (jsc#PED-15441).
- scsi: fnic: Add support to handle port channel RSCN
(jsc#PED-15441).
- scsi: fnic: Code cleanup (jsc#PED-15441).
- scsi: fnic: Add stats and related functionality (jsc#PED-15441).
- scsi: fnic: Modify fnic interfaces to use FDLS (jsc#PED-15441).
- scsi: fnic: Modify IO path to use FDLS (jsc#PED-15441).
- scsi: fnic: Add functionality in fnic to support FDLS
(jsc#PED-15441).
- scsi: fnic: Add and integrate support for FIP (jsc#PED-15441).
- scsi: fnic: Add and integrate support for FDMI (jsc#PED-15441).
- scsi: fnic: Add Cisco hardware model names (jsc#PED-15441).
- scsi: fnic: Add support for unsolicited requests and responses
(jsc#PED-15441).
- scsi: fnic: Add support for target based solicited requests
and responses (jsc#PED-15441).
- scsi: fnic: Add support for fabric based solicited requests
and responses (jsc#PED-15441).
- scsi: fnic: Add headers and definitions for FDLS
(jsc#PED-15441).
- scsi: fnic: Replace shost_printk() with dev_info()/dev_err()
(jsc#PED-15441).
- scsi: fnic: Increment driver version (jsc#PED-15441).
- commit 975501d
- arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix (git-fixes)
- commit 3475d30
- arm64: Fix sampling the "stable" virtual counter in preemptible (git-fixes)
- commit 2a1727d
- iomap: adjust read range correctly for non-block-aligned positions (CVE-2025-68794 bsc#1256647)
- commit 3c90321
- Refresh
patches.suse/selftests-bpf-add-verifier-sign-extension-bound-comp.patch.
Updated expected BPF verifier message to align with those output by
SL-16.0 kernel.
- commit 63646e4
- net: mana: fix use-after-free in mana_hwc_destroy_channel()
by reordering teardown (git-fixes).
- net/mana: Null service_wq on setup error to prevent double
destroy (git-fixes).
- commit c784715
- usb: roles: get usb role switch from parent only for
usb-b-connector (git-fixes).
- usb: typec: altmode/displayport: set displayport signaling
rate in configure message (git-fixes).
- usb: xhci: Fix memory leak in xhci_disable_slot() (git-fixes).
- usb: class: cdc-wdm: fix reordering issue in read code path
(git-fixes).
- usb: renesas_usbhs: fix use-after-free in ISR during device
removal (git-fixes).
- usb: cdc-acm: Restore CAP_BRK functionnality to CH343
(git-fixes).
- usb: gadget: f_mass_storage: Fix potential integer overflow
in check_command_size_in_blocks() (git-fixes).
- USB: core: Limit the length of unkillable synchronous timeouts
(git-fixes).
- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified
timeouts (git-fixes).
- USB: usbcore: Introduce usb_bulk_msg_killable() (git-fixes).
- usb: core: don't power off roothub PHYs if phy_set_mode()
fails (git-fixes).
- iio: buffer: Fix wait_queue not being removed (git-fixes).
- iio: gyro: mpu3050-core: fix pm_runtime error handling
(git-fixes).
- iio: gyro: mpu3050-i2c: fix pm_runtime error handling
(git-fixes).
- iio: chemical: sps30_serial: fix buffer size in
sps30_serial_read_meas() (git-fixes).
- iio: chemical: sps30_i2c: fix buffer size in
sps30_i2c_read_meas() (git-fixes).
- iio: proximity: hx9023s: Protect against division by zero in
set_samp_freq (git-fixes).
- iio: chemical: bme680: Fix measurement wait duration calculation
(git-fixes).
- iio: dac: ds4424: reject -128 RAW value (git-fixes).
- iio: potentiometer: mcp4131: fix double application of wiper
shift (git-fixes).
- iio: imu: inv-mpu9150: fix irq ack preventing irq storms
(git-fixes).
- iio: frequency: adf4377: Fix duplicated soft reset mask
(git-fixes).
- iio: imu: inv_icm42600: fix odr switch when turning buffer off
(git-fixes).
- iio: imu: inv_icm42600: fix odr switch to the same value
(git-fixes).
- commit dd7a351
- i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus
lock" (git-fixes).
- commit b6700c3
- drm/amdkfd: Unreserve bo if queue update failed (git-fixes).
- drm/amdgpu: Fix kernel-doc comments for some LUT properties
(git-fixes).
- drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT
for smu v14 (git-fixes).
- drm/i915: Fix potential overflow of shmem scatterlist length
(git-fixes).
- drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
(git-fixes).
- drm/msm/dsi: fix pclk rate calculation for bonded dsi
(git-fixes).
- drm/msm: Fix dma_free_attrs() buffer size (git-fixes).
- drm/msm/dsi: fix hdisplay calculation when programming dsi
registers (git-fixes).
- regulator: pca9450: Correct interrupt type (git-fixes).
- ASoC: amd: acp-mach-common: Add missing error check for clock
acquisition (git-fixes).
- ASoC: detect empty DMI strings (git-fixes).
- ASoC: amd: acp3x-rt5682-max9836: Add missing error check for
clock acquisition (git-fixes).
- ASoC: soc-core: flush delayed work before removing DAIs and
widgets (git-fixes).
- ASoC: soc-core: drop delayed_work_pending() check before flush
(git-fixes).
- ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop
and start (git-fixes).
- ALSA: pcm: fix use-after-free on linked stream runtime in
snd_pcm_drain() (git-fixes).
- hwmon: (max6639) fix inverted polarity (git-fixes).
- hwmon: (aht10) Fix initialization commands for AHT20
(git-fixes).
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks
missing them (stable-fixes).
- platform/x86: dell-wmi: Add audio/mic mute key codes
(stable-fixes).
- ALSA: scarlett2: Fix DSP filter control array handling
(git-fixes).
- ALSA: hda/conexant: Fix headphone jack handling on Acer Swift
SF314 (stable-fixes).
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Book3 Pro 360
(NP965QFG) (stable-fixes).
- ALSA: hda/realtek: Add quirk for Gigabyte G5 KF5 (2023)
(stable-fixes).
- usb: cdns3: fix role switching during resume (git-fixes).
- drm/exynos: vidi: use ctx->lock to protect struct vidi_context
member variables related to memory alloc/free (stable-fixes).
- drm/exynos: vidi: fix to avoid directly dereferencing user
pointer (stable-fixes).
- ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
(stable-fixes).
- hwmon: (aht10) Add support for dht20 (stable-fixes).
- drm/exynos/vidi: Remove redundant error handling in
vidi_get_modes() (stable-fixes).
- usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
(stable-fixes).
- usb: cdns3: remove redundant if branch (stable-fixes).
- ALSA: scarlett2: Fix redeclaration of loop variable
(stable-fixes).
- hwmon: (max6639) : Configure based on DT property
(stable-fixes).
- commit 6b23ebb
- sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
(CVE-2026-23125 bsc#1258293).
- commit 6fbbb68
- KVM: x86/mmu: Drop/zap existing present SPTE even when creating
an MMIO SPTE (bsc#1259461).
- commit e55e509
- ACPI: OSL: fix __iomem type on return from
acpi_os_map_generic_address() (git-fixes).
- can: hi311x: hi3110_open(): add check for hi3110_power_enable()
return value (git-fixes).
- net: usb: lan78xx: fix TX byte statistics for small packets
(git-fixes).
- net: usb: lan78xx: fix silent drop of packets with checksum
errors (git-fixes).
- qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
(git-fixes).
- remoteproc: sysmon: Correct subsys_name_len type in QMI request
(git-fixes).
- commit 0d180fa
- apparmor: fix race between freeing data and fs accessing it
(bsc#1258849).
- apparmor: fix race on rawdata dereference (bsc#1258849).
- apparmor: fix differential encoding verification (bsc#1258849).
- apparmor: fix unprivileged local user can do privileged policy
management (bsc#1258849).
- apparmor: Fix double free of ns_name in aa_replace_profiles()
(bsc#1258849).
- apparmor: fix missing bounds check on DEFAULT table in
verify_dfa() (bsc#1258849).
- apparmor: fix side-effect bug in match_char() macro usage
(bsc#1258849).
- apparmor: fix: limit the number of levels of policy namespaces
(bsc#1258849).
- apparmor: replace recursive profile removal with iterative
approach (bsc#1258849).
- apparmor: fix memory leak in verify_header (bsc#1258849).
- apparmor: validate DFA start states are in bounds in unpack_pdb
(bsc#1258849).
- commit 4a76367
- RDMA/rtrs-clt: For conn rejection use actual err number (git-fixes)
- commit f0999f7
- Refresh
patches.suse/cpufreq-default-to-performance-governor-on-servers.patch.
Remove call to __init function acpi_os_get_root_pointer() from non __init context.
acpi_os_get_root_pointer() is now called in __init context, the result is stored
in a global variable, which is later accessed by the non-__init intel_pstate_cpu_init()
and amd_pstate_epp_cpu_init().
- commit 49b0ab2
- crmsh
-
- Update to version 5.0.0+20260420.f7e8ecad:
* Dev: utils: Improve check_port_open to concurrently try all addresses (bsc#1262094)
* Dev: qdevice: Remove unused codes
* Fix: bootstrap: On join node, retrieve qdevice certification files before starting qdevice (bsc#1254243)
- Update to version 5.0.0+20260403.7274d51c:
* Fix: bootstrap: Ensure robust node identification when removing from cluster (bsc#1259683)
* Dev: utils: Rename utils.ssh_reachable_check to utils.ssh_port_reachable_check
* Dev: utils: Check if the peer node needs password to access
* Dev: utils: Rename utils.node_reachable_check to utils.ssh_reachable_check
* Dev: ui_utils: Move ui_node.parse_option_for_nodes to ui_utils.parse_and_validate_node_args
* Fix: utils: Raise UnreachableNodeError for those ssh unreachable nodes (bsc#1250645)
* Dev: utils: Adjust node_reachable_check function and the way it is used
* Dev: doc: Update the formular to calculate the expected fencing-watchdog-timeout
* Fix: sbd: Update the formular to calculate the expected fencing-watchdog-timeout
* Dev: bootstrap: Sync directory sbd.SBDManager.SBD_SYSTEMD_DELAY_START_DIR
* Dev: bootstrap: Refactor retrieve_all_config_files function
* Dev: behave_agent: Prevent client hang behind firewall during long cluster joins
* Fix: log: Disable color when not on a TTY (bsc#1259178)
* Dev: sh: Use sh_helper.py for su commands (bsc#1254757)
* Dev: doc: Mention about watchdog-device option also acceptes driver name
* Dev: watchdog: Improve the fatal error logging message
* Dev: ui_cluster: Hint the watchdog option should be used with sbd option
* Dev: bootstrap: Skip inactive cluster node when calling restart_cluster function
* Fix: cibverify: If no errors found, treat crm_verify result as success (bsc#1250349)
* Fix: log: Add milliseconds time format to crmsh.log (bsc#1255021)
* Dev: corosync: Add milliseconds to log time format
* Fix: ui_cluster: Stop dlm in maintenance mode correctly (bsc#1253733)
* Dev: utils: Reuse methods in xmlutil.CrmMonXmlParser
- cryptsetup
-
- Update to 2.8.4: (jsc#PED-15889)
* Fix integritysetup resize (grow) of the device if integrity bitmap
mode is used. Increasing the integrity device in bitmap mode did
not work as integritysetup incorrectly used journal settings that
were not applicable.
* Fix device size status reports in cryptsetup and integritysetup.
If the device uses a sector size larger than 512 bytes, the newly
reported byte sizes (introduced in 2.8.0) in the status report
were incorrectly displayed.
* BITLK: Fix unlocking BitLocker device with recovery passphrase.
If the recovery passphrase was present in the first keyslot, the
device failed to unlock. This bug was introduced in 2.8.2 with
Clear Key support.
- Update to 2.8.3:
* Stable bug-fix release with minor extensions.
- Update to 2.8.2:
* BITLK: Fix for BitLocker metadata validation on big-endian systems.
- Update to 2.8.1:
* Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that use chained ciphers.
* Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8 characters in the passphrase.
* Do not allow activation of the LUKS2 device if the used keyslot is not encrypted (it uses a null cipher).
- Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
- Null cipher is sometimes used to create an empty container for later reencryption.
- Only an empty passphrase can activate such a container (the same as in LUKS1).
* Do not silently decrease PBKDF parallel cost (threads) if set by an option.
- The maximum parallel cost is limited to 4 threads.
* Fixes to configuration and installation scripts.
- Meson and autoconf tools now properly support --prefix option for temporary directory installation.
- Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
- Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
- Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
* Major update to manual pages.
- Try to explain the PBKDF hardcoded limits.
- Add a better explanation for automatic integrity tag recalculation.
- Mention crypt/verity/integritytab.
- Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
- Clarify that some commands do not wipe data and unify OPAL reset wording.
- Clarify the --label option.
- There are also many other grammar and stylistic fixes to unify the man-page style.
* Fixes for false-positive and annoying (optional) warnings added in recent compilers.
- Update to 2.8.0:
* Full release notes in:
- https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes
* Introduce support for inline mode (use HW sectors with additional hardware
metadata space).
* Finalize use of keyslot context API.
* Make all keyslot context types fully self-contained.
* Add --key-description and --new-key-description cryptsetup options.
* Support more precise keyslot selection in reencryption initialization.
* Allow reencryption to resume using token and volume keys.
* Cryptsetup repair command now tries to check LUKS keyslot areas for corruption.
* Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
* Opal2: Avoid the Erase method and use Secure Erase for locking range.
* Opal2: Fix some error description (in debug only).
* Opal2: Do not allow deferred deactivation.
* Allow --reduce-device-size and --device-size combination for reencryption
(encrypt) action.
* Fix the userspace storage backend to support kernel "capi:" cipher specification format.
* Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher specification is used.
* Explicitly disallow kernel "capi:" cipher specification format for LUKS2
keyslot encryption.
* Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
* cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification.
* Remove keyslot warning about possible failure due to low memory.
* Do not limit Argon2 KDF memory cost on systems with more than 4GB of available memory.
* Properly report out of memory error for cryptographic backends implementing Argon2.
* Avoid KDF2 memory cost overflow on 32-bit platforms.
* Do not use page size as a fallback for device block size.
* veritysetup: Check hash device size in advance.
* Print a better error message for unsupported LUKS2 AEAD device resize.
* Optimize LUKS2 metadata writes.
* veritysetup: support --error-as-corruption option.
* Report all sizes in status and dump command output in the correct units.
* Add --integrity-key-size option to cryptsetup.
* Support trusted & encrypted keyrings for plain devices.
* Support plain format resize with a keyring key.
* TCRYPT: Clear mapping of system-encrypted partitions.
* TCRYPT: Print all information from the decrypted metadata header in
the tcryptDump command.
* Always lock the volume key structure in memory.
* Do not run direct-io read check on block devices.
* Fix a possible segfault in deferred deactivation.
* Exclude cipher allocation time from the cryptsetup benchmark.
* Add Mbed-TLS optional crypto backend.
* Fix the wrong preprocessor use of #ifdef for config.h processed by Meson.
* Reorganize license files. The license text files are now in docs/licenses.
The COPYING file in the root directory is the default license.
* Remove cc-by-sa-4.0.txt as already shipped now in docs/licenses
and named as COPYING.CC-BY-SA-4.0.
* Libcryptsetup API extensions. The libcryptsetup API is backward compatible
with all existing symbols. Due to the self-contained memory allocation,
these symbols have the new version:
- crypt_keyslot_context_init_by_passphrase;
- crypt_keyslot_context_init_by_keyfile;
- crypt_keyslot_context_init_by_token;
- crypt_keyslot_context_init_by_volume_key;
- crypt_keyslot_context_init_by_signed_key;
- crypt_keyslot_context_init_by_keyring;
- crypt_keyslot_context_init_by_vk_in_keyring;
* New symbols:
- crypt_format_inline
- crypt_get_old_volume_key_size
- crypt_reencrypt_init_by_keyslot_context
- crypt_safe_memcpy
* New defines:
- CRYPT_ACTIVATE_HIGH_PRIORITY
- CRYPT_ACTIVATE_ERROR_AS_CORRUPTION
- CRYPT_ACTIVATE_INLINE_MODE
- CRYPT_REENCRYPT_CREATE_NEW_DIGEST
* New requirement flag:
- CRYPT_REQUIREMENT_INLINE_HW_TAGS
- Add a dependency on device-mapper to libcryptsetup12 to install
the required device-mapper udev rules. [bsc#1241612]
- librsvg
-
- Add librsvg-CVE-2026-25727.patch: Fix denial of service when
parsing rfc2822. (bsc#1257922, CVE-2026-25727)
- grub2
-
- Fix missing install device check in grub2-install on PowerPC which could lead
to bootlist corruption (bsc#1221126)
* 0001-Mandatory-install-device-check-for-PowerPC.patch
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
* grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
* grub2-btrfs-09-get-default-subvolume.patch
- himmelblau
-
- Fix openQA test fails in selinux; (bsc#1261613).
* Add 0001-selinux-allow-unconfined_service_t-to-search-himmelb.patch
- Update to version 2.3.9+git0.a9fd29b:
* cargo vet
* nss: block local group-name collisions on getgrnam (CVE-2026-34397).
* update aws-lc-sys to 0.39.0 for security fixes
* update rustls-webpki to 0.103.10 for CRL revocation fix
* Version 2.3.9
* cargo vet
* packaging: fix if/else block for debian's postrm
* Update apparmor.unix-chkpwd.local (Issue #1252)
* When Hello user encounters SSPR demand, be permissive
* add tests for sudo_groups functionality
* Fix config tests to ignore local host config
* Do not clear $NOTIFY_SOCKET when calling sd_ready
* Fix token cache 24h purge
* broker: use SSO server nonce for PRT only when provided
* Fix pam_himmelblau blocking local user password changes (#1199)
* Remove unused File import
* Use is_ascii_alphanumeric() for account_id validation
* Fix path traversal in LoadProfilePhoto AccountsService writes
* Drop initialization tracing span
* himmelblau-hsm-pin-init: drop RemainAfterExit=yes
* Add fallback behavior when consent is required
* qr-greeter: enable extension without socket noise
* debian: make install/remove noninteractive; reduce QR postinst noise; soften missing hello prt
* Never respond with BadRequest without error detail
* deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates
- libcap
-
- CVE-2026-4878: Fixed a a potential TOCTOU race condition in cap_set_file() (bsc#1261809)
0001-Address-a-potential-TOCTOU-race-condition-in-cap_set.patch:
- mozilla-nss
-
- update to NSS 3.112.5
* bmo#2033783 - reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max.
* bmo#2034185 - update to version 2.84 of builtins module.
- Added "Suggests: p11-kit-nss-trust" to favor over mozilla-nss-certs
(Jira: PED-15633)
- update to NSS 3.112.4
* bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
* bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey.
* bmo#2029462 - store email on subject cache_entry in NSS trust domain.
* bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
* bmo#2029323 - Improve size calculations in CMS content buffering.
* bmo#2028001 - avoid integer overflow while escaping RFC822 Names.
* bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder.
* bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile.
* bmo#2027345 - Improve input validation in DSAU signature decoding.
* bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS.
* bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
* bmo#2026156 - Add a maximum cert uncompressed len and tests.
* bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes.
* bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
* bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
* bmo#2019224 - Remove invalid PORT_Free().
* bmo#1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
* bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie.
- update to NSS 3.112.3
* bmo#2009552 - avoid integer overflow in platform-independent ghash
- Add bmo1990242.patch to move NSS DB password hash away from SHA-1
- update to NSS 3.112.2
* bmo#1970079 - Prevent leaks during pkcs12 decoding.
* bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates
- Adding patch bmo1980465.patch to fix bug on s390x (bmo#1980465)
- Adding patch bmo1956754.patch to fix possible undefined behaviour (bmo#1956754)
- update to NSS 3.112.1
* bmo#1982742 - restore support for finding certificates by decoded serial number.
- libgcrypt
-
- Update to 1.12.1 (jsc#PED-15059)
* Various fixes
- Drop libgcrypt-1.12.0-ec_regression.patch as it's upstreamed
- Update to 1.12.0 (jsc#PED-15059)
* New and extended interfaces:
- Allow access to the FIPS service indicator via the new
GCRYCTL_FIPS_SERVICE_INDICATOR control code.
- Make SHA-1 non-FIPS internally for the 1.12 API
- Add Dilithium (ML-DSA) support
- Support optional random-override and support byte string data
* Bug fixes:
- Use secure MPI in _gcry_mpi_assign_limb_space.
- Use CSIDL_COMMON_APPDATA instead of /etc on Windows.
- Apply a Kyber patch from upstream.
- Fix an edge case in Jent initialization.
- mceliece6688128f: Fix stack overflow crash on win64/wine
* Performance:
- Many performance improvements, new AVX512 implementations for modern CPUs.
- Add RISC-V Zbb+Zbc implementation of CRC.
- Add RISC-V vector cryptography implementation of GHASH, AES, SHA256 and SHA512
- Add AVX2 and AVX512 code paths to improve CRC.
For a full changelog, see:
https://dev.gnupg.org/source/libgcrypt/history/master/;libgcrypt-1.12.0
* Dropped libgcrypt-1.11.1-public-SLI-API.patch - applied upstream
* Rebased libgcrypt-CVE-2024-2236.patch
* Rebased libgcrypt-FIPS-SLI-hash-mac.patch
* Rebased libgcrypt-FIPS-SLI-kdf-leylength.patch
* Rebased libgcrypt-FIPS-SLI-pk.patch
* Rebased libgcrypt-FIPS-jitter-standalone.patch
* Rebased libgcrypt-FIPS-rndjent_poll.patch
* Rebased libgcrypt-nobetasuffix.patch
* Rebased libgcrypt-rol64-redefinition.patch
* Added libgcrypt-1.12.0-ec_regression.patch
* libgcrypt 1.12.0: gcry_mpi_ec_curve_point corrupts point
- giflib
-
- Added patch:
* 0001-Avoid-potentuial-double-free-on-weird-images.patch
+ fixing bsc#1259502 (CVE-2026-23868): double-free result of a
shallow copy can lead to memory corruption
- libgpg-error
-
- Update to 1.58
* New src/gpg-error.c (main): New command "fconcat".
* Rename src/spawn-posix.c (struct gpgrt_spawn_actions): Rename the field to
ENVP.
* argparse: Use SYSCONFDIR for /etc.
* Update translations for Portugese, German
* src/estream.c (parse_mode): Fix parsing of "share". Set sysopen
flag.
* syscfg: Add 64-bit Android arch.
- libpng16
-
- added patches
CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957]
* libpng16-CVE-2026-34757.patch
- libsodium
-
- Drop libsodium-CVE-2025-15444.patch, merged upstream
- Update to 1.0.21: [bsc#1256070, CVE-2025-15444, bsc#1255764, CVE-2025-69277]
* The new crypto_ipcrypt_* functions implement mechanisms for securely
encrypting and anonymizing IP addresses.
* The sodium_bin2ip and sodium_ip2bin helper functions have been added to
complement the crypto_ipcrypt_* functions and easily convert addresses
between bytes and strings.
* XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions are
* standard
extendable output functions. From input of any length, they can derive
output of any length with the same properties as hash functions. These
primitives are required by many post-quantum mechanisms, but can also be
used for a wide range of applications, including key derivation, session
encryption and more.
* Performance of AES256-GCM and AEGIS on ARM has been improved with some
compilers
* Security: optblockers have been introduced in critical code paths to prevent
compilers from introducing unwanted side channels via conditional jumps. This
was observed on RISC-V targets with specific compilers and options.
* Security: crypto_core_ed25519_is_valid_point() now properly rejects
small-order points that are not in the main subgroup
* ((nonnull)) attributes have been relaxed on some crypto_stream* functions to
allow NULL output buffers when the output length is zero
* A cross-compilation issue with old clang versions has been fixed
* crypto_aead_aes256gcm_is_available is exported to JavaScript
* Security: memory fences have been added after MAC verification in AEAD to
prevent speculative access to plaintext before authentication is complete
* Assembly files now include .gnu.property notes for proper IBT and Shadow
Stack support when building with CET instrumentation.
- Add patch libsodium-Fix-compilation-with-GCC-on-aarch64.patch
- libssh
-
- Update to 0.11.4:
* Security fixes:
- CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
(bsc#1258049)
- CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files (bsc#1258045)
- CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
(bsc#1258054)
- CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
- CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
- libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP extensions
* Other fixes:
- Stability and compatibility improvements of ProxyJump
* Remove patch upstream: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
- Update to 0.11.3
* Security:
* CVE-2025-8114: Fix NULL pointer dereference after allocation failure (bsc#1246974)
* CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX (bsc#1249375)
* Potential UAF when send() fails during key exchange
* Bugfixes:
* Fix possible timeout during KEX if client sends authentication too early
* Cleanup OpenSSL PKCS#11 provider when loaded
* Zeroize buffers containing private key blobs during export
- patterns-sap
-
- add package 'polkit' to pattern 'minimal_sap'
(bsc#1259071)
- move 'libltdl7' from pattern 'base_sap_server' to pattern
'minimal_sap'
- add package 'ansible-trento' to pattern 'automation'
- Use sentence style capitalization everywhere for consistency.
- Minor updates for some entries.
- python-PyNaCl
-
- update to 1.6.2 (bsc#1255764, CVE-2025-69277):
* Updated libsodium to 1.0.20-stable (2025-12-31 build) to
resolve CVE-2025-69277.
- Update to 1.6.1
* The ``MAKE`` environment variable can now be used to specify
the ``make`` binary that should be used in the build process.
- update to 1.6.0:
* BACKWARDS INCOMPATIBLE: Removed support for Python 3.6 and
3.7.
* Added support for the low level AEAD AES bindings.
* Added support for crypto_core_ed25519_from_uniform.
* Update libsodium to 1.0.20-stable (2025-08-27 build).
* Added support for free-threaded Python 3.14.
* Added support for Windows on ARM wheels.
- Convert to pip-based build
- python-urllib3
-
- Fix regression in CVE-2025-66471.patch (bsc#1254867)
- selinux-policy
-
- Revert OrderWithRequires for openssh-server and systemd
and move %postInstall to %post as fix until zypper moves to
rpm single transaction backend by default (bsc#1262083)
- Add OrderWithRequires for systemd as workaround (bsc#1262083)
to unblock the product increment bsc#1262083 until a proper fix is developed
- Add OrderWithRequires for openssh-server as workaround
to unblock the product increment bsc#1262083 until a proper fix is developed
- Update to version 20250627+git363.7b84cc7fb:
* Add missing Nextcloud file contexts (bsc#1261535)
* openSUSE uses /var/lib/php8 (bsc#1239177)
* /srv/www/htdocs is DocumentRoot of apache (bsc#1261535)
* Allow snapper sdbootutil plugin read kernel modules (bsc#1259867)
* Allow named_filetrans_domain filetrans flatpak homedir (bsc#1253682)
- sudo
-
- CVE-2026-35535: potential privilege escalation when running
the mailer (bsc#1261420)
* fix-CVE-2026-35535.patch
- sysctl-logger
-
- Update to v0.0.7
* Add systemd hardenings
* Make output directory visible
- Specify LLVM version to use for SLES 15 SP7
- xfsprogs
-
- update to 6.19.0
- xfs_io: print more realtime subvolume related information in statfs
- xfs_io: fix fsmap help
- mkfs: fix log sunit automatic configuration
- mkfs: fix protofile data corruption when in/out file block sizes don't match
- libxfs: fix data corruption bug in libxfs_file_write
- misc: fix a few memory leaks
- mkfs.xfs fix sunit size on 512e and 4kN disks.
- xfs_scrub_all: fix non-service-mode arguments to xfs_scrub
- mkfs: remove unnecessary return value affectation
- xfs: use blkdev_report_zones_cached()
- include blkzoned.h in platform_defs.h
- xfs_mdrestore: fix restoration on filesystems with 4k sectors
- mkfs: quiet down warning about insufficient write zones
- xfs_logprint: print log data to the screen in host-endian order
- mkfs: set rtstart from user-specified dblocks