Removed rpms
============

 - libabsl2308_0_0

Added rpms
==========

 - libabsl2401_0_0
 - libevent-2_1-7
 - libnfsidmap1

Package Source Changes
======================

abseil-cpp
+- SLE-only: import upstream patch to fix build with gcc7 in C++17
+  mode: hash-fix-gcc7-cpp17-build.patch (bsc#1222261)
+  + Upstream commit bb83aceacb554e79e7cd2404856f0be30bd00303
+
+- update to 20240116.1:
+  * Add absl::NoDestructor<T> to simplify defining static types
+    that do not need to be destructed upon program exit.
+  * Add configurable verbose logging (also known as VLOG).
+  * Added absl::Overload(), which returns a functor that provides
+    overloads based on the functors passed to it. Note that this
+    functionality requires C++17 or newer.
+  * Breaking Change: AbslHashValue() no longer accepts C-style
+    arrays as a parameter, caller need to wrap C-string literals in
+    absl::string_view.
+  * Breaking Change: absl::weak_equality and absl::strong_equality
+    have been removed. The corresponding std types were removed
+    before C++20 was finalized
+
branding-openSUSE
+- Use png for wallpapers for Leap 15.6
+- SLES seems to be using png
+- Using a compat symlink wallpapers/openSUSEdefault-> wallpapers/SLEdefault
+  allows running certain apps without rebuild. Such as cockpit.
+- Use optipng -o5 to compress files (has to be reflected in spec)
+- Bump date
+
c-ares
+- CVE-2024-25629.patch: fix out of bounds read in ares__read_line()
+  (bsc#1220279, CVE-2024-25629)
+
curl
+- Security fix: [bsc#1221666, CVE-2024-2379]
+  * curl: QUIC certificate check bypass with wolfSSL
+  * Add curl-CVE-2024-2379.patch
+
+- Security fix: [bsc#1221668, CVE-2024-2466]
+  * curl: TLS certificate check bypass with mbedTLS
+  * Add curl-CVE-2024-2466.patch
+
+- Security fix: [bsc#1221665, CVE-2024-2004]
+  * Usage of disabled protocol
+  * Add curl-CVE-2024-2004.patch
+
+- Security fix: [bsc#1221667, CVE-2024-2398]
+  * curl: HTTP/2 push headers memory-leak
+  * Add curl-CVE-2024-2398.patch
+
distribution-logos-openSUSE
+- Update to version 20240404:
+  * Turn apple-touch-icon into round square ones
+  * SLES Compatability supply apple-touch-icon for Leap, LeapMicro, TW
+  * Delete dist/package directory
+  * fix source mismatch with package name
+
+- Add handling for Leap Micro 6.X and Leap 16.X
+
expat
+- Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion
+  attack when there is isolated use of external parsers.
+  * Added expat-CVE-2024-28757.patch
+
+- Security fix:
+  * (CVE-2023-52425, bsc#1219559) denial of service (resource
+    consumption) caused by processing large tokens.
+  - Added patch expat-CVE-2023-52425-1.patch
+  - Added patch expat-CVE-2023-52425-2.patch
+  - Added patch expat-CVE-2023-52425-backport-parser-changes.patch
+  - Added patch expat-CVE-2023-52425-fix-tests.patch
+
gcc13
+- Add gcc13-pr111731.patch to fix unwinding for JIT code.
+  [bsc#1221239]
+
+- Revert libgccjit dependency change.  [boo#1220724]
+
+- Fix libgccjit-devel dependency, a newer shared library is OK.
+- Fix libgccjit dependency, the corresponding compiler isn't required.
+
+- Use %patch -P N instead of %patchN.
+
+- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
+  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
+  breaks them.  [bsc#1219520]
+
+- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
+- Add gcc13-pr88345-min-func-alignment.diff to add support for
+  - fmin-function-alignment.  [bsc#1214934]
+
+- Use %{_target_cpu} to determine host and build.
+
+- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
+  * Includes fix for building TVM.  [boo#1218492]
+
+- Add cross-X-newlib-devel requires to newlib cross compilers.
+  [boo#1219031]
+
+- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
+  in gcc13-devel.  [boo#1210959]
+- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
+  are linked against libstdc++6.
+
+- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205
+
+- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
+  * Includes fix for building mariadb on i686.  [bsc#1217667]
+  * Remove pr111411.patch contained in the update.
+
+- Avoid update-alternatives dependency for accelerator crosses.
+- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
+  cross-amdgcn-newlib13-devel since that also has the dependence.
+- Depend on llvmVER instead of llvm with VER equal to
+  %product_libs_llvm_ver where available and adjust tool discovery
+  accordingly.  This should also properly trigger re-builds when
+  the patchlevel version of llvmVER changes, possibly changing
+  the binary names we link to.  [bsc#1217450]
+
glibc
+- Add workaround for invalid use of libc_nonshared.a with non-SUSE libc
+  (bsc#1221482)
+
gnutls
+- Security fix: [bsc#1221747, CVE-2024-28835]
+  * gnutls: certtool crash when verifying a certificate chain
+  * Add gnutls-CVE-2024-28835.patch
+
+- Security fix: [bsc#1221746, CVE-2024-28834]
+  * gnutls: side-channel in the deterministic ECDSA
+  * Add gnutls-CVE-2024-28834.patch
+
+- jitterentropy: Release the memory of the entropy collector when
+  using jitterentropy with phtreads as there is also a
+  pre-intitization done in the main thread. [bsc#1221242]
+  * Add gnutls-FIPS-jitterentropy-deinit-threads.patch
+
hwdata
+- update to 0.380:
+  * Update pci, usb and vendor ids
+
+- update to 0.379:
+  * Update pci, usb and vendor ids
+
icewm-theme-branding:openSUSE
+- Do not substitute png to jpg for default wallpaper
+  Details at https://github.com/openSUSE/branding/pull/149
+- Keep openSUSEDefault although SLEDefault compat symlink exist
+
+- Make sure flavor is never defined without content, but at least
+  has %nil.
+- Use an invalid arch for "" flavor (do-not-build): %nil is not
+  actually supported and worked by accident.
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+  %patchN
+
+- Add fix-web-browser-icon.patch:
+  The Adwaita theme does not provide much legacy apps icon now,
+  redirect icewm web-browser icon to the right place. See:
+  https://gitlab.gnome.org/GNOME/adwaita-icon-theme/-/issues/163
+  https://gitlab.gnome.org/GNOME/adwaita-icon-theme/-/merge_requests/34/
+
+- Add pass-env-var-to-systemd-user-session.patch instead of changing
+  the tar ball to fix the bsc#1179237.
+- Update the tar ball to sync with upstream.
+
kernel-default
+- selinux: saner handling of policy reloads (bsc#1222230).
+- commit 35fdf2d
+
+- Move upstreamed patches into sorted section
+- commit ebe113d
+
+- blacklist.conf: fbdev: flush deferred IO before closing (bsc#1221814)
+- commit 6339fe4
+
+- netfilter: nf_tables: skip set commit for deleted/destroyed sets
+  (CVE-2024-0193 bsc#1218495).
+- commit e7bf1c3
+
+- README.BRANCH: Remove copy of branch name
+- commit fc25aed
+
+- scsi: lpfc: Copyright updates for 14.4.0.1 patches
+  (bsc#1221777).
+- scsi: lpfc: Update lpfc version to 14.4.0.1 (bsc#1221777).
+- scsi: lpfc: Define types in a union for generic void *context3
+  ptr (bsc#1221777).
+- scsi: lpfc: Define lpfc_dmabuf type for ctx_buf ptr
+  (bsc#1221777).
+- scsi: lpfc: Define lpfc_nodelist type for ctx_ndlp ptr
+  (bsc#1221777).
+- scsi: lpfc: Use a dedicated lock for ras_fwlog state
+  (bsc#1221777).
+- scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()
+  (bsc#1221777).
+- scsi: lpfc: Replace hbalock with ndlp lock in
+  lpfc_nvme_unregister_port() (bsc#1221777).
+- scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
+  (bsc#1221777).
+- scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling
+  (bsc#1221777 bsc#1217958).
+- scsi: lpfc: Move NPIV's transport unregistration to after
+  resource clean up (bsc#1221777).
+- scsi: lpfc: Remove unnecessary log message in queuecommand path
+  (bsc#1221777).
+- scsi: lpfc: Correct size for cmdwqe/rspwqe for memset()
+  (bsc#1221777).
+- scsi: lpfc: Correct size for wqe for memset() (bsc#1221777).
+- commit 561883a
+
+- scsi: qla2xxx: Update version to 10.02.09.200-k (bsc#1221816).
+- scsi: qla2xxx: Delay I/O Abort on PCI error (bsc#1221816).
+- scsi: qla2xxx: Change debug message during driver unload
+  (bsc#1221816).
+- scsi: qla2xxx: Fix double free of fcport (bsc#1221816).
+- scsi: qla2xxx: Fix double free of the ha->vp_map pointer
+  (bsc#1221816).
+- scsi: qla2xxx: Fix command flush on cable pull (bsc#1221816).
+- scsi: qla2xxx: NVME|FCP prefer flag not being honored
+  (bsc#1221816).
+- scsi: qla2xxx: Update manufacturer detail (bsc#1221816).
+- scsi: qla2xxx: Split FCE|EFT trace control (bsc#1221816).
+- scsi: qla2xxx: Fix N2N stuck connection (bsc#1221816).
+- scsi: qla2xxx: Prevent command send on chip reset (bsc#1221816).
+- commit 5c3d977
+
+- net/bnx2x: Prevent access to a freed page in page_pool
+  (bsc#1215322).
+- commit c9d3937
+
+- Revert "fbdev: flush deferred IO before closing (git-fixes)." (bsc#1221814)
+  This reverts commit 81476d7e609a6d383f3d404542eebc93cebd0a4d.
+  This fixes bsc#1221814
+- commit a7a9087
+
kexec-tools
+- fix kexec-bootloader path in kexec-load.service (bsc#1222245)
+
libnvme
+- Update to version 1.8+8.g8c9685f: (bsc#1222026)
+  * nbft: Whitespace fixes
+  * tests: Add complex NBFT table from Dell R660
+  * tests: Adapt to added NBFT SSNS flags
+  * nbft: Add SSNS 'discovered' flag
+  * nbft: Add SSNS 'unavailable' flag
+  * doc: Document the NBFT API
+  * log: Respect DEFAULT_LOGLEVEL on uninitialized logging
+  * log: Introduce nvme_get_logging_level()
+
libssh
+- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)
+  * Added libssh-fix-ipv6-hostname-regression.patch
+
libssh2_org
+- Fix an issue with Encrypt-then-MAC family. [bsc#1221622]
+  * Test the ETM feature in the remote end's configuration when
+    receiving data. Upstream issue: #1331.
+  * Add libssh2_org-ETM-remote.patch
+
lightdm-gtk-greeter-branding-openSUSE
+- Use 1600x1200.png now when we've changed backgrounds to png
+  Details in https://github.com/openSUSE/branding/pull/149
+
+- Fix default theme entry because Greybird-Geeko-Light renamed to
+  Greybird-geeko
+
ncurses
+- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
+  * Backport from ncurses-6.4-20230615.patch
+    improve checks in convert_string() for corrupt terminfo entry
+
+    (bsc#1218014)
nfs-utils
+- Update to 2.6.4, to get many improvements, particularly
+  got NFS-over-TLS support
+  (bsc#1220075)
+  Patches removed because that have been included upstream:
+    nsm-headers.patch
+    0001-conffile-ignore-empty-environment-variables.patch
+    0002-mount-call-setgroups-before-setuid.patch
+    0003-nfs-server-generator-handle-noauto-mounts-correctly.patch
+    0002-Let-systemd-know-when-rpc.statd-is-needed.patch
+    0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
+    0007-statd-user-from-sm
+    0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch
+    0009-Convert-remaining-python-scripts-to-python3.patch
+    0010-gssd-Fix-locking-for-machine-principal-list.patch
+    0011-manpage-Add-a-description-of-the-nconnect-mount-opti.patch
+    0012-mountd-reject-unknown-client-IP-when-use_ipaddr.patch
+    0013-mountd-Don-t-proactively-add-export-info-when-fh-inf.patch
+    0014-mountd-update-man-page.patch
+    0015-mountd-add-logging-for-authentication-results-for-ac.patch
+    0016-mountd-add-cache-use-ipaddr-option-to-force-use_ipad.patch
+    0017-mountd-make-default-ttl-settable-by-option.patch
+    0018-Replace-all-var-run-with-run.patch
+    0019-gssd-use-mutex-to-protect-decrement-of-refcount.patch
+    0020-mountd-Initialize-logging-early.patch
+    0021-mount.nfs-insert-sloppy-at-beginning-of-the-options.patch
+    0022-mount.nfs-Fix-the-sloppy-option-processing.patch
+    0023-cache.c-removed-a-couple-warning.patch
+    0024-systemd-Apply-all-sysctl-settings-when-NFS-related-m.patch
+    0025-nfsdcltrack-getopt_long-fails-on-a-non-x86_64-archs.patch
+    0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
+    0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch
+    0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch
+    0029-nfsd.man-fix-typo-in-section-on-scope.patch
+    0030-systemd-use-correct-modprobe-d-directory
+    0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch
+    0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch
+  Patches added from upstream, or to fix build errors:
+    0001-exportfs-remove-warning-if-neither-subtree_check-or-.patch
+    0002-conffile-don-t-report-error-from-conf_init_file.patch
+    0003-conffile-allow-usr-etc-to-provide-any-config-files-e.patch
+    0004-fsidd-call-anonymous-sockets-by-their-name-only-don-.patch
+    buildfix.patch
+
nghttp2
+  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+  + nghttp2-CVE-2024-28182-1.patch
+  fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+  + nghttp2-CVE-2024-28182-2.patch
+
+- security update
+- added patches
nvme-cli
+- Update to version 2.8+12.g34d799c:
+  * sed: update SED password when initalizing (bsc#1222168)
+  * nbft: Include SSNS index in error messages (bsc#1222026)
+  * nbft: Pause logging for expected connection failures (bsc#1222026)
+  * nbft: Silence connection failures for unavailable SSNS (bsc#1222026)
+  * nbft: Fix 'verbose' argument type (bsc#1222026)
+  * logging: track log level globally
+  * logging: move logging code to a new file
+  * nvme: update include for libnvme
+  * nvme-netapp: add nspath tlv handling (bsc#1220971)
+
openssh
+- Update to openssh 9.6p1:
+  = Security
+  * ssh(1), sshd(8): implement protocol extensions to thwart the
+    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
+    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
+    limited break of the integrity of the early encrypted SSH transport
+    protocol by sending extra messages prior to the commencement of
+    encryption, and deleting an equal number of consecutive messages
+    immediately after encryption starts. A peer SSH client/server
+    would not be able to detect that messages were deleted
+    (bsc#1217950, CVE-2023-48795).
+  * ssh-agent(1): when adding PKCS#11-hosted private keys while
+    specifying destination constraints, if the PKCS#11 token returned
+    multiple keys then only the first key had the constraints applied.
+    Use of regular private keys, FIDO tokens and unconstrained keys
+    are unaffected.
+  * ssh(1): if an invalid user or hostname that contained shell
+    metacharacters was passed to ssh(1), and a ProxyCommand,
+    LocalCommand directive or "match exec" predicate referenced the
+    user or hostname via %u, %h or similar expansion token, then
+    an attacker who could supply arbitrary user/hostnames to ssh(1)
+    could potentially perform command injection depending on what
+    quoting was present in the user-supplied ssh_config(5) directive.
+  = Potentially incompatible changes
+  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
+    a TCP-like window mechanism that limits the amount of data that
+    can be sent without acceptance from the peer. In cases where this
+    limit was exceeded by a non-conforming peer SSH implementation,
+    ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH
+    9.6, ssh(1)/sshd(8) will now terminate the connection if a peer
+    exceeds the window limit by more than a small grace factor. This
+    change should have no effect of SSH implementations that follow
+    the specification.
+  = New features
+  * ssh(1): add a %j token that expands to the configured ProxyJump
+    hostname (or the empty string if this option is not being used)
+    that can be used in a number of ssh_config(5) keywords. bz3610
+  * ssh(1): add ChannelTimeout support to the client, mirroring the
+    same option in the server and allowing ssh(1) to terminate
+    quiescent channels.
+  * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for
+    reading ED25519 private keys in PEM PKCS8 format. Previously
+    only the OpenSSH private key format was supported.
+  * ssh(1), sshd(8): introduce a protocol extension to allow
+    renegotiation of acceptable signature algorithms for public key
+    authentication after the server has learned the username being
+    used for authentication. This allows varying sshd_config(5)
+    PubkeyAcceptedAlgorithms in a "Match user" block.
+  * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
+    specifying certificates when loading PKCS#11 keys. This allows the
+    use of certificates backed by PKCS#11 private keys in all OpenSSH
+    tools that support ssh-agent(1). Previously only ssh(1) supported
+    this use-case.
+  = Bugfixes
+  * ssh(1): when deciding whether to enable the keystroke timing
+    obfuscation, enable it only if a channel with a TTY is active.
+  * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
+    before checking flags set in signal handler. Avoids potential
+    race condition between signaling ssh to exit and polling. bz3531
+  * ssh(1): when connecting to a destination with both the
+    AddressFamily and CanonicalizeHostname directives in use,
+    the AddressFamily directive could be ignored. bz5326
+  * sftp(1): correct handling of the limits@openssh.com option when
+    the server returned an unexpected message.
+  * A number of fixes to the PuTTY and Dropbear regress/integration
+    tests.
+  * ssh(1): release GSS OIDs only at end of authentication, avoiding
+    unnecessary init/cleanup cycles. bz2982
+  * ssh_config(5): mention "none" is a valid argument to IdentityFile
+    in the manual. bz3080
+  * scp(1): improved debugging for paths from the server rejected for
+    not matching the client's glob(3) pattern in old SCP/RCP protocol
+    mode.
+  * ssh-agent(1): refuse signing operations on destination-constrained
+    keys if a previous session-bind operation has failed. This may
+    prevent a fail-open situation in future if a user uses a mismatched
+    ssh(1) client and ssh-agent(1) where the client supports a key type
+    that the agent does not support.
+- Update to openssh 9.5p1:
+  = Potentially incompatible changes
+  * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
+    are very convenient due to their small size. Ed25519 keys are
+    specified in RFC 8709 and OpenSSH has supported them since version 6.5
+    (January 2014).
+  * sshd(8): the Subsystem directive now accurately preserves quoting of
+    subsystem commands and arguments. This may change behaviour for exotic
+    configurations, but the most common subsystem configuration
+    (sftp-server) is unlikely to be affected.
+  = New features
+  * ssh(1): add keystroke timing obfuscation to the client. This attempts
+    to hide inter-keystroke timings by sending interactive traffic at
+    fixed intervals (default: every 20ms) when there is only a small
+    amount of data being sent. It also sends fake "chaff" keystrokes for
+    a random interval after the last real keystroke. These are
+    controlled by a new ssh_config ObscureKeystrokeTiming keyword.
+  * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
+    a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
+    implement a ping capability. These messages use numbers in the "local
+    extensions" number space and are advertised using a "ping@openssh.com"
+    ext-info message with a string version number of "0".
+  * sshd(8): allow override of Subsystem directives in sshd Match blocks.
+  = Bugfixes
+  * scp(1): fix scp in SFTP mode recursive upload and download of
+    directories that contain symlinks to other directories. In scp mode,
+    the links would be followed, but in SFTP mode they were not. bz3611
+  * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
+    sshsig signature files.
+  * ssh(1): interactive mode for ControlPersist sessions if they
+    originally requested a tty.
+  * sshd(8): make PerSourceMaxStartups first-match-wins
+  * sshd(8): limit artificial login delay to a reasonable maximum (5s)
+    and don't delay at all for the "none" authentication mechanism.
+    bz3602
+  * sshd(8): Log errors in kex_exchange_identification() with level
+    verbose instead of error to reduce preauth log spam. All of those
+    get logged with a more generic error message by sshpkt_fatal().
+  * sshd(8): correct math for ClientAliveInterval that caused the probes
+    to be sent less frequently than configured.
+  * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
+    multiplexed sessions to ignore SIGINT under some circumstances.
+- Update to openssh 9.4p1:
+  = Potentially incompatible changes
+  * This release removes support for older versions of libcrypto.
+    OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
+    Note that these versions are already deprecated by their upstream
+    vendors.
+  * ssh-agent(1): PKCS#11 modules must now be specified by their full
+    paths. Previously dlopen(3) could search for them in system
+    library directories.
+  = New features
+  * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
+  * ssh(1): add support for configuration tags to ssh(1).
+    This adds a ssh_config(5) "Tag" directive and corresponding
+    "Match tag" predicate that may be used to select blocks of
+    configuration similar to the pf.conf(5) keywords of the same
+    name.
+  * ssh(1): add a "match localnetwork" predicate. This allows matching
+    on the addresses of available network interfaces and may be used to
+    vary the effective client configuration based on network location.
+  * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
+    extensions.  This defines wire formats for optional KRL extensions
+    and implements parsing of the new submessages. No actual extensions
+    are supported at this point.
+  * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
+    accept two additional %-expansion sequences: %D which expands to
+    the routing domain of the connected session and %C which expands
+    to the addresses and port numbers for the source and destination
+    of the connection.
+  * ssh-keygen(1): increase the default work factor (rounds) for the
+    bcrypt KDF used to derive symmetric encryption keys for passphrase
+    protected key files by 50%.
+  = Bugfixes
+  * ssh-agent(1): improve isolation between loaded PKCS#11 modules
+    by running separate ssh-pkcs11-helpers for each loaded provider.
+  * ssh(1): make -f (fork after authentication) work correctly with
+    multiplexed connections, including ControlPersist. bz3589 bz3589
+  * ssh(1): make ConnectTimeout apply to multiplexing sockets and not
+    just to network connections.
+  * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
+    modules being loaded by checking that the requested module
+    contains the required symbol before loading it.
+  * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
+    appears before it in sshd_config. Since OpenSSH 8.7 the
+    AuthorizedPrincipalsCommand directive was incorrectly ignored in
+    this situation. bz3574
+  * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
+    signatures When the KRL format was originally defined, it included
+    support for signing of KRL objects. However, the code to sign KRLs
+    and verify KRL signatues was never completed in OpenSSH. This
+    release removes the partially-implemented code to verify KRLs.
+    All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
+    KRL files.
+  * All: fix a number of memory leaks and unreachable/harmless integer
+    overflows.
+  * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
+    modules; GHPR406
+  * sshd(8), ssh(1): better validate CASignatureAlgorithms in
+    ssh_config and sshd_config. Previously this directive would accept
+    certificate algorithm names, but these were unusable in practice as
+    OpenSSH does not support CA chains. bz3577
+  * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
+    algorithms that are valid for CA signing. Previous behaviour was
+    to list all signing algorithms, including certificate algorithms.
+  * ssh-keyscan(1): gracefully handle systems where rlimits or the
+    maximum number of open files is larger than INT_MAX; bz3581
+  * ssh-keygen(1): fix "no comment" not showing on when running
+    `ssh-keygen -l` on multiple keys where one has a comment and other
+    following keys do not. bz3580
+  * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
+    reorder requests. Previously, if the server reordered requests then
+    the resultant file would be erroneously truncated.
+  * ssh(1): don't incorrectly disable hostname canonicalization when
+    CanonicalizeHostname=yes and ProxyJump was expicitly set to
+    "none". bz3567
+  * scp(1): when copying local->remote, check that the source file
+    exists before opening an SFTP connection to the server. Based on
+    GHPR#370
+- Dropped patches:
+  * cb4ed12f.patch - implemented upstream.
+- Rebased patches:
+  * openssh-7.7p1-fips.patch
+  * openssh-7.8p1-role-mls.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+- Add patches from obs:
+  * Mon Mar  4 09:57:06 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+- Add crypto-policies support [bsc#1211301]
+  * Add patches:
+  - openssh-9.6p1-crypto-policies.patch
+  - openssh-9.6p1-crypto-policies-man.patch
+
+- Rebase openssh-7.7p1-fips.patch (bsc#1221928)
+  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream
+
+- Use %config(noreplace) for sshd_config . In any case, it's
+  recommended to drop a file in sshd_config.d instead of editing
+  sshd_config (bsc#1221063)
+- Add patches from obs package that were also in SP3/SP4/SP5:
+  * Fri Nov  3 10:44:14 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+  - Enhanced SELinux functionality. Added
+  * openssh-7.8p1-role-mls.patch
+    Proper handling of MLS systems and basis for other SELinux
+    improvements
+  * openssh-6.6p1-privsep-selinux.patch
+    Properly set contexts during privilege separation
+  * openssh-6.6p1-keycat.patch
+    Add ssh-keycat command to allow retrival of authorized_keys
+    on MLS setups with polyinstantiation
+  * openssh-6.6.1p1-selinux-contexts.patch
+    Additional changes to set the proper context during privilege
+    separation
+  * openssh-7.6p1-cleanup-selinux.patch
+    Various changes and putting the pieces together
+  For now we don't ship the ssh-keycat command, but we need the patch
+  for the other SELinux infrastructure
+  This change fixes issues like bsc#1214788, where the ssh daemon
+  needs to act on behalf of a user and needs a proper context for this
+
openssh-askpass-gnome
+- Update to openssh 9.6p1:
+  * No changes for askpass, see main package changelog for
+    details.
+
python3
+- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
+  gh#python/cpython!16557) fixes syslog making default "ident"
+  from sys.argv[0].
+
rpm
+- backport signature reserved space handling from upstream
+  * new patch: sigreserved.diff
+
+- turn on imaevm file signature support and move the imaevm code
+  that needs the libimaevm library into a plugin. Put this
+  plugin into a new "rpm-imaevmsign" subpackage. [jsc#PED-7246]
+  * new patch: imaevmsignplugin.diff
+
s390-tools
+- SE-tooling: New IBM host-key subject locality (s390-tools) (bsc#1222282)
+  * s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
+  * s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
+  * s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
+  * s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
+
+- Apllied a patch(bsc#1220949,bsc#1221873)
+  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch
+
systemd
+- Update 1010-sysv-generator-add-back-support-for-SysV-scripts-for.patch (bsc#1221479)
+  Really skip redundant dependencies specified the LSB description that
+  references the file name of the service itself for early boot scripts.
+  Note that the dropped code was incorrect as it didn't freed the original
+  allocated pointer 'filename' but 'filename+5'.
+
+- Add 1018-man-Restore-systemd.unified_cgroup_hierarchy-0-cmdli.patch (jsc#PED-5849)
+
+- Import commit 0dfcbead8caf4cac7db6d03e7b52b7516e5842fb (merge of v254.10)
+  For a complete list of changes, visit:
+  https://github.com/openSUSE/systemd/compare/8baddb9037b88fec2b700226914fa2eac2c04a13...0dfcbead8caf4cac7db6d03e7b52b7516e5842fb
+
wicked
+- client: do not convert sec to msec twice (bsc#1222105)
+  [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
+
xorg-x11-server
+- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+  * fixes regression for security fix for CVE-2024-31083 (bsc#1222312,
+    boo#1222442, gitlab xserver issue #1659)
+
+- U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
+  * Xi: ProcXIGetSelectedEvents needs to use unswapped length
+    (CVE-2024-31080, bsc#1222309)
+- U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
+  * Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
+    (CVE-2024-31081, bsc#1222310)
+- U_CVE-2024-31082-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
+  * Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply
+    (CVE-2024-31082, bsc#1222311)
+- U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+  * render: fix refcounting of glyphs during ProcRenderAddGlyphs
+    (CVE-2024-31083, bsc#1222312)
+
xterm
+- xterm-reset-parsing-state.patch: A bug in the parser for several
+  escape sequences causes the first character following the
+  sequence to be ignored (bsc#1220585). Patch backported from
+  version 335n.
+
xz
-- Build static library on SLE
-
-- update to 5.4.6:
-  * Fixed a bug involving internal function pointers in liblzma
-    not being initialized to NULL. The bug can only be
-    triggered if lzma_filters_update() is called on a LZMA1
-    encoder, so it does not affect xz or any application known
-    to us that uses liblzma.
-  * Fixed a regression introduced in 5.4.2 that caused
-    encoding in the raw format to unnecessarily fail if --suffix
-    was not used. For instance, the following command no longer
-    reports that --suffix must be used:
-    echo foo | xz --format=raw --lzma2 | wc -c
-  * Fixed an issue on MinGW-w64 builds that prevented
-    reading from or writing to non-terminal character devices
-    like NUL.
-  * Added a new test.
+- revert to 5.4.1, last release from Lasse Collin
-- Update to version 5.4.5:
-  * liblzma:
-  - Fixed an assertion failure that could be triggered by a large
-    unpadded_size argument. It was verified that there was no
-    other bug than the assertion failure.
-  - Fixed a bug that prevented building with Windows Vista
-    threading when __attribute__((__constructor__)) is not
-    supported.
-  * xz now properly handles special files such as "con" or "nul" on
-    Windows. Before this fix, the following wrote "foo" to the
-    console and deleted the input file "con_xz":
-    echo foo | xz > con_xz
-    xz --suffix=_xz --decompress con_xz
-  * Small fixes and improvements to the tests.
-  * Updated translations: Chinese (simplified) and Esperanto.
+- Build static library on SLE
-- Update to version 5.4.4:
-  * liblzma and xzdec can now build against WASI SDK when threading
-    support is disabled. xz and tests don't build yet.
-  * documentation update
-  * translations update
-
-- Update to version 5.4.3:
-  * Build system fixes
-  * Translation updates: Croatian
-- update signing key
-
-- Update to version 5.4.2:
-  * All fixes from 5.2.11 that were not included in 5.4.1.
-  * If xz is built with support for the Capsicum sandbox but running
-    in an environment that doesn't support Capsicum, xz now runs
-    normally without sandboxing instead of exiting with an error.
-  * liblzma:
-  - Documentation was updated to improve the style, consistency,
-    and completeness of the liblzma API headers.
-  - The Doxygen-generated HTML documentation for the liblzma API
-    header files is now included in the source release and is
-    installed as part of "make install". All JavaScript is
-    removed to simplify license compliance and to reduce the
-    install size.
-  - Fixed a minor bug in lzma_str_from_filters() that produced
-    too many filters in the output string instead of reporting
-    an error if the input array had more than four filters. This
-    bug did not affect xz.
-  * Build systems:
-  - autogen.sh now invokes the doxygen tool via the new wrapper
-    script doxygen/update-doxygen, unless the command line option
-  - -no-doxygen is used.
-  - Added microlzma_encoder.c and microlzma_decoder.c to the
-    VS project files for Windows and to the CMake build. These
-    should have been included in 5.3.2alpha.
-  * Tests:
-  - Added a test to the CMake build that was forgotten in the
-    previous release.
-  - Added and refactored a few tests.
-  * Translations:
-  - Updated the Brazilian Portuguese translation.
-  - Added Brazilian Portuguese man page translation.
-
yast2-bootloader
+- Follow up of previous change to use even more precise wording
+  (bsc#1219989,bsc#1222353)
+- 4.6.7
+
yast2-installation
+- Adapted call for connecting all discovered NVMe-over-Fabrics
+  subsystems (bsc#1222246).
+- 4.6.12
+
yast2-storage-ng
+- Fix unlimited-sized fake device graphs (bsc#1221222)
+- 4.6.17
+