------------------------------------------------------------------ --- Changelog.all ----------- Fri Jan 9 11:18:43 UTC 2026 ------ ------------------------------------------------------------------ ------------------------------------------------------------------ ------------------ 2026-1-6 - Jan 6 2026 ------------------- ------------------------------------------------------------------ ++++ bluez: - Add input.conf-Change-default-of-ClassicBondedOnly.patch to change default of ClassicBondedOnly in input.conf. 25a471a83e02 input.conf: Change default of ClassicBondedOnly (bsc#1217877, CVE-2023-45866) - Fixed the date in bluez.changes: - Mon Sep2y 09:36:31 CEST 2008 - seife@suse.de +Mon Sep 29 09:36:31 CEST 2008 - seife@suse.de ------------------------------------------------------------------ ------------------ 2026-1-5 - Jan 5 2026 ------------------- ------------------------------------------------------------------ ++++ libpcap: - Security fix: [bsc#1255765, CVE-2025-11961] * Fix out-of-bound-write and out-of-bound-read in pcap_ether_aton() due to missing validation of provided MAC-48 address string * Add libpcap-CVE-2025-11961.patch ------------------------------------------------------------------ ------------------ 2026-1-2 - Jan 2 2026 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fixes: * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file * Add patches: - curl-CVE-2025-14524.patch - curl-CVE-2025-15224.patch - curl-CVE-2025-14819.patch - curl-CVE-2025-15079.patch ------------------------------------------------------------------ ------------------ 2025-12-24 - Dec 24 2025 ------------------- ------------------------------------------------------------------ ++++ ovmf: - Add the following patches from edk2-stable202402 for CVE-2023-45230: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch f31453e8d654 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch - ovmf-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch 8014ac2d7bbb NetworkPkg: : Add Unit tests to CI and create Host Test DSC - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch 5f3658197bf2 NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests (bsc#1218880, CVE-2023-45230) - Add the following patches from edk2-stable202402 for CVE-2023-45229: - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch 1dbb10cc52dc NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch 07362769ab7a NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests - ovmf-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch 1d0b95f6457d NetworkPkg: : Adds a SecurityFix.yaml file - ovmf-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch 1c440a5eceed NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch - ovmf-NetworkPkg-Updating-SecurityFixes.yaml.patch 5fd3078a2e08 NetworkPkg: Updating SecurityFixes.yaml (bsc#1218879, CVE-2023-45229) ------------------------------------------------------------------ ------------------ 2025-12-22 - Dec 22 2025 ------------------- ------------------------------------------------------------------ ++++ qemu: - More spec file cleanup: * [openSUSE][RPM} spec: delete old specfile constructs ------------------------------------------------------------------ ------------------ 2025-12-19 - Dec 19 2025 ------------------- ------------------------------------------------------------------ ++++ podman: - Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542): * 0012-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch ------------------------------------------------------------------ ------------------ 2025-12-18 - Dec 18 2025 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ python311: - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401). ++++ qemu: - We *always* want a display driver in x86 too: * [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too ------------------------------------------------------------------ ------------------ 2025-12-17 - Dec 17 2025 ------------------- ------------------------------------------------------------------ ++++ selinux-policy: - Fix systemd generator.early and generator.late file contexts (bsc#1255027) ------------------------------------------------------------------ ------------------ 2025-12-16 - Dec 16 2025 ------------------- ------------------------------------------------------------------ ++++ libvirt: - CVE-2025-13193: qemu: Set umask for 'qemu-img' when creating external inactive snapshots bsc#1253703 - CVE-2025-12748: Check ACLs before parsing the whole domain XML bsc#1253278 ++++ qemu: - Bug and CVE fixes: * [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286) * net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002, CVE-2025-12464) ++++ rsync: - Security update (CVE-2025-10158, bsc#1254441): rsync: Out of bounds array access via negative index - Add rsync-CVE-2025-10158.patch ++++ shim: - shim-install: Add ca_string for SL Micro to update fallback loader The fallback loader, /boot/efi/EFI/BOOT/bootaa64.efi or bootx64.efi, cannot be upgraded by shim-install on SL Micro. The issue case is SL Micro 6.0. It causes that system gets regression bug because it's fallback to a old shim. So this patch adds ca_string to SL Micro. (bsc#1254336) ------------------------------------------------------------------ ------------------ 2025-12-15 - Dec 15 2025 ------------------- ------------------------------------------------------------------ ++++ glib2: - Add CVE fixes: + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827). + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch, glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087 glgo#GNOME/glib#3834). + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512 glgo#GNOME/glib#3845). ++++ systemd: - Import commit 9ecd16228492f44212e2771bec11ec78245b4094 9ecd162284 timer: rebase last_trigger timestamp if needed cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563) 05bcfe3295 test: check the next elapse timer timestamp after deserialization fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) b58e72215a units: add dep on systemd-logind.service by user@.service 97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449 - Sync systemd-update-helper with the version shipped in Base:System This includes the following changes: - systemd-update-helper: do not stop or disable services when they are migrated to other packages. This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of "break" in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: backport commit 2d0af8bc354f4a1429ce Since user@.service has `Type=notify-reload` (making the reloading process synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service" now. ++++ python-tornado6: - Add security patches: * CVE-2025-67724.patch (bsc#1254903) * CVE-2025-67725.patch (bsc#1254905) * CVE-2025-67726.patch (bsc#1254904) ++++ shim: - Add DER format certificate files for the pretrans script to verify that the necessary certificate is in the UEFI db - openSUSE Secure Boot CA, 2013-2035 openSUSE_Secure_Boot_CA_2013.crt - SUSE Linux Enterprise Secure Boot CA, 2013-2035 SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt - Microsoft Corporation UEFI CA 2011, 2011-2026 Microsoft_Corporation_UEFI_CA_2011.crt - Microsoft UEFI CA 2023, 2023-2038 Microsoft_UEFI_CA_2023.crt - shim.spec: Add a pretrans script to verify that the necessary certificate is in the UEFI db. - Always put SUSE Linux Enterprise Secure Boot CA to target array. (bsc#1254679) ------------------------------------------------------------------ ------------------ 2025-12-12 - Dec 12 2025 ------------------- ------------------------------------------------------------------ ++++ shim: - Update to 16.1 - RPMs shim-16.1-150300.4.31.1.x86_64.rpm shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm shim-debugsource-16.1-150300.4.31.1.x86_64.rpm shim-16.1-150300.4.31.1.aarch64.rpm shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm shim-debugsource-16.1-150300.4.31.1.aarch64.rpm - submitreq: https://build.suse.de/request/show/395247 - repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update - Patches (git log --oneline --reverse 16.0..16.1) 4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols 39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses 3133d19 test-mock-variables: make our filter list entries safer. d44405e mock-variables: remove unused variable 0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04 d16a5a6 SbatLevel_Variable.txt: minor typo fix. 32804cf Realloc() needs one more byte for sprintf() 431d370 IPv6: Add more check to avoid multiple double colon and illegal char 5e4d93c Loader Proto: make freeing of bprop.buffer conditional. 33deac2 Prepare to move things from shim.c to verify.c 030e7df Move a bunch of stuff from shim.c to verify.c f3ddda7 handle_image(): make verification conditional 774f226 Cache sections of a loaded image and sub-images from them. eb0d20b loader-protocol: handle sub-section loading for UKIs 2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages 1abc7ca loader-protocol: NULL output variable in load_image on failure fb77b44 Generate Authenticode for the entire PE file b86b909 README: mention new loader protocol and interaction with UKIs 8522612 ci: add mkosi configuration and CI 9ebab84 mkosi workflow: fix the branch name for main. 72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX a2f0dfa This is an organizational patch to move some things around in mok.c 54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint() a5a6922 get_max_var_sz(): add more debugging for apple platforms 77a2922 Add a "VariableInfo" variable to mok-variables. efc71c9 build: Avoid passing *FLAGS to sub-make 7670932 Fixes for 'make TOPDIR=... clean' 13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1 617aed5 Update version to 16.1~rc1 d316ba8 format_variable_info(): fix wrong size test. f5fad0e _do_sha256_sum(): Fix missing error check. 3a9734d doc: add howto for running mkosi locally ced5f71 mkosi: remove spurious slashes from script 0076155 ci: update mkosi commit 5481105 fix http boot 121cddf loader-protocol: Handle UnloadImage after StartImage properly 6a1d1a9 loader-protocol: Fix memory leaks 27a5d22 gitignore: add more mkosi dirs and vscode dir 346ed15 mkosi: disable repository key check on Fedora afc4955 Update version to 16.1 - 16.1 release note https://github.com/rhboot/shim/releases shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738 Fix uncompressed ipv6 netboot by @hrvach in #742 fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739 Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749 SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751 Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746 IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753 Loader proto v2 by @vathpela in #748 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750 Generate Authenticode for the entire PE file by @esnowberg in #604 README: mention new loader protocol and interaction with UKIs by @bluca in #755 ci: add mkosi configuration and CI by @bluca in #764 shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761 Save var info by @vathpela in #763 build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758 Fixes for 'make TOPDIR=... clean' by @bluca in #762 add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766 Coverity fixes 20250804 by @vathpela in #767 ci: fixlets and docs for mkosi workflow by @bluca in #768 fix http boot by @jsetje in #770 Fix double free and leak in the loader protocol by @rosslagerwall in #769 gitignore: add more mkosi dirs and vscode dir by @bluca in #771 - Drop upstreamed patch: The following patches are merged to 16.1 - shim-alloc-one-more-byte-for-sprintf.patch - 32804cf5d9 Realloc() needs one more byte for sprintf() [16.1] - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588) - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1] - Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588) - Building with the latest version of gcc in the codebase: - The gcc13 can workaround dxe_get_mem_attrs() hsi_status problem - We prefer that building shim with the latest version of gcc in codebase. - Set the minimum version is gcc-13. (bsc#1247432) - SLE shim should includes vendor-dbx-sles.esl instead of vendor-dbx-opensuse.esl. Fixed it in shim.spec. ++++ supportutils: - Changes to version 3.2.12 + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274) + Run in containers without errors (bsc#1245667, PR#272) + Removed pmap PID from memory.txt (bsc#1246011, PR#263) + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264) + Improved database perforce with kGraft patching (bsc#1249657, PR#273) + Using last boot for journalctl for optimization (bsc#1250224, PR#287) + Fixed extraction failures (bsc#1252318, PR#275) + Update supportconfig.conf path in docs (bsc#1254425, PR#281) + drm_sub_info: Catch error when dir doesn't exist (PR#265) + Replace remaining `egrep` with `grep -E` (PR#261, PR#266) + Add process affinity to slert logs (PR#269) + Reintroduce cgroup statistics (and v2) (PR#270) + Minor changes to basic-health-check: improve information level (PR#271) + Collect important machine health counters (PR#276) + powerpc: collect hot-pluggable PCI and PHB slots (PR#278) + podman: collect podman disk usage (PR#279) + Exclude binary files in crondir (PR#282) + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284) + Use short-iso for journalctl (PR#288) ------------------------------------------------------------------ ------------------ 2025-12-5 - Dec 5 2025 ------------------- ------------------------------------------------------------------ ++++ libpng16: - security update - added patches CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite * libpng16-CVE-2025-66293-1.patch * libpng16-CVE-2025-66293-2.patch ------------------------------------------------------------------ ------------------ 2025-11-28 - Nov 28 2025 ------------------- ------------------------------------------------------------------ ++++ libpng16: - security update - added patches CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng16-CVE-2025-64505.patch CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled * libpng16-CVE-2025-64506.patch CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication * libpng16-CVE-2025-64720.patch CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` * libpng16-CVE-2025-65018.patch ++++ runc: - Update to runc v1.3.4. Upstream changelog is available from . bsc#1254362 ------------------------------------------------------------------ ------------------ 2025-11-26 - Nov 26 2025 ------------------- ------------------------------------------------------------------ ++++ openvswitch: - OpenvSwitch upstream bugfix updates: * https://www.openvswitch.org/releases/NEWS-3.1.7.txt * v3.1.7 - Bug fixes - OVS validated with DPDK 22.11.7. * v3.1.6 - Bug fixes - OVS validated with DPDK 22.11.6. * v3.1.5 - Bug fixes - OVS validated with DPDK 22.11.5. * v3.1.4 - Bug fixes - Fixed vulnerabilities CVE-2023-3966 (bsc#1219465) and CVE-2023-5366 (bsc#1216002). - OVS validated with DPDK 22.11.4. * v3.1.3 - Bug fixes * v3.1.2 - Bug fixes * v3.1.1 - Bug fixes - Fixed vulnerability CVE-2023-1668 (bsc#1210054) - Remove included patches: CVE-2023-1668.patch - OVN upstream bugfix updates: * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS - Fix CVE-2025-0650 (bsc#1236353) ovn: egress ACLs may be bypassed via specially crafted UDP packet (CVE-2025-0650.patch) * v23.03.3 - Bug fixes - Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets. - Security: Fixed vulnerability CVE-2024-2182 (bsc#1255435). - Updated patches install-ovsdb-tools.patch * v23.03.2 - Bug fixes * v23.03.1 - Bug fixes - CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default. - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined. - Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network. - ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller. - Add CoPP for the svc_monitor_mac. This addresses CVE-2023-3153 (bsc#1212125). - Remove included patches: CVE-2023-3152.patch ------------------------------------------------------------------ ------------------ 2025-11-25 - Nov 25 2025 ------------------- ------------------------------------------------------------------ ++++ salt: - Add minimum_auth_version to enforce security (CVE-2025-62349) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Junos module yaml loader fix (CVE-2025-62348) - Require Python dependencies only for used Python version - Fix TLS and x509 modules for OSes with older cryptography module - Require python-legacy-cgi only for Python > 3.12 - Builds with py >=3.13 require python-legacy-cgi - Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244) - * Use external tornado on Python > 3.11 - * Make tls and x509 to use python-cryptography - * Remove usage of spwd - Fix payload signature verification on Tumbleweed (bsc#1251776) - Fix broken symlink on migration to Leap 16.0 (bsc#1250755) - Use versioned python interpreter for salt-ssh - Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207) - Add python3.11 as preferable for salt-ssh to avoid tests fails - Make test_pillar_timeout test more reliable - Modify README and other doc files for openSUSE - Set python-CherryPy as required for python-salt-testsuite (#115) - Revert require M2Crypto >= 0.44.0 for SUSE Family distros - This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d. - Improve SL Micro 6.2 detection with grains - Fix functional.states.test_user for SLES 16 and Micro systems - Fix the tests failing on AlmaLinux 10 and other clones - Added: * backport-3006.17-security-fixes-739.patch * fix-tls-and-x509-modules-for-older-cryptography-modu.patch * fix-salt-for-python-3.11.patch * do-not-break-signature-verification-on-latest-m2cryp.patch * use-versioned-python-interpreter-for-salt-ssh.patch * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch * even-more-reliable-pillar-timeout-test.patch * modify-readme-for-opensuse-728.patch * improve-sl-micro-6.2-detection-with-grains.patch * fix-functional.states.test_user-for-sles-16-and-micr.patch * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch ------------------------------------------------------------------ ------------------ 2025-11-24 - Nov 24 2025 ------------------- ------------------------------------------------------------------ ++++ gnutls: - Security fix bsc#1254132 CVE-2025-9820 * Fix buffer overflow in gnutls_pkcs11_token_init * Added gnutls-CVE-2025-9820.patch ------------------------------------------------------------------ ------------------ 2025-11-21 - Nov 21 2025 ------------------- ------------------------------------------------------------------ ++++ libmicrohttpd: - Fix for the following bugs: * bsc#1253177 CVE-2025-59777 * bsc#1253178 CVE-2025-62689 - Add patch: * CVE-2025-59777.patch * this same patch fixes both CVEs * git commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b ------------------------------------------------------------------ ------------------ 2025-11-19 - Nov 19 2025 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ curl: - Security fix: [bsc#1253757, CVE-2025-11563] * curl: wcurl path traversal with percent-encoded slashes * Add curl-CVE-2025-11563.patch ++++ kmod: - man: modprobe.d: document the config file order handling (bsc#1253741) * man-modprobe.d-document-the-config-file-order-handling.patch ------------------------------------------------------------------ ------------------ 2025-11-18 - Nov 18 2025 ------------------- ------------------------------------------------------------------ ++++ sssd: - Install file in krb5.conf.d to include sssd krb5 config snippets; (bsc#1244325); - Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561); (bsc#1251827); Add patch 0006-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch ------------------------------------------------------------------ ------------------ 2025-11-17 - Nov 17 2025 ------------------- ------------------------------------------------------------------ ++++ dpdk: - Upstream bugfix update: - Version 22.11.10 - net/mlx5: fix out-of-order completions in ordinary Rx burst (CVE-2025-23259, bsc#1254161) - Version 22.11.9 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id24 - Version 22.11.8 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id21 - Version 22.11.7 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id18 - Remove included fix dpdk-CVE-2024-11614.patch - Version 22.11.6 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id15 - Version 22.11.5 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id12 - Version 22.11.4 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id8 - Version 22.11.3 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id4 Remove included fixes: - 0001-kni-fix-build-with-Linux-6.3.patch - Version 22.11.2 https://doc.dpdk.org/guides-22.11/rel_notes/release_22_11.html#id2 - Fix [bsc#1214724], SUSE provided DPDK modules taint the kernel as unsupported + Add kernel support flag for rte_kni.ko ++++ glib2: - Add glib2-CVE-2025-7039.patch: fix computation of temporary file name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716). ++++ glib2: - Add glib2-CVE-2025-7039.patch: fix computation of temporary file name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716). ------------------------------------------------------------------ ------------------ 2025-11-13 - Nov 13 2025 ------------------- ------------------------------------------------------------------ ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311-core: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ unbound: - Fix CVE-2025-11411 (possible domain hijacking attack). Since this minimal patch interferes with most of the unit tests, the '%check' section has been removed from the spec file. [CVE-2025-11411, bsc#1252525, unbound-1.22-CVE-2025-11411.patch] ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ python311: - Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). - Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch ++++ qemu: - Bugfixes: * io: fix use after free in websocket handshake code (bsc#1250984, CVE-2025-11234) * io: move websock resource release to close method (bsc#1250984, CVE-2025-11234) * io: release active GSource in TLS channel finalizer (bsc#1250984, CVE-2025-11234) * block/curl: fix curl internal handles handling (bsc#1252768, CVE-2025-11234) ------------------------------------------------------------------ ------------------ 2025-11-9 - Nov 9 2025 ------------------- ------------------------------------------------------------------ ++++ containerd: - Update to containerd v1.7.29. Upstream release notes: * CVE-2024-25621 bsc#1253126 * CVE-2025-64329 bsc#1253132 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch ------------------------------------------------------------------ ------------------ 2025-11-7 - Nov 7 2025 ------------------- ------------------------------------------------------------------ ++++ openssh: - Add openssh-cve-2025-61984-username-validation.patch (bsc#1251198, CVE-2025-61984). - Add openssh-cve-2025-61985-nul-url-encode.patch (bsc#1251199, CVE-2025-61985). ------------------------------------------------------------------ ------------------ 2025-11-6 - Nov 6 2025 ------------------- ------------------------------------------------------------------ ++++ podman: - Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376): * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch - Add patch for bsc#1252543: * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch ++++ podman: - Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376): * 0011-CVE-2025-52881-backport-subset-of-patch-from-runc.patch - Add patch for bsc#1252543: * 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch - Rebase patches: * 0001-vendor-update-c-buildah-to-1.33.12.patch * 0002-Backport-fix-for-CVE-2024-6104.patch * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch * 0004-http2-close-connections-when-receiving-too-many-head.patch * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch * 0008-CVE-2025-6032-machine-init-fix-tls-check.patch * 0009-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch ------------------------------------------------------------------ ------------------ 2025-11-5 - Nov 5 2025 ------------------- ------------------------------------------------------------------ ++++ runc: - Update to runc v1.3.3. Upstream changelog is available from . bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 - Remove upstreamed patches for bsc#1252232: - 2025-11-05-CVEs.patch ++++ runc: - Update to runc v1.3.3. Upstream changelog is available from . bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 - Remove upstreamed patches for bsc#1252232: - 2025-11-05-CVEs.patch ------------------------------------------------------------------ ------------------ 2025-11-4 - Nov 4 2025 ------------------- ------------------------------------------------------------------ ++++ dracut: - Update to version 059+suse.607.g05002594: * fix(kernel-modules-extra): remove stray \ before / (bsc#1253029) ------------------------------------------------------------------ ------------------ 2025-10-28 - Oct 28 2025 ------------------- ------------------------------------------------------------------ ++++ libgcrypt: - Fix running the test suite in FIPS mode [bsc#1246934] * Add libgcrypt-fix-pkcs12-test-in-FIPS-mode.patch * Rebase libgcrypt-FIPS-SLI-kdf-leylength.patch ------------------------------------------------------------------ ------------------ 2025-10-27 - Oct 27 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290 ------------------------------------------------------------------ ------------------ 2025-10-22 - Oct 22 2025 ------------------- ------------------------------------------------------------------ ++++ gpgme: - Treat empty DISPLAY variable as unset. [bsc#1252425, bsc#1231055] * To avoid gpgme constructing an invalid gpg command line when the DISPLAY variable is empty it can be treated as unset. * Add gpgme-Treat-empty-DISPLAY-variable-as-unset.patch * Reported upstream: dev.gnupg.org/T7919 ------------------------------------------------------------------ ------------------ 2025-10-21 - Oct 21 2025 ------------------- ------------------------------------------------------------------ ++++ sqlite3: - bsc#1252217: Add a %license file. ------------------------------------------------------------------ ------------------ 2025-10-17 - Oct 17 2025 ------------------- ------------------------------------------------------------------ ++++ libsoup: - Update libsoup-CVE-2025-11021.patch: Add NULL check for soup_date_time_to_string() (bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!483). ------------------------------------------------------------------ ------------------ 2025-10-16 - Oct 16 2025 ------------------- ------------------------------------------------------------------ ++++ runc: [ This update was only released for SLE 12 and 15. ] - Backport patches for three CVEs. All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files. bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 + 2025-11-05-CVEs.patch ++++ runc: [ This update was only released for SLE 12 and 15. ] - Backport patches for three CVEs. All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files. bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 + 2025-11-05-CVEs.patch ------------------------------------------------------------------ ------------------ 2025-10-15 - Oct 15 2025 ------------------- ------------------------------------------------------------------ ++++ libxslt: - security update - added patches CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultCompfunction leading to denial of service * libxslt-CVE-2025-11731.patch ++++ python311-core: - Update to 3.11.14: - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file (CVE-2025-8291, bsc#1251305). - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. * Whitespaces no longer accepted between does not end the script section. * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . * Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the