------------------------------------------------------------------
--- Changelog.all ----------- Sat Jul 26 10:01:44 UTC 2025 ------
------------------------------------------------------------------

------------------------------------------------------------------
------------------ 2025-7-24 - Jul 24 2025 -------------------
------------------------------------------------------------------

++++ glibc:
- regcomp-double-free.patch: posix: Fix double-free after allocation failure in regcomp (CVE-2025-8058, bsc#1246965, BZ #33185)

++++ kdump:
- upgrade to version 2.1.5
  * kdumptool calibrate: use kernel flavour from the kdump kernel (jsc#PED-12971)
  * order kdump-commandline.service after kdump.service
  * updated documentation (bsc#1246908)

------------------------------------------------------------------
------------------ 2025-7-23 - Jul 23 2025 -------------------
------------------------------------------------------------------

++++ transactional-update:
- Add journalmount.patch to bind mount systemd journal only when available

++++ sysuser-tools:
- disable the buildroot virus scanning, as it needs the vscan user this package provides.
  (bsc#1246878)

------------------------------------------------------------------
------------------ 2025-7-22 - Jul 22 2025 -------------------
------------------------------------------------------------------

++++ fde-tools:
- Add fde-tools-bsc1246464-use-default-uefi-boot-path.patch to use the default EFI boot path if there is no FILE component in the boot entry (bsc#1246464)

++++ kernel-firmware-sound:
- Update to version 20250721 (git commit d89120bb80fc):
  * cirrus: cs35l41: Add Firmware for various ASUS commercial Laptops using CS35L41 HDA
  * cirrus: cs35l41: Update Firmware for Dell Oasis
  * cirrus: cs35l56: Add firmware for Cirrus CS35L56 for various Dell laptops
  * qcom: Add Audio topology for QCS6490 RB3Gen2

++++ libnvme:
- Update to version 1.11+4.g18b9f8e5:
  * tree: free ctrl attributes when (re)configure ctrl (bsc#1243716)
  * tree: filter tree after scan has completed (bsc#1243716)
  * test/mock: pass thru unknown ioctls
  * linux: fix derive_psk_digest OpenSSL 1.1 version
- Drop integrated patches
  * remove 0001-linux-fix-derive_psk_digest-OpenSSL-1.1-version.patch
  * remove 0002-test-mock-pass-thru-unknown-ioctls.patch

++++ nvme-cli:
- Update to version 2.11+4.g16c450a7:
  * nvme: fix mem leak in nvme copy (bsc#1243716)
  * nvme-print: suppress output when no ctrl is present for list-subsys (bsc#1243716)
  * nvme: extend filter to match device name (bsc#1243716)
  * udev-rules-ontap: switch to queue-depth iopolicy (bsc#1246599)

------------------------------------------------------------------
------------------ 2025-7-21 - Jul 21 2025 -------------------
------------------------------------------------------------------

++++ cockpit:
- Add cockpit-firewalld package for easily configuring the user's firewall jsc#PED-13228

++++ transactional-update:
- Version 5.0.7
- Add sysext compatibility [bsc#1246140]
- Fix soft-reboot with btrfs subvolume based /etc
- Sync /etc layers also on soft-reboot
- Bind mount /run/systemd/journal to allow log calls
  [gh#openSUSE/transactional-update#149]
- Use rootlesskit instead of fakeroot for tests
- Small coding style fixes
- Temporarily disabling the testsuite because it doesn't run in the build environment so far

++++ kernel-default:
- kABI workaround for bluetooth hci_dev changes (CVE-2025-38250 bsc#1246182).
- commit 9363e74
- Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250 bsc#1246182).
- commit 7979f02
- tools/hv: fcopy: Fix irregularities with size of ring buffer (git-fixes).
- PCI: hv: Use the correct hypercall for unmasking interrupts on nested (git-fixes).
- x86/hyperv: Expose hv_map_msi_interrupt() (git-fixes).
- Drivers: hv: Use nested hypercall for post message and signal event (git-fixes).
- x86/hyperv: Clean up hv_map/unmap_interrupt() return values (git-fixes).
- x86/hyperv: Fix usage of cpu_online_mask to get valid cpu (git-fixes).
- PCI: hv: Don't load the driver for baremetal root partition (git-fixes).
- net: mana: Fix warnings for missing export.h header inclusion (git-fixes).
- PCI: hv: Fix warnings for missing export.h header inclusion (git-fixes).
- clocksource: hyper-v: Fix warnings for missing export.h header inclusion (git-fixes).
- x86/hyperv: Fix warnings for missing export.h header inclusion (git-fixes).
- Drivers: hv: Fix warnings for missing export.h header inclusion (git-fixes).
- Drivers: hv: Fix the check for HYPERVISOR_CALLBACK_VECTOR (git-fixes).
- tools/hv: fcopy: Fix incorrect file path conversion (git-fixes).
- Drivers: hv: Select CONFIG_SYSFB only if EFI is enabled (git-fixes).
- hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf (git-fixes).
- commit 6fce57d
- i2c: stm32f7: unmap DMA mapped buffer (git-fixes).
- i2c: stm32: fix the device used for the DMA map (git-fixes).
- usb: hub: Don't try to recover devices lost during warm reset (git-fixes).
- usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY (git-fixes).
- usb: musb: fix gadget state on disconnect (git-fixes).
- thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes).
- thunderbolt: Fix wake on connect at runtime (git-fixes).
- pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes).
- serial: core: fix OF node leak (git-fixes).
- comedi: Fix initialization of data for instructions that write to subdevice (git-fixes).
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes).
- comedi: das6402: Fix bit shift out of bounds (git-fixes).
- comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes).
- comedi: pcl812: Fix bit shift out of bounds (git-fixes).
- comedi: das16m1: Fix bit shift out of bounds (git-fixes).
- comedi: Fix some signed shift left operations (git-fixes).
- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes).
- interconnect: icc-clk: destroy nodes in case of memory allocation failures (git-fixes).
- interconnect: exynos: handle node name allocation failure (git-fixes).
- interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node (git-fixes).
- iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes).
- iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes).
- iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps (git-fixes).
- iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes).
- iio: backend: fix out-of-bound write (git-fixes).
- spi: Add check for 8-bit transfer with 8 IO mode support (git-fixes).
- regmap: fix potential memory leak of regmap_bus (git-fixes).
- Input: xpad - set correct controller type for Acer NGR200 (git-fixes).
- commit efa1e54

++++ kernel-firmware-nvidia:
- Remove stale *.rpmmoved directories (bsc#1244458)

++++ kernel-firmware-qcom:
- Remove stale *.rpmmoved directories (bsc#1244458)

++++ kernel-rt:
- kABI workaround for bluetooth hci_dev changes (CVE-2025-38250 bsc#1246182).
- commit 9363e74
- Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250 bsc#1246182).
- commit 7979f02
- tools/hv: fcopy: Fix irregularities with size of ring buffer (git-fixes).
- PCI: hv: Use the correct hypercall for unmasking interrupts on nested (git-fixes).
- x86/hyperv: Expose hv_map_msi_interrupt() (git-fixes).
- Drivers: hv: Use nested hypercall for post message and signal event (git-fixes).
- x86/hyperv: Clean up hv_map/unmap_interrupt() return values (git-fixes).
- x86/hyperv: Fix usage of cpu_online_mask to get valid cpu (git-fixes).
- PCI: hv: Don't load the driver for baremetal root partition (git-fixes).
- net: mana: Fix warnings for missing export.h header inclusion (git-fixes).
- PCI: hv: Fix warnings for missing export.h header inclusion (git-fixes).
- clocksource: hyper-v: Fix warnings for missing export.h header inclusion (git-fixes).
- x86/hyperv: Fix warnings for missing export.h header inclusion (git-fixes).
- Drivers: hv: Fix warnings for missing export.h header inclusion (git-fixes).
- Drivers: hv: Fix the check for HYPERVISOR_CALLBACK_VECTOR (git-fixes).
- tools/hv: fcopy: Fix incorrect file path conversion (git-fixes).
- Drivers: hv: Select CONFIG_SYSFB only if EFI is enabled (git-fixes).
- hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf (git-fixes).
- commit 6fce57d
- i2c: stm32f7: unmap DMA mapped buffer (git-fixes).
- i2c: stm32: fix the device used for the DMA map (git-fixes).
- usb: hub: Don't try to recover devices lost during warm reset (git-fixes).
- usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY (git-fixes).
- usb: musb: fix gadget state on disconnect (git-fixes).
- thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes).
- thunderbolt: Fix wake on connect at runtime (git-fixes).
- pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes).
- serial: core: fix OF node leak (git-fixes).
- comedi: Fix initialization of data for instructions that write to subdevice (git-fixes).
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes).
- comedi: das6402: Fix bit shift out of bounds (git-fixes).
- comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes).
- comedi: pcl812: Fix bit shift out of bounds (git-fixes).
- comedi: das16m1: Fix bit shift out of bounds (git-fixes).
- comedi: Fix some signed shift left operations (git-fixes).
- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes).
- interconnect: icc-clk: destroy nodes in case of memory allocation failures (git-fixes).
- interconnect: exynos: handle node name allocation failure (git-fixes).
- interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node (git-fixes).
- iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes).
- iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes).
- iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps (git-fixes).
- iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes).
- iio: backend: fix out-of-bound write (git-fixes).
- spi: Add check for 8-bit transfer with 8 IO mode support (git-fixes).
- regmap: fix potential memory leak of regmap_bus (git-fixes).
- Input: xpad - set correct controller type for Acer NGR200 (git-fixes).
- commit efa1e54

++++ libbpf:
- update to 1.6.0:
  * add more control over BPF object lifetime with new preparation step (bpf_object__prepare() API)
  * libbpf will report symbolic error code (e.g., "-EINVAL") in addition to human-readable error description
  * bpf_prog_stream_read() API
  * BPF token support when attaching BPF trampoline-based BPF programs in bpf_program__set_attach_target()
  * BPF token support for BPF_BTF_GET_FD_BY_ID command
  * support multi-uprobe session (SEC("uprobe.session")) BPF programs
  * support unique_match option for multi-kprobe attachment
  * support creating and destroying qdisc with BPF_TC_QDISC flag;
  * bpf_program__attach_cgroup_opts() which enables more precise cgroup-based attachment ordering
  * automatically take advantage of memory-mappable kernel BTF (/sys/kernel/btf/vmlinux), if supported
  * emit_strings option for BTF dumper API, improving string-like data printing
  * add BPF program's func and line info accessors
  * BPF linker supports linking ELF object files coming from memory buffer and referenced by FD, in addition to file path-based APIs;
  * small improvements to BTF dedup to handle rare quirky corner cases produced by some compilers
  * add likely() and unlikely() convenience macros;
  * __arg_untrusted annotation for BPF global subprog arguments;
  * bpf_stream_printk() macro for working with BPF streams;
  * bpf_usdt_arg_size() API
- update to 1.6.0:
  * fixing a possible crash when handling BPF arena global variable relocations
- drop 0001-libbpf-Add-identical-pointer-detection-to-btf_dedup_.patch, which is now included

------------------------------------------------------------------
------------------ 2025-7-20 - Jul 20 2025 -------------------
------------------------------------------------------------------

++++ kernel-default:
- hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes).
- drm/mediatek: only announce AFBC if really supported (git-fixes).
- drm/mediatek: Add wait_event_timeout when disabling plane (git-fixes).
- drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes).
- drm/nouveau: check ioctl command codes better (git-fixes).
- soundwire: amd: fix for clearing command status register (git-fixes).
- dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes).
- phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes).
- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes).
- mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes).
- mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes).
- mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes).
- commit f4e7d99

++++ kernel-rt:
- hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes).
- drm/mediatek: only announce AFBC if really supported (git-fixes).
- drm/mediatek: Add wait_event_timeout when disabling plane (git-fixes).
- drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes).
- drm/nouveau: check ioctl command codes better (git-fixes).
- soundwire: amd: fix for clearing command status register (git-fixes).
- dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes).
- phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes).
- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes).
- mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes).
- mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes).
- mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes).
- commit f4e7d99

------------------------------------------------------------------
------------------ 2025-7-19 - Jul 19 2025 -------------------
------------------------------------------------------------------

++++ kernel-default:
- virtio-net: fix recursived rtnl_lock() during probe() (git-fixes).
- commit 0bc7aff
- vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` (git-fixes).
- commit 615e0f1
- vsock: Fix transport_* TOCTOU (git-fixes).
- commit 704674f
- vsock: Fix transport_{g2h,h2g} TOCTOU (git-fixes).
- commit 3024c81

++++ kernel-firmware-amdgpu:
- Update to version 20250718 (git commit a5fbfa20d1bd):
  * amdgpu: update dmcub fw for various DCN version

++++ kernel-firmware-intel:
- Update to version 20250718 (git commit a5fbfa20d1bd):
  * intel_vpu: Update NPU firmware

++++ kernel-rt:
- virtio-net: fix recursived rtnl_lock() during probe() (git-fixes).
- commit 0bc7aff
- vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` (git-fixes).
- commit 615e0f1
- vsock: Fix transport_* TOCTOU (git-fixes).
- commit 704674f
- vsock: Fix transport_{g2h,h2g} TOCTOU (git-fixes).
- commit 3024c81

------------------------------------------------------------------
------------------ 2025-7-18 - Jul 18 2025 -------------------
------------------------------------------------------------------

++++ kdump:
- upgrade to version 2.1.4
  * work around failing calibration on aarch64
  * support for kernel flavour-specific calibration
  * specific calibration for aarch64 -64kb kernels (jsc#PED-12971)
  * use KDUMP_NET_TIMEOUT as sftp/ftp timeout
- update calibrate values

++++ kernel-default:
- vsock/vmci: Clear the vmci transport packet properly when initializing it (git-fixes).
- commit ec91da1
- virtio-net: xsk: rx: fix the frame's length check (git-fixes).
- commit d6ac97d
- af_unix: Don't set -ECONNRESET for consumed OOB skb (bsc#1246093).
- commit 6c81d26
- sched/psi: Optimize psi_group_change() cpu_clock() usage KABI (bsc#1234634 (Scheduler functional and performance backports)).
- commit 74a8f57
- virtio-net: ensure the received length does not exceed allocated size (git-fixes).
- commit 98cd35a
- sched: Skip useless sched_balance_running acquisition if load balance is not due (bsc#1234634 (Scheduler functional and performance backports)).
- commit 8648646
- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes).
- commit ecdd7a1
- net: fix segmentation after TCP/UDP fraglist GRO (git-fixes).
- commit 0365d28
- ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes).
- commit 6b2d784
- rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes).
- commit fa150fb
- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes).
- commit f0f997a
- net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes).
- commit e3a7f48
- sched/deadline: Less agressive dl_server handling KABI (bsc#1234634 (Scheduler functional and performance backports)).
- commit ce216e3
- sched/fair: Workaround NO_RUN_TO_PARITY fix kabi (bsc#1234634 (Scheduler functional and performance backports)).
- commit 6a6e170
- af_unix: Don't leave consecutive consumed OOB skbs (CVE-2025-38236 bsc#1246093).
- commit a443f38
- kABI workaround for struct drm_framebuffer changes (git-fixes).
- commit 7f15c4f
- bridge: mcast: Fix use-after-free during router port configuration (CVE-2025-38248 bsc#1246173).
- commit 78cf8a3
- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes).
- Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes).
- Bluetooth: hci_core: add missing braces when using macro parameters (git-fixes).
- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes).
- Bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes).
- Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type (git-fixes).
- Bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes).
- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes).
- wifi: cfg80211: remove scan request n_channels counted_by (git-fixes).
- can: tcan4x5x: fix reset gpio usage during probe (git-fixes).
- usb: net: sierra: check for no status endpoint (git-fixes).
- net: phy: Don't register LEDs for genphy (git-fixes).
- clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data (git-fixes).
- clk: scmi: Handle case where child clocks are initialized before their parents (git-fixes).
- drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes).
- drm/framebuffer: Acquire internal references on GEM handles (git-fixes).
- wifi: prevent A-MSDU attacks in mesh networks (stable-fixes).
- wifi: mac80211: correctly identify S1G short beacon (git-fixes).
- wifi: cfg80211: fix S1G beacon head validation in nl80211 (git-fixes).
- net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() (git-fixes).
- net: phy: qcom: move the WoL function to shared library (stable-fixes).
- Revert "ACPI: battery: negate current when discharging" (stable-fixes).
- drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes).
- vt: add missing notification when switching back to text mode (stable-fixes).
- Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" (stable-fixes).
- ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak (stable-fixes).
- ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes).
- ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 (stable-fixes).
- HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes).
- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes).
- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes).
- HID: nintendo: avoid bluetooth suspend/resume stalls (stable-fixes).
- driver: bluetooth: hci_qca:fix unable to load the BT driver (stable-fixes).
- net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes).
- wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements (git-fixes).
- drm/amdgpu/ip_discovery: add missing ip_discovery fw (stable-fixes).
- drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics (stable-fixes).
- ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops (stable-fixes).
- ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct (stable-fixes).
- commit ead540d

++++ kernel-firmware-media:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-mellanox:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-network:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-platform:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-qlogic:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-realtek:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-serial:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-firmware-usb-network:
- Update to version 20250717 (git commit 6fc20e018cca):
  * WHENCE: extract more license statements

++++ kernel-rt:
- vsock/vmci: Clear the vmci transport packet properly when initializing it (git-fixes).
- commit ec91da1
- virtio-net: xsk: rx: fix the frame's length check (git-fixes).
- commit d6ac97d
- af_unix: Don't set -ECONNRESET for consumed OOB skb (bsc#1246093).
- commit 6c81d26
- sched/psi: Optimize psi_group_change() cpu_clock() usage KABI (bsc#1234634 (Scheduler functional and performance backports)).
- commit 74a8f57
- virtio-net: ensure the received length does not exceed allocated size (git-fixes).
- commit 98cd35a
- sched: Skip useless sched_balance_running acquisition if load balance is not due (bsc#1234634 (Scheduler functional and performance backports)).
- commit 8648646
- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes).
- commit ecdd7a1
- net: fix segmentation after TCP/UDP fraglist GRO (git-fixes).
- commit 0365d28
- ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes).
- commit 6b2d784
- rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes).
- commit fa150fb
- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes).
- commit f0f997a
- net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes).
- commit e3a7f48
- sched/deadline: Less agressive dl_server handling KABI (bsc#1234634 (Scheduler functional and performance backports)).
- commit ce216e3
- sched/fair: Workaround NO_RUN_TO_PARITY fix kabi (bsc#1234634 (Scheduler functional and performance backports)).
- commit 6a6e170
- af_unix: Don't leave consecutive consumed OOB skbs (CVE-2025-38236 bsc#1246093).
- commit a443f38
- kABI workaround for struct drm_framebuffer changes (git-fixes).
- commit 7f15c4f
- bridge: mcast: Fix use-after-free during router port configuration (CVE-2025-38248 bsc#1246173).
- commit 78cf8a3
- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes).
- Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes).
- Bluetooth: hci_core: add missing braces when using macro parameters (git-fixes).
- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes).
- Bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes).
- Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type (git-fixes).
- Bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes).
- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes).
- wifi: cfg80211: remove scan request n_channels counted_by (git-fixes).
- can: tcan4x5x: fix reset gpio usage during probe (git-fixes).
- usb: net: sierra: check for no status endpoint (git-fixes).
- net: phy: Don't register LEDs for genphy (git-fixes).
- clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data (git-fixes).
- clk: scmi: Handle case where child clocks are initialized before their parents (git-fixes).
- drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes).
- drm/framebuffer: Acquire internal references on GEM handles (git-fixes).
- wifi: prevent A-MSDU attacks in mesh networks (stable-fixes).
- wifi: mac80211: correctly identify S1G short beacon (git-fixes).
- wifi: cfg80211: fix S1G beacon head validation in nl80211 (git-fixes).
- net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() (git-fixes).
- net: phy: qcom: move the WoL function to shared library (stable-fixes).
- Revert "ACPI: battery: negate current when discharging" (stable-fixes).
- drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes).
- vt: add missing notification when switching back to text mode (stable-fixes).
- Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" (stable-fixes).
- ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak (stable-fixes).
- ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes).
- ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 (stable-fixes).
- HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes).
- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes).
- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes).
- HID: nintendo: avoid bluetooth suspend/resume stalls (stable-fixes).
- driver: bluetooth: hci_qca:fix unable to load the BT driver (stable-fixes).
- net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes).
- wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements (git-fixes).
- drm/amdgpu/ip_discovery: add missing ip_discovery fw (stable-fixes).
- drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics (stable-fixes).
- ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops (stable-fixes).
- ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct (stable-fixes).
- commit ead540d

++++ libxml2:
- security update
- added patches
  CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
  + libxml2-CVE-2025-7425.patch

++++ libxml2-python:
- security update
- added patches
  CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
  + libxml2-CVE-2025-7425.patch

------------------------------------------------------------------
------------------ 2025-7-17 - Jul 17 2025 -------------------
------------------------------------------------------------------

++++ busybox:
- add placeholder variable and ignore applet logic to busybox.install

++++ busybox-links:
- add filtering of ignored applets to busybox.install

++++ docker:
- Update to Go 1.24 for builds, to match upstream.

++++ kernel-default:
- sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Enable scheduler feature NEXT_BUDDY (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Always trigger resched at the end of a protected period (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Fix entity's lag with run to parity (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Limit run to parity to the min slice of enqueued entities (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Remove spurious shorter slice preemption (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Fix NO_RUN_TO_PARITY case (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Use protect_slice() instead of direct comparison (bsc#1234634 (Scheduler functional and performance backports)).
- sched/deadline: Less agressive dl_server handling (bsc#1234634 (Scheduler functional and performance backports)).
- sched/psi: Optimize psi_group_change() cpu_clock() usage (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails (bsc#1234634 (Scheduler functional and performance backports)).
- sched/eevdf: Correct the comment in place_entity (bsc#1234634 (Scheduler functional and performance backports)).
- sched/deadline: Fix dl_server runtime calculation formula (bsc#1234634 (Scheduler functional and performance backports)).
- sched/core: Fix migrate_swap() vs. hotplug (bsc#1234634 (Scheduler functional and performance backports)).
- sched: Fix preemption string of preempt_dynamic_none (bsc#1234634 (Scheduler functional and performance backports)).
- sched/numa: fix task swap by skipping kernel threads (bsc#1234634 (Scheduler functional and performance backports)).
- mm: pcp: increase pcp->free_count threshold to trigger free_high (bsc#1241169 (MM functional and performance backports)).
- sched/numa: add tracepoint that tracks the skipping of numa balancing due to cpuset memory pinning (bsc#1234634 (Scheduler functional and performance backports)).
- sched/numa: skip VMA scanning on memory pinned to one NUMA node via cpuset.mems (bsc#1234634 (Scheduler functional and performance backports)).
- mm: page_alloc: remove redundant READ_ONCE (bsc#1241169 (MM functional and performance backports)).
- sched/uclamp: Align uclamp and util_est and call before freq update (bsc#1234634 (Scheduler functional and performance backports)).
- sched/util_est: Simplify condition for util_est_{en,de}queue() (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE (bsc#1234634 (Scheduler functional and performance backports)).
- sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed tasks (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Adhere to place_entity() constraints (bsc#1234634 (Scheduler functional and performance backports)).
- sched/debug: Print the local group's asym_prefer_cpu (bsc#1234634 (Scheduler functional and performance backports)).
- sched/topology: Introduce sched_update_asym_prefer_cpu() (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Use READ_ONCE() to read sg->asym_prefer_cpu (bsc#1234634 (Scheduler functional and performance backports)).
- sched/isolation: Make use of more than one housekeeping cpu (bsc#1234634 (Scheduler functional and performance backports)).
- sched/rt: Fix race in push_rt_task (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Allow decaying util_est when util_avg > CPU capa (bsc#1234634 (Scheduler functional and performance backports)).
- sched: Fix trace_sched_switch(.prev_state) (bsc#1234634 (Scheduler functional and performance backports)).
- commit 2289d34
- Update patches.suse/scsi-megaraid_sas-Fix-invalid-node-index.patch (git-fixes CVE-2025-38239 bsc#1246178).
- commit 3918567
- soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled (git-fixes).
- soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes).
- HID: core: ensure __hid_request reserves the report ID as the first byte (git-fixes).
- commit d4ff6f9
- x86/iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100 bsc#1245650).
- commit 2e30d9c
- config: x86_64: default: use run_oldconfig to refresh
- commit e2e6c0d
- kABI workaround for bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279).
- commit e82df30

++++ kernel-firmware-amdgpu:
- Update to version 20250716 (git commit 1b1a9d871442):
  * amdgpu: Update GC 11.5.1 microcode

++++ kernel-rt:
- sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Enable scheduler feature NEXT_BUDDY (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Always trigger resched at the end of a protected period (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Fix entity's lag with run to parity (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Limit run to parity to the min slice of enqueued entities (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Remove spurious shorter slice preemption (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Fix NO_RUN_TO_PARITY case (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Use protect_slice() instead of direct comparison (bsc#1234634 (Scheduler functional and performance backports)).
- sched/deadline: Less agressive dl_server handling (bsc#1234634 (Scheduler functional and performance backports)).
- sched/psi: Optimize psi_group_change() cpu_clock() usage (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails (bsc#1234634 (Scheduler functional and performance backports)).
- sched/eevdf: Correct the comment in place_entity (bsc#1234634 (Scheduler functional and performance backports)).
- sched/deadline: Fix dl_server runtime calculation formula (bsc#1234634 (Scheduler functional and performance backports)).
- sched/core: Fix migrate_swap() vs. hotplug (bsc#1234634 (Scheduler functional and performance backports)).
- sched: Fix preemption string of preempt_dynamic_none (bsc#1234634 (Scheduler functional and performance backports)).
- sched/numa: fix task swap by skipping kernel threads (bsc#1234634 (Scheduler functional and performance backports)). - mm: pcp: increase pcp->free_count threshold to trigger free_high (bsc#1241169 (MM functional and performance backports)). - sched/numa: add tracepoint that tracks the skipping of numa balancing due to cpuset memory pinning (bsc#1234634 (Scheduler functional and performance backports)). - sched/numa: skip VMA scanning on memory pinned to one NUMA node via cpuset.mems (bsc#1234634 (Scheduler functional and performance backports)). - mm: page_alloc: remove redundant READ_ONCE (bsc#1241169 (MM functional and performance backports)). - sched/uclamp: Align uclamp and util_est and call before freq update (bsc#1234634 (Scheduler functional and performance backports)). - sched/util_est: Simplify condition for util_est_{en,de}queue() (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE (bsc#1234634 (Scheduler functional and performance backports)). - sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed tasks (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Adhere to place_entity() constraints (bsc#1234634 (Scheduler functional and performance backports)). - sched/debug: Print the local group's asym_prefer_cpu (bsc#1234634 (Scheduler functional and performance backports)). - sched/topology: Introduce sched_update_asym_prefer_cpu() (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Use READ_ONCE() to read sg->asym_prefer_cpu (bsc#1234634 (Scheduler functional and performance backports)). - sched/isolation: Make use of more than one housekeeping cpu (bsc#1234634 (Scheduler functional and performance backports)). - sched/rt: Fix race in push_rt_task (bsc#1234634 (Scheduler functional and performance backports)). 
- sched/fair: Allow decaying util_est when util_avg > CPU capa (bsc#1234634 (Scheduler functional and performance backports)). - sched: Fix trace_sched_switch(.prev_state) (bsc#1234634 (Scheduler functional and performance backports)). - commit 2289d34 - Update patches.suse/scsi-megaraid_sas-Fix-invalid-node-index.patch (git-fixes CVE-2025-38239 bsc#1246178). - commit 3918567 - soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled (git-fixes). - soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes). - HID: core: ensure __hid_request reserves the report ID as the first byte (git-fixes). - commit d4ff6f9 - x86/iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100 bsc#1245650). - commit 2e30d9c - config: x86_64: default: use run_oldconfig to refresh - commit e2e6c0d - kABI workaround for bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279). - commit e82df30 ++++ gcc15: - Fixup conflicts again. - Make sure to retain binary suffixes for accelerator crosses. 
++++ libxslt: - security update - added patches CVE-2025-7424 [bsc#1246360], Type confusion in xmlNode.psvi between stylesheet and source nodes + libxslt-CVE-2025-7424.patch ++++ update-bootloader: - merge gh#openSUSE/perl-bootloader#191 - avoid spurious warning messages when parsing /etc/default/grub (bsc#1246373, bsc#1245323) - 1.25 ------------------------------------------------------------------ ------------------ 2025-7-16 - Jul 16 2025 ------------------- ------------------------------------------------------------------ ++++ dracut: - Update to version 059+suse.692.g6ec224d5: * ci(suse.conf.example): change log levels (jsc#PED-12922) ++++ grub2: - Fix test -f and -s do not work properly over the network files served via tftp and http (bsc#1246157) (bsc#1246237) * 0001-test-Fix-f-test-on-files-over-network.patch * 0002-http-Return-HTTP-status-code-in-http_establish.patch * 0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch * 0004-tftp-Fix-hang-when-file-is-a-directory.patch ++++ kernel-default: - seg6: Fix validation of nexthop addresses (CVE-2025-38310 bsc#1246361). - netfs: Fix oops in write-retry from mis-resetting the subreq iterator (CVE-2025-38139 bsc#1245718). - x86/sgx: Prevent attempts to reclaim poisoned pages (CVE-2025-38334 bsc#1246384). - commit 5e00081 - fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero (bsc#1246620). - commit ac8d8ea - net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (CVE-2025-38126 bsc#1245708). - bpf: fix ktls panic with sockmap (CVE-2025-38166 bsc#1245758). - commit f2dcced - objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes). - commit cdba1ce - objtool: Silence more KCOV warnings, part 2 (git-fixes). - commit 4da0721 - objtool: Add missing endian conversion to read_annotate() (git-fixes). - commit 33dacf5 - ixgbe: add FW API version check (jsc#PED-12380 bsc#1245410 bsc#1246128). 
- Refresh patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch. - commit c263240 - ixgbe: add support for devlink reload (jsc#PED-12380 bsc#1245410 bsc#1246128). - Refresh patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch. - commit 207db98 - ixgbe: devlink: add devlink region support for E610 (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 .set_phys_id() callback implementation (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: apply different rules for setting FC on E610 (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add support for ACPI WOL for E610 (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: create E610 specific ethtool_ops structure (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add support for FW rollback mode (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 implementation of FW recovery mode (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add device flash update via devlink (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: extend .info_get() with stored versions (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 functions getting PBA and FW ver info (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add .info_get extension specific for E610 devices (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: read the netlist version information (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: read the OROM version information (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 functions for acquiring flash data (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add handler for devlink .info_get() (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add initial devlink support (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: wrap netdev_priv() usage (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: Fix unreachable retry logic in combined and byte I2C write functions (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add support for thermal sensor event reception (jsc#PED-12380 bsc#1245410 bsc#1246128). 
- ixgbe: add PTP support for E610 device (jsc#PED-12380 bsc#1245410 bsc#1246128). - commit aea9558 - objtool: Stop UNRET validation on UD2 (git-fixes). - commit 82f38be - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes). - commit af1e729 - objtool: Properly disable uaccess validation (git-fixes). - commit c47d66e - objtool: Silence more KCOV warnings (git-fixes). - commit 700d945 - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - commit bd0db70 - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - commit 1568d0d - wifi: rt2x00: fix remove callback type mismatch (git-fixes). - commit c0ae7f4 - wifi: mwifiex: discard erroneous disassoc frames on STA interface (git-fixes). - commit decdc76 - wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes). - commit 7ee21af - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - commit c13b504 - selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264 CVE-2025-38279). - bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279). - commit 3a79b8b - selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar (git-fixes). - commit 493edb3 - perf/core: Fix the WARN_ON_ONCE is out of lock protected region (git-fixes). - commit 6223b3a - perf: Revert to requiring CAP_SYS_ADMIN for uprobes (git-fixes). - perf/aux: Fix pending disable flow when the AUX ring buffer overruns (git-fixes). - perf/core: Fix WARN in perf_cgroup_switch() (git-fixes). - perf: Fix dangling cgroup pointer in cpuctx (git-fixes). - perf: Fix cgroup state vs ERROR (git-fixes). - perf test: Directory file descriptor leak (git-fixes). - perf evsel: Missed close() when probing hybrid core PMUs (git-fixes). - perf callchain: Always populate the addr_location map when adding IP (git-fixes). 
- perf trace: Set errpid to false for rseq and set_robust_list (git-fixes). - perf trace: Always print return value for syscalls returning a pid (git-fixes). - perf record: Fix incorrect --user-regs comments (git-fixes). - perf symbol: Fix use-after-free in filename__read_build_id (git-fixes). - perf pmu: Avoid segv for missing name/alias_name in wildcarding (git-fixes). - perf tests switch-tracking: Fix timestamp comparison (git-fixes). - perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 (git-fixes). - perf intel-pt: Fix PEBS-via-PT data_src (git-fixes). - perf tests: Fix 'perf report' tests installation (git-fixes). - perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids() (git-fixes). - perf symbol-minimal: Fix double free in filename__read_build_id (git-fixes). - perf tool_pmu: Fix aggregation on duration_time (git-fixes). - perf ui browser hists: Set actions->thread before calling do_zoom_thread() (git-fixes). - perf build: Warn when libdebuginfod devel files are not available (git-fixes). - tools build: Don't show libunwind build status as it is opt-in (git-fixes). - tools build: Don't set libunwind as available if test-all.c build succeeds (git-fixes). - perf/core: Fix broken throttling when max_samples_per_tick=1 (git-fixes). - perf/x86/amd/uncore: Prevent UMC counters from saturating (git-fixes). - perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member (git-fixes). - perf: Ensure bpf_perf_link path is properly serialized (git-fixes). - arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src (git-fixes). - perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type (git-fixes). 
- commit 4d40f30 ++++ kernel-default-base: - Add modules for confidential compute (bsc#1246502) ++++ kernel-firmware-realtek: - Update to version 20250715 (git commit 04c379b552c7): * rtw89: 8852b: update fw to v0.29.128.0 * rtw89: 8852bt: update fw to v0.29.127.0 * rtw89: 8922a: add regd fw element with version R72-R6 * rtw89: 8852c: add regd fw element with version R72-R57 * rtw89: 8922a: update BB parameter V49 ++++ kernel-rt: - seg6: Fix validation of nexthop addresses (CVE-2025-38310 bsc#1246361). - netfs: Fix oops in write-retry from mis-resetting the subreq iterator (CVE-2025-38139 bsc#1245718). - x86/sgx: Prevent attempts to reclaim poisoned pages (CVE-2025-38334 bsc#1246384). - commit 5e00081 - fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero (bsc#1246620). - commit ac8d8ea - net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (CVE-2025-38126 bsc#1245708). - bpf: fix ktls panic with sockmap (CVE-2025-38166 bsc#1245758). - commit f2dcced - objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes). - commit cdba1ce - objtool: Silence more KCOV warnings, part 2 (git-fixes). - commit 4da0721 - objtool: Add missing endian conversion to read_annotate() (git-fixes). - commit 33dacf5 - ixgbe: add FW API version check (jsc#PED-12380 bsc#1245410 bsc#1246128). - Refresh patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch. - commit c263240 - ixgbe: add support for devlink reload (jsc#PED-12380 bsc#1245410 bsc#1246128). - Refresh patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch. - commit 207db98 - ixgbe: devlink: add devlink region support for E610 (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 .set_phys_id() callback implementation (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: apply different rules for setting FC on E610 (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add support for ACPI WOL for E610 (jsc#PED-12380 bsc#1245410 bsc#1246128). 
- ixgbe: create E610 specific ethtool_ops structure (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add support for FW rollback mode (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 implementation of FW recovery mode (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add device flash update via devlink (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: extend .info_get() with stored versions (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 functions getting PBA and FW ver info (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add .info_get extension specific for E610 devices (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: read the netlist version information (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: read the OROM version information (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add E610 functions for acquiring flash data (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add handler for devlink .info_get() (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add initial devlink support (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: wrap netdev_priv() usage (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: Fix unreachable retry logic in combined and byte I2C write functions (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add support for thermal sensor event reception (jsc#PED-12380 bsc#1245410 bsc#1246128). - ixgbe: add PTP support for E610 device (jsc#PED-12380 bsc#1245410 bsc#1246128). - commit aea9558 - objtool: Stop UNRET validation on UD2 (git-fixes). - commit 82f38be - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes). - commit af1e729 - objtool: Properly disable uaccess validation (git-fixes). - commit c47d66e - objtool: Silence more KCOV warnings (git-fixes). - commit 700d945 - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - commit bd0db70 - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). 
- commit 1568d0d - wifi: rt2x00: fix remove callback type mismatch (git-fixes). - commit c0ae7f4 - wifi: mwifiex: discard erroneous disassoc frames on STA interface (git-fixes). - commit decdc76 - wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes). - commit 7ee21af - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - commit c13b504 - selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264 CVE-2025-38279). - bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279). - commit 3a79b8b - selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar (git-fixes). - commit 493edb3 - perf/core: Fix the WARN_ON_ONCE is out of lock protected region (git-fixes). - commit 6223b3a - perf: Revert to requiring CAP_SYS_ADMIN for uprobes (git-fixes). - perf/aux: Fix pending disable flow when the AUX ring buffer overruns (git-fixes). - perf/core: Fix WARN in perf_cgroup_switch() (git-fixes). - perf: Fix dangling cgroup pointer in cpuctx (git-fixes). - perf: Fix cgroup state vs ERROR (git-fixes). - perf test: Directory file descriptor leak (git-fixes). - perf evsel: Missed close() when probing hybrid core PMUs (git-fixes). - perf callchain: Always populate the addr_location map when adding IP (git-fixes). - perf trace: Set errpid to false for rseq and set_robust_list (git-fixes). - perf trace: Always print return value for syscalls returning a pid (git-fixes). - perf record: Fix incorrect --user-regs comments (git-fixes). - perf symbol: Fix use-after-free in filename__read_build_id (git-fixes). - perf pmu: Avoid segv for missing name/alias_name in wildcarding (git-fixes). - perf tests switch-tracking: Fix timestamp comparison (git-fixes). - perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 (git-fixes). - perf intel-pt: Fix PEBS-via-PT data_src (git-fixes). 
- perf tests: Fix 'perf report' tests installation (git-fixes). - perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids() (git-fixes). - perf symbol-minimal: Fix double free in filename__read_build_id (git-fixes). - perf tool_pmu: Fix aggregation on duration_time (git-fixes). - perf ui browser hists: Set actions->thread before calling do_zoom_thread() (git-fixes). - perf build: Warn when libdebuginfod devel files are not available (git-fixes). - tools build: Don't show libunwind build status as it is opt-in (git-fixes). - tools build: Don't set libunwind as available if test-all.c build succeeds (git-fixes). - perf/core: Fix broken throttling when max_samples_per_tick=1 (git-fixes). - perf/x86/amd/uncore: Prevent UMC counters from saturating (git-fixes). - perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member (git-fixes). - perf: Ensure bpf_perf_link path is properly serialized (git-fixes). - arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src (git-fixes). - perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type (git-fixes). 
- commit 4d40f30 ++++ selinux-policy: - Update to version 20250627+git62.68c403828: * Allow virtqemud_t use its private tmpfs files (bsc#1242998) * Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998) * Allow virtqemud_t read and write /dev/ptmx (bsc#1242998) * Extend virtqemud_t tcp_socket permissions (bsc#1242998) * Mark configfs_t as mountpoint (bsc#1246080) * healthchecker: add proper optional_policy() guards * Allow virtqemud_t to read and write generic pty (bsc#1242998) * Drop SUSE-specific /usr/etc = /etc equivalency * Allow irqbalance execute shell if irqbalance_run_unconfined is on * Allow openvswitch ioctl vduse devices * Label /dev/vduse/control and /dev/vduse/NAME devices * Allow virtstoraged the sys_rawio capability * Allow virtqemud read insights-core state files * Allow virtnodedev create mdevctl config dirs * Allow virtqemud additional permissions on scsi generic chr files * Allow local login execute gnome keyring daemon * Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470) * Allow virtqemud send a generic signal to passt * Allow svirt-tcg read init state * Allow irqbalance execute shell if irqbalance_run_unconfined is on * Label /run/opendkim with dkim_milter_data_t * Allow sa-update status systemd services * Introduce new cluster_service_transition_to_unconfined_user boolean (bsc#1244495) * Allow updpwd logging send audit messages * Temporary dontaudit iio-sensor-proxy sys_admin. 
* Allow iio-sensor-proxy sendto to journald over a unix datagram socket * Revert "Allow iio-sensor-proxy sendto to journald over a unix datagram socket" * virt: allow QEMU use of the qgs daemon for attestation * qgs: add contrib module for TDX "qgs" daemon * kernel: add interfaces for using SGX enclaves * Define file equivalency for /usr/etc * Allow mongod to receive pressure stall information * Dontaudit systemd_generator read sssd public files * Allow plymouthd read/write input event devices * Label 99-nvme-nbft-connect.sh with NetworkManager_dispatcher_nvme_script_t * Allow systemd-user-runtime-dir sendto to syslogd * Remove pcp module * Update irqbalance policy for using unconfined scripts * Allow utempter use terminal multiplexor * Allow virtqemud execute ovs-vsctl with a domain transition * Update the files_search_mnt() interface * Allow nmbd read network sysctls * Allow iio-sensor-proxy sendto to journald over a unix datagram socket * Allow logrotate stop all systemd services * systemd: rework systemd_manage_random_seed * Allow tuned-ppd connect to sssd over a unix stream socket * Drop config for /run/random-seed * Update file location for systemd random-seed file * Allow tomcat execute cracklib-check with a domain transition * Allow sssd watch lib dirs * Confine systemd-hibernate-resume * Allow login_userdomain create /run/tlog directory with user_tmp_t * Allow login_pgm read filesystem sysctls * Allow gconfd connect to system dbus * Allow NetworkManager manage NetworkManager_etc_rw_t symlinks - Syncing with upstream rawhide selinux-policy up to: * 23514206ea45e1d1d2f8a4c08288065c813fcc91 - Update embedded container-selinux version to commit: * 36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c (version 2.238.0) ------------------------------------------------------------------ ------------------ 2025-7-15 - Jul 15 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - add 
0001-cockpit-overview-support-SUSE_SUPPORT_PRODUCT-keys.patch - add 0002-cockpit-kdump-support-SLE-micro-6.2.patch - add 0003-branding-use-SUSE_SUPPORT_PRODUCT-and-SUSE_SUPPORT_P.patch to fix bsc#1241003 ++++ kernel-default: - dm-bufio: fix sched in atomic context (git-fixes). - commit ccc1d23 - Update patches.suse/nvme-pci-fix-queue-unquiesce-check-on-slot_reset.patch (git-fixes bsc#1240885). - commit 03e1767 - objtool: Fix error handling inconsistencies in check() (git-fixes). - commit ec79144 - x86/traps: Make exc_double_fault() consistently noreturn (git-fixes). - commit bf4b16f - objtool: Fix C jump table annotations for Clang (git-fixes). - commit 529d2a6 - objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns (git-fixes). - commit 7e1fde5 - perf: Fix sample vs do_exit() (bsc#1246547). - commit 073eb4d - drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951 CVE-2025-38187) - commit 9b6cd76 - nvme-multipath: fix suspicious RCU usage warning (git-fixes). - nvme-pci: refresh visible attrs after being checked (git-fixes). - nvmet: fix memory leak of bio integrity (git-fixes). - nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes). - nvme-tcp: fix I/O stalls on congested sockets (git-fixes). - commit 717d386 - tools: fix atomic_set() definition to set the value correctly (git-fixes). - Refresh patches.suse/mm-replace-vm_lock-and-detached-flag-with-a-reference-coun.patch. - commit a7fcdf3 - firewall: remove misplaced semicolon from stm32_firewall_get_firewall (git-fixes). - commit 2dc4084 - scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142). - scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125). 
- scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125). - commit db7c71a - sched_ext: fix application of sizeof to pointer (git-fixes). - commit 7226f76 - crypto: hkdf - skip TVs with unapproved salt lengths in FIPS mode (bsc#1241200 bsc#1246134). - commit 5472af3 - Update patches.suse/net-clear-the-dst-when-changing-skb-protocol.patch (bsc#1245954 CVE-2025-38192). Fix incorrect CVE reference. - commit 0f40511 - bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980 CVE-2025-38202). - commit ca2d088 - bpf, sockmap: Avoid using sk_socket after free when sending (bsc#1245749 CVE-2025-38154). - selftest/bpf/benchs: Add benchmark for sockmap usage (bsc#1245749 CVE-2025-38154). - bpf, sockmap: Fix panic when calling skb_linearize (bsc#1245749 CVE-2025-38154). - bpf, sockmap: fix duplicated data transmission (bsc#1245749 CVE-2025-38154). - bpf, sockmap: Fix data lost during EAGAIN retries (bsc#1245749 CVE-2025-38154). 
- commit b7122ae - btrfs: improve the warning and error message for btrfs_remove_qgroup() (bsc#1246357). - commit 01d925c ++++ kernel-firmware-bluetooth: - Update to version 20250714 (git commit ecdbd2b8af04): * linux-firmware: Update firmware file for Intel Solar core * linux-firmware: Update firmware file for Intel BlazarU core * linux-firmware: Update firmware file for Intel BlazarI core ++++ kernel-firmware-qcom: - Update to version 20250714 (git commit ecdbd2b8af04): * qcom: Update gpu firmwares of QCS615 chipset ++++ kernel-rt: - dm-bufio: fix sched in atomic context (git-fixes). - commit ccc1d23 - Update patches.suse/nvme-pci-fix-queue-unquiesce-check-on-slot_reset.patch (git-fixes bsc#1240885). - commit 03e1767 - objtool: Fix error handling inconsistencies in check() (git-fixes). - commit ec79144 - x86/traps: Make exc_double_fault() consistently noreturn (git-fixes). - commit bf4b16f - objtool: Fix C jump table annotations for Clang (git-fixes). - commit 529d2a6 - objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns (git-fixes). - commit 7e1fde5 - perf: Fix sample vs do_exit() (bsc#1246547). - commit 073eb4d - drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951 CVE-2025-38187) - commit 9b6cd76 - nvme-multipath: fix suspicious RCU usage warning (git-fixes). - nvme-pci: refresh visible attrs after being checked (git-fixes). - nvmet: fix memory leak of bio integrity (git-fixes). - nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes). - nvme-tcp: fix I/O stalls on congested sockets (git-fixes). - commit 717d386 - tools: fix atomic_set() definition to set the value correctly (git-fixes). - Refresh patches.suse/mm-replace-vm_lock-and-detached-flag-with-a-reference-coun.patch. - commit a7fcdf3 - firewall: remove misplaced semicolon from stm32_firewall_get_firewall (git-fixes). - commit 2dc4084 - scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260 bsc#1243100 bsc#1246125). 
- scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142). - scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125). - commit db7c71a - sched_ext: fix application of sizeof to pointer (git-fixes). - commit 7226f76 - crypto: hkdf - skip TVs with unapproved salt lengths in FIPS mode (bsc#1241200 bsc#1246134). - commit 5472af3 - Update patches.suse/net-clear-the-dst-when-changing-skb-protocol.patch (bsc#1245954 CVE-2025-38192). Fix incorrect CVE reference. - commit 0f40511 - bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980 CVE-2025-38202). - commit ca2d088 - bpf, sockmap: Avoid using sk_socket after free when sending (bsc#1245749 CVE-2025-38154). - selftest/bpf/benchs: Add benchmark for sockmap usage (bsc#1245749 CVE-2025-38154). 
- bpf, sockmap: Fix panic when calling skb_linearize (bsc#1245749 CVE-2025-38154).
- bpf, sockmap: fix duplicated data transmission (bsc#1245749 CVE-2025-38154).
- bpf, sockmap: Fix data lost during EAGAIN retries (bsc#1245749 CVE-2025-38154).
- commit b7122ae
- btrfs: improve the warning and error message for btrfs_remove_qgroup() (bsc#1246357).
- commit 01d925c

++++ polkit:

- CVE-2025-7519: Fixed that an XML policy file with a large number of nested elements may lead to out-of-bounds write (bsc#1246472)
  added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch

++++ systemd:

- systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551)
  The cleanup of the flags in /run/systemd/rpm was previously handled in the %pretrans/%posttrans sections of the systemd main package. However, this method was ineffective if systemd was not part of the transaction. The cleanup is now run in %transfiletriggerin instead.

++++ pam-config:

- Update to version 2.13+git.20250715:
  * Release version 2.13
  * Place himmelblau near the top of pam stack [bsc#1243418]

++++ psmisc:

- Add patch 0001-fuser-Fix-expandpath.patch
  * Is an upstream commit which fixes https://gitlab.com/psmisc/psmisc/-/issues/57 as well as bug boo#1242093

------------------------------------------------------------------
------------------ 2025-7-14 - Jul 14 2025 -------------------
------------------------------------------------------------------

++++ accountsservice:

- Update accountsservice-sysconfig.patch: Check whether sysconfig is used and fall back to display manager settings if sysconfig is not used (bsc#1246127).

++++ branding-SLE:

- Update square-hicolor.svg to adapt the GNOME light color style (bsc#1243104).
++++ cockpit:

- update check_cockpit_users to only check for systemd support in /etc/nsswitch.conf bsc#1246408

++++ curl:

- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
  * tool_getparam: fix --ftp-pasv [5f805ee]
  * Add curl-fix--ftp-pasv.patch

++++ hwinfo:

- merge gh#openSUSE/hwinfo#170
- Makefile: fix build for ARCH=i686
- 25.0
- merge gh#openSUSE/hwinfo#165
- Fix memory leaks in block device name handling
- merge gh#openSUSE/hwinfo#164
- feat: capture usb alternate setting
- feat: capture usb interface association
- feat: use interface association descriptor first when classifying usb devices
- USB improvements
- merge gh#openSUSE/hwinfo#169
- add nvmeof and iscsi info (jsc#PED-13261, jsc#PED-13209)

++++ texinfo:

- Add texinfo-perl-5.42.patch: Fix syntax to be unambiguous
  if (! $str eq '') is not really clear; is it (!$str) eq '' or !($str eq '')
  Perl 5.42 rightly flags this syntax with:
    Possible precedence problem between ! and string eq
  Assuming !($str eq '') was meant, we can rewrite this as $str ne '', which happens to also be used in multiple places already (sometimes just a few lines further down in the same files)

++++ kernel-default:

- scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes).
- scsi: sd: Fix VPD page 0xb7 length check (git-fixes).
- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes).
- scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes).
- scsi: megaraid_sas: Fix invalid node index (git-fixes).
- aoe: clean device rq_list in aoedev_downdev() (git-fixes).
- block: use plug request list tail for one-shot backmerge attempt (git-fixes).
- block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work (git-fixes).
- block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion (git-fixes).
- md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes).
- scsi: smartpqi: Add new PCI IDs (git-fixes).
- block: use q->elevator with ->elevator_lock held in elv_iosched_show() (git-fixes). - commit abdb18a - mm: fix uprobe pte be overwritten when expanding vma (CVE-2025-38207 bsc#1246004). - commit b1729e5 - ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212 bsc#1246029). - commit 78df593 - calipso: unlock rcu before returning -EAFNOSUPPORT (CVE-2025-38147 bsc#1245768). - calipso: Don't call calipso functions for AF_INET sk (CVE-2025-38147 bsc#1245768). - commit ddcefe6 - s390x config: set CONFIG_PCI_NR_FUNCTIONS=512 (bsc#1246470 LTC#214321) - commit 1465ef8 - x86/fred: Fix system hang during S4 resume with FRED enabled (bsc#1245084 CVE-2025-38047). - commit 622750a - hisi_acc_vfio_pci: bugfix live migration function without VF device driver (CVE-2025-38283 bsc#1246273). - configfs-tsm-report: Fix NULL dereference of tsm_ops (CVE-2025-38210 bsc#1246020). - commit fb63fb6 ++++ kernel-rt: - scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes). - scsi: sd: Fix VPD page 0xb7 length check (git-fixes). - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes). - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes). - scsi: megaraid_sas: Fix invalid node index (git-fixes). - aoe: clean device rq_list in aoedev_downdev() (git-fixes). - block: use plug request list tail for one-shot backmerge attempt (git-fixes). - block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work (git-fixes). - block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion (git-fixes). - md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes). - scsi: smartpqi: Add new PCI IDs (git-fixes). - block: use q->elevator with ->elevator_lock held in elv_iosched_show() (git-fixes). - commit abdb18a - mm: fix uprobe pte be overwritten when expanding vma (CVE-2025-38207 bsc#1246004). - commit b1729e5 - ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212 bsc#1246029). 
- commit 78df593 - calipso: unlock rcu before returning -EAFNOSUPPORT (CVE-2025-38147 bsc#1245768). - calipso: Don't call calipso functions for AF_INET sk (CVE-2025-38147 bsc#1245768). - commit ddcefe6 - s390x config: set CONFIG_PCI_NR_FUNCTIONS=512 (bsc#1246470 LTC#214321) - commit 1465ef8 - x86/fred: Fix system hang during S4 resume with FRED enabled (bsc#1245084 CVE-2025-38047). - commit 622750a - hisi_acc_vfio_pci: bugfix live migration function without VF device driver (CVE-2025-38283 bsc#1246273). - configfs-tsm-report: Fix NULL dereference of tsm_ops (CVE-2025-38210 bsc#1246020). - commit fb63fb6 ++++ gcc15: - Update to GCC 15 branch head, 15.1.1+git9973 - Fixes PR120995, unrecognizable insn UNSPEC_COMPARE_AND_SWAP with rv64gc_zabha_zacas ++++ libcontainers-common: - Remove subpackage libcontainers-sles-mounts and prevent auto mounting SUSEConnect credentials from host to container. SLE16 onwards, the idea is to expect users to explicitly mount secrets. (bsc#1246227) ++++ libzypp: - Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149) - Add regression test for bsc#1245220 and some other filesize related tests. - version 17.37.11 (35) ++++ python-requests: - Add revert-caching-default-sslcontext.patch upstream patch to avoid problems with certificate caching in sslcontext. bsc#1246104, gh#psf/requests#6767 ++++ rust-keylime: - Update vendored crates (bsc#1242623, CVE-2025-3416) * openssl 0.10.73 - Update to version 0.2.7+117: * Increase coverage in evidence handling structure * Add Capabilities Negotiations resp. 
missing fields * Fix UEFI test to check file access in all cases * context_info_handler: Do not assume /var/lib/keylime exists * Fix clippy warnings about uninlined format arguments * attestation: Allow unwrap() in tests * Increase coverage (groom code, extend unit tests) * Include IMA/UEFI logs in Evidence Handling request * Include method to get all IMA entries as string * Send correct list of pcr banks and sign algorithms * Try to fix TPM tests related issues * Define attestation perform asynchronous * Perform attestation in push model agent binary * Refactor code to use new attestation.rs * Create attestation.rs for Attestation stuff * Move ContextInfo management to its own handler * Adjust context_info.rs after rebase * Add attestation function to ContextInfo structure * Add prohibited signing algorithms, avoid ecschnorr * keylime/config: Use macro to implement PushModelConfigTrait * Introduce keylime-macros and define_view_trait * config: Remove KeylimeConfig structure * config: Remove unnecessary options and lazy initialization * Fix pcr_bank function to send all possible slots * Send Content-Type:application/json on request (#1039) * Send correct 'key_algorithm' in certification_keys (#1035) * Push Model: Persist Attestation Key to file * Add Keylime push model binary to root GNUmakefile * Use singleton to avoid multiple Context allocation * tests: Do not assume `/var/lib/keylime` exists (#1030) * lib/cert: Fix race condition due to use of same file path * payloads: Fix race condition in tests * Add uefi_log_handler.rs to parse UEFI binary * Use IMA log parser to send correct entry count * Add IMA log parser * build(deps): bump once_cell from 1.19.0 to 1.21.3 * lib/config/base.rs: Add more unit tests * lib/permissions: Add unit tests * keylime-agent: move JsonWrapper from common.rs to the library * lib/agent_data: Move agent_data related tests from common * common: Replace APIVersion with the library Version structure * keylime_agent: Move secure_mount.rs 
to the library * lib: Rename keylime_error.rs as error.rs * config: Move config to keylime library * config: Rename push_model_config to push_model * lib: Move permissions.rs from keylime-agent to the lib * Extract Capabilities Negotiation info from TPM (#1014) ------------------------------------------------------------------ ------------------ 2025-7-13 - Jul 13 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (git-fixes). - kasan: avoid sleepable page allocation from atomic context (git-fixes). - commit 3186bf7 ++++ kernel-rt: - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (git-fixes). - kasan: avoid sleepable page allocation from atomic context (git-fixes). - commit 3186bf7 ------------------------------------------------------------------ ------------------ 2025-7-12 - Jul 12 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - drm/imagination: Fix kernel crash when hard resetting the GPU (git-fixes). - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() (git-fixes). - drm/xe/bmg: fix compressed VRAM handling (git-fixes). - Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" (git-fixes). - drm/xe: Allocate PF queue size on pow2 boundary (git-fixes). - drm/xe/pf: Clear all LMTT pages on alloc (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes). 
- net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7921: prevent decap offload config before STA initialization (git-fixes). - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: mwifiex: discard erroneous disassoc frames on STA interface (git-fixes). - wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - commit 7d2f716 ++++ kernel-rt: - drm/imagination: Fix kernel crash when hard resetting the GPU (git-fixes). - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() (git-fixes). - drm/xe/bmg: fix compressed VRAM handling (git-fixes). - Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" (git-fixes). - drm/xe: Allocate PF queue size on pow2 boundary (git-fixes). - drm/xe/pf: Clear all LMTT pages on alloc (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes). - net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7921: prevent decap offload config before STA initialization (git-fixes). - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() (git-fixes). 
- wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: mwifiex: discard erroneous disassoc frames on STA interface (git-fixes). - wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - commit 7d2f716 ------------------------------------------------------------------ ------------------ 2025-7-11 - Jul 11 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - add a requirement on /usr/sbin/kdumptool for cockpit-kdump (bsc#1227402) - add libzypp-plugin-appdata dependency to cockpit-packagekit as this will generate the swcatalog which it depends on for calculating various cockpit packages ++++ gnutls: - Fix heap buffer overread when handling the CT SCT extension during X.509 certificate parsing [bsc#1246233, CVE-2025-32989] * Add patch gnutls-CVE-2025-32989.patch - Fix double-free due to incorrect ownership handling in the export logic of SAN entries containing an otherName [bsc#1246232, CVE-2025-32988] * Add patch gnutls-CVE-2025-32988.patch - Fix 1-byte heap buffer overflow when parsing templates with certtool [bsc#1246267, CVE-2025-32990] * Add patch gnutls-CVE-2025-32990.patch - Fix NULL pointer dereference when 2nd Client Hello omits PSK [bsc#1246299, CVE-2025-6395] * Add patch gnutls-CVE-2025-6395.patch ++++ grub2: - Enable loongarch64 build (bsc#1234248) ++++ kernel-default: - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - commit f532c0d - hisi_acc_vfio_pci: fix XQE dma address error (CVE-2025-38158 bsc#1245750). - commit d6de051 - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - Refresh patches.suse/platform-x86-think-lmi-Fix-kobject-cleanup.patch. - commit ed9e879 - ASoC: tas2764: Extend driver to SN012776 (stable-fixes). 
- Refresh patches.suse/ASoC-tas2764-Reinit-cache-on-part-reset.patch. - commit d98ebe4 - drm/xe/guc: Dead CT helper (stable-fixes). - Refresh patches.suse/drm-xe-Fix-early-wedge-on-GuC-load-failure.patch. - commit f279fcb - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: phy: smsc: Force predictable MDI-X state on LAN87xx (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - Bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - platform/x86: dell-wmi-sysman: Fix class device unregistration (git-fixes). - platform/x86: think-lmi: Fix class device unregistration (git-fixes). - platform/x86: hp-bioscfg: Fix class device unregistration (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). - Logitech C-270 even more broken (stable-fixes). - Input: xpad - support Acer NGR 200 Controller (stable-fixes). - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - drm/xe/guc: Explicitly exit CT safe mode on unwind (git-fixes). - drm/xe: move DPT l2 flush to a more sensible place (git-fixes). - drm/xe: Move DSB l2 flush to a more sensible place (git-fixes). - ACPICA: Refuse to evaluate a method if arguments are missing (stable-fixes). - mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - ASoC: amd: yc: update quirk data for HP Victus (stable-fixes). - ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - ALSA: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). - ALSA: sb: Don't allow changing the DMA mode during operations (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). 
- regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - ata: pata_cs5536: fix build on 32-bit UML (stable-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). - ACPI: thermal: Execute _SCP before reading trip points (git-fixes). - crypto: zynqmp-sha - Add locking (git-fixes). - crypto: iaa - Do not clobber req->base.data (git-fixes). - crypto: iaa - Remove dst_null support (stable-fixes). - spinlock: extend guard with spinlock_bh variants (stable-fixes). - ACPI: thermal: Fix stale comment regarding trip points (stable-fixes). - platform/x86: dell-sysman: Directly use firmware_attributes_class (stable-fixes). - platform/x86: hp-bioscfg: Directly use firmware_attributes_class (stable-fixes). - platform/x86: think-lmi: Directly use firmware_attributes_class (stable-fixes). - platform/x86: firmware_attributes_class: Simplify API (stable-fixes). - platform/x86: firmware_attributes_class: Move include linux/device/class.h (stable-fixes). - drm/xe: Allow bo mapping on multiple ggtts (stable-fixes). - drm/xe: add interface to request physical alignment for buffer objects (stable-fixes). - drm/xe: Fix DSB buffer coherency (stable-fixes). - drm/xe: Replace double space with single space after comma (stable-fixes). - commit 909dad5 - i40e: fix MMIO write access to an invalid page in i40e_clear_hw (CVE-2025-38200 bsc#1246045). - net: cadence: macb: Fix a possible deadlock in macb_halt_tx (CVE-2025-38094 bsc#1245649). - commit 13d7db9 - x86/process: Move the buffer clearing before MONITOR (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit 8266745 - x86/microcode/AMD: Add TSA microcode SHAs (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). 
- commit b20882f - KVM: SVM: Advertise TSA CPUID bits to guests (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit eae5894 - x86/cpu: Avoid running off the end of an AMD erratum table (git-fixes). - commit 1a01a37 - x86/cpu: Move AMD erratum 1386 table over to 'x86_cpu_id' (git-fixes). - commit 00956a9 - x86/cpu: Replace PEBS use of 'x86_cpu_desc' use with 'x86_cpu_id' (git-fixes). - commit a673ad4 - x86/cpu: Introduce new microcode matching helper (git-fixes). - commit e274dab - x86/bugs: Add a Transient Scheduler Attacks mitigation (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - Update config files. - commit 8a110dc - kabi: fix dm-fix-dm_blk_report_zones.patch (CVE-2025-38140 bsc#1245717). - commit 701faad - net: clear the dst when changing skb protocol (bsc#1245954 CVE-2024-49861). - commit b34915e ++++ kernel-rt: - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - commit f532c0d - hisi_acc_vfio_pci: fix XQE dma address error (CVE-2025-38158 bsc#1245750). - commit d6de051 - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - Refresh patches.suse/platform-x86-think-lmi-Fix-kobject-cleanup.patch. - commit ed9e879 - ASoC: tas2764: Extend driver to SN012776 (stable-fixes). - Refresh patches.suse/ASoC-tas2764-Reinit-cache-on-part-reset.patch. - commit d98ebe4 - drm/xe/guc: Dead CT helper (stable-fixes). - Refresh patches.suse/drm-xe-Fix-early-wedge-on-GuC-load-failure.patch. - commit f279fcb - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: phy: smsc: Force predictable MDI-X state on LAN87xx (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - Bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - platform/x86: dell-wmi-sysman: Fix class device unregistration (git-fixes). 
- platform/x86: think-lmi: Fix class device unregistration (git-fixes). - platform/x86: hp-bioscfg: Fix class device unregistration (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). - Logitech C-270 even more broken (stable-fixes). - Input: xpad - support Acer NGR 200 Controller (stable-fixes). - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - drm/xe/guc: Explicitly exit CT safe mode on unwind (git-fixes). - drm/xe: move DPT l2 flush to a more sensible place (git-fixes). - drm/xe: Move DSB l2 flush to a more sensible place (git-fixes). - ACPICA: Refuse to evaluate a method if arguments are missing (stable-fixes). - mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - ASoC: amd: yc: update quirk data for HP Victus (stable-fixes). - ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - ALSA: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). - ALSA: sb: Don't allow changing the DMA mode during operations (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). - regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - ata: pata_cs5536: fix build on 32-bit UML (stable-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). - ACPI: thermal: Execute _SCP before reading trip points (git-fixes). - crypto: zynqmp-sha - Add locking (git-fixes). - crypto: iaa - Do not clobber req->base.data (git-fixes). - crypto: iaa - Remove dst_null support (stable-fixes). - spinlock: extend guard with spinlock_bh variants (stable-fixes). 
- ACPI: thermal: Fix stale comment regarding trip points (stable-fixes). - platform/x86: dell-sysman: Directly use firmware_attributes_class (stable-fixes). - platform/x86: hp-bioscfg: Directly use firmware_attributes_class (stable-fixes). - platform/x86: think-lmi: Directly use firmware_attributes_class (stable-fixes). - platform/x86: firmware_attributes_class: Simplify API (stable-fixes). - platform/x86: firmware_attributes_class: Move include linux/device/class.h (stable-fixes). - drm/xe: Allow bo mapping on multiple ggtts (stable-fixes). - drm/xe: add interface to request physical alignment for buffer objects (stable-fixes). - drm/xe: Fix DSB buffer coherency (stable-fixes). - drm/xe: Replace double space with single space after comma (stable-fixes). - commit 909dad5 - i40e: fix MMIO write access to an invalid page in i40e_clear_hw (CVE-2025-38200 bsc#1246045). - net: cadence: macb: Fix a possible deadlock in macb_halt_tx (CVE-2025-38094 bsc#1245649). - commit 13d7db9 - x86/process: Move the buffer clearing before MONITOR (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit 8266745 - x86/microcode/AMD: Add TSA microcode SHAs (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit b20882f - KVM: SVM: Advertise TSA CPUID bits to guests (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit eae5894 - x86/cpu: Avoid running off the end of an AMD erratum table (git-fixes). - commit 1a01a37 - x86/cpu: Move AMD erratum 1386 table over to 'x86_cpu_id' (git-fixes). - commit 00956a9 - x86/cpu: Replace PEBS use of 'x86_cpu_desc' use with 'x86_cpu_id' (git-fixes). - commit a673ad4 - x86/cpu: Introduce new microcode matching helper (git-fixes). - commit e274dab - x86/bugs: Add a Transient Scheduler Attacks mitigation (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - Update config files. 
- commit 8a110dc - kabi: fix dm-fix-dm_blk_report_zones.patch (CVE-2025-38140 bsc#1245717). - commit 701faad - net: clear the dst when changing skb protocol (bsc#1245954 CVE-2024-49861). - commit b34915e ++++ llvm19: - Add reproducible.patch to make libomp.so reproducible (boo#1199076) - Replace usage of %jobs for reproducible builds (boo#1237231) ++++ at-spi2-core: - Add upstream fixes: + at-spi2-core-grab-memory-leak.patch + at-spi2-core-key-grabs.patch (glgo#GNOME/at-spi2-core!193) + at-spi2-core-plug-crash.patch (glgo#GNOME/at-spi2-core#198) ++++ procps: - Add patch procps-ng-4.0.5-bsc1246330.patch * Do not Fail in year 2038 (bsc#1246330) ++++ nvidia-open-driver-G06-signed: - update non-CUDA variant to 570.172.08 (boo#1246327) - supersedes * 0003-nv-dmabuf-Inline-dma_buf_attachment_is_dynamic.patch * 0004-nvidia-uvm-Disable-SVA-support-for-6.16.patch - update pci_ids-supported ++++ perl: - update to 5.42.0 * new pragma "source::encoding" * new ":writer" attribute on field variables * new "any" and "all" operators * lexical method declaration using "my method" * lexical method invocation operator "->&" * switch and Smart Match operator kept, behind a feature * unicode 16.0 supported * assigning logical xor "^^=" operator * many performance enhancements - drop perl-dirdup.diff (included upstream) ------------------------------------------------------------------ ------------------ 2025-7-10 - Jul 10 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Show reboot notification after updates in packagekit * Add 0009-packagekit-reboot-notification.patch ++++ kernel-default: - dm: limit swapping tables for devices with zone write plugs (CVE-2025-38140 bsc#1245717). - commit 8c8d49f - dm: fix dm_blk_report_zones (CVE-2025-38140 bsc#1245717). - commit 6d395b8 - dm-table: check BLK_FEAT_ATOMIC_WRITES inside limits_lock (git-fixes).
- commit d31c434 - coresight: prevent deactivate active config while enabling the config (CVE-2025-38131 bsc#1245677). - coresight: holding cscfg_csdev_lock while removing cscfg from csdev (CVE-2025-38132 bsc#1245679). - commit 4dcb9b9 - ACPI: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - commit 13b2592 - ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - ALSA: hda/tegra: Add Tegra264 support (stable-fixes). - commit df0e4a0 - ALSA: hda/realtek: Add quirk for ASUS ExpertBook B9403CVAR (stable-fixes). - ALSA: usb-audio: Improve filtering of sample rates on Focusrite devices (stable-fixes). - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - commit 3d097e2 - ALSA: hda/realtek: Enable headset Mic on Positivo K116J (stable-fixes). - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx (stable-fixes). - ALSA: hda/realtek: Add quirks for some Clevo laptops (stable-fixes). - ALSA: hda/realtek: Enable headset Mic on Positivo P15X (stable-fixes). - ALSA: hda/realtek: Add quirk for Asus GA605K (stable-fixes). - commit c130ef1 - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). 
- commit f2d1e17 ++++ kernel-firmware-amdgpu: - Update to version 20250708 (git commit 99d64b4f788c): * amdgpu: Add DCN 3.6 * amdgpu: Add PSP 14.0.5 * amdgpu: Add SDMA 6.1.3 * amdgpu: Add GC 11.5.3 ++++ kernel-firmware-i915: - Update to version 20250708 (git commit 99d64b4f788c): * xe: Add fan_control v203.0.0.0 for BMG ++++ kernel-firmware-mediatek: - Update to version 20250708 (git commit 99d64b4f788c): * mediatek MT7921: update bluetooth firmware to 20250625154126 ++++ kernel-firmware-qcom: - Update to version 20250708 (git commit 99d64b4f788c): * qcom/adreno: move A610 and A702 ZAP files to Adreno driver section * qcom: Add sdx61 Foxconn vendor firmware image file ++++ kernel-rt: - dm: limit swapping tables for devices with zone write plugs (CVE-2025-38140 bsc#1245717). - commit 8c8d49f - dm: fix dm_blk_report_zones (CVE-2025-38140 bsc#1245717). - commit 6d395b8 - dm-table: check BLK_FEAT_ATOMIC_WRITES inside limits_lock (git-fixes). - commit d31c434 - coresight: prevent deactivate active config while enabling the config (CVE-2025-38131 bsc#1245677). - coresight: holding cscfg_csdev_lock while removing cscfg from csdev (CVE-2025-38132 bsc#1245679). - commit 4dcb9b9 - ACPI: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - commit 13b2592 - ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - ALSA: hda/tegra: Add Tegra264 support (stable-fixes). - commit df0e4a0 - ALSA: hda/realtek: Add quirk for ASUS ExpertBook B9403CVAR (stable-fixes). - ALSA: usb-audio: Improve filtering of sample rates on Focusrite devices (stable-fixes). - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - commit 3d097e2 - ALSA: hda/realtek: Enable headset Mic on Positivo K116J (stable-fixes). - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx (stable-fixes). - ALSA: hda/realtek: Add quirks for some Clevo laptops (stable-fixes). - ALSA: hda/realtek: Enable headset Mic on Positivo P15X (stable-fixes). 
- ALSA: hda/realtek: Add quirk for Asus GA605K (stable-fixes). - commit c130ef1 - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). - commit f2d1e17 ++++ python313-core: - Fix gil/nogil package description, bsc#1246229 ++++ python313: - Fix gil/nogil package description, bsc#1246229 ++++ systemd-presets-common-SUSE: - Add cockpit.socket to improve user experience as it is replacing YaST (jsc#PED-13228) ++++ ucode-amd: - Update to version 20250708 (git commit 99d64b4f788c): * linux-firmware: Update AMD cpu microcode ------------------------------------------------------------------ ------------------ 2025-7-9 - Jul 9 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Explicitly set uefi as default firmware (bsc#1245145) ++++ docker: - Update to Docker 28.3.2-ce. See upstream changelog online at ++++ python-kiwi: - Bump version: 10.2.26 → 10.2.27 ++++ transactional-update: - Version 5.0.6 - Fix missing x-initrd.mount in fstab on migration [boo#1246139] When migrating overlayfs based /etc to btrfs subvolumes, then the attribute was not set - this may result in failures from services operating on /etc during initrd phase such as SELinux relabelling - Optimize execution time of tests ++++ kdump: - upgrade to version 2.1.1 * check for reserved memory on load for better error reporting * update man page * set KDUMP_CPUS to 1 on XEN (bsc#1244289) * load.sh clean up * use eval for PRESCRIPT, POSTSCRIPT and TRANSFER * sftp: fix key-based authentication * fix and improve calibrate build - update calibrate values ++++ kernel-default: - kabi: restore encap_sk in struct xfrm_state (CVE-2025-38097 bsc#1245660). - espintcp: remove encap socket caching to avoid reference leak (CVE-2025-38097 bsc#1245660). 
- commit 063ca35 - net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (CVE-2025-38183 bsc#1246006). - commit 39da23e - net_sched: sch_sfq: fix a potential crash on gso_skb handling (CVE-2025-38115 bsc#1245689). - commit 9e19da0 - ALSA: usb-audio: Kill timer properly at removal (CVE-2025-38105 bsc#1245682). - commit 79e6efd - exfat: fix double free in delayed_free (bsc#1246073 CVE-2025-38206). - commit ad15d15 - pwm: mediatek: Ensure to disable clocks in error path (git-fixes). - pwm: Fix invalid state detection (git-fixes). - ASoC: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - ASoC: fsl_sai: Force a software reset when starting in consumer mode (git-fixes). - ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH (git-fixes). - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() (git-fixes). - commit 04c53e4 ++++ kernel-rt: - kabi: restore encap_sk in struct xfrm_state (CVE-2025-38097 bsc#1245660). - espintcp: remove encap socket caching to avoid reference leak (CVE-2025-38097 bsc#1245660). - commit 063ca35 - net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (CVE-2025-38183 bsc#1246006). - commit 39da23e - net_sched: sch_sfq: fix a potential crash on gso_skb handling (CVE-2025-38115 bsc#1245689). - commit 9e19da0 - ALSA: usb-audio: Kill timer properly at removal (CVE-2025-38105 bsc#1245682). - commit 79e6efd - exfat: fix double free in delayed_free (bsc#1246073 CVE-2025-38206). - commit ad15d15 - pwm: mediatek: Ensure to disable clocks in error path (git-fixes). - pwm: Fix invalid state detection (git-fixes). - ASoC: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - ASoC: fsl_sai: Force a software reset when starting in consumer mode (git-fixes). 
- ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH (git-fixes). - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() (git-fixes). - commit 04c53e4 ++++ gcc15: - Prune the use of update-alternatives from openSUSE Factory and SLFO. - Adjust crosses to conflict consistently where they did not already and make them use unsuffixed binaries. ------------------------------------------------------------------ ------------------ 2025-7-8 - Jul 8 2025 ------------------- ------------------------------------------------------------------ ++++ dracut: - Update to version 059+suse.690.g496a1409: * fix(rngd): adjust license to match the license of the whole project * fix(dracut): kernel module name normalization in drivers lists (bsc#1241680) * fix(dracut-init): assign real path to srcmods (bsc#1241114) ++++ python-kiwi: - Fix regression in get_partition_node_name backwards compat for lsblk before 2.38 if START column not supported, fall back to default sort - Add global option --setenv Allow to set environment variables in the caller environment via the commandline, e.g --setenv SOURCE_DATE_EPOCH=42 - Seed filesystem UUIDs with SOURCE_DATE_EPOCH For reproducible builds the calculation of the filesystem UUID should be persistent with each rebuild of the image. To achieve this the UUID is calculated using the SOURCE_DATE_EPOCH from the environment plus a char-number representation of the filesystem label name as random seed. In kiwi every filesystem is created with a label, thus only in case there is no SOURCE_DATE_EPOCH available we continue to create the UUID as random data. This Fixes #2761 - Add label attribute for section Allow to specify a filesystem label as part of a definition. So far the label was set by the name of the partition. With the new label attribute, a filesystem label different from the partition name can be set. 
This commit also updates/fixes the documentation in this regard. - Improve log message in SystemIdentifier Add some scope information such that we know where this log information originates from. ++++ grub2: - Backport upstream disk password retry (bsc#1245545) * 0001-disk-cryptodisk-Allow-user-to-retry-failed-passphras.patch ++++ jeos-firstboot: - Update to version 1.5.8: * Update files/usr/share/jeos-firstboot/jeos-firstboot-functions * Use SUSE_PRETTY_NAME as product name to display if it exists (bsc#1245364) * Use xterm-256color on WSL based hosts boo#1237756 ++++ kernel-default: - dm-raid: fix variable in journal device check (git-fixes). - commit 03404b3 - dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes). - commit bbecd6f - dm-mirror: fix a tiny race condition (git-fixes). - commit 0d4f8fc - dm vdo indexer: don't read request structure after enqueuing (git-fixes). - commit 4cb65b5 - dm-table: Set BLK_FEAT_ATOMIC_WRITES for target queue limits (git-fixes). - commit 2396437 - dm-flakey: make corrupting read bios work (git-fixes). - commit b0152c6 - dm-flakey: error all IOs when num_features is absent (git-fixes). - commit fd9c57b - dm: lock limits when reading them (git-fixes). - commit 153ee47 - dm: handle failures in dm_table_set_restrictions (git-fixes). - commit 78fcb29 - dm: free table mempools if not used in __bind (git-fixes). - commit 5859b3f - dm: don't change md if dm_table_set_restrictions() fails (git-fixes). - commit 4bd9525 - virtgpu: don't reset on shutdown (git-fixes). - commit 901c686 - kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork() (git-fix for CVE-2025-22090 bsc#1241537). - commit 09cb3ff - netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (CVE-2025-38162 bsc#1245752). - commit 8282c3d - vhost-scsi: protect vq->log_used with vq->mutex (CVE-2025-38074 bsc#1244735). 
- commit 4cc2d93 - crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (CVE-2025-37984 bsc#1243669). - commit 743073a - virtio: break and reset virtio devices on device_shutdown() (CVE-2025-38064 bsc#1245201). - commit dec0ac7 ++++ kernel-rt: - dm-raid: fix variable in journal device check (git-fixes). - commit 03404b3 - dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes). - commit bbecd6f - dm-mirror: fix a tiny race condition (git-fixes). - commit 0d4f8fc - dm vdo indexer: don't read request structure after enqueuing (git-fixes). - commit 4cb65b5 - dm-table: Set BLK_FEAT_ATOMIC_WRITES for target queue limits (git-fixes). - commit 2396437 - dm-flakey: make corrupting read bios work (git-fixes). - commit b0152c6 - dm-flakey: error all IOs when num_features is absent (git-fixes). - commit fd9c57b - dm: lock limits when reading them (git-fixes). - commit 153ee47 - dm: handle failures in dm_table_set_restrictions (git-fixes). - commit 78fcb29 - dm: free table mempools if not used in __bind (git-fixes). - commit 5859b3f - dm: don't change md if dm_table_set_restrictions() fails (git-fixes). - commit 4bd9525 - virtgpu: don't reset on shutdown (git-fixes). - commit 901c686 - kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork() (git-fix for CVE-2025-22090 bsc#1241537). - commit 09cb3ff - netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (CVE-2025-38162 bsc#1245752). - commit 8282c3d - vhost-scsi: protect vq->log_used with vq->mutex (CVE-2025-38074 bsc#1244735). - commit 4cc2d93 - crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (CVE-2025-37984 bsc#1243669). - commit 743073a - virtio: break and reset virtio devices on device_shutdown() (CVE-2025-38064 bsc#1245201). 
- commit dec0ac7 ++++ samba: - Update to 4.22.3 * samba-tool cannot add user to group whose name is exactly 16 characters long; (bso#15854); * Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876); * Startup messages of rpc daemons fills /var/log/messages; (bso#15869); ++++ libvirt: - qemu: ARM: Change default SCSI controller model from 'lsilogic' to 'virtio-scsi' bsc#1240762 ++++ ovmf: - Backport the patch from edk2-stable202505 (jsc#PED-13202) - ovmf-UefiCpuPkg-MpInitLib-Fix-SNP-AP-creation.patch dca5d26bc57e UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known APIC IDs ++++ read-only-root-fs: - Update to version 1.0+git20250708.3eed5de: * writable-etc: Install findmnt instead of mountpoint * CI: Omit volatile-overlay from the initrd * Add basic CI * Only remount when [/sysroot]/etc is ro (bsc#1246021) ++++ systemd-rpm-macros: - Bump version to 26 ------------------------------------------------------------------ ------------------ 2025-7-7 - Jul 7 2025 ------------------- ------------------------------------------------------------------ ++++ container-selinux: - Update to version 2.239.0: * Allow containers to use hsa devices for ROCM ++++ python-kiwi: - Add rd.kiwi.install.devicepersistency Allow to specify which type of persistent device name should be used to build up the list of installation disk devices. For example rd.kiwi.install.devicepersistency=by-path would use the by-path representations for the available disk devices. The default (by-id) stays untouched. In case an invalid or not present device representation is selected, kiwi falls back to the non persistent unix node names. 
++++ hwinfo: - merge gh#openSUSE/hwinfo#167 - fix usb network card detection (bsc#1245950) - 24.1 ++++ kernel-default: - rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu (bsc#1234810 CVE-2024-53160) - commit cc08ae0 - NFSv4: Always set NLINK even if the server doesn't support it (git-fixes). 
- commit ab761d1 - NFSv4.2: fix listxattr to return selinux security label (git-fixes). - commit b10a707 - NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated (git-fixes). - commit 3f2e95e - NFSv4: xattr handlers should check for absent nfs filehandles (git-fixes). - commit 4564984 - sunrpc: don't immediately retransmit on seqno miss (git-fixes). - commit eaac877 - usb: typec: displayport: Fix potential deadlock (git-fixes). - commit bf24223 - iio: dac: ad3552r: changes to use FIELD_PREP (stable-fixes). - Refresh patches.suse/iio-dac-ad3552r-clear-reset-status-flag.patch. - commit 9805aa5 - accel/ivpu: Make command queue ID allocated on XArray (stable-fixes). - Refresh patches.suse/accel-ivpu-Fix-locking-order-in-ivpu_job_submit.patch. - commit f24456f - accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers (stable-fixes). - Refresh patches.suse/accel-ivpu-Use-xa_alloc_cyclic-instead-of-custom-fun.patch. - commit d5a180a - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). - wifi: mac80211: finish link init before RCU publish (git-fixes). - Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - spi: spi-cadence-quadspi: Fix pm runtime unbalance (git-fixes). - drm/xe: Fix early wedge on GuC load failure (git-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences (stable-fixes). - drm/amd/display: Check dce_hwseq before dereferencing it (stable-fixes). - drm/amdgpu: Add kicker device detection (stable-fixes). - drm/amd/display: Fix RMCM programming seq errors (stable-fixes). - drm/amd/display: Fix mpv playback corruption on weston (stable-fixes). - drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL (stable-fixes). - ASoC: rt1320: fix speaker noise when volume bar is 100% (stable-fixes). 
- ASoC: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - ALSA: hda: Ignore unsol events for cards being shut down (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: gadget: f_hid: wake up readers on disable/unbind (stable-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices (stable-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() (stable-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - drm/amd/display: Correct non-OLED pre_T11_delay (stable-fixes). - amd/amdkfd: fix a kfd_process ref leak (stable-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - drm/amdgpu: seq64 memory unmap uses uninterruptible lock (stable-fixes). - Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" (stable-fixes). - dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes). - dmaengine: xilinx_dma: Set dma_device directions (stable-fixes). - PCI: imx6: Add workaround for errata ERR051624 (stable-fixes). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). 
- PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (stable-fixes). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - wifi: mac80211: Create separate links for VLAN interfaces (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - drm/xe: Fix taking invalid lock on wedge (stable-fixes). - ASoC: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation (stable-fixes). - drm/amdkfd: Fix instruction hazard in gfx12 trap handler (stable-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - drm/amdkfd: remove gfx 12 trap handler page size cap (stable-fixes). - accel/ivpu: Remove copy engine support (stable-fixes). - net: phy: realtek: add RTL8125D-internal PHY (stable-fixes). - net: phy: realtek: merge the drivers for internal NBase-T PHY's (stable-fixes). - commit 3355077 ++++ kernel-firmware-bluetooth: - Update to version 20250707 (git commit ba5e4e381494): * Revert "linux-firmware: Update firmware file for Intel Pulsar core" ++++ kernel-firmware-i915: - Update to version 20250707 (git commit ba5e4e381494): * xe: First HuC release for Pantherlake * xe: First GuC release for Pantherlake ++++ kernel-firmware-mediatek: - Update to version 20250707 (git commit ba5e4e381494): * linux-firmware: update firmware for MT7921 WiFi device ++++ kernel-firmware-qcom: - Update to version 20250707 (git commit ba5e4e381494): * qcom/adreno: sort entries in WHENCE ++++ kernel-rt: - rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu (bsc#1234810 CVE-2024-53160) - commit cc08ae0 - NFSv4: Always set NLINK even if the server doesn't support it (git-fixes). 
- commit ab761d1 - NFSv4.2: fix listxattr to return selinux security label (git-fixes). - commit b10a707 - NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated (git-fixes). - commit 3f2e95e - NFSv4: xattr handlers should check for absent nfs filehandles (git-fixes). - commit 4564984 - sunrpc: don't immediately retransmit on seqno miss (git-fixes). - commit eaac877 - usb: typec: displayport: Fix potential deadlock (git-fixes). - commit bf24223 - iio: dac: ad3552r: changes to use FIELD_PREP (stable-fixes). - Refresh patches.suse/iio-dac-ad3552r-clear-reset-status-flag.patch. - commit 9805aa5 - accel/ivpu: Make command queue ID allocated on XArray (stable-fixes). - Refresh patches.suse/accel-ivpu-Fix-locking-order-in-ivpu_job_submit.patch. - commit f24456f - accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers (stable-fixes). - Refresh patches.suse/accel-ivpu-Use-xa_alloc_cyclic-instead-of-custom-fun.patch. - commit d5a180a - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). - wifi: mac80211: finish link init before RCU publish (git-fixes). - Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - spi: spi-cadence-quadspi: Fix pm runtime unbalance (git-fixes). - drm/xe: Fix early wedge on GuC load failure (git-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences (stable-fixes). - drm/amd/display: Check dce_hwseq before dereferencing it (stable-fixes). - drm/amdgpu: Add kicker device detection (stable-fixes). - drm/amd/display: Fix RMCM programming seq errors (stable-fixes). - drm/amd/display: Fix mpv playback corruption on weston (stable-fixes). - drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL (stable-fixes). - ASoC: rt1320: fix speaker noise when volume bar is 100% (stable-fixes). 
- ASoC: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - ALSA: hda: Ignore unsol events for cards being shut down (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: gadget: f_hid: wake up readers on disable/unbind (stable-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices (stable-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() (stable-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - drm/amd/display: Correct non-OLED pre_T11_delay (stable-fixes). - amd/amdkfd: fix a kfd_process ref leak (stable-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - drm/amdgpu: seq64 memory unmap uses uninterruptible lock (stable-fixes). - Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" (stable-fixes). - dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes). - dmaengine: xilinx_dma: Set dma_device directions (stable-fixes). - PCI: imx6: Add workaround for errata ERR051624 (stable-fixes). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). 
- PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (stable-fixes). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - wifi: mac80211: Create separate links for VLAN interfaces (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - drm/xe: Fix taking invalid lock on wedge (stable-fixes). - ASoC: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation (stable-fixes). - drm/amdkfd: Fix instruction hazard in gfx12 trap handler (stable-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - drm/amdkfd: remove gfx 12 trap handler page size cap (stable-fixes). - accel/ivpu: Remove copy engine support (stable-fixes). - net: phy: realtek: add RTL8125D-internal PHY (stable-fixes). - net: phy: realtek: merge the drivers for internal NBase-T PHY's (stable-fixes). - commit 3355077 ++++ libsolv: - add support for product-obsoletes() provides in the product autopackage generation code - bump version to 0.7.34 ++++ libzypp: - BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486) Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an Obsoletes: product:oldproductname < oldproductversion into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: Provides: product-obsoletes(oldproductname) < oldproductversion in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. 
- version 17.37.10 (35) ++++ nvidia-open-driver-G06-signed: - empty pci_ids-570.169; PCI ID hardware Supplements get moved to gfx repository to package nvidia-open-driver-G06-signed-kmp-meta (boo#1246010) - remove 60-nvidia-$flavor.conf, since driver no longer gets autoselected without gfx/cuda repositories present and so we no longer need to disable it by default (boo#1246010) ++++ systemd-rpm-macros: - Introduce %udev_trigger_with_reload() for packages that need to trigger events in their scriptlets. The new macro automatically triggers a reload of the udev rule files as this step is often overlooked by packages (bsc#1237143). ------------------------------------------------------------------ ------------------ 2025-7-6 - Jul 6 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - i2c/designware: Fix an initialization issue (git-fixes). - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - firmware: arm_ffa: Fix memory leak by freeing notifier callback node (git-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). 
- xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - usb: dwc3: gadget: Fix TRB reclaim logic for short transfers and ZLPs (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). - Revert "usb: xhci: Implement xhci_handshake_check_state() helper" (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" (git-fixes). - usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: dwc3: Abort suspend on soft disconnect failure (git-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). - Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt() (git-fixes). - Input: iqs7222 - explicitly define number of external channels (git-fixes). - Input: xpad - adjust error handling for disconnect (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). - drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/v3d: Disable interrupts before resetting the GPU (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). - drm/bridge: aux-hpd-bridge: fix assignment of the of_node (git-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - drm/amdkfd: Don't call mmput from MMU notifier callback (git-fixes). 
- commit 58c4f95 ++++ kernel-rt: - i2c/designware: Fix an initialization issue (git-fixes). - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - firmware: arm_ffa: Fix memory leak by freeing notifier callback node (git-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - usb: dwc3: gadget: Fix TRB reclaim logic for short transfers and ZLPs (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). - Revert "usb: xhci: Implement xhci_handshake_check_state() helper" (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" (git-fixes). - usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: dwc3: Abort suspend on soft disconnect failure (git-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). 
- Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt() (git-fixes). - Input: iqs7222 - explicitly define number of external channels (git-fixes). - Input: xpad - adjust error handling for disconnect (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). - drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/v3d: Disable interrupts before resetting the GPU (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). - drm/bridge: aux-hpd-bridge: fix assignment of the of_node (git-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - drm/amdkfd: Don't call mmput from MMU notifier callback (git-fixes). 
- commit 58c4f95 ------------------------------------------------------------------ ------------------ 2025-7-4 - Jul 4 2025 ------------------- ------------------------------------------------------------------ ++++ Mesa: - U_0001-svga-add-svga_resource_create_with_modifiers-functio.patch U_0002-svga-fix-printing-64-bit-value-for-32-bit-build.patch * fixes Wayland session when using SP7 as vmware guest (bsc#1245034) ++++ Mesa-drivers: - U_0001-svga-add-svga_resource_create_with_modifiers-functio.patch U_0002-svga-fix-printing-64-bit-value-for-32-bit-build.patch * fixes Wayland session when using SP7 as vmware guest (bsc#1245034) ++++ python-kiwi: - Update test-image-disk Add NetworkManager for better remote debugging capabilities ++++ transactional-update: - Version 5.0.5 - Add support for kdump 2.1.0 [bsc#1243758] - Integrate test to support `make check` ++++ kernel-default: - smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051 bsc#1244750). - commit f65fc44 - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166). - commit e4048e5 - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). - Bluetooth: HCI: Set extended advertising data synchronously (git-fixes). - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - Bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - Bluetooth: hci_sync: revert some mesh modifications (git-fixes). - Bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - commit a505fc6 - gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add (bsc#1243993 bsc#1245617). - writeback: fix false warning in inode_to_wb() (bsc#1243993 bsc#1245617). - gfs2: replace sd_aspace with sd_inode (bsc#1243993 bsc#1245617). 
- commit 9761d03 ++++ kernel-rt: - smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051 bsc#1244750). - commit f65fc44 - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166). - commit e4048e5 - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). - Bluetooth: HCI: Set extended advertising data synchronously (git-fixes). - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - Bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - Bluetooth: hci_sync: revert some mesh modifications (git-fixes). - Bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - commit a505fc6 - gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add (bsc#1243993 bsc#1245617). - writeback: fix false warning in inode_to_wb() (bsc#1243993 bsc#1245617). - gfs2: replace sd_aspace with sd_inode (bsc#1243993 bsc#1245617). - commit 9761d03 ++++ systemd: - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. ++++ libzypp: - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - version 17.37.9 (35) ++++ salt: - Add `minion_legacy_req_warnings` option to avoid noisy warnings - Require M2Crypto >= 0.44.0 for SUSE Family distros - Added: * add-minion_legacy_req_warnings-option-to-avoid-noisy.patch ++++ ovmf: - Revert the following change due to security concerns and potential underlying issues. 
- Enables UEFI Shell support for guests on X64 and AARCH64 platforms (bsc#1244266) - Build Shell.efi independently - Add ovmf-ShellPkg-Add-post-script-for-Shell-installation.patch - Install Shell.efi to EFI boot partition (/boot/efi/EFI/opensuse/ or /boot/efi/EFI/sles/) - Register Shell.efi as a boot entry ++++ zypper: - sh: Reset solver options after command (bsc#1245496) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - version 1.14.92 ------------------------------------------------------------------ ------------------ 2025-7-3 - Jul 3 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to Docker 28.3.1-ce. See upstream changelog online at ++++ kernel-default: - dma-mapping: Fix warning reported for missing prototype (git-fixes). - dma/mapping.c: dev_dbg support for dma_addressing_limited (git-fixes). - commit 0c85d2b - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245644). - commit 6883c36 - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245643). - commit 0f86722 - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - commit d887598 - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - commit cebbc14 - mtk-sd: reset host->mrq on prepare_data() error (git-fixes). - commit 9cc3c5f - Revert "mmc: sdhci: Disable SD card clock before changing parameters" (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). 
- commit 34daecf - RDMA/mlx5: Fix vport loopback for MPV device (git-fixes) - commit 2e17666 - RDMA/mlx5: Fix CC counters query for MPV (git-fixes) - commit 047aefd - RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes) - commit 385720a - IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - commit e26004c - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - commit da1aeda - RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling (git-fixes) - commit 877a2f1 - RDMA/mlx5: reduce stack usage in mlx5_ib_ufile_hw_cleanup (git-fixes) - commit 95b475f ++++ kernel-firmware-realtek: - Update to version 20250630 (git commit e2dad11e8d4b): * rtw89: 8922a: update fw to v0.35.80.0 * rtw89: 8852c: update fw to v0.27.129.1 * rtw89: 8852c: update fw to v0.27.128.0 ++++ kernel-rt: - dma-mapping: Fix warning reported for missing prototype (git-fixes). - dma/mapping.c: dev_dbg support for dma_addressing_limited (git-fixes). - commit 0c85d2b - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245644). - commit 6883c36 - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245643). - commit 0f86722 - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - commit d887598 - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - commit cebbc14 - mtk-sd: reset host->mrq on prepare_data() error (git-fixes). - commit 9cc3c5f - Revert "mmc: sdhci: Disable SD card clock before changing parameters" (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). 
- commit 34daecf - RDMA/mlx5: Fix vport loopback for MPV device (git-fixes) - commit 2e17666 - RDMA/mlx5: Fix CC counters query for MPV (git-fixes) - commit 047aefd - RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes) - commit 385720a - IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - commit e26004c - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - commit da1aeda - RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling (git-fixes) - commit 877a2f1 - RDMA/mlx5: reduce stack usage in mlx5_ib_ufile_hw_cleanup (git-fixes) - commit 95b475f ++++ ovmf: - Removed ovmf-Revert-OvmfPkg-PlatformInitLib-dynamic-mmio-window-s.patch because bsc#1205978 is fixed in qemu. Re-enabling the 'dynamic mmio window size' feature in ovmf can support big GPU passthrough to guest. (bsc#1245542) ------------------------------------------------------------------ ------------------ 2025-7-2 - Jul 2 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - btrfs: remove the subpage related warning message (bsc#1241492). - commit 0e19b2b - x86/sev: Add the Secure TSC feature for SNP guests (jsc#PED-12716). - commit 3ab97c0 - x86/sev: Mark the TSC in a secure TSC guest as reliable (jsc#PED-12716). - commit 643400d - Update config files (bsc#1245603). Enable rtl8139 driver on ppc64le. - commit 61b03fb - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245597). - commit 3235d4d - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245596). - commit 0eac12f - Update config files. 
Enabled the following config on x86_64 and arm64: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y (bsc#1243677, PED-12554, PED-6528) - commit 5d04048 ++++ kernel-default-base: - Add nvme support (bsc#1245533) ++++ kernel-rt: - btrfs: remove the subpage related warning message (bsc#1241492). 
- commit 0e19b2b - x86/sev: Add the Secure TSC feature for SNP guests (jsc#PED-12716). - commit 3ab97c0 - x86/sev: Mark the TSC in a secure TSC guest as reliable (jsc#PED-12716). - commit 643400d - Update config files (bsc#1245603). Enable rtl8139 driver on ppc64le. - commit 61b03fb - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245597). - commit 3235d4d - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245596). - commit 0eac12f - Update config files. Enabled the following config on x86_64 and arm64: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y (bsc#1243677, PED-12554, PED-6528) - commit 5d04048 ++++ gcc15: - Tune for power10 for SLES 16. [jsc#PED-12029] - Tune for z15 for SLES 16. [jsc#PED-253] ++++ python313-core: - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). - Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). ++++ libzypp: - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a "filesize exceeded" error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - version 17.37.8 (35) - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available the the beginning of the transaction. 
So explicitly selecting this mode also turns on the classic_rpmtrans backend. - Fix evaluation of libproxy results (bsc#1244710) - version 17.37.7 (35) ++++ python313: - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). - Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). ++++ ovmf: - Remove 60-ovmf-x86_64-sev.json descriptor (bsc#1245497) ++++ update-alternatives: - Update to version 1.22.21 The full changelog is very large. Please check it here: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.21 - Changes from 1.22.20: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.20 - Changes from 1.22.19: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.19 - Release 1.22.21 includes the fix upstream for CVE-2025-6297 / bsc#1245573. ------------------------------------------------------------------ ------------------ 2025-7-1 - Jul 1 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Make mbr-id deterministic Log the value of SDE so it is available to review, even if the build system does not tell about it. Update the tests to cover the new code-path. Co-Authored-By: Marcus Schäfer - Ensure dracut initrd is reproducible This helps a bit with issue #2358 Add reproducible flag for UKI too Update tests accordingly Co-Authored-By: Marcus Schäfer ++++ kernel-default: - kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). - xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). 
- commit 53ced4a - Update config files (jsc#PED-12554 jsc#PED-6996 bsc#1243677 ltc#213602 bsc#1243678 ltc#213596) CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y - commit b450a63 - net: tipc: fix refcount warning in tipc_aead_encrypt (CVE-2025-38052 bsc#1244749). - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CVE-2025-38052 bsc#1244749). - commit b3f2db2 - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (git-fixes). - commit 106066c - treewide: Convert new and leftover hrtimer_init() users (git-fixes). - commit a0cfc87 - net: vlan: don't propagate flags on open (CVE-2025-23163 bsc#1242837). - commit aa9c6ef - ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk (git-fixes). - commit b1c1e22 - blacklist.conf: 2 fixes to drivers we don't build - Delete patches.suse/watchdog-da9052_wdt-respect-TWDMIN.patch. - commit 493eda5 - rtc: pcf2127: add missing semicolon after statement (git-fixes). - rtc: pcf2127: fix SPI command byte for PCF2131 (git-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - commit 1050c51 ++++ kernel-rt: - kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). - xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). - commit 53ced4a - Update config files (jsc#PED-12554 jsc#PED-6996 bsc#1243677 ltc#213602 bsc#1243678 ltc#213596) CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y - commit b450a63 - net: tipc: fix refcount warning in tipc_aead_encrypt (CVE-2025-38052 bsc#1244749). - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CVE-2025-38052 bsc#1244749). - commit b3f2db2 - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (git-fixes). - commit 106066c - treewide: Convert new and leftover hrtimer_init() users (git-fixes). 
- commit a0cfc87 - net: vlan: don't propagate flags on open (CVE-2025-23163 bsc#1242837). - commit aa9c6ef - ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk (git-fixes). - commit b1c1e22 - blacklist.conf: 2 fixes to drivers we don't build - Delete patches.suse/watchdog-da9052_wdt-respect-TWDMIN.patch. - commit 493eda5 - rtc: pcf2127: add missing semicolon after statement (git-fixes). - rtc: pcf2127: fix SPI command byte for PCF2131 (git-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - commit 1050c51 ++++ python313-core: - Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155 ++++ systemd: - Import commit a0dfd5de4cdc3f97ef2ad23396904f3e20769317 (merge of v257.7) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/1e42ecf5a145589954df77da05937ee69619f3e5...a0dfd5de4cdc3f97ef2ad23396904f3e20769317 ++++ libvirt: - qemu: Use numa-preplace instead of numad for numa placement advice bsc#1242979, jsc#PED-12821 ++++ python313: - Use one core to build doc. This will make sphinx doc build reproducible. 
bsc#1243155 ++++ salt: - Prevent tests failures when pygit2 is not present - Several fixes for security issues (bsc#1244561, CVE-2024-38822) (bsc#1244564, CVE-2024-38823) (bsc#1244565, CVE-2024-38824) (bsc#1244566, CVE-2024-38825) (bsc#1244567, CVE-2025-22240) (bsc#1244568, CVE-2025-22236) (bsc#1244570, CVE-2025-22241) (bsc#1244571, CVE-2025-22237) (bsc#1244572, CVE-2025-22238) (bsc#1244574, CVE-2025-22239) (bsc#1244575, CVE-2025-22242) * Request server hardening * Prevent traversal in local_cache::save_minions * Add test and fix for file_recv cve * Fix traversal in gitfs find_file * Fix traversal in salt.utils.virt * Fix traversal in pub_ret * Reasonable failures when pillars timeout * Make send_req_async wait longer * Remove token to prevent decoding errors * Fix checking of non-url style git remotes * Allow subdirs in GitFS find_file check - Add subsystem filter to udev.exportdb (bsc#1236621) - tornado.httputil: raise errors instead of logging in multipart/form-data parsing (CVE-2025-47287, bsc#1243268) - Fix Ubuntu 24.04 edge-case test failures - Fix broken tests for Ubuntu 24.04 - Fix refresh of osrelease and related grains on Python 3.10+ - Make "salt" package to obsolete "python3-salt" package on SLE15SP7+ - Fix issue requiring proper Python flavor for dependencies and recommended package - Added: * fix-tests-issues-in-salt-shaker-environments-721.patch * several-fixes-for-security-issues.patch * add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch * fix-of-cve-2025-47287-bsc-1243268-718.patch * fix-ubuntu-24.04-specific-failures-716.patch * fix-debian-tests-715.patch * fix-refresh-of-osrelease-and-related-grains-on-pytho.patch ++++ supportutils: - Changes to version 3.2.11 + Collect rsyslog frule files (bsc#1244003, pr#257) + Remove proxy passwords (bsc#1244011, pr#257) + Missing NetworkManager information (bsc#1241284, pr#257) + Include agama logs (bsc#1244937, pr#256) + Additional NFS conf files (pr#253) + New fadump sysfs files (pr#252) + Fixed 
change log dates ------------------------------------------------------------------ ------------------ 2025-6-30 - Jun 30 2025 ------------------- ------------------------------------------------------------------ ++++ crypto-policies: - Allow openssl to load when using the DEFAULT policy, and also other policies, in FIPS mode. [bsc#1243830, bsc#1242233] * Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch ++++ curl: - Disable insecure NTLM authentication support [bsc#1245491, jsc#PED-12960] ++++ ignition: - ignition-suse-generator: Only use Ignition platform ID when the corresponding kernel modules are found [bsc#1234315] [boo#1230668] [gh#coreos/ignition#1984] ++++ kernel-default: - vhost-scsi: Fix vhost_scsi_send_status() (git-fixes). - commit 5eeec6a - Refresh patches.suse/virtio_net-ensure-netdev_tx_reset_queue-is-called-on.patch. - commit b3cad97 - Update config files. - commit 8ef851e - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455). - commit daecbe1 - kernel/watchdog: always restore watchdog_softlockup(,hardlockup)_user_enabled after proc show (bsc#1245522). Refresh patches.suse/watchdog-fix-watchdog-may-detect-false-positive-of-s.patch (bsc#1245523). - commit 789b353 - tools/power turbostat: Fix AMD package-energy reporting (git-fixes). - commit 053070b - vsock: avoid timeout during connect() if the socket is closing (git-fixes). - commit 7192292 - vhost-scsi: Return queue full for page alloc failures during copy (git-fixes). - commit 4420b10 - vhost-scsi: Add better resource allocation failure handling (git-fixes). - Refresh patches.suse/vhost-scsi-Fix-vhost_scsi_send_bad_target.patch. - commit 575b441 - kABI: update kABI symbols kABI exceptions were allowed for a couple of branches. Update kABI symbols after the merge. Since kABI symbols are being updated, remove current kABI workaround patches before the update. 
- commit 0c9b3ad - virtio_net: xsk: bind/unbind xsk for tx (git-fixes). - Update patches.suse/virtio-net-free-xsk_buffs-on-error-in-virtnet_xsk_po.patch (git-fixes). - Refresh patches.suse/virtio_net-ensure-netdev_tx_reset_queue-is-called-on.patch. - commit 0050a39 - KVM: VMX: Flush shadow VMCS on emergency reboot (git-fixes). - commit dec589f - KVM: x86/mmu: Use kvm_x86_call() instead of manual static_call() (git-fixes). - commit bfaf83d - KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs (git-fixes). - commit e71b652 - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - commit 8f58b75 - NFSD: Implement FATTR4_CLONE_BLKSIZE attribute (git-fixes). - commit 4f434fe - overflow: Introduce __DEFINE_FLEX for having no initializer (git-fixes). - commit 99c412c - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - commit d974da9 - NFSD: fix race between nfsd registration and exports_proc (git-fixes). - commit 7c3e6b5 - netlink: specs: tc: replace underscores with dashes in names (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - netlink: specs: nfsd: replace underscores with dashes in names (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - ice: fix eswitch code memory leak in reset scenario (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: ethtool: remove duplicate defines for family info (git-fixes). - bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/mlx5: HWS, make sure the uplink is the last destination (git-fixes). - net/mlx5: HWS, fix missing ip_version handling in definer (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). 
- net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - e1000: Move cancel_work_sync to avoid deadlock (git-fixes). - iavf: fix reset_task for early reset event (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - iavf: iavf_suspend(): take RTNL before netdev_lock() (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - idpf: avoid mailbox timeout delays during reset (git-fixes). - idpf: fix a race in txq wakeup (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback (git-fixes). - octeontx2-pf: QOS: Perform cache sync on send queue teardown (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5: HWS, Fix matcher action template attach (git-fixes). - overflow: Fix direct struct member initialization in _DEFINE_FLEX() (git-fixes). - idpf: fix idpf_vport_splitq_napi_poll() (git-fixes). - idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053 bsc#1244746). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - commit af82899 - x86/xen: disable CPU idle and frequency drivers for PVH dom0 (git-fixes). - commit 1d99be7 - xen: Change xen-acpi-processor dom0 dependency (git-fixes). 
- commit 70cda63 - xen/pci: Do not register devices with segments >= 0x10000 (git-fixes). - commit 1940a47 - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - commit 6e1a750 - xen: Add support for XenServer 6.1 platform device (git-fixes). - commit 7dd2df0 - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - commit 4ff5446 - Grab mm lock before grabbing pt lock (git-fixes). - commit 26a77ff - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: core: restore of_node information in sysfs (git-fixes). - commit 3895da7 - RDMA/hns: initialize db in update_srq_db() (git-fixes) - commit 980c53d ++++ kernel-firmware-amdgpu: - Update to version 20250627 (git commit f40eafe21683): * amdgpu: DMCUB updates for DCN401 ++++ kernel-firmware-bnx2: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-chelsio: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-media: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts * qcom: update firmware binary for SM8550 ++++ kernel-firmware-network: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-platform: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: expand the advansys license statement * WHENCE: some older AMD drivers are MIT licensed ++++ kernel-firmware-radeon: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: some older AMD drivers are MIT licensed ++++ kernel-firmware-serial: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-sound: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-rt: - vhost-scsi: Fix vhost_scsi_send_status() 
(git-fixes). - commit 5eeec6a - Refresh patches.suse/virtio_net-ensure-netdev_tx_reset_queue-is-called-on.patch. - commit b3cad97 - Update config files. - commit 8ef851e - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455). - commit daecbe1 - kernel/watchdog: always restore watchdog_softlockup(,hardlockup)_user_enabled after proc show (bsc#1245522). Refresh patches.suse/watchdog-fix-watchdog-may-detect-false-positive-of-s.patch (bsc#1245523). - commit 789b353 - tools/power turbostat: Fix AMD package-energy reporting (git-fixes). - commit 053070b - vsock: avoid timeout during connect() if the socket is closing (git-fixes). - commit 7192292 - vhost-scsi: Return queue full for page alloc failures during copy (git-fixes). - commit 4420b10 - vhost-scsi: Add better resource allocation failure handling (git-fixes). - Refresh patches.suse/vhost-scsi-Fix-vhost_scsi_send_bad_target.patch. - commit 575b441 - kABI: update kABI symbols kABI exceptions were allowed for a couple of branches. Update kABI symbols after the merge. Since kABI symbols are being updated, remove current kABI workaround patches before the update. - commit 0c9b3ad - virtio_net: xsk: bind/unbind xsk for tx (git-fixes). - Update patches.suse/virtio-net-free-xsk_buffs-on-error-in-virtnet_xsk_po.patch (git-fixes). - Refresh patches.suse/virtio_net-ensure-netdev_tx_reset_queue-is-called-on.patch. - commit 0050a39 - KVM: VMX: Flush shadow VMCS on emergency reboot (git-fixes). - commit dec589f - KVM: x86/mmu: Use kvm_x86_call() instead of manual static_call() (git-fixes). - commit bfaf83d - KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs (git-fixes). - commit e71b652 - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - commit 8f58b75 - NFSD: Implement FATTR4_CLONE_BLKSIZE attribute (git-fixes). 
- commit 4f434fe - overflow: Introduce __DEFINE_FLEX for having no initializer (git-fixes). - commit 99c412c - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - commit d974da9 - NFSD: fix race between nfsd registration and exports_proc (git-fixes). - commit 7c3e6b5 - netlink: specs: tc: replace underscores with dashes in names (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - netlink: specs: nfsd: replace underscores with dashes in names (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - ice: fix eswitch code memory leak in reset scenario (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: ethtool: remove duplicate defines for family info (git-fixes). - bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/mlx5: HWS, make sure the uplink is the last destination (git-fixes). - net/mlx5: HWS, fix missing ip_version handling in definer (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - e1000: Move cancel_work_sync to avoid deadlock (git-fixes). - iavf: fix reset_task for early reset event (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - iavf: iavf_suspend(): take RTNL before netdev_lock() (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - idpf: avoid mailbox timeout delays during reset (git-fixes). - idpf: fix a race in txq wakeup (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). 
- ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback (git-fixes). - octeontx2-pf: QOS: Perform cache sync on send queue teardown (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5: HWS, Fix matcher action template attach (git-fixes). - overflow: Fix direct struct member initialization in _DEFINE_FLEX() (git-fixes). - idpf: fix idpf_vport_splitq_napi_poll() (git-fixes). - idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053 bsc#1244746). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - commit af82899 - x86/xen: disable CPU idle and frequency drivers for PVH dom0 (git-fixes). - commit 1d99be7 - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - commit 70cda63 - xen/pci: Do not register devices with segments >= 0x10000 (git-fixes). - commit 1940a47 - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - commit 6e1a750 - xen: Add support for XenServer 6.1 platform device (git-fixes). - commit 7dd2df0 - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - commit 4ff5446 - Grab mm lock before grabbing pt lock (git-fixes). - commit 26a77ff - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: core: restore of_node information in sysfs (git-fixes). 
- commit 3895da7 - RDMA/hns: initialize db in update_srq_db() (git-fixes) - commit 980c53d ++++ numactl: - Update to version 2.0.19.14.g690a72c: * numastat command fails on LPAR which is not having node0 Patch is now upstream: https://github.com/numactl/numactl/pull/246 D 4abeee1aac20a7a2552870e0359b8df013ae9037.patch Patches are wrong or not needed anymore: https://github.com/numactl/numactl/pull/246 D 0001-Fixed-segfault-when-no-node-could-be-found-in-sysfs-.patch D numactl-clearcache-pie.patch ++++ sudo: - Update to 1.9.17p1 * Fix a possible local privilege escalation via the --host option [bsc#1245274, CVE-2025-32462] * Fix a possible local privilege escalation via chroot option [bsc#1245275, CVE-2025-32463] - Update to 1.9.17 * Sudo now uses the NODEV macro consistently. Bug #1074. Fixed a bug where the ALL command in a sudoers rule would override a previous NOSETENV tag. Command tags are inherited from previous Cmnds in a Cmnd_Spec_List. There is a special case for the SETENV tag with the ALL command, where SETENV is implied if no explicit SETENV or NOSETENV tag is specified. This special case did not take into account that a NOSETENV tag that was inherited should override this behavior. * If sudo is run via ssh without a terminal and a password is required, it now suggests using ssh’s -t option. * Fixed the display of timeout values in the sudo -V output on systems without a C99-compliant snprintf() function. * Quieted a number of minor Coverity warnings. * Fixed a problem running sudo from a serial console on Linux when the command is run in a pseudo-terminal (the default). * Fixed a crash in sudo which could occur if there was a fatal error after the user was validated but before the command was actually run. * Fixed a number of man page style warnings. The “lint” make target in the docs directory will now run groff with warnings enabled if it is available. Bug #1075. * The ignore_dot sudoers setting is now on by default. 
There is now a --disable-ignore-dot configure option to disable it. The --with-ignore-dot configure option has been deprecated. * Fixed a problem with the pwfeedback option where an initial backspace would reduce the maximum length allowed for the password. GitHub issue #439. * Fixed minor grammar and spelling problems in the man pages. * Fixed a bug where a user could avoid entering a password for sudo -l command if they specified their own user or group name via the -u or -g options. * Avoid potential password guessing based on timing attacks on the strcmp() function on systems without PAM or a crypt() function where plaintext passwords are stored in the shadow password file. * Fixed a potential information leak where sudo -l command could be used to determine whether an executable exists in a directory that they do not have search access to. * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. A long time ago sudo changed from using TCSAFLUSH to TCSADRAIN due to some systems having bugs related to TCSAFLUSH. That should no longer be a concern. Using TCSAFLUSH ensures that password input that has been received by the kernel, but not yet read by sudo, will be discarded and not echoed. * Added the SUDO_TTY environment variable if the user has a terminal. This can be used to find the user’s original tty device when sudo runs the command in its own pseudo-terminal. GitHub issue #447. * New Cantonese translation for sudo. ++++ toolbox: - Update to version 2.4+git20250630.5e08e45: * Forbid --user if running as root ------------------------------------------------------------------ ------------------ 2025-6-29 - Jun 29 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - wifi: rtw88: usb: Upload the firmware in bigger chunks (stable-fixes). - commit 1df8f6c - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). 
- wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7925: introduce thermal protection (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: rtw89: 8922a: fix TX fail with wrong VCO setting (stable-fixes). - wifi: iwlwifi: mvm: fix beacon CCK flag (stable-fixes). - wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: ath12k: using msdu end descriptor to check for rx multicast packets (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - commit b75f8f8 - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - PCI: Add ACS quirk for Loongson PCIe (stable-fixes). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). 
- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - power: supply: max17040: adjust thermal channel scaling (stable-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - platform-msi: Add msi_remove_device_irq_domain() in platform_device_msi_free_irqs_all() (stable-fixes). - wifi: rtw89: phy: add dummy C2H event handler for report of TAS power (stable-fixes). - commit 132d8d6 - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - hid-asus: check ROG Ally MCU version and warn (stable-fixes). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - Make 'cc-option' work correctly for the -Wno-xyzzy pattern (stable-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - commit 1379ece - drm/xe/gt: Update handling of xe_force_wake_get return (stable-fixes). - Refresh patches.suse/drm-xe-Fix-GT-for-each-engine-workarounds.patch. - commit b01435e - drm/xe: Process deferred GGTT node removals on device unwind (git-fixes). 
- drm/xe/display: Add check for alloc_ordered_workqueue() (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/amd: Adjust output for discovery error handling (git-fixes). - drm/xe/bmg: Update Wa_16023588340 (git-fixes). - drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` (stable-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - drm/amdgpu: read back register after written for VCN v4.0.5 (stable-fixes). - drm/xe: Wire up device shutdown handler (stable-fixes). - commit 425e83a - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: hda/realtek: Add quirk for Asus GU605C (stable-fixes). - ALSA: hda/realtek - Add mute LED support for HP Victus 16-s1xxx and HP Victus 15-fa1xxx (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3584 for MT7922 (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3630 for MT7925 (stable-fixes). - ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ACPICA: Apply pack(1) to union aml_resource (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). 
- ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: intel/sdw_utils: Assign initial value in asoc_sdw_rt_amp_spk_rtd_init() (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - commit 36941d3 ++++ kernel-rt: - wifi: rtw88: usb: Upload the firmware in bigger chunks (stable-fixes). - commit 1df8f6c - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7925: introduce thermal protection (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: rtw89: 8922a: fix TX fail with wrong VCO setting (stable-fixes). - wifi: iwlwifi: mvm: fix beacon CCK flag (stable-fixes). - wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: ath12k: using msdu end descriptor to check for rx multicast packets (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). 
- commit b75f8f8 - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - PCI: Add ACS quirk for Loongson PCIe (stable-fixes). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - power: supply: max17040: adjust thermal channel scaling (stable-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - platform-msi: Add msi_remove_device_irq_domain() in platform_device_msi_free_irqs_all() (stable-fixes). - wifi: rtw89: phy: add dummy C2H event handler for report of TAS power (stable-fixes). - commit 132d8d6 - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - hid-asus: check ROG Ally MCU version and warn (stable-fixes). 
- mmc: Add quirk to disable DDR50 tuning (stable-fixes). - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - Make 'cc-option' work correctly for the -Wno-xyzzy pattern (stable-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - commit 1379ece - drm/xe/gt: Update handling of xe_force_wake_get return (stable-fixes). - Refresh patches.suse/drm-xe-Fix-GT-for-each-engine-workarounds.patch. - commit b01435e - drm/xe: Process deferred GGTT node removals on device unwind (git-fixes). - drm/xe/display: Add check for alloc_ordered_workqueue() (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/amd: Adjust output for discovery error handling (git-fixes). - drm/xe/bmg: Update Wa_16023588340 (git-fixes). - drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` (stable-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - drm/amdgpu: read back register after written for VCN v4.0.5 (stable-fixes). - drm/xe: Wire up device shutdown handler (stable-fixes). - commit 425e83a - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: hda/realtek: Add quirk for Asus GU605C (stable-fixes). - ALSA: hda/realtek - Add mute LED support for HP Victus 16-s1xxx and HP Victus 15-fa1xxx (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3584 for MT7922 (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3630 for MT7925 (stable-fixes). 
- ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ACPICA: Apply pack(1) to union aml_resource (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: intel/sdw_utils: Assign initial value in asoc_sdw_rt_amp_spk_rtd_init() (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - commit 36941d3 ++++ at-spi2-core: - Update to version 2.56.3: + DeviceEventController: update mouse coordinates before sending button events + atspi-device-legacy: Don't crash when XkbGetMap fails + Return localized role name for ATSPI_ROLE_EDITBAR ------------------------------------------------------------------ ------------------ 2025-6-28 - Jun 28 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - Revert "block/bdev: enable large folio support for large logical block" (bsc#1245444) This reverts commit 03e169f9e789f08bac7bdb238dbd9bd7cfd00142. - commit f46bdc5 ++++ kernel-rt: - Revert "block/bdev: enable large folio support for large logical block" (bsc#1245444) This reverts commit 03e169f9e789f08bac7bdb238dbd9bd7cfd00142. 
- commit f46bdc5 ------------------------------------------------------------------ ------------------ 2025-6-27 - Jun 27 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Bump version: 10.2.25 → 10.2.26 - Add kernel parameter support for dm-verity options Implement rd.kiwi.verity_options= parameter to allow runtime customization of veritysetup options Closes #2837 - Fix shim lookup for arm on SUSE Add missing search path for shim binary on arm based SUSE systems. Also update the tumbleweed/test-image-live-disk integration test for arm to build with secure boot enabled to actually test a secure boot enabled ISO build. This Fixes #2842 ++++ kernel-default: - Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch (stable-fixes CVE-2025-38078 bsc#1244737). - Update patches.suse/ASoC-SOF-Intel-hda-Fix-UAF-when-reloading-module.patch (git-fixes CVE-2025-38056 bsc#1244748). - Update patches.suse/HID-bpf-abort-dispatch-if-device-destroyed.patch (git-fixes CVE-2025-38016 bsc#1244745). - Update patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch (git-fixes CVE-2025-38007 bsc#1244938). - Update patches.suse/KVM-arm64-Fix-uninitialized-memcache-pointer-in-user.patch (git-fixes CVE-2025-37996 bsc#1243828). - Update patches.suse/PCI-endpoint-pci-epf-test-Fix-double-free-that-cause.patch (stable-fixes CVE-2025-38069 bsc#1245246). - Update patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch (git-fixes CVE-2025-38022 bsc#1245003). - Update patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch (git-fixes CVE-2025-38024 bsc#1245025). - Update patches.suse/block-fix-race-between-set_blocksize-and-read-paths.patch (git-fixes CVE-2025-38073 bsc#1244741). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch (bsc#1243342 CVE-2025-38059 bsc#1244759). 
- Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch (bsc#1236208 CVE-2025-21658). - Update patches.suse/btrfs-zoned-fix-extent-range-end-unlock-in-cow_file_.patch (bsc#1239514 CVE-2025-21942 bsc#1240704). - Update patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch (git-fixes CVE-2025-38004 bsc#1244274). - Update patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch (git-fixes CVE-2025-38003 bsc#1244275). - Update patches.suse/can-m_can-m_can_class_allocate_dev-initialize-spin-l.patch (git-fixes CVE-2025-37993 bsc#1243822). - Update patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch (git-fixes CVE-2025-38079 bsc#1245217). - Update patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch (stable-fixes CVE-2025-38068 bsc#1245210). - Update patches.suse/dm-cache-prevent-BUG_ON-by-blocking-retries-on-faile.patch (git-fixes CVE-2025-38066 bsc#1244909). - Update patches.suse/dm-fix-unconditional-IO-throttle-caused-by-REQ_PREFL.patch (git-fixes CVE-2025-38063 bsc#1245202). - Update patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch (git-fixes CVE-2025-38014 bsc#1244732). - Update patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch (git-fixes CVE-2025-38015 bsc#1244789). - Update patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch (git-fixes CVE-2025-38005 bsc#1244727). - Update patches.suse/drm-amd-display-Fix-invalid-context-error-in-dml-hel.patch (git-fixes CVE-2025-37965 bsc#1244174). - Update patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch (stable-fixes CVE-2025-38080 bsc#1244738). - Update patches.suse/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch (stable-fixes CVE-2025-38011 bsc#1244729). - Update patches.suse/espintcp-fix-skb-leaks.patch (git-fixes CVE-2025-38057 bsc#1244862). 
- Update patches.suse/ext4-avoid-journaling-sb-update-on-error-if-journal-is-des.patch (bsc#1241967 CVE-2025-22113 bsc#1241617). - Update patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch (bsc#1242556 CVE-2025-22120 bsc#1241592). - Update patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch (stable-fixes CVE-2025-38043 bsc#1245081). - Update patches.suse/fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch (git-fixes CVE-2025-37999 bsc#1243846). - Update patches.suse/gpio-virtuser-fix-potential-out-of-bound-write.patch (stable-fixes CVE-2025-38082 bsc#1244740). - Update patches.suse/md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch (git-fixes CVE-20255-22126 bsc#1241597 CVE-2025-22126). - Update patches.suse/media-cx231xx-set-device_caps-for-417.patch (stable-fixes CVE-2025-38044 bsc#1245082). - Update patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch (git-fixes CVE-2025-38020 bsc#1245001). - Update patches.suse/net-pktgen-fix-access-outside-of-user-given-buffer-i.patch (git-fixes CVE-2025-38061 bsc#1245440). - Update patches.suse/net-tls-fix-kernel-panic-when-alloc_page-failed.patch (git-fixes CVE-2025-38018 bsc#1244999). - Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch (git-fixes CVE-2025-38083 bsc#1245183). - Update patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch (git-fixes CVE-2025-38023 bsc#1245004). - Update patches.suse/nvmet-tcp-don-t-restore-null-sk_state_change.patch (git-fixes CVE-2025-38035 bsc#1244801). - Update patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch (git-fixes CVE-2025-38031 bsc#1245046). - Update patches.suse/perf-x86-intel-Fix-segfault-with-PEBS-via-PT-with-sample_f.patch (git-fixes CVE-2025-38055 bsc#1244747). - Update patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch (git-fixes CVE-2025-38010 bsc#1244996). 
- Update patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch (git-fixes CVE-2025-38077 bsc#1244736). - Update patches.suse/ptp-ocp-Limit-signal-freq-counts-in-summary-output-f.patch (git-fixes CVE-2025-38054 bsc#1244752). - Update patches.suse/regulator-max20086-fix-invalid-memory-access.patch (git-fixes CVE-2025-38027 bsc#1245042). - Update patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch (git fixes (sched/numa) CVE-2024-56613 bsc#1244176). - Update patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch (git-fixes CVE-2025-38040 bsc#1245078). - Update patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch (stable-fixes CVE-2025-38081 bsc#1244739). - Update patches.suse/staging-bcm2835-camera-Initialise-dev-in-v4l2_dev.patch (git-fixes CVE-2025-37971 bsc#1244173). - Update patches.suse/tracing-Have-process_string-also-allow-arrays.patch (git-fixes CVE-2024-57930 bsc#1236194). - Update patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-37994 bsc#1243823). - Update patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch (git-fixes CVE-2025-37973 bsc#1244172). - Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch (stable-fixes CVE-2025-38045 bsc#1245083). - Update patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch (git-fixes CVE-2025-38013 bsc#1244731). - Update patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch (git-fixes CVE-2025-38009 bsc#1244995). - Update patches.suse/x86-microcode-AMD-Fix-__apply_microcode_amd-s-return-value.patch (git-fixes CVE-2025-22047 bsc#1241437). - commit db15093 - cpufreq/ondemand: Set io_is_busy to 1 by default on all platforms (bsc#1233975). - commit e5c69ac - Delete patches.suse/cpufreq-amd-pstate-Default-to-powersave-governor-whe.patch (jsc#PED-13111). - commit e2263cb - HID: wacom: fix crash in wacom_aes_battery_handler() (git-fixes). 
- HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - commit ea1fa22 ++++ kernel-rt: - Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch (stable-fixes CVE-2025-38078 bsc#1244737). - Update patches.suse/ASoC-SOF-Intel-hda-Fix-UAF-when-reloading-module.patch (git-fixes CVE-2025-38056 bsc#1244748). - Update patches.suse/HID-bpf-abort-dispatch-if-device-destroyed.patch (git-fixes CVE-2025-38016 bsc#1244745). - Update patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch (git-fixes CVE-2025-38007 bsc#1244938). - Update patches.suse/KVM-arm64-Fix-uninitialized-memcache-pointer-in-user.patch (git-fixes CVE-2025-37996 bsc#1243828). - Update patches.suse/PCI-endpoint-pci-epf-test-Fix-double-free-that-cause.patch (stable-fixes CVE-2025-38069 bsc#1245246). - Update patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch (git-fixes CVE-2025-38022 bsc#1245003). - Update patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch (git-fixes CVE-2025-38024 bsc#1245025). - Update patches.suse/block-fix-race-between-set_blocksize-and-read-paths.patch (git-fixes CVE-2025-38073 bsc#1244741). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch (bsc#1243342 CVE-2025-38059 bsc#1244759). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch (bsc#1236208 CVE-2025-21658). - Update patches.suse/btrfs-zoned-fix-extent-range-end-unlock-in-cow_file_.patch (bsc#1239514 CVE-2025-21942 bsc#1240704). - Update patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch (git-fixes CVE-2025-38004 bsc#1244274). 
- Update patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch (git-fixes CVE-2025-38003 bsc#1244275). - Update patches.suse/can-m_can-m_can_class_allocate_dev-initialize-spin-l.patch (git-fixes CVE-2025-37993 bsc#1243822). - Update patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch (git-fixes CVE-2025-38079 bsc#1245217). - Update patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch (stable-fixes CVE-2025-38068 bsc#1245210). - Update patches.suse/dm-cache-prevent-BUG_ON-by-blocking-retries-on-faile.patch (git-fixes CVE-2025-38066 bsc#1244909). - Update patches.suse/dm-fix-unconditional-IO-throttle-caused-by-REQ_PREFL.patch (git-fixes CVE-2025-38063 bsc#1245202). - Update patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch (git-fixes CVE-2025-38014 bsc#1244732). - Update patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch (git-fixes CVE-2025-38015 bsc#1244789). - Update patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch (git-fixes CVE-2025-38005 bsc#1244727). - Update patches.suse/drm-amd-display-Fix-invalid-context-error-in-dml-hel.patch (git-fixes CVE-2025-37965 bsc#1244174). - Update patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch (stable-fixes CVE-2025-38080 bsc#1244738). - Update patches.suse/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch (stable-fixes CVE-2025-38011 bsc#1244729). - Update patches.suse/espintcp-fix-skb-leaks.patch (git-fixes CVE-2025-38057 bsc#1244862). - Update patches.suse/ext4-avoid-journaling-sb-update-on-error-if-journal-is-des.patch (bsc#1241967 CVE-2025-22113 bsc#1241617). - Update patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch (bsc#1242556 CVE-2025-22120 bsc#1241592). - Update patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch (stable-fixes CVE-2025-38043 bsc#1245081). 
- Update patches.suse/fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch (git-fixes CVE-2025-37999 bsc#1243846). - Update patches.suse/gpio-virtuser-fix-potential-out-of-bound-write.patch (stable-fixes CVE-2025-38082 bsc#1244740). - Update patches.suse/md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch (git-fixes CVE-20255-22126 bsc#1241597 CVE-2025-22126). - Update patches.suse/media-cx231xx-set-device_caps-for-417.patch (stable-fixes CVE-2025-38044 bsc#1245082). - Update patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch (git-fixes CVE-2025-38020 bsc#1245001). - Update patches.suse/net-pktgen-fix-access-outside-of-user-given-buffer-i.patch (git-fixes CVE-2025-38061 bsc#1245440). - Update patches.suse/net-tls-fix-kernel-panic-when-alloc_page-failed.patch (git-fixes CVE-2025-38018 bsc#1244999). - Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch (git-fixes CVE-2025-38083 bsc#1245183). - Update patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch (git-fixes CVE-2025-38023 bsc#1245004). - Update patches.suse/nvmet-tcp-don-t-restore-null-sk_state_change.patch (git-fixes CVE-2025-38035 bsc#1244801). - Update patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch (git-fixes CVE-2025-38031 bsc#1245046). - Update patches.suse/perf-x86-intel-Fix-segfault-with-PEBS-via-PT-with-sample_f.patch (git-fixes CVE-2025-38055 bsc#1244747). - Update patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch (git-fixes CVE-2025-38010 bsc#1244996). - Update patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch (git-fixes CVE-2025-38077 bsc#1244736). - Update patches.suse/ptp-ocp-Limit-signal-freq-counts-in-summary-output-f.patch (git-fixes CVE-2025-38054 bsc#1244752). - Update patches.suse/regulator-max20086-fix-invalid-memory-access.patch (git-fixes CVE-2025-38027 bsc#1245042). 
- Update patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch (git fixes (sched/numa) CVE-2024-56613 bsc#1244176). - Update patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch (git-fixes CVE-2025-38040 bsc#1245078). - Update patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch (stable-fixes CVE-2025-38081 bsc#1244739). - Update patches.suse/staging-bcm2835-camera-Initialise-dev-in-v4l2_dev.patch (git-fixes CVE-2025-37971 bsc#1244173). - Update patches.suse/tracing-Have-process_string-also-allow-arrays.patch (git-fixes CVE-2024-57930 bsc#1236194). - Update patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-37994 bsc#1243823). - Update patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch (git-fixes CVE-2025-37973 bsc#1244172). - Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch (stable-fixes CVE-2025-38045 bsc#1245083). - Update patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch (git-fixes CVE-2025-38013 bsc#1244731). - Update patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch (git-fixes CVE-2025-38009 bsc#1244995). - Update patches.suse/x86-microcode-AMD-Fix-__apply_microcode_amd-s-return-value.patch (git-fixes CVE-2025-22047 bsc#1241437). - commit db15093 - cpufreq/ondemand: Set io_is_busy to 1 by default on all platforms (bsc#1233975). - commit e5c69ac - Delete patches.suse/cpufreq-amd-pstate-Default-to-powersave-governor-whe.patch (jsc#PED-13111). - commit e2263cb - HID: wacom: fix crash in wacom_aes_battery_handler() (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). 
- commit ea1fa22 ++++ pango: - Update to version 1.56.4: + fontconfig: - Improve the add_font_file implementation - Combine font features and style variants - Make sure font faces stay alive + win32: - Drop some caching - Make sure font faces stay alive - Modernize and simplify the code - Stop synthesizing fonts - Implement list models + coretext: Support synthetic small caps + layout: Avoid assertions in line breaking + build: Require GLib 2.82 ++++ libxml2: - security update - added patches CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS) CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS) + libxml2-CVE-2025-49794,49796.patch CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS) + libxml2-CVE-2025-49795.patch - security update - added patches CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash + libxml2-CVE-2025-6170,6021.patch ++++ libxml2-python: - security update - added patches CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS) CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS) + libxml2-CVE-2025-49794,49796.patch CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS) + libxml2-CVE-2025-49795.patch - security update - added patches CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash + libxml2-CVE-2025-6170,6021.patch ++++ ovmf: - Enables UEFI Shell support for virtual machines on X64 and AARCH64 platforms (bsc#1244266) - Build Shell.efi and install it to /usr/share/ovmf/ - Add ovmf-ShellPkg-Add-post-script-for-Shell-installation.patch - Add post-install and post-uninstall scripts in /usr/share/ovmf/ 
- Install Shell.efi to the EFI boot partition (/boot/efi/EFI/opensuse/ or /boot/efi/EFI/sles/) - Register Shell.efi as a UEFI boot entry ++++ selinux-policy: - Update to version 20250627+git0.1805634d: * Set /srv/www = /var/www as equivalent file context (bsc#1239177) * Add a smoke test to the gitlab-ci * Add a default PR template * allow openvpn to attach to wicked owned tun interfaces (bsc#1243291) * allow wicked to connect to networkmanager and manage pid files for it (bsc#1243291) * allow wicked to transition to openvswitch domain (bsc#1243291) * allow wicked to start systemd services (bsc#1243291) * allow wicked to control firewalld services (bsc1243291) * allow wicked interaction with tmpfs files and creation of sysfs files (bsc#1243291) * introduce fs_dontaudit_exec_tmpfs_files interface * Trigger the gitlab-ci tests only for merge requests to factory * Move 'logging_mounton_syslog_pid_socket' to end of file * Revert "Allow init_t create syslog files (bsc#1230134)" * Allow mdadm nosuid_transition * Label plasma user service files as xdm_unit_file_t. * Revert "Allow systemd-homed to start services." * Allow virtstoraged write qemu runtime files * Allow virtqemud read/write/setattr input event devices * Allow systemd create journal pid files * Allow networkmanager send a general signal to iptables * Allow syslogd watch syslog_conf_t directories * Revert downstream fix for bsc#1199630 due to regression (bsc#1243242) * Allow systemd-machined work with its private tmp and tmpfs files * Allow geoclue read virt lib files * Fix files_dontaudit_delete_all_files() * Label /run/polkit-1 with policykit_var_run_t * Label /dev/diag as diagnostic_device_t * Allow systemd-homed to start services.
* Allow named_t to read NetworkManager's runtime files * Improve README* documentation * Add missing permissions for ftpd_anon_write to manage NFS directories * Add missing permissions for ftpd_anon_write to manage CIFS directories * Allow nut-upsmon write systemd inhibit pipes * Allow systemd-user-runtime-dir connect to systemd-userdbd over a unix socket * Remove permissive domain for systemd_vsftpd_generator_t * Change generator-specific rules to apply to systemd_generator * Define file equivalency for /var/etc * Allow tuned-ppd create ppd_base_profile with a file transition * Allow lldpd connect to systemd-homed over a unix socket * Allow sysadm_sudo_t signal rpm script * Fix the "/var/cache/systemd/home(/.*)?" regex * allow selinux_autorelabel_generator_t dac_read_search (bsc#1237511) * do not set sulogin_no_pam (bsc#1237511) - Replace internal slfo-main git branch with factory ------------------------------------------------------------------ ------------------ 2025-6-26 - Jun 26 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Patch cockpit-machines to ignore domain not found errors when domain is deleted (bsc#1236383) * added nic-domain-not-found.patch ++++ gpg2: - Security fix: [bsc#1236931, bsc#1239119, CVE-2025-30258] * gpg: Fix another regression due to the T7547 fix. * The fix for CVE-2025-30258 was introduced in 2.5.5 * Add gnupg-gpg-Fix-another-regression-due-to-the-T7547-fix.patch ++++ kernel-default: - mm/memory-tier: Fix abstract distance calculation overflow (bsc#1244051). - commit 3248628 - x86/xen: Fix __xen_hypercall_setfunc() (git-fixes). - commit 76c9b78 - x86: don't re-generate cpufeaturemasks.h so eagerly (git-fixes). - commit 1bde9b6 - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: prepare btrfs_page_mkwrite() for large folios (git-fixes). 
- commit e702032 - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - commit ecc292a - kabi/severities: ignore nf_flow_register_bpf() that depends on CONFIG_DEBUG_* (bsc#1245399) - commit f7994ea - x86/cpufeatures: Use AWK to generate {REQUIRED|DISABLED}_MASK_BIT_SET in (git-fixes). - Refresh patches.suse/kabi-reserve-cpuid-leaves.patch. - commit c797ea7 - x86/cpufeatures: Remove {disabled,required}-features.h (git-fixes). - Refresh patches.suse/kabi-reserve-cpuid-leaves.patch. - commit 7c1ff00 - x86/cpufeatures: Generate the header based on build config (git-fixes). - commit aa4d1af - x86/cpufeatures: Add {REQUIRED,DISABLED} feature configs (git-fixes). - commit 130db28 - x86/cpufeatures: Rename X86_CMPXCHG64 to X86_CX8 (git-fixes). - commit c39c8b4 - KVM: SVM: Add Idle HLT intercept support (jsc#PED-12577). - commit 9b4ced8 - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - commit 4553ae3 - x86/cpufeatures: Add CPUID feature bit for Idle HLT intercept (jsc#PED-12577). - commit c78722e - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - cgroup/cpuset: Don't allow creation of local partition over a remote one (bsc#1241166). - commit 0392529 - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - commit 1216762 - vmxnet3: update MTU after device quiesce (bsc#1244626). - commit d22f709 ++++ kernel-rt: - mm/memory-tier: Fix abstract distance calculation overflow (bsc#1244051). - commit 3248628 - x86/xen: Fix __xen_hypercall_setfunc() (git-fixes). - commit 76c9b78 - x86: don't re-generate cpufeaturemasks.h so eagerly (git-fixes). - commit 1bde9b6 - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: prepare btrfs_page_mkwrite() for large folios (git-fixes). - commit e702032 - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). 
- commit ecc292a - kabi/severities: ignore nf_flow_register_bpf() that depends on CONFIG_DEBUG_* (bsc#1245399) - commit f7994ea - x86/cpufeatures: Use AWK to generate {REQUIRED|DISABLED}_MASK_BIT_SET in (git-fixes). - Refresh patches.suse/kabi-reserve-cpuid-leaves.patch. - commit c797ea7 - x86/cpufeatures: Remove {disabled,required}-features.h (git-fixes). - Refresh patches.suse/kabi-reserve-cpuid-leaves.patch. - commit 7c1ff00 - x86/cpufeatures: Generate the header based on build config (git-fixes). - commit aa4d1af - x86/cpufeatures: Add {REQUIRED,DISABLED} feature configs (git-fixes). - commit 130db28 - x86/cpufeatures: Rename X86_CMPXCHG64 to X86_CX8 (git-fixes). - commit c39c8b4 - KVM: SVM: Add Idle HLT intercept support (jsc#PED-12577). - commit 9b4ced8 - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - commit 4553ae3 - x86/cpufeatures: Add CPUID feature bit for Idle HLT intercept (jsc#PED-12577). - commit c78722e - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - cgroup/cpuset: Don't allow creation of local partition over a remote one (bsc#1241166). - commit 0392529 - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - commit 1216762 - vmxnet3: update MTU after device quiesce (bsc#1244626). - commit d22f709 ++++ kmod: - Fix testsuite on Leap 16.0 (bsc#1240126) * Revert-build-check-for-__xstat-declarations.patch ++++ gcc15: - Update to GCC 15 branch head, 15.1.1+git9866 - Fix PR120827, ICE due to splitter emitting constant loads directly ++++ ovmf: - Add patch to make Ovmf builds reproducible in OvmfPkg and ArmVirtPkg (bsc#1244218) - Add ovmf-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch ------------------------------------------------------------------ ------------------ 2025-6-25 - Jun 25 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to Docker 28.3.0-ce. 
See upstream changelog online at bsc#1246556 - Rebase patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch ++++ python-kiwi: - Add container_import template test - Bump version: 10.2.24 → 10.2.25 - Fixed get_partition_node_name The function get_partition_node_name takes the disk device and the partition index as arguments to match against the respective device node for this partition index. The partition index is the position of the partition in the partition table according to their start offset. For the code to function properly it is required that the list of partitions provided by lsblk is ordered according to the start address of the partitions in the table. The way lsblk was called did not enforce this ordering. This commit enforces the order to be done against the start offset and fixes bsc#1245190 ++++ kernel-default: - btrfs: factor out nocow ordered extent and extent map generation into a helper (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: move ordered extent cleanup to where they are allocated (git-fixes). - btrfs: remove the unused locked_folio parameter from btrfs_cleanup_ordered_extents() (git-fixes). - btrfs: use unsigned types for constants defined as bit shifts (git-fixes). - Refresh patches.suse/0005-btrfs-do-proper-folio-cleanup-when-run_delalloc_noco.patch. - commit a1f80d1 - tracing: Fix compilation warning on arm32 (bsc#1243551). - commit 5ab4900 - cpufreq/amd-pstate: Add support for the "Requested CPU Min frequency" BIOS option (jsc#PED-13164). - cpufreq/amd-pstate: Add offline, online and suspend callbacks for amd_pstate_driver (jsc#PED-13164). 
- cpufreq/amd-pstate: Move max_perf limiting in amd_pstate_update (jsc#PED-13164). - commit c625c71 - cpufreq/amd-pstate: Enable ITMT support after initializing core rankings (jsc#PED-13164). - cpufreq/amd-pstate: Fix min_limit perf and freq updation for performance governor (jsc#PED-13164). - commit f84536f - cpufreq/amd-pstate: Set different default EPP policy for Epyc and Ryzen (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Default-to-powersave-governor-whe.patch. - commit f5fec72 - ata: ahci: Disallow LPM for Asus B550-F motherboard (git-fixes). - commit 50509e4 - ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard (git-fixes). - commit 1162257 - ata: ahci: Use correct BIOS build date for ThinkPad W541 quirk (git-fixes). - commit be1e349 - pidfs: ensure that PIDFS_INFO_EXIT is available (jsc#PED-13113). - blacklist.conf: Guard against unused prerequisite - commit 872e385 - exit: fix the usage of delay_group_leader->exit_code in do_notify_parent() and pidfs_exit() (jsc#PED-13113). - pidfs: improve multi-threaded exec and premature thread-group leader exit polling (jsc#PED-13113). - commit c5e2e6c - ata: Fix typos in the comment (git-fixes). - commit c056491 - cpufreq/amd-pstate: Drop actions in amd_pstate_epp_cpu_offline() (jsc#PED-13164). - cpufreq/amd-pstate: Stop caching EPP (jsc#PED-13164). - cpufreq/amd-pstate: Rework CPPC enabling (jsc#PED-13164). - cpufreq/amd-pstate: Drop debug statements for policy setting (jsc#PED-13164). - cpufreq/amd-pstate: Update cppc_req_cached for shared mem EPP writes (jsc#PED-13164). - cpufreq/amd-pstate: Move all EPP tracing into *_update_perf and *_set_epp functions (jsc#PED-13164). - cpufreq/amd-pstate: Cache CPPC request in shared mem case too (jsc#PED-13164). - cpufreq/amd-pstate: Replace all AMD_CPPC_* macros with masks (jsc#PED-13164). - cpufreq/amd-pstate-ut: Adjust variable scope (jsc#PED-13164). - cpufreq/amd-pstate-ut: Run on all of the correct CPUs (jsc#PED-13164). 
- cpufreq/amd-pstate-ut: Drop SUCCESS and FAIL enums (jsc#PED-13164). - cpufreq/amd-pstate-ut: Allow lowest nonlinear and lowest to be the same (jsc#PED-13164). - cpufreq/amd-pstate-ut: Use _free macro to free put policy (jsc#PED-13164). - cpufreq/amd-pstate: Drop `cppc_cap1_cached` (jsc#PED-13164). - cpufreq/amd-pstate: Overhaul locking (jsc#PED-13164). - cpufreq/amd-pstate: Move perf values into a union (jsc#PED-13164). - cpufreq/amd-pstate: Drop min and max cached frequencies (jsc#PED-13164). - cpufreq/amd-pstate: Show a warning when a CPU fails to setup (jsc#PED-13164). - cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend (jsc#PED-13164). - cpufreq/amd-pstate: Fix the clamping of perf values (jsc#PED-13164). - commit 0b848ba - bpf: abort verification if env->cur_state->loop_entry != NULL (CVE-2025-38060 bsc#1245155). - commit 3e1f9c9 - tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923 bsc#1243551). - commit 3a99a12 - cpufreq/amd-pstate: Remove the unncecessary driver_lock in amd_pstate_update_limits (jsc#PED-13164). - cpufreq/amd-pstate: Use scope based cleanup for cpufreq_policy refs (jsc#PED-13164). - cpufreq/amd-pstate: Remove the unnecessary cpufreq_update_policy call (jsc#PED-13164). - cpufreq/amd-pstate: Modularize perf<->freq conversion (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch. - cpufreq/amd-pstate: Convert all perf values to u8 (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch. - cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to amd_pstate_update (jsc#PED-13164). - cpufreq/amd-pstate: Remove the redundant des_perf clamping in adjust_perf (jsc#PED-13164). - cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf callback (jsc#PED-13164). - commit 21b14f2 - tracing: Fix use-after-free in print_graph_function_flags during tracer switching (CVE-2025-22035 bsc#1241544). 
- commit 49f381e - bpf: free verifier states when they are no longer referenced (CVE-2025-38060 bsc#1245155). - Refresh patches.suse/kABI-padding-for-bpf.patch. - commit 06e2482 - bpf: fix env->peak_states computation (CVE-2025-38060 bsc#1245155). - commit 53d5bd3 - bpf: use list_head to track explored states and free list (CVE-2025-38060 bsc#1245155). - bpf: do not update state->loop_entry in get_loop_entry() (CVE-2025-38060 bsc#1245155). - bpf: make state->dfs_depth < state->loop_entry->dfs_depth an invariant (CVE-2025-38060 bsc#1245155). - bpf: detect infinite loop in get_loop_entry() (CVE-2025-38060 bsc#1245155). - selftests/bpf: check states pruning for deeply nested iterator (CVE-2025-38060 bsc#1245155). - bpf: don't do clean_live_states when state->loop_entry->branches > 0 (CVE-2025-38060 bsc#1245155). - selftests/bpf: test correct loop_entry update in copy_verifier_state (CVE-2025-38060 bsc#1245155). - bpf: copy_verifier_state() should copy 'loop_entry' field (CVE-2025-38060 bsc#1245155). - commit 6388e16 - bpf: Fix deadlock between rcu_tasks_trace and event_mutex (CVE-2025-37884 bsc#1243060). - commit 1feaa51 ++++ kernel-firmware-media: - Update to version 20250624 (git commit b05fabcd6f2a): * qcom: venus-5.4: add the firmware binary for qcs615 ++++ kernel-rt: - btrfs: factor out nocow ordered extent and extent map generation into a helper (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: move ordered extent cleanup to where they are allocated (git-fixes). - btrfs: remove the unused locked_folio parameter from btrfs_cleanup_ordered_extents() (git-fixes). - btrfs: use unsigned types for constants defined as bit shifts (git-fixes). - Refresh patches.suse/0005-btrfs-do-proper-folio-cleanup-when-run_delalloc_noco.patch. - commit a1f80d1 - tracing: Fix compilation warning on arm32 (bsc#1243551). 
- commit 5ab4900 - cpufreq/amd-pstate: Add support for the "Requested CPU Min frequency" BIOS option (jsc#PED-13164). - cpufreq/amd-pstate: Add offline, online and suspend callbacks for amd_pstate_driver (jsc#PED-13164). - cpufreq/amd-pstate: Move max_perf limiting in amd_pstate_update (jsc#PED-13164). - commit c625c71 - cpufreq/amd-pstate: Enable ITMT support after initializing core rankings (jsc#PED-13164). - cpufreq/amd-pstate: Fix min_limit perf and freq updation for performance governor (jsc#PED-13164). - commit f84536f - cpufreq/amd-pstate: Set different default EPP policy for Epyc and Ryzen (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Default-to-powersave-governor-whe.patch. - commit f5fec72 - ata: ahci: Disallow LPM for Asus B550-F motherboard (git-fixes). - commit 50509e4 - ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard (git-fixes). - commit 1162257 - ata: ahci: Use correct BIOS build date for ThinkPad W541 quirk (git-fixes). - commit be1e349 - pidfs: ensure that PIDFS_INFO_EXIT is available (jsc#PED-13113). - blacklist.conf: Guard against unused prerequisite - commit 872e385 - exit: fix the usage of delay_group_leader->exit_code in do_notify_parent() and pidfs_exit() (jsc#PED-13113). - pidfs: improve multi-threaded exec and premature thread-group leader exit polling (jsc#PED-13113). - commit c5e2e6c - ata: Fix typos in the comment (git-fixes). - commit c056491 - cpufreq/amd-pstate: Drop actions in amd_pstate_epp_cpu_offline() (jsc#PED-13164). - cpufreq/amd-pstate: Stop caching EPP (jsc#PED-13164). - cpufreq/amd-pstate: Rework CPPC enabling (jsc#PED-13164). - cpufreq/amd-pstate: Drop debug statements for policy setting (jsc#PED-13164). - cpufreq/amd-pstate: Update cppc_req_cached for shared mem EPP writes (jsc#PED-13164). - cpufreq/amd-pstate: Move all EPP tracing into *_update_perf and *_set_epp functions (jsc#PED-13164). - cpufreq/amd-pstate: Cache CPPC request in shared mem case too (jsc#PED-13164). 
- cpufreq/amd-pstate: Replace all AMD_CPPC_* macros with masks (jsc#PED-13164). - cpufreq/amd-pstate-ut: Adjust variable scope (jsc#PED-13164). - cpufreq/amd-pstate-ut: Run on all of the correct CPUs (jsc#PED-13164). - cpufreq/amd-pstate-ut: Drop SUCCESS and FAIL enums (jsc#PED-13164). - cpufreq/amd-pstate-ut: Allow lowest nonlinear and lowest to be the same (jsc#PED-13164). - cpufreq/amd-pstate-ut: Use _free macro to free put policy (jsc#PED-13164). - cpufreq/amd-pstate: Drop `cppc_cap1_cached` (jsc#PED-13164). - cpufreq/amd-pstate: Overhaul locking (jsc#PED-13164). - cpufreq/amd-pstate: Move perf values into a union (jsc#PED-13164). - cpufreq/amd-pstate: Drop min and max cached frequencies (jsc#PED-13164). - cpufreq/amd-pstate: Show a warning when a CPU fails to setup (jsc#PED-13164). - cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend (jsc#PED-13164). - cpufreq/amd-pstate: Fix the clamping of perf values (jsc#PED-13164). - commit 0b848ba - bpf: abort verification if env->cur_state->loop_entry != NULL (CVE-2025-38060 bsc#1245155). - commit 3e1f9c9 - tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923 bsc#1243551). - commit 3a99a12 - cpufreq/amd-pstate: Remove the unncecessary driver_lock in amd_pstate_update_limits (jsc#PED-13164). - cpufreq/amd-pstate: Use scope based cleanup for cpufreq_policy refs (jsc#PED-13164). - cpufreq/amd-pstate: Remove the unnecessary cpufreq_update_policy call (jsc#PED-13164). - cpufreq/amd-pstate: Modularize perf<->freq conversion (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch. - cpufreq/amd-pstate: Convert all perf values to u8 (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch. - cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to amd_pstate_update (jsc#PED-13164). - cpufreq/amd-pstate: Remove the redundant des_perf clamping in adjust_perf (jsc#PED-13164). 
- cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf callback (jsc#PED-13164). - commit 21b14f2 - tracing: Fix use-after-free in print_graph_function_flags during tracer switching (CVE-2025-22035 bsc#1241544). - commit 49f381e - bpf: free verifier states when they are no longer referenced (CVE-2025-38060 bsc#1245155). - Refresh patches.suse/kABI-padding-for-bpf.patch. - commit 06e2482 - bpf: fix env->peak_states computation (CVE-2025-38060 bsc#1245155). - commit 53d5bd3 - bpf: use list_head to track explored states and free list (CVE-2025-38060 bsc#1245155). - bpf: do not update state->loop_entry in get_loop_entry() (CVE-2025-38060 bsc#1245155). - bpf: make state->dfs_depth < state->loop_entry->dfs_depth an invariant (CVE-2025-38060 bsc#1245155). - bpf: detect infinite loop in get_loop_entry() (CVE-2025-38060 bsc#1245155). - selftests/bpf: check states pruning for deeply nested iterator (CVE-2025-38060 bsc#1245155). - bpf: don't do clean_live_states when state->loop_entry->branches > 0 (CVE-2025-38060 bsc#1245155). - selftests/bpf: test correct loop_entry update in copy_verifier_state (CVE-2025-38060 bsc#1245155). - bpf: copy_verifier_state() should copy 'loop_entry' field (CVE-2025-38060 bsc#1245155). - commit 6388e16 - bpf: Fix deadlock between rcu_tasks_trace and event_mutex (CVE-2025-37884 bsc#1243060). 
- commit 1feaa51 ++++ ldmtool: - Update to version 0.2.5 (jsc#PED-12706) * Fix crash while creating mapper for a volume which lacks partitions * Make libldm to parse and return volume GUID * Change the way we sanitise LDM partition name * Set UUID for device mapper devices (partitions and volumes) * Fix potential memory leak * Use device mapper device UUID instead of name to find device in a tree * New API: ldm_volume_dm_get_device * New API: ldm_partition_dm_get_device * Fix bug in libldm to allow for all spanned LDM volumes to be correctly identified/mounted - Upstream fixes post 0.2.5 001-Add-example-systemd-unit-file.patch 002-ldmtool-fix-NULL-pointer-dereference.patch 003-Add-ability-to-override-device-mapper-UUID.patch 004-src-Fix-declaration-of-ldm_new.patch 005-Update-gtkdocize.patch - Drop patch contained in new tarball Remove-deprecated-g_type_class_add_private.patch ++++ xfsprogs: - update to 6.15.0 - xfs_mdrestore: don't allow restoring onto zoned block devices - man: adjust description of the statx manpage - xfs_protofile: fix permission octet when suid/guid is set - xfs_repair: fix libxfs abstraction mess - xfs_growfs: support internal RT devices - xfs_mdrestore: support internal RT devices - xfs_scrub: support internal RT device - xfs_spaceman: handle internal RT devices - xfs_io: handle internal RT devices in fsmap output - xfs_io: don't re-query fs_path information in fsmap_f - xfs_io: correctly report RGs with internal rt dev in bmap output - man: document XFS_FSOP_GEOM_FLAGS_ZONED - xfs_mkfs: document the new zoned options in the man page - xfs_mkfs: reflink conflicts with zoned file systems for now - xfs_mkfs: default to rtinherit=1 for zoned file systems - xfs_mkfs: calculate zone overprovisioning when specifying size - xfs_mkfs: support creating file system with zoned RT devices - xfs_mkfs: factor out a validate_rtgroup_geometry helper - xfs_repair: validate rt groups vs reported hardware zones - xfs_repair: fix the RT device check in
process_dinode_int - xfs_repair: support repairing zoned file systems - libfrog: report the zoned geometry - xfs_repair: phase6: scan longform entries before header check - xfs_repair: Bump link count if longform_dir2_rebuild yields shortform dir - mkfs: fix the issue of maxpct set to 0 not taking effect - mkfs: fix blkid probe API violations causing weird output - xfs_io: make statx mask parsing more generally useful - xfs_io: redefine what statx -m all does - xfs_io: catch statx fields up to 6.15 - man: fix missing cachestat manpage ------------------------------------------------------------------ ------------------ 2025-6-24 - Jun 24 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Add support for container-snap as a container-image engine With this commit, we can now pre-load images using container-snap directly during the kiwi image build - Update test-image-MicroOS for local build Fix bootstrap setup such that micro-os patterns can resolve - Fix logging of stderr data in command calls The stderr data was presented as one blob without line breaks. Hard to read and smells like a bug. This commit fixes the output to become readable - Update test-image-MicroOS/disk.sh Add a findmnt for / to check if there is a proper root device reference ++++ kernel-default: - netfilter: nft_exthdr: fix offset with ipv4_find_option() (git-fixes). - commit be2a228 - netfilter: conntrack: Bound nf_conntrack sysctl writes (git-fixes). - commit 0ac13d2 - netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE (git-fixes). - commit 114a1de - netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only (git-fixes). - commit fd8be75 - netfilter: nft_quota: match correctly when the quota just depleted (git-fixes). - commit 563b1e8 - netfilter: nf_set_pipapo_avx2: fix initial map fill (git-fixes). 
- commit 5316618 - netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it (git-fixes). - commit 3a5285b - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy (git-fixes). - commit 18d1e67 - netfilter: nf_tables: nft_fib: consistent l3mdev handling (git-fixes). - commit 2b7f119 - s390/pci: Fix s390_mmio_read/write syscall page fault handling (git-fixes bsc#1245291). - commit 2f37aef - s390: Fix linker error when -no-pie option is unavailable (git-fixes bsc#1245290). - commit 788b161 - Delete patches.suse/nvdimm-disable-namespace-on-error.patch. We think the patch is not needed and the issue bsc#1166486 has actually been resolved by upstream commit c1f45d86a522. The upstream submission never got any reply [*], so if we decide we in the end want the patch, it should be resent there first. [*] https://lore.kernel.org/nvdimm/20211201164844.125296-1-colyli@suse.de/ - commit ecc0f57 - s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log (git-fixes bsc#1245285). - commit 9d4cdf8 - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - commit 1fc590c ++++ kernel-firmware-amdgpu: - Update to version 20250623 (git commit dbfe16e9e8ac): * amdgpu: update dmcub fw for dcn401 ++++ kernel-firmware-brcm: - Update to version 20250623 (git commit dbfe16e9e8ac): * brcm: Fix symlinks for Khadas VIM SDIO wifi config ++++ kernel-rt: - netfilter: nft_exthdr: fix offset with ipv4_find_option() (git-fixes). - commit be2a228 - netfilter: conntrack: Bound nf_conntrack sysctl writes (git-fixes). - commit 0ac13d2 - netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE (git-fixes). - commit 114a1de - netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only (git-fixes). - commit fd8be75 - netfilter: nft_quota: match correctly when the quota just depleted (git-fixes). 
- commit 563b1e8 - netfilter: nf_set_pipapo_avx2: fix initial map fill (git-fixes). - commit 5316618 - netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it (git-fixes). - commit 3a5285b - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy (git-fixes). - commit 18d1e67 - netfilter: nf_tables: nft_fib: consistent l3mdev handling (git-fixes). - commit 2b7f119 - s390/pci: Fix s390_mmio_read/write syscall page fault handling (git-fixes bsc#1245291). - commit 2f37aef - s390: Fix linker error when -no-pie option is unavailable (git-fixes bsc#1245290). - commit 788b161 - Delete patches.suse/nvdimm-disable-namespace-on-error.patch. We think the patch is not needed and the issue bsc#1166486 has actually been resolved by upstream commit c1f45d86a522. The upstream submission never got any reply [*], so if we decide we in the end want the patch, it should be resent there first. [*] https://lore.kernel.org/nvdimm/20211201164844.125296-1-colyli@suse.de/ - commit ecc0f57 - s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log (git-fixes bsc#1245285). - commit 9d4cdf8 - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). 
- commit 1fc590c ++++ util-linux-systemd: - Update to version 2.41.1: * cfdisk: fix memory leak and possible NULL dereference * fdisk: fix possible memory leak * findmnt: fix -k option parsing regression (boo#1242705, drop util-linux-libblkid-econf-parse.patch) * hardlink: fix performance regression * include/cctype: fix string comparison * libblkid: * Fix crash while parsing config with libeconf * befs fix underflow * avoid strcasecmp() for ASCII-only strings * libblkid/src/topology/dm: fix fscanf return value check to match expected number of parsed items * libmount: * (subdir) restrict for real mounts only * (subdir) remove unused code * avoid calling memset() unnecessarily * fix --no-canonicalize regression (boo#1244251, drop libmount-fix-no-canonicalize-regression.patch) * lsblk: * use ID_PART_ENTRY_SCHEME as fallback for PTTYPE * avoid strcasecmp() for ASCII-only strings * lscpu: * fix possible buffer overflow in cpuinfo parser * Fix loongarch op-mode output with recent kernel * lsfd: * scan the protocol field of /proc/net/packet as a hex number * fix the description for PACKET.PROTOCOL column * lsns: * enhance compilation without USE_NS_GET_API * fix undefined reference to add_namespace_for_nsfd #3483 * more: * fix broken ':!command' command key * fix implicit previous shell_line execution #3508 * tests: (test_mkfds::mapped-packet-socket) add a new parameter, protocol * treewide: * add ul_ to parse_timestamp() function name (drop util-linux-rename-common-symbols-4.patch) * add ul_ to parse_switch() function name (drop util-linux-rename-common-symbols-3.patch) * add ul_ to parse_size() function name (drop util-linux-rename-common-symbols-2.patch) * add ul_ to parse_range() function name (drop util-linux-rename-common-symbols-1.patch) * fix optional arguments usage * avoid strcasecmp() for ASCII-only strings * Wipefs: improve --all descriptions for whole-disks * Misc: Do not call exit() on code ending in shared libraries * Other fixes. 
For complete list see https://kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.1-ReleaseNotes - Fix problem with uname26 listed twice. ++++ util-linux: - Update to version 2.41.1: * cfdisk: fix memory leak and possible NULL dereference * fdisk: fix possible memory leak * findmnt: fix -k option parsing regression (boo#1242705, drop util-linux-libblkid-econf-parse.patch) * hardlink: fix performance regression * include/cctype: fix string comparison * libblkid: * Fix crash while parsing config with libeconf * befs fix underflow * avoid strcasecmp() for ASCII-only strings * libblkid/src/topology/dm: fix fscanf return value check to match expected number of parsed items * libmount: * (subdir) restrict for real mounts only * (subdir) remove unused code * avoid calling memset() unnecessarily * fix --no-canonicalize regression (boo#1244251, drop libmount-fix-no-canonicalize-regression.patch) * lsblk: * use ID_PART_ENTRY_SCHEME as fallback for PTTYPE * avoid strcasecmp() for ASCII-only strings * lscpu: * fix possible buffer overflow in cpuinfo parser * Fix loongarch op-mode output with recent kernel * lsfd: * scan the protocol field of /proc/net/packet as a hex number * fix the description for PACKET.PROTOCOL column * lsns: * enhance compilation without USE_NS_GET_API * fix undefined reference to add_namespace_for_nsfd #3483 * more: * fix broken ':!command' command key * fix implicit previous shell_line execution #3508 * tests: (test_mkfds::mapped-packet-socket) add a new parameter, protocol * treewide: * add ul_ to parse_timestamp() function name (drop util-linux-rename-common-symbols-4.patch) * add ul_ to parse_switch() function name (drop util-linux-rename-common-symbols-3.patch) * add ul_ to parse_size() function name (drop util-linux-rename-common-symbols-2.patch) * add ul_ to parse_range() function name (drop util-linux-rename-common-symbols-1.patch) * fix optional arguments usage * avoid strcasecmp() for ASCII-only strings * Wipefs: improve --all descriptions for 
whole-disks * Misc: Do not call exit() on code ending in shared libraries * Other fixes. For complete list see https://kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.1-ReleaseNotes - Fix problem with uname26 listed twice. ++++ libguestfs: - Update to version 1.56.1 (jsc#PED-12706) * lib: Enable ACPI for the libvirt backend for x86_64 and arm - Only build the inspect-icons RPM for Tumbleweed. Tumbleweed is the only place where icoutils package exists which it requires. ++++ numactl: - Fix Node0 does not exist (bsc#1244492) A 4abeee1aac20a7a2552870e0359b8df013ae9037.patch ++++ libssh: - Update to version 0.11.2 * Security: * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion (bsc#1245309) * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() (bsc#1245310) * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management (bsc#1245311) * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312) * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures (bsc#1245314) * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding (bsc#1245316) * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL (bsc#1245317) * Compatibility * Fixed compatibility with CPM.cmake * Compatibility with OpenSSH 10.0 * Tests compatibility with new Dropbear releases * Removed p11-kit remoting from the pkcs11 testsuite * Bugfixes * Implement missing packet filter for DH GEX * Properly process the SSH2_MSG_DEBUG message * Allow escaping quotes in quoted arguments to ssh configuration * Do not fail with unknown match keywords in ssh configuration * Process packets before selecting signature algorithm during authentication * Do not fail hard when the SFTP status message is not sent by noncompliant servers - Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch - Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch ++++ nvidia-open-driver-G06-signed: - 
0003-nv-dmabuf-Inline-dma_buf_attachment_is_dynamic.patch 0004-nvidia-uvm-Disable-SVA-support-for-6.16.patch * buildfixes against Kernel 6.16 picked up from https://github.com/CachyOS/CachyOS-PKGBUILDS.git - -> nvidia/nvidia-utils ------------------------------------------------------------------ ------------------ 2025-6-23 - Jun 23 2025 ------------------- ------------------------------------------------------------------ ++++ busybox: - enable halt, poweroff, reboot commands (bsc#1243201) ++++ busybox-links: - Blacklist creating links for halt, reboot, shutdown commands to avoid accidental use in a fully booted system (bsc#1243201) ++++ docker: [ This update is a no-op, only needed to work around unfortunate automated packaging script behaviour on SLES. ] - The following patches were removed in openSUSE in the Docker 28.1.1-ce update, but the patch names were later renamed in a SLES-only update before Docker 28.1.1-ce was submitted to SLES. This causes the SLES build scripts to refuse the update because the patches are not referenced in the changelog. There is no obvious place to put the patch removals (the 28.1.1-ce update removing the patches chronologically predates their renaming in SLES), so they are included here as a dummy changelog entry to work around the issue. - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch ++++ python-kiwi: - Fix mount system for root_is_snapper_snapshot If root is a snapper snapshot we have to tell the chroot a proper root mount point which can be achieved by a bind mount pointing to itself. This Fixes bsc#1244668 ++++ kernel-default: - fs/mpage: use blocks_per_folio instead of blocks_per_page (bsc#1245219). - commit 6f61662 - fs/mpage: avoid negative shift for large blocksize (bsc#1245219). - commit f40b15c - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245230).
- commit 5f783ee - pidfs: never refuse ppid == 0 in PIDFD_GET_INFO (jsc#PED-13113). - commit 4327fa2 - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927 bsc#1243620). - commit 0e060e5 - Move upstreamed patch "genksyms: Fix enum consts from a reference affecting new values" into the sorted section (git-fixes). - commit 7c87e2b - s390/boot: Use -D__DISABLE_EXPORTS (bsc#1245126). - commit 79382ab - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme-tcp: remove tag set when second admin queue config fails (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvmet-fcloop: don't wait for lport cleanup (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - commit 60761a1 - btrfs: fix fsync of files with no hard links not persisting deletion (bsc#1245068). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (bsc#1245068). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (bsc#1245068). 
- commit 188ca65 - btrfs: always fallback to buffered write if the inode requires checksum (bsc#1245067). - commit b160824 - cpufreq: Default to performance governor on servers (jsc#PED-13111). - commit 0f4c2f8 - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - commit 753d7ae - nfsd: use threads array as-is in netlink interface (git-fixes). - commit 3a8806c - Refresh patches.suse/x86-entry-Add-__init-to-ia32_emulation_override_cmdline.patch. - commit 15f587c - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - commit 0b0ecd8 - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - Refresh patches.suse/x86-virt-tdx-Mark-memory-cache-state-incoherent-when-making-seamcall.patch. - commit a3e640a - Revert "mm/execmem: Unify early execmem_cache behaviour" (git-fixes). - commit 99e2ca1 - x86/its: explicitly manage permissions for ITS pages (git-fixes). - commit 4d57729 - x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set (git-fixes). - commit d3bec4e ++++ kernel-rt: - fs/mpage: use blocks_per_folio instead of blocks_per_page (bsc#1245219). - commit 6f61662 - fs/mpage: avoid negative shift for large blocksize (bsc#1245219). - commit f40b15c - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245230). - commit 5f783ee - pidfs: never refuse ppid == 0 in PIDFD_GET_INFO (jsc#PED-13113). - commit 4327fa2 - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927 bsc#1243620). - commit 0e060e5 - Move upstreamed patch "genksyms: Fix enum consts from a reference affecting new values" into the sorted section (git-fixes). - commit 7c87e2b - s390/boot: Use -D__DISABLE_EXPORTS (bsc#1245126). - commit 79382ab - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme-tcp: remove tag set when second admin queue config fails (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). 
- nvme: fix command limits status code (git-fixes). - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvmet-fcloop: don't wait for lport cleanup (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - commit 60761a1 - btrfs: fix fsync of files with no hard links not persisting deletion (bsc#1245068). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (bsc#1245068). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (bsc#1245068). - commit 188ca65 - btrfs: always fallback to buffered write if the inode requires checksum (bsc#1245067). - commit b160824 - cpufreq: Default to performance governor on servers (jsc#PED-13111). - commit 0f4c2f8 - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - commit 753d7ae - nfsd: use threads array as-is in netlink interface (git-fixes). - commit 3a8806c - Refresh patches.suse/x86-entry-Add-__init-to-ia32_emulation_override_cmdline.patch. - commit 15f587c - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - commit 0b0ecd8 - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). 
- Refresh patches.suse/x86-virt-tdx-Mark-memory-cache-state-incoherent-when-making-seamcall.patch. - commit a3e640a - Revert "mm/execmem: Unify early execmem_cache behaviour" (git-fixes). - commit 99e2ca1 - x86/its: explicitly manage permissions for ITS pages (git-fixes). - commit 4d57729 - x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set (git-fixes). - commit d3bec4e ++++ libblockdev: - suppress privilege escalation during xfs fs resize (CVE-2025-6019) (bsc#1243285) * add 0001-dont-allow-suid-and-dev-set-on-fs-resize.patch ++++ python-urllib3: - Update to 2.5.0: * Security issues Pool managers now properly control redirects when retries is passed (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925) Redirects are now controlled by urllib3 in the Node.js runtime (CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924) * Features Added support for the compression.zstd module that is new in Python 3.14. Added support for version 0.5 of hatch-vcs * Bugfixes Raised exception for HTTPResponse.shutdown on a connection already released to the pool. Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. ------------------------------------------------------------------ ------------------ 2025-6-22 - Jun 22 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - commit 0ec5b97 - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - commit 58c3f30 ++++ kernel-rt: - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - commit 0ec5b97 - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). 
- commit 58c3f30 ------------------------------------------------------------------ ------------------ 2025-6-21 - Jun 21 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - commit 0071891 - ALSA: hda: Apply volume control on speaker+lineout for HP EliteStudio AIO (stable-fixes). - commit ba1a979 - ALSA: hda/realtek - Support mute led function for HP platform (stable-fixes). - commit 74fc8d1 - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gpio: pca953x: fix wrong error probe return value (git-fixes). - drm/xe: Fix memset on iomem (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (git-fixes). - drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - ALSA: hda/realtek: Add support for Acer Helios Laptops using CS35L41 HDA (stable-fixes). 
- commit 26d96c5 ++++ kernel-firmware-amdgpu: - Update to version 20250620 (git commit 49c833a10ad9): * amdgpu: update renoir firmware * amdgpu: update vcn 5.0.0 firmware * amdgpu: update smu 14.0.3 firmware * amdgpu: update sdma 7.0.1 firmware * amdgpu: update psp 14.0.3 firmware * amdgpu: update gc 12.0.1 firmware * amdgpu: update navy flounder firmware * amdgpu: update psp 14.0.4 firmware * amdgpu: update gc 11.5.2 firmware * amdgpu: update sienna cichlid firmware * amdgpu: add raven2 ip discovery firmware * amdgpu: update smu 14.0.2 firmware * amdgpu: update sdma 7.0.0 firmware * amdgpu: update psp 14.0.2 firmware * amdgpu: update gc 12.0.0 firmware * amdgpu: update vcn 4.0.6 firmware * amdgpu: update psp 14.0.1 firmware * amdgpu: update gc 11.5.1 firmware * amdgpu: update psp 13.0.11 firmware * amdgpu: update gc 11.0.4 firmware * amdgpu: add picasso ip discovery firmware * amdgpu: add raven ip discovery firmware * amdgpu: update vega20 firmware * amdgpu: update vega12 firmware * amdgpu: update smu 13.0.7 firmware * amdgpu: update vcn 4.0.4 firmware * amdgpu: update psp 13.0.7 firmware * amdgpu: update gc 11.0.2 firmware * amdgpu: update navi14 firmware * amdgpu: update vega10 firmware * amdgpu: update gc 10.3.6 firmware * amdgpu: update smu 13.0.10 firmware * amdgpu: update psp 13.0.10 firmware * amdgpu: update gc 11.0.3 firmware * amdgpu: update navi12 firmware * amdgpu: update vangogh firmware * amdgpu: update navi10 firmware * amdgpu: add smu 13.0.0 kicker firmware * amdgpu: add psp 13.0.0 kicker firmware * amdgpu: add gc 11.0.0 kicker firmware * amdgpu: add vcn 5.0.1 firmware * amdgpu: add sdma 4.4.4 firmware * amdgpu: add psp 13.0.12 firmware * amdgpu: add gc 9.5.0 firmware * amdgpu: add arcturus IP discovery firmware * amdgpu: update vcn 4.0.0 firmware * amdgpu: update smu 13.0.0 firmware * amdgpu: update psp 13.0.0 firmware * amdgpu: update gc 11.0.0 firmware * amdgpu: update psp 13.0.14 firmware * amdgpu: update gc 9.4.4 firmware * amdgpu: update psp 
13.0.6 firmware * amdgpu: update gc 9.4.3 firmware * amdgpu: update beige_goby firmware * amdgpu: update vcn 4.0.5 firmware * amdgpu: update gc 11.5.0 firmware * amdgpu: update vcn 4.0.2 firmware * amdgpu: update gc 11.0.1 firmware * amdgpu: update dimgrey_cavefish firmware * amdgpu: update aldebaran firmware ++++ kernel-firmware-iwlwifi: - Update aliases ++++ kernel-firmware-mediatek: - Update aliases ++++ kernel-firmware-network: - Update aliases ++++ kernel-firmware-platform: - Update aliases ++++ kernel-firmware-realtek: - Update aliases ++++ kernel-firmware-sound: - Update aliases ++++ kernel-rt: - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - commit 0071891 - ALSA: hda: Apply volume control on speaker+lineout for HP EliteStudio AIO (stable-fixes). - commit ba1a979 - ALSA: hda/realtek - Support mute led function for HP platform (stable-fixes). - commit 74fc8d1 - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gpio: pca953x: fix wrong error probe return value (git-fixes). - drm/xe: Fix memset on iomem (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (git-fixes). - drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - ALSA: hda/realtek: Add support for Acer Helios Laptops using CS35L41 HDA (stable-fixes). - commit 26d96c5 ++++ python313-core: - adjusted sofilename for "nogil" build correctly. ++++ python313: - adjusted sofilename for "nogil" build correctly. 
------------------------------------------------------------------ ------------------ 2025-6-20 - Jun 20 2025 ------------------- ------------------------------------------------------------------ ++++ transactional-update: - Add correct SELinux policy version dependency for SLE 16 ++++ kernel-default: - libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743, CVE-2025-38072). - commit 100db61 - mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios (CVE-2025-38050 bsc#1244751). - commit 805754b - config: enable rbd and libceph (jsc#PED-13108) - commit 793f4d9 - s390/purgatory: Use -D__DISABLE_EXPORTS (bsc#1245126). - commit 490ac3b - wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (git-fixes). - commit 6b57cd2 - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - hwmon: (ltc4282) avoid repeated register write (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: don't wait when there is no vdev started (git-fixes). - wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing (git-fixes). - pinctrl: samsung: add gs101 specific eint suspend/resume callbacks (git-fixes). - pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks (stable-fixes). - pinctrl: samsung: refactor drvdata suspend & resume callbacks (stable-fixes). - Bluetooth: ISO: Fix not using SID from adv report (stable-fixes). 
- wifi: ath12k: refactor ath12k_hw_regs structure (stable-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - commit 9415389 - workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() (bsc#1245101). - commit 6bd2836 - Revert "rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618)" This is breaking the build on s390x and blocking upcoming submissions: Failed to read symtypes from '.': arch/s390/lib/string.symtypes:3: Export 'strlen' is duplicate, previous occurrence found in 'arch/s390/purgatory/string.symtypes' This reverts commit a0854fc92f0d8c56e48e96980cea7efe15509265. - commit 672894a - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - commit 666ce5b - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - commit bd3ade1 - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - commit 035ae9a - net_sched: tbf: fix a race in tbf_change() (git-fixes). - commit 4131c83 - net_sched: red: fix a race in __red_change() (git-fixes). - commit f0af35e - net_sched: prio: fix a race in prio_tune() (git-fixes). - commit 13ce5f2 - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - commit dc06830 - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - commit 9d72614 - KEYS: trusted: don't fail module __init if SHA1 is unavailable (bsc#1240423 jsc#PED-12225). - commit 93f363a - pidfs: lookup pid through rbtree (jsc#PED-13113). 
- commit eead84f ++++ kernel-firmware-amdgpu: - Update to version 20250619 (git commit dcd2ee2f57a7): * amdgpu: update dmcub fw for dcn32 and dcn401 ++++ kernel-firmware-mediatek: - Update to version 20250619 (git commit dcd2ee2f57a7): * mediatek: Update mt8186 SCP firmware ++++ kernel-rt: - libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743, CVE-2025-38072). - commit 100db61 - mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios (CVE-2025-38050 bsc#1244751). - commit 805754b - config: enable rbd and libceph (jsc#PED-13108) - commit 793f4d9 - s390/purgatory: Use -D__DISABLE_EXPORTS (bsc#1245126). - commit 490ac3b - wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (git-fixes). - commit 6b57cd2 - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - hwmon: (ltc4282) avoid repeated register write (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: don't wait when there is no vdev started (git-fixes). - wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing (git-fixes). - pinctrl: samsung: add gs101 specific eint suspend/resume callbacks (git-fixes). - pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks (stable-fixes). - pinctrl: samsung: refactor drvdata suspend & resume callbacks (stable-fixes). - Bluetooth: ISO: Fix not using SID from adv report (stable-fixes). 
- wifi: ath12k: refactor ath12k_hw_regs structure (stable-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - commit 9415389 - workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() (bsc#1245101). - commit 6bd2836 - Revert "rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618)" This is breaking the build on s390x and blocking upcoming submissions: Failed to read symtypes from '.': arch/s390/lib/string.symtypes:3: Export 'strlen' is duplicate, previous occurrence found in 'arch/s390/purgatory/string.symtypes' This reverts commit a0854fc92f0d8c56e48e96980cea7efe15509265. - commit 672894a - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - commit 666ce5b - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - commit bd3ade1 - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - commit 035ae9a - net_sched: tbf: fix a race in tbf_change() (git-fixes). - commit 4131c83 - net_sched: red: fix a race in __red_change() (git-fixes). - commit f0af35e - net_sched: prio: fix a race in prio_tune() (git-fixes). - commit 13ce5f2 - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - commit dc06830 - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - commit 9d72614 - KEYS: trusted: don't fail module __init if SHA1 is unavailable (bsc#1240423 jsc#PED-12225). - commit 93f363a - pidfs: lookup pid through rbtree (jsc#PED-13113). - commit eead84f ++++ open-vm-tools: - Update to open-vm-tools 13.0.0 based on build 24696409. (boo#1245169): There are no new features in the open-vm-tools 13.0.0 release. 
This is primarily a maintenance release that addresses a few issues, including: - The vm-support script has been updated to collect the open-vm-tools log files from the Linux guest and information from the systemd journal. - GitHub pull requests have been integrated and issues fixed. Please see the Resolved Issues section of the Release Notes. For a more complete list of issues resolved in this release, see the Resolved Issues section of the Release Notes. For complete details, see: https://github.com/vmware/open-vm-tools/releases/tag/stable-13.0.0 Release Notes are available at: https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md The granular changes that have gone into the 13.0.0 release are in the ChangeLog at: https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/ChangeLog - Add patch: 0001-GOSC-Update-Guest-OS-Customization-to-utilize-system.patch Currently the "telinit 6" command is used to reboot a Linux VM following Guest OS Customization. As the classic Linux init system, SysVinit, is deprecated in favor of a newer init system, systemd, the telinit command may not be available on the base Linux OS. This change adds support to Guest OS Customization for the systemd init system. If the modern init system, systemd, is available, then a "systemctl reboot" command will be used to trigger reboot. Otherwise, the "telinit 6" command will be used assuming the traditional init system, SysVinit, is still available. - Drop patch now contained in 13.0.0: open-vm-tools-12.5.0-gcc15.patch - Ran /usr/lib/obs/service/source_validators/helpers/fix_changelog to fix changes file where source validator was failing. 
++++ qemu: - Add Live migration support for QEMU-emulated AMD IOMMU (jsc#PED-13144): * hw/i386/amd_iommu: Allow migration when explicitly create the AMDVI-PCI device (jsc#PED-PED-13144) * hw/i386/amd_iommu: Isolate AMDVI-PCI from amd-iommu device to allow full control over the PCI device creation (jsc#PED-13144) ++++ ovmf: - Enable TDVF firmware to boot TDX guest VM with Secure boot (jsc#PED-13070) - Add ovmf-x86_64-tdx-secureboot.bin - Add 60-ovmf-x86_64-tdx.json ------------------------------------------------------------------ ------------------ 2025-6-19 - Jun 19 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Add kdump-nfs-fixes.patch to fix bsc#1241949 ++++ kernel-default: - Update patches.suse/dlm-mask-sk_shutdown-value.patch (bsc#1241278). - Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch (bsc#1241278). Original bsc number was wrong. Fix it. - commit 4a3a0a7 - selftests/ftrace: Use readelf to find entry point in uprobe test (bsc#1242836). - commit c5198f9 - selftests/ftrace: Make uprobe test more robust against binary name (bsc#1242836). - commit 97eea6a ++++ kernel-rt: - Update patches.suse/dlm-mask-sk_shutdown-value.patch (bsc#1241278). - Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch (bsc#1241278). Original bsc number was wrong. Fix it. - commit 4a3a0a7 - selftests/ftrace: Use readelf to find entry point in uprobe test (bsc#1242836). - commit c5198f9 - selftests/ftrace: Make uprobe test more robust against binary name (bsc#1242836). 
- commit 97eea6a ++++ systemd: - Import commit 1e42ecf5a145589954df77da05937ee69619f3e5 1e42ecf5a1 firstboot: make sure labelling is enabled 3bdb2efbe0 tmpfiles: fix symlink creation when replacing 61c228d2cc firstboot: use WRITE_STRING_FILE_LABEL more f5148acf37 env-file: port write_env_file() to label_ops_pre() bbff8b5523 fs-util: replace symlink_atomic_full_label() by a flag to symlinkat_atomic_full() (bsc#1244237) 2b39393efa env-file: rework write_env_file() to make use of O_TMPFILE ------------------------------------------------------------------ ------------------ 2025-6-18 - Jun 18 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to docker-buildx v0.25.0. Upstream changelog: ++++ python-kiwi: - There is no shim for aarch64 on SUSE Fix integration test for standard EFI (no secure boot) setup on arm ++++ kernel-default: - rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618) Fix for bsc#1245126 was merged. - rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618) - commit 90af69e - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (CVE-2025-38001 bsc#1244234). - commit 031f2d0 - block: flip iter directions in blk_rq_integrity_map_user() (git-fixes). - loop: add file_start_write() and file_end_write() (git-fixes). - brd: fix discard end sector (git-fixes). - brd: fix aligned_sector from brd_do_discard() (git-fixes). - block: only update request sector if needed (git-fixes). - block: fix race between set_blocksize and read paths (git-fixes). - badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable < 0 (git-fixes). - blk-throttle: don't take carryover for prioritized processing of metadata (git-fixes). - ublk: enforce ublks_max only for unprivileged devices (git-fixes). - block: mark bounce buffering as incompatible with integrity (git-fixes). - ublk: complete command synchronously on error (git-fixes). 
- loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize (git-fixes). - commit 9c6fb7f - packaging: Add support for suse-kabi-tools The current workflow to check kABI stability during the RPM build of SUSE kernels consists of the following steps: * The downstream script rpm/modversions unpacks the consolidated kABI symtypes reference data from kabi//symtypes- and creates individual symref files. * The build performs a regular kernel make. During this operation, genksyms is invoked for each source file. The tool determines type signatures of all exports within the file, reports any differences compared to the associated symref reference, calculates symbol CRCs from the signatures and writes new type data into a symtypes file. * The script rpm/modversions is invoked again, this time it packs all new symtypes files to a consolidated kABI file. * The downstream script rpm/kabi.pl checks symbol CRCs in the new build and compares them to a reference from kabi//symvers-, taking kabi/severities into account. suse-kabi-tools is a new set of tools to improve the kABI checking process. The suite includes two tools, ksymtypes and ksymvers, which replace the existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison functionality previously provided by genksyms. The tools have their own source repository and package. The tools provide faster operation and more detailed, unified output. In addition, they allow the use of the new upstream tool gendwarfksyms, which lacks any built-in comparison functionality. The updated workflow is as follows: * The build performs a regular kernel make. During this operation, genksyms (gendwarfksyms) is invoked as usual, determining signatures and CRCs of all exports and writing the type data to symtypes files. However, genksyms no longer performs any comparison. * 'ksymtypes consolidate' packs all new symtypes files to a consolidated kABI file. 
* 'ksymvers compare' checks symbol CRCs in the new build and compares them to a reference from kabi//symvers-, taking kabi/severities into account. The tool writes its result in a human-readable form on standard output and also writes a list of all changed exports (not ignored by kabi/severities) to the changed-exports file. * 'ksymtypes compare' takes the changed-exports file, the consolidated kABI symtypes reference data from kabi//symtypes- and the new consolidated data. Based on this data, it produces a detailed report explaining why the symbols changed. The patch enables the use of suse-kabi-tools via rpm/config.sh, providing explicit control to each branch. To enable the support, set USE_SUSE_KABI_TOOLS=Yes in the config file. - commit a2c6f89 - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86/amd: pmf: Prevent amd_pmf_tee_deinit() from running twice (git-fixes). - platform/x86/amd: pmf: Use device managed allocations (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - commit 89154c9 ++++ kernel-rt: - rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618) Fix for bsc#1245126 was merged. - rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618) - commit 90af69e - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (CVE-2025-38001 bsc#1244234). - commit 031f2d0 - block: flip iter directions in blk_rq_integrity_map_user() (git-fixes). - loop: add file_start_write() and file_end_write() (git-fixes). - brd: fix discard end sector (git-fixes). - brd: fix aligned_sector from brd_do_discard() (git-fixes). - block: only update request sector if needed (git-fixes). - block: fix race between set_blocksize and read paths (git-fixes). 
- badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable < 0 (git-fixes). - blk-throttle: don't take carryover for prioritized processing of metadata (git-fixes). - ublk: enforce ublks_max only for unprivileged devices (git-fixes). - block: mark bounce buffering as incompatible with integrity (git-fixes). - ublk: complete command synchronously on error (git-fixes). - loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize (git-fixes). - commit 9c6fb7f - packaging: Add support for suse-kabi-tools The current workflow to check kABI stability during the RPM build of SUSE kernels consists of the following steps: * The downstream script rpm/modversions unpacks the consolidated kABI symtypes reference data from kabi//symtypes- and creates individual symref files. * The build performs a regular kernel make. During this operation, genksyms is invoked for each source file. The tool determines type signatures of all exports within the file, reports any differences compared to the associated symref reference, calculates symbol CRCs from the signatures and writes new type data into a symtypes file. * The script rpm/modversions is invoked again, this time it packs all new symtypes files to a consolidated kABI file. * The downstream script rpm/kabi.pl checks symbol CRCs in the new build and compares them to a reference from kabi//symvers-, taking kabi/severities into account. suse-kabi-tools is a new set of tools to improve the kABI checking process. The suite includes two tools, ksymtypes and ksymvers, which replace the existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison functionality previously provided by genksyms. The tools have their own source repository and package. The tools provide faster operation and more detailed, unified output. In addition, they allow the use of the new upstream tool gendwarfksyms, which lacks any built-in comparison functionality. 
The updated workflow is as follows: * The build performs a regular kernel make. During this operation, genksyms (gendwarfksyms) is invoked as usual, determining signatures and CRCs of all exports and writing the type data to symtypes files. However, genksyms no longer performs any comparison. * 'ksymtypes consolidate' packs all new symtypes files to a consolidated kABI file. * 'ksymvers compare' checks symbol CRCs in the new build and compares them to a reference from kabi//symvers-, taking kabi/severities into account. The tool writes its result in a human-readable form on standard output and also writes a list of all changed exports (not ignored by kabi/severities) to the changed-exports file. * 'ksymtypes compare' takes the changed-exports file, the consolidated kABI symtypes reference data from kabi//symtypes- and the new consolidated data. Based on this data, it produces a detailed report explaining why the symbols changed. The patch enables the use of suse-kabi-tools via rpm/config.sh, providing explicit control to each branch. To enable the support, set USE_SUSE_KABI_TOOLS=Yes in the config file. - commit a2c6f89 - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86/amd: pmf: Prevent amd_pmf_tee_deinit() from running twice (git-fixes). - platform/x86/amd: pmf: Use device managed allocations (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - commit 89154c9 ++++ libsoup: - Add libsoup-CVE-2025-4945.patch: add value checks for date/time parsing (boo#1243314 CVE-2025-4945). ++++ libzypp: - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updating zypper to 1.14.91. 
- Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to "/var/log/YaST2/autoTestcase" should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - version 17.37.6 (35) ++++ pam: - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted ++++ pam-config: - Update to version 2.12+git.20250516: * Don't add pam_env twice ++++ pam-full-src: - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted ++++ virt-manager: - bsc#1244685 - Could not find an installable distribution with virt-install command virtinst-add-sle16-detection-support.patch ++++ zypper: - BuildRequires: libzypp-devel >= 17.37.6. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. 
(bsc#1230267) - version 1.14.91 ------------------------------------------------------------------ ------------------ 2025-6-17 - Jun 17 2025 ------------------- ------------------------------------------------------------------ ++++ afterburn: - Fix Requires in noarch package to not be arch specific (bsc#1244675) ++++ drbd-utils: - merge upstream patch to fix build error * add patch + DRBDmon-Add-missing-default_types.h-include-in-strin.patch - Fix SELinux equivalency rules in module (bsc#1242915) * add patch + 0001-Fix-selinux-policy-for-usr-bin-equivalency-rules.patch + 0002-Fix-selinux-module-for-run-lock-equivalency-rules.patch + 0003-Fix-selinux-module-for-run-equivalency-rules.patch ++++ glibc: - ppc64le-revert-power10-strcmp.patch: Revert optimized POWER10 strcmp, strncmp implementations (CVE-2025-5745, CVE-2025-5702, bsc#1244184, bsc#1244182, BZ #33060, BZ #33056) - ppc64le-revert-power10-memcmp.patch: Revert optimized POWER10 memcmp implementation (BZ #33059) ++++ gpg2: - Don't install expired sks certificate [bsc#1243069] * Add patch gnupg-dirmngr-Don-t-install-expired-sks-certificate.patch ++++ kernel-default: - loop: factor out a loop_assign_backing_file helper (git-fixes). - Refresh patches.suse/loop-Add-sanity-check-for-read-write_iter.patch. - commit 6b2b09e - platform/x86/amd/hsmp: mark hsmp_msg_desc_table as maybe_unused (git-fixes). - commit a5ad60f - iommu: Clear iommu-dma ops on cleanup (CVE-2025-37877 bsc#1243058). - commit 5ecb9e1 - kernel-source: Remove log.sh from sources - commit 96bd779 - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - commit e772925 ++++ kernel-firmware-amdgpu: - Update to version 20250616 (git commit 1d98972a5635): * amdgpu: Update DMCUB fw for DCN401 & DCN315 ++++ kernel-firmware-qcom: - Update to version 20250616 (git commit 1d98972a5635): * qcom: add gpu firmwares for X1P42100 chipset ++++ kernel-rt: - loop: factor out a loop_assign_backing_file helper (git-fixes). 
- Refresh patches.suse/loop-Add-sanity-check-for-read-write_iter.patch. - commit 6b2b09e - platform/x86/amd/hsmp: mark hsmp_msg_desc_table as maybe_unused (git-fixes). - commit a5ad60f - iommu: Clear iommu-dma ops on cleanup (CVE-2025-37877 bsc#1243058). - commit 5ecb9e1 - kernel-source: Remove log.sh from sources - commit 96bd779 - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - commit e772925 ++++ vim: - Fix bsc#1228776 / CVE-2024-41965. - Fix bsc#1239602 / CVE-2025-29768. - Refresh patch: vim-7.3-sh_is_bash.patch - Update to 9.1.1406: 9.1.1406: crash when importing invalid tuple 9.1.1405: tests: no test for mapping with special keys in session file 9.1.1404: wrong link to Chapter 2 in new-tutor 9.1.1403: expansion of 'tabpanelopt' value adds wrong values 9.1.1402: multi-byte mappings not properly stored in session file 9.1.1401: list not materialized in prop_list() 9.1.1400: [security]: use-after-free when evaluating tuple fails 9.1.1399: tests: test_codestyle fails for auto-generated files 9.1.1398: completion: trunc does not follow Pmenu highlighting attributes 9.1.1397: tabpanel not correctly updated on :tabonly 9.1.1396: 'errorformat' is a global option 9.1.1395: search_stat not reset when pattern differs in case 9.1.1394: tabpanel not correctly redrawn on tabonly 9.1.1393: missing test for switching buffers and reusing curbuf 9.1.1392: missing patch number 9.1.1391: Vim does not have a vertical tabpanel 9.1.1390: style: more wrong indentation 9.1.1389: completion: still some issue when 'isexpand' contains a space 9.1.1388: Scrolling one line too far with 'nosmoothscroll' page scrolling 9.1.1387: memory leak when buflist_new() fails to reuse curbuf 9.1.1386: MS-Windows: some minor problems building on AARCH64 9.1.1385: inefficient loop for 'nosmoothscroll' scrolling 9.1.1384: still some problem with the new tutors filetype plugin 9.1.1383: completion: 'isexpand' option does not handle space char correct 9.1.1382: 
if_ruby: unused compiler warnings from ruby internals 9.1.1381: completion: cannot return to original text 9.1.1380: 'eventignorewin' only checked for current buffer 9.1.1379: MS-Windows: error when running evim when space in path 9.1.1378: sign without text overwrites number option 9.1.1377: patch v9.1.1370 causes some GTK warning messages 9.1.1376: quickfix dummy buffer may remain as dummy buffer 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer 9.1.1374: completion: 'smartcase' not respected when filtering matches 9.1.1373: 'completeopt' checking logic can be simplified 9.1.1372: style: braces issues in various files 9.1.1371: style: indentation and brace issues in insexpand.c 9.1.1370: CI Tests favor GTK2 over GTK3 9.1.1369: configure still using autoconf 2.71 9.1.1368: GTK3 and GTK4 will drop numeric cursor support. 9.1.1367: too many strlen() calls in gui.c 9.1.1366: v9.1.1364 unintentionally changed sign.c and sound.c 9.1.1365: MS-Windows: compile warnings and too many strlen() calls 9.1.1364: style: more indentation issues 9.1.1363: style: inconsistent indentation in various files 9.1.1362: Vim9: type ignored when adding tuple to instance list var 9.1.1361: [security]: possible use-after-free when closing a buffer 9.1.1360: filetype: GNU Radio companion files are not recognized 9.1.1359: filetype: GNU Radio config files are not recognized 9.1.1358: if_lua: compile warnings with gcc15 9.1.1357: Vim incorrectly escapes tags with "[" in a help buffer 9.1.1356: Vim9: crash when unletting variable 9.1.1355: The pum_redraw() function is too complex 9.1.1354: tests: Test_terminalwinscroll_topline() fails on Windows 9.1.1353: missing change from v9.1.1350 9.1.1352: style: inconsistent indent in insexpand.c 9.1.1351: Return value of getcmdline() inconsistent in CmdlineLeavePre 9.1.1350: tests: typo in Test_CmdlineLeavePre_cabbr() 9.1.1349: CmdlineLeavePre may trigger twice 9.1.1348: still E315 with the terminal feature 9.1.1347: small problems with 
gui_w32.c 9.1.1346: missing out-of-memory check in textformat.c 9.1.1345: tests: Test_xxd_color2() test failure dump diff is misleading 9.1.1344: double free in f_complete_match() (after v9.1.1341) 9.1.1343: filetype: IPython files are not recognized 9.1.1342: Shebang filetype detection can be improved 9.1.1341: cannot define completion triggers 9.1.1340: cannot complete :filetype arguments 9.1.1339: missing out-of-memory checks for enc_to_utf16()/utf16_to_enc() 9.1.1338: Calling expand() interferes with cmdcomplete_info() 9.1.1337: Undo corrupted with 'completeopt' "preinsert" when switching buffer 9.1.1336: comment plugin does not support case-insensitive 'commentstring' 9.1.1335: Coverity complains about Null pointer dereferences 9.1.1334: Coverity complains about unchecked return value 9.1.1333: Coverity: complains about unutilized variable 9.1.1332: Vim9: segfault when using super within a lambda 9.1.1331: Leaking memory with cmdcomplete() ------------------------------------------------------------------ ------------------ 2025-6-16 - Jun 16 2025 ------------------- ------------------------------------------------------------------ ++++ cifs-utils: - Update cifs-utils to 7.4 * mount.cifs: retry mount on -EINPROGRESS * cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP * cifs.upcall: fix memory leaks in check_service_ticket_exits() * cifs-utils: bump version to 7.4 * getcifsacl, setcifsacl: use for basename * cifscreds: use for basename ++++ cockpit: - Update to 340 * Detect multiple mount points when creating btrfs subvolumes * Disk Self-Test error warnings on the overview page * Prevent modifying partitions in unsupported places * Bug fixes and translation updates ++++ cockpit-machines: - Update to 333 * Bug fixes * The "shareable" attribute of disks is no longer modified by Cockpit * Virtual network interfaces can now select source mode ++++ cockpit-podman: - Update to 107 * Bug fixes * Translation updates ++++ python-kiwi: - Add driver 
configuration support for dracut initrd Add support for specifying kernel drivers to be included or omitted in the dracut initrd configuration. This extends the existing dracut configuration capabilities like in the following example ++++ kernel-default: - block/bdev: enable large folio support for large logical block sizes (git-fixes). - commit 03e169f - x86/amd_node: Add support for debugfs access to SMN registers (jsc#PED-13094). - commit 718f7f2 - x86/amd_node: Add SMN offsets to exclusive region access (jsc#PED-13094). - commit 8b0488f - x86/amd_node: Use defines for SMN register offsets (jsc#PED-13094). - commit fdceb0c - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - Refresh patches.suse/0008-ima-track-the-set-of-PCRs-ever-extended.patch. - commit 87b6eff - wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash (bsc#1240998). - wifi: ath12k: Resolve multicast packet drop by populating key_cipher in ath12k_install_key() (bsc#1240998). - commit 7530032 - wifi: ath12k: ath12k_mac_op_set_key(): fix uninitialized symbol 'ret' (bsc#1240998). - commit f7be9d8 - wifi: ath12k: Fix for out-of bound access error (bsc#1240998 CVE-2024-58015 bsc#1238995). - blacklist.conf: - commit 3c5bf1f - wifi: ath12k: fix key cache handling (bsc#1240998). - commit dcb3d62 - wifi: ath12k: convert tasklet to BH workqueue for CE interrupts (bsc#1240998). - wifi: ath12k: fix A-MSDU indication in monitor mode (bsc#1240998). - wifi: ath12k: use tail MSDU to get MSDU information (bsc#1240998). - wifi: ath12k: delete NSS and TX power setting for monitor vdev (bsc#1240998). - wifi: ath12k: fix struct hal_rx_mpdu_start (bsc#1240998). - wifi: ath12k: fix struct hal_rx_phyrx_rssi_legacy_info (bsc#1240998). - wifi: ath12k: fix struct hal_rx_ppdu_start (bsc#1240998). - wifi: ath12k: fix struct hal_rx_ppdu_end_user_stats (bsc#1240998).
- wifi: ath12k: remove unused variable monitor_present (bsc#1240998). - commit 8ed2a0a - wifi: ath12k: modify link arvif creation and removal for MLO (bsc#1240998). - Refresh patches.suse/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_ma.patch. - commit 66e4cb1 - wifi: ath12k: update ath12k_mac_op_update_vif_offload() for MLO (bsc#1240998). - wifi: ath12k: update ath12k_mac_op_conf_tx() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_op_set_key() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_op_bss_info_changed() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_get_arvif_iter() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_vif_chan() for MLO (bsc#1240998). - wifi: ath12k: prepare vif config caching for MLO (bsc#1240998). - wifi: ath12k: prepare sta data structure for MLO handling (bsc#1240998). - wifi: ath12k: pass ath12k_link_vif instead of vif/ahvif (bsc#1240998). - commit e2a68c7 - wifi: ath12k: prepare vif data structure for MLO handling (bsc#1240998). - Refresh patches.suse/wifi-ath12k-Handle-error-cases-during-extended-skb-a.patch. - Refresh patches.suse/wifi-ath12k-fix-tx-power-max-reg-power-update-to-fir.patch. - commit be086ca - wifi: ath12k: Add firmware coredump collection support (bsc#1240998). - Update config files. - commit 13fc60a - wifi: ath12k: Support BE OFDMA Pdev Rate Stats (bsc#1240998). - wifi: ath12k: Support Pdev Scheduled Algorithm Stats (bsc#1240998). - wifi: ath12k: Support DMAC Reset Stats (bsc#1240998). - wifi: ath12k: add missing lockdep_assert_wiphy() for ath12k_mac_op_ functions (bsc#1240998). - wifi: ath12k: ath12k_mac_op_sta_state(): clean up update_wk cancellation (bsc#1240998). - wifi: ath12k: ath12k_mac_set_key(): remove exit label (bsc#1240998). - commit 4d42f04 - wifi: ath12k: switch to using wiphy_lock() and remove ar->conf_mutex (bsc#1240998). - Refresh patches.suse/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch. 
- Refresh patches.suse/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_ma.patch. - commit 728526a - wifi: ath12k: convert struct ath12k_sta::update_wk to use struct wiphy_work (bsc#1240998). - commit 91ddf3a - wifi: ath12k: Support Pdev OBSS Stats (bsc#1240998). - wifi: ath12k: Support pdev CCA Stats (bsc#1240998). - wifi: ath12k: Support pdev Transmit Multi-user stats (bsc#1240998). - wifi: ath12k: Support Ring and SFM stats (bsc#1240998). - wifi: ath12k: Support Self-Generated Transmit stats (bsc#1240998). - wifi: ath12k: Modify print_array_to_buf() to support arrays with 1-based semantics (bsc#1240998). - wifi: ath12k: move txbaddr/rxbaddr into struct ath12k_dp (bsc#1240998). - wifi: ath12k: make read-only array svc_id static const (bsc#1240998). - commit 3509024 - x86/bugs: Restructure ITS mitigation (git-fixes). - commit 085abef - x86/bugs: Fix spectre_v2 mitigation default on Intel (git-fixes). - commit f344e75 - KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions (git-fixes). - commit b648f1d - platform/x86/amd/hsmp: fix building with CONFIG_HWMON=m (jsc#PED-13094). - commit dc03ed2 - platform/x86/amd/hsmp: acpi: Add sysfs files to display HSMP telemetry (jsc#PED-13094). - commit d63496c - platform/x86/amd/hsmp: Report power via hwmon sensors (jsc#PED-13094). - commit 357c2f9 - platform/x86/amd/hsmp: Use a single DRIVER_VERSION for all usmp modules (jsc#PED-13094). - commit 60b1624 - platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers (jsc#PED-13094). - Refresh patches.suse/x86-platform-amd-Move-the-asm-amd_hsmp.h-header-to-asm-amd.patch. - commit 02efe4c - x86/platform/amd: Move the header to (jsc#PED-13094). - commit cd8f689 - x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through AMD_NODE (jsc#PED-13094). - commit 84c6aed - x86/amd_node: Remove dependency on AMD_NB (jsc#PED-13094). - commit 7a96278 - x86/amd_node: Update __amd_smn_rw() error paths (jsc#PED-13094). 
- commit 4c71e32 - x86/amd_nb: Move SMN access code to a new amd_node driver (jsc#PED-13094). - commit e227b52 - x86/amd_nb, hwmon: (k10temp): Simplify amd_pci_dev_to_node_id() (jsc#PED-13094). - commit 4ab060a - x86/amd_nb: Simplify function 3 search (jsc#PED-13094). - commit 995c30f - x86/amd_nb: Use topology info to get AMD node count (jsc#PED-13094). - commit 92a3127 - x86/amd_nb: Simplify root device search (jsc#PED-13094). - commit 99743f8 - x86/amd_nb: Simplify function 4 search (jsc#PED-13094). - commit 969836a - x86: Start moving AMD node functionality out of AMD_NB (jsc#PED-13094). - commit dedae8e - x86/amd_nb: Clean up early_is_amd_nb() (jsc#PED-13094). - commit 3e7ae58 - x86/amd_nb: Restrict init function to AMD-based systems (jsc#PED-13094). - commit 4581815 - x86/mce/amd: Remove shared threshold bank plumbing (jsc#PED-13094). - commit 5e367df - platform/x86: amd: Use *-y instead of *-objs in Makefiles (jsc#PED-13094). - commit 80da452 - platform/x86/amd/hsmp: Constify 'struct bin_attribute' (jsc#PED-13094). - commit ed01393 - Refresh patches.suse/drm-panel-simple-Update-timings-for-AUO-G101EVN010.patch. - Refresh patches.suse/drm-xe-Fix-and-re-enable-xe_print_blob_ascii85.patch. - commit 7527c99 - platform/x86/amd/hsmp: Add support for HSMP protocol version 7 messages (jsc#PED-13094). - commit 98c4882 - platform/x86/amd/hsmp: Change the error type (jsc#PED-13094). - commit a450822 - platform/x86/amd/hsmp: Add new error code and error logs (jsc#PED-13094). - commit 2c1e1e0 - platform/x86/amd/hsmp: Make hsmp_pdev static instead of global (jsc#PED-13094). - commit 25dfaea ++++ kernel-rt: - block/bdev: enable large folio support for large logical block sizes (git-fixes). - commit 03e169f - x86/amd_node: Add support for debugfs access to SMN registers (jsc#PED-13094). - commit 718f7f2 - x86/amd_node: Add SMN offsets to exclusive region access (jsc#PED-13094). - commit 8b0488f - x86/amd_node: Use defines for SMN register offsets (jsc#PED-13094). 
- commit fdceb0c - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - Refresh patches.suse/0008-ima-track-the-set-of-PCRs-ever-extended.patch. - commit 87b6eff - wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash (bsc#1240998). - wifi: ath12k: Resolve multicast packet drop by populating key_cipher in ath12k_install_key() (bsc#1240998). - commit 7530032 - wifi: ath12k: ath12k_mac_op_set_key(): fix uninitialized symbol 'ret' (bsc#1240998). - commit f7be9d8 - wifi: ath12k: Fix for out-of bound access error (bsc#1240998 CVE-2024-58015 bsc#1238995). - blacklist.conf: - commit 3c5bf1f - wifi: ath12k: fix key cache handling (bsc#1240998). - commit dcb3d62 - wifi: ath12k: convert tasklet to BH workqueue for CE interrupts (bsc#1240998). - wifi: ath12k: fix A-MSDU indication in monitor mode (bsc#1240998). - wifi: ath12k: use tail MSDU to get MSDU information (bsc#1240998). - wifi: ath12k: delete NSS and TX power setting for monitor vdev (bsc#1240998). - wifi: ath12k: fix struct hal_rx_mpdu_start (bsc#1240998). - wifi: ath12k: fix struct hal_rx_phyrx_rssi_legacy_info (bsc#1240998). - wifi: ath12k: fix struct hal_rx_ppdu_start (bsc#1240998). - wifi: ath12k: fix struct hal_rx_ppdu_end_user_stats (bsc#1240998). - wifi: ath12k: remove unused variable monitor_present (bsc#1240998). - commit 8ed2a0a - wifi: ath12k: modify link arvif creation and removal for MLO (bsc#1240998). - Refresh patches.suse/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_ma.patch. - commit 66e4cb1 - wifi: ath12k: update ath12k_mac_op_update_vif_offload() for MLO (bsc#1240998). - wifi: ath12k: update ath12k_mac_op_conf_tx() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_op_set_key() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_op_bss_info_changed() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_get_arvif_iter() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_vif_chan() for MLO (bsc#1240998). 
- wifi: ath12k: prepare vif config caching for MLO (bsc#1240998). - wifi: ath12k: prepare sta data structure for MLO handling (bsc#1240998). - wifi: ath12k: pass ath12k_link_vif instead of vif/ahvif (bsc#1240998). - commit e2a68c7 - wifi: ath12k: prepare vif data structure for MLO handling (bsc#1240998). - Refresh patches.suse/wifi-ath12k-Handle-error-cases-during-extended-skb-a.patch. - Refresh patches.suse/wifi-ath12k-fix-tx-power-max-reg-power-update-to-fir.patch. - commit be086ca - wifi: ath12k: Add firmware coredump collection support (bsc#1240998). - Update config files. - commit 13fc60a - wifi: ath12k: Support BE OFDMA Pdev Rate Stats (bsc#1240998). - wifi: ath12k: Support Pdev Scheduled Algorithm Stats (bsc#1240998). - wifi: ath12k: Support DMAC Reset Stats (bsc#1240998). - wifi: ath12k: add missing lockdep_assert_wiphy() for ath12k_mac_op_ functions (bsc#1240998). - wifi: ath12k: ath12k_mac_op_sta_state(): clean up update_wk cancellation (bsc#1240998). - wifi: ath12k: ath12k_mac_set_key(): remove exit label (bsc#1240998). - commit 4d42f04 - wifi: ath12k: switch to using wiphy_lock() and remove ar->conf_mutex (bsc#1240998). - Refresh patches.suse/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch. - Refresh patches.suse/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_ma.patch. - commit 728526a - wifi: ath12k: convert struct ath12k_sta::update_wk to use struct wiphy_work (bsc#1240998). - commit 91ddf3a - wifi: ath12k: Support Pdev OBSS Stats (bsc#1240998). - wifi: ath12k: Support pdev CCA Stats (bsc#1240998). - wifi: ath12k: Support pdev Transmit Multi-user stats (bsc#1240998). - wifi: ath12k: Support Ring and SFM stats (bsc#1240998). - wifi: ath12k: Support Self-Generated Transmit stats (bsc#1240998). - wifi: ath12k: Modify print_array_to_buf() to support arrays with 1-based semantics (bsc#1240998). - wifi: ath12k: move txbaddr/rxbaddr into struct ath12k_dp (bsc#1240998). - wifi: ath12k: make read-only array svc_id static const (bsc#1240998). 
- commit 3509024 - x86/bugs: Restructure ITS mitigation (git-fixes). - commit 085abef - x86/bugs: Fix spectre_v2 mitigation default on Intel (git-fixes). - commit f344e75 - KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions (git-fixes). - commit b648f1d - platform/x86/amd/hsmp: fix building with CONFIG_HWMON=m (jsc#PED-13094). - commit dc03ed2 - platform/x86/amd/hsmp: acpi: Add sysfs files to display HSMP telemetry (jsc#PED-13094). - commit d63496c - platform/x86/amd/hsmp: Report power via hwmon sensors (jsc#PED-13094). - commit 357c2f9 - platform/x86/amd/hsmp: Use a single DRIVER_VERSION for all usmp modules (jsc#PED-13094). - commit 60b1624 - platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers (jsc#PED-13094). - Refresh patches.suse/x86-platform-amd-Move-the-asm-amd_hsmp.h-header-to-asm-amd.patch. - commit 02efe4c - x86/platform/amd: Move the header to (jsc#PED-13094). - commit cd8f689 - x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through AMD_NODE (jsc#PED-13094). - commit 84c6aed - x86/amd_node: Remove dependency on AMD_NB (jsc#PED-13094). - commit 7a96278 - x86/amd_node: Update __amd_smn_rw() error paths (jsc#PED-13094). - commit 4c71e32 - x86/amd_nb: Move SMN access code to a new amd_node driver (jsc#PED-13094). - commit e227b52 - x86/amd_nb, hwmon: (k10temp): Simplify amd_pci_dev_to_node_id() (jsc#PED-13094). - commit 4ab060a - x86/amd_nb: Simplify function 3 search (jsc#PED-13094). - commit 995c30f - x86/amd_nb: Use topology info to get AMD node count (jsc#PED-13094). - commit 92a3127 - x86/amd_nb: Simplify root device search (jsc#PED-13094). - commit 99743f8 - x86/amd_nb: Simplify function 4 search (jsc#PED-13094). - commit 969836a - x86: Start moving AMD node functionality out of AMD_NB (jsc#PED-13094). - commit dedae8e - x86/amd_nb: Clean up early_is_amd_nb() (jsc#PED-13094). - commit 3e7ae58 - x86/amd_nb: Restrict init function to AMD-based systems (jsc#PED-13094). 
- commit 4581815 - x86/mce/amd: Remove shared threshold bank plumbing (jsc#PED-13094). - commit 5e367df - platform/x86: amd: Use *-y instead of *-objs in Makefiles (jsc#PED-13094). - commit 80da452 - platform/x86/amd/hsmp: Constify 'struct bin_attribute' (jsc#PED-13094). - commit ed01393 - Refresh patches.suse/drm-panel-simple-Update-timings-for-AUO-G101EVN010.patch. - Refresh patches.suse/drm-xe-Fix-and-re-enable-xe_print_blob_ascii85.patch. - commit 7527c99 - platform/x86/amd/hsmp: Add support for HSMP protocol version 7 messages (jsc#PED-13094). - commit 98c4882 - platform/x86/amd/hsmp: Change the error type (jsc#PED-13094). - commit a450822 - platform/x86/amd/hsmp: Add new error code and error logs (jsc#PED-13094). - commit 2c1e1e0 - platform/x86/amd/hsmp: Make hsmp_pdev static instead of global (jsc#PED-13094). - commit 25dfaea ++++ ovmf: - Add the patch from edk2-stable202505 (bsc#1243199) - ovmf-OvmfPkg-CcExitLib-Use-the-proper-register-when-filte.patch 856bdc8eec0f OvmfPkg/CcExitLib: Use the proper register when filtering MSRs ------------------------------------------------------------------ ------------------ 2025-6-15 - Jun 15 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-firmware-bluetooth: - Update to version 20250613 (git commit 12fe085fa409): * QCA: Update WCN785x btusb firmware to 2.0.0-00799-5 ++++ kernel-firmware-mediatek: - Update to version 20250613 (git commit 12fe085fa409): * linux-firmware: update firmware for MT7986 * linux-firmware: update firmware for MT7981 * linux-firmware: update firmware for MT7916 ++++ kernel-firmware-qcom: - Update to version 20250613 (git commit 12fe085fa409): * qcom: sc8280xp: Updated power FW for X13s ++++ kernel-firmware-realtek: - Update to version 20250613 (git commit 12fe085fa409): * rtl_nic: update firmware of RTL8153A ++++ kernel-firmware-sound: - Update to version 20250613 (git commit 12fe085fa409): * cirrus: cs35l41: Add Firmware for ASUS NUC using 
CS35L41 ++++ nvidia-open-driver-G06-signed: - update non-CUDA variant to 570.169 (boo#1244614) ------------------------------------------------------------------ ------------------ 2025-6-14 - Jun 14 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - udmabuf: use sgtable-based scatterlist wrappers (git-fixes). - drm/meson: fix more rounding issues with 59.94Hz modes (git-fixes). - drm/meson: use vclk_freq instead of pixel_freq in debug print (git-fixes). - drm/meson: fix debug log statement when setting the HDMI clocks (git-fixes). - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - spi: omap2-mcspi: Disable multi-mode when the previous message kept CS asserted (git-fixes). - spi: omap2-mcspi: Disable multi mode when CS should be kept asserted after message (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - commit 8d2d704 ++++ kernel-rt: - udmabuf: use sgtable-based scatterlist wrappers (git-fixes). - drm/meson: fix more rounding issues with 59.94Hz modes (git-fixes). - drm/meson: use vclk_freq instead of pixel_freq in debug print (git-fixes). - drm/meson: fix debug log statement when setting the HDMI clocks (git-fixes). - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - spi: omap2-mcspi: Disable multi-mode when the previous message kept CS asserted (git-fixes). - spi: omap2-mcspi: Disable multi mode when CS should be kept asserted after message (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - commit 8d2d704 ------------------------------------------------------------------ ------------------ 2025-6-13 - Jun 13 2025 ------------------- ------------------------------------------------------------------ ++++ glib2: - Update to version 2.84.3: + Bug fixed: gstring: Fix overflow check when expanding the string (CVE-2025-6052, boo#1244596). 
++++ kernel-default: - Revert "openvswitch: switch to per-action label counting in conntrack" (CVE-2025-21958 bsc#1240758). - commit 99845fa - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - commit bbb8b6d - platform/x86/amd/hsmp: Use dev_groups in the driver structure (jsc#PED-13094). - commit 0d0227e - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - commit 1e81e5c - platform/x86/amd/hsmp: Use name space while exporting module symbols (jsc#PED-13094). - commit 43e9d2b - platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers (jsc#PED-13094). - Update config files. - commit 1820255 - mm/damon: fix order of arguments in damos_before_apply tracepoint (git-fixes). - commit 573e8fc - platform/x86/amd/hsmp: Change generic plat_dev name to hsmp_pdev (jsc#PED-13094). - commit e81369a - platform/x86/amd/hsmp: Move ACPI code to acpi.c (jsc#PED-13094). - commit 4d8807d - platform/x86/amd/hsmp: Move platform device specific code to plat.c (jsc#PED-13094). - commit a6d1274 - platform/x86/amd/hsmp: Move structure and macros to header file (jsc#PED-13094). - commit 226e6d8 - platform/x86/amd/hsmp: Convert amd_hsmp_rdwr() to a function pointer (jsc#PED-13094). - commit cfa6b2b - platform/x86/amd/hsmp: Create wrapper function init_acpi() (jsc#PED-13094). - commit 7b2aa8b - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - commit b955896 - platform/x86/amd/hsmp: Create hsmp/ directory (jsc#PED-13094). - Refresh patches.suse/sysfs-treewide-constify-attribute-callback-of-bin_is.patch. - commit fb1429d - tracing: Fix function name for trampoline (git-fixes). - commit db0dd06 - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - commit 58aed75 - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - commit 4902f47 - x86/bugs: Restructure SRSO mitigation (git-fixes). 
- commit b308adf - x86/bugs: KVM: Add support for SRSO_MSR_FIX (git-fixes). - commit d3911cf - x86/bugs: Restructure L1TF mitigation (git-fixes). - Refresh patches.suse/x86-sme-Use-percpu-boolean-to-control-wbinvd-during-kexec.patch. - commit 1d465a8 - x86/bugs: Restructure SSB mitigation (git-fixes). - commit 4fad51e - x86/bugs: Restructure spectre_v2 mitigation (git-fixes). - commit 811ec5d - x86/bugs: Restructure BHI mitigation (git-fixes). - commit 185e70f - x86/bugs: Restructure spectre_v2_user mitigation (git-fixes). - commit 7ec3712 - x86/bugs: Remove X86_FEATURE_USE_IBPB (git-fixes). - commit fa88ebe - KVM: nVMX: Always use IBPB to properly virtualize IBRS (git-fixes). - blacklist.conf: Removed the patch - commit 557f9fb - x86/bugs: Use a static branch to guard IBPB on vCPU switch (git-fixes). - commit e724e81 - x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set() (git-fixes). - commit 42db235 - x86/mm: Remove X86_FEATURE_USE_IBPB checks in cond_mitigation() (git-fixes). - commit 4022f33 - x86/bugs: Move the X86_FEATURE_USE_IBPB check into callers (git-fixes). - Refresh patches.suse/x86-bugs-Fix-RSB-clearing-in-indirect_branch_prediction_ba.patch. - commit 68a66c6 - x86/bugs: Use the cpu_smt_possible() helper instead of open-coded code (git-fixes). - commit a3f48f2 - x86/bugs: Restructure retbleed mitigation (git-fixes). - commit 57e9149 - x86/bugs: Allow retbleed=stuff only on Intel (git-fixes). - commit be36749 - x86/bugs: Restructure spectre_v1 mitigation (git-fixes). - commit 9d9c4f9 - x86/bugs: Restructure GDS mitigation (git-fixes). - commit 07ce138 - x86/bugs: Restructure SRBDS mitigation (git-fixes). - commit 985324a - x86/bugs: Remove md_clear_*_mitigation() (git-fixes). - commit 3670fb7 - x86/bugs: Restructure RFDS mitigation (git-fixes). - commit 5f6d514 - x86/bugs: Restructure MMIO mitigation (git-fixes). - commit fbecfda - x86/bugs: Rename mmio_stale_data_clear to cpu_buf_vm_clear (git-fixes). 
- commit 6562e0a - x86/bugs: Restructure TAA mitigation (git-fixes). - commit 2b3c942 - x86/bugs: Restructure MDS mitigation (git-fixes). - commit d61c636 - x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds (git-fixes). - commit 8f40133 - x86/bugs: Relocate mds/taa/mmio/rfds defines (git-fixes). - commit dd6ad69 - x86/bugs: Add X86_BUG_SPECTRE_V2_USER (git-fixes). - Refresh patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch. - Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch. - commit 2251acf - net: ibmveth: Refactored veth_pool_store for better maintainability (jsc#PED-3944). - net: ibmveth: added KUnit tests for some buffer pool functions (jsc#PED-3944). - net: ibmveth: Reset the adapter when unexpected states are detected (jsc#PED-3944). - net: ibmveth: Indented struct ibmveth_adapter correctly (jsc#PED-3944). - commit 8a53c7b - patches.suse/block-make-sure-nr_integrity_segments-is-cloned-in-blk_rq_.patch: (git-fixes, bsc#1243874). Patch metadata - commit 3065561 - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - commit 497daab - Bluetooth: MGMT: Fix sparse errors (git-fixes). - commit f4127bc - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - Revert "wifi: mwifiex: Fix HT40 bandwidth issue." (git-fixes). - Bluetooth: eir: Fix possible crashes on eir_create_adv_data (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). 
- Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race condition (git-fixes). - Bluetooth: btintel_pcie: Increase the tx and rx descriptor count (git-fixes). - Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers (git-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - ptp: ocp: Limit signal/freq counts in summary output functions (git-fixes). - ptp: ocp: fix start time alignment in ptp_ocp_signal_set (git-fixes). - ptp: ocp: reject unsupported periodic output flags (git-fixes). - ptp: Properly handle compat ioctls (git-fixes). - commit ad94026 - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI/pwrctrl: Cancel outstanding rescan work when unregistering (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - PCI: apple: Use helper function for_each_child_of_node_scoped() (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - commit f6125e9 ++++ kernel-rt: - Revert "openvswitch: switch to per-action label counting in conntrack" (CVE-2025-21958 bsc#1240758). - commit 99845fa - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - commit bbb8b6d - platform/x86/amd/hsmp: Use dev_groups in the driver structure (jsc#PED-13094). - commit 0d0227e - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). 
- commit 1e81e5c - platform/x86/amd/hsmp: Use name space while exporting module symbols (jsc#PED-13094). - commit 43e9d2b - platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers (jsc#PED-13094). - Update config files. - commit 1820255 - mm/damon: fix order of arguments in damos_before_apply tracepoint (git-fixes). - commit 573e8fc - platform/x86/amd/hsmp: Change generic plat_dev name to hsmp_pdev (jsc#PED-13094). - commit e81369a - platform/x86/amd/hsmp: Move ACPI code to acpi.c (jsc#PED-13094). - commit 4d8807d - platform/x86/amd/hsmp: Move platform device specific code to plat.c (jsc#PED-13094). - commit a6d1274 - platform/x86/amd/hsmp: Move structure and macros to header file (jsc#PED-13094). - commit 226e6d8 - platform/x86/amd/hsmp: Convert amd_hsmp_rdwr() to a function pointer (jsc#PED-13094). - commit cfa6b2b - platform/x86/amd/hsmp: Create wrapper function init_acpi() (jsc#PED-13094). - commit 7b2aa8b - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - commit b955896 - platform/x86/amd/hsmp: Create hsmp/ directory (jsc#PED-13094). - Refresh patches.suse/sysfs-treewide-constify-attribute-callback-of-bin_is.patch. - commit fb1429d - tracing: Fix function name for trampoline (git-fixes). - commit db0dd06 - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - commit 58aed75 - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - commit 4902f47 - x86/bugs: Restructure SRSO mitigation (git-fixes). - commit b308adf - x86/bugs: KVM: Add support for SRSO_MSR_FIX (git-fixes). - commit d3911cf - x86/bugs: Restructure L1TF mitigation (git-fixes). - Refresh patches.suse/x86-sme-Use-percpu-boolean-to-control-wbinvd-during-kexec.patch. - commit 1d465a8 - x86/bugs: Restructure SSB mitigation (git-fixes). - commit 4fad51e - x86/bugs: Restructure spectre_v2 mitigation (git-fixes). - commit 811ec5d - x86/bugs: Restructure BHI mitigation (git-fixes). 
- commit 185e70f - x86/bugs: Restructure spectre_v2_user mitigation (git-fixes). - commit 7ec3712 - x86/bugs: Remove X86_FEATURE_USE_IBPB (git-fixes). - commit fa88ebe - KVM: nVMX: Always use IBPB to properly virtualize IBRS (git-fixes). - blacklist.conf: Removed the patch - commit 557f9fb - x86/bugs: Use a static branch to guard IBPB on vCPU switch (git-fixes). - commit e724e81 - x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set() (git-fixes). - commit 42db235 - x86/mm: Remove X86_FEATURE_USE_IBPB checks in cond_mitigation() (git-fixes). - commit 4022f33 - x86/bugs: Move the X86_FEATURE_USE_IBPB check into callers (git-fixes). - Refresh patches.suse/x86-bugs-Fix-RSB-clearing-in-indirect_branch_prediction_ba.patch. - commit 68a66c6 - x86/bugs: Use the cpu_smt_possible() helper instead of open-coded code (git-fixes). - commit a3f48f2 - x86/bugs: Restructure retbleed mitigation (git-fixes). - commit 57e9149 - x86/bugs: Allow retbleed=stuff only on Intel (git-fixes). - commit be36749 - x86/bugs: Restructure spectre_v1 mitigation (git-fixes). - commit 9d9c4f9 - x86/bugs: Restructure GDS mitigation (git-fixes). - commit 07ce138 - x86/bugs: Restructure SRBDS mitigation (git-fixes). - commit 985324a - x86/bugs: Remove md_clear_*_mitigation() (git-fixes). - commit 3670fb7 - x86/bugs: Restructure RFDS mitigation (git-fixes). - commit 5f6d514 - x86/bugs: Restructure MMIO mitigation (git-fixes). - commit fbecfda - x86/bugs: Rename mmio_stale_data_clear to cpu_buf_vm_clear (git-fixes). - commit 6562e0a - x86/bugs: Restructure TAA mitigation (git-fixes). - commit 2b3c942 - x86/bugs: Restructure MDS mitigation (git-fixes). - commit d61c636 - x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds (git-fixes). - commit 8f40133 - x86/bugs: Relocate mds/taa/mmio/rfds defines (git-fixes). - commit dd6ad69 - x86/bugs: Add X86_BUG_SPECTRE_V2_USER (git-fixes). - Refresh patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch. 
- Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch. - commit 2251acf - net: ibmveth: Refactored veth_pool_store for better maintainability (jsc#PED-3944). - net: ibmveth: added KUnit tests for some buffer pool functions (jsc#PED-3944). - net: ibmveth: Reset the adapter when unexpected states are detected (jsc#PED-3944). - net: ibmveth: Indented struct ibmveth_adapter correctly (jsc#PED-3944). - commit 8a53c7b - patches.suse/block-make-sure-nr_integrity_segments-is-cloned-in-blk_rq_.patch: (git-fixes, bsc#1243874). Patch metadata - commit 3065561 - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - commit 497daab - Bluetooth: MGMT: Fix sparse errors (git-fixes). - commit f4127bc - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - Revert "wifi: mwifiex: Fix HT40 bandwidth issue." (git-fixes). - Bluetooth: eir: Fix possible crashes on eir_create_adv_data (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race condition (git-fixes). - Bluetooth: btintel_pcie: Increase the tx and rx descriptor count (git-fixes). - Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers (git-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). 
- pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - ptp: ocp: Limit signal/freq counts in summary output functions (git-fixes). - ptp: ocp: fix start time alignment in ptp_ocp_signal_set (git-fixes). - ptp: ocp: reject unsupported periodic output flags (git-fixes). - ptp: Properly handle compat ioctls (git-fixes). - commit ad94026 - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI/pwrctrl: Cancel outstanding rescan work when unregistering (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - PCI: apple: Use helper function for_each_child_of_node_scoped() (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - commit f6125e9 ++++ libguestfs: - Drop gzip mtime from base.tar.gz (bsc#1216986) ++++ osinfo-db: - Update to database version 20250606 (jsc#PED-12706) osinfo-db-20250606.tar.xz - Drop add-Windows-Server-2025.patch ------------------------------------------------------------------ ------------------ 2025-6-12 - Jun 12 2025 ------------------- ------------------------------------------------------------------ ++++ transactional-update: - Version 5.0.4 - Don't override soft-reboot with hard reboot - Fix stdio when returning from selfupdate [boo#1243910], [gh#openSUSE/transactional-update#151] ++++ jq: - Add patch CVE-2024-23337.patch (CVE-2024-23337, bsc#1243450) ++++ kernel-default: - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - commit 6750876 - scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels (git-fixes). 
- scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: logging: Fix scsi_logging_level bounds (git-fixes). - scsi: mpi3mr: Update timestamp only for supervisor IOCs (git-fixes). - scsi: scsi_debug: First fixes for tapes (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - commit edc8361 - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000 bsc#1244277). - commit 57fc275 - ring-buffer: Limit time with disabled interrupts in rb_check_pages() (git-fixes). - commit eb4c51a - bpf: Force uprobe bpf program to always return 0 (git-fixes). - commit 8c62ccf - tracing: Fix function timing profiler to initialize hashtable (git-fixes). - commit bb3c8fc - xfs: don't lose solo dquot update transactions (bsc#1244502). - commit de784a3 - xfs: don't lose solo superblock counter update transactions (bsc#1244502). - commit d46099b - xfs: avoid nested calls to __xfs_trans_commit (bsc#1244502). - commit 0e219be - netfilter: ipset: fix region locking in hash types (CVE-2025-37997 bsc#1243832). - commit 7805bf7 - Revert "sysctl: update common tuning parameters for SAP workloads" This reverts commit 86d9b0692912bbfa298dbe77683f16d0872aaf27. jsc#PED-11676 has been rejected. - commit 346a6d9 - supported.conf: mark mana drivers as external - uio_hv_generic: Set event for all channels on the device (git-fixes). - Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests (git-fixes). 
- Drivers: hv: vmbus: Add comments about races with "channels" sysfs dir (git-fixes). - PCI: hv: Remove unnecessary flex array in struct pci_packet (git-fixes). - Drivers: hv: Use kzalloc for panic page allocation (git-fixes). - uio_hv_generic: Align ring size to system page (git-fixes). - uio_hv_generic: Use correct size for interrupt and monitor pages (git-fixes). - Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary (git-fixes). - x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap() (git-fixes). - Drivers: hv: vmbus: Introduce hv_get_vmbus_root_device() (git-fixes). - Drivers: hv: vmbus: Get the IRQ number from DeviceTree (git-fixes). - arm64, x86: hyperv: Report the VTL the system boots in (git-fixes). - arm64: hyperv: Initialize the Virtual Trust Level field (git-fixes). - Drivers: hv: Provide arch-neutral implementation of get_vtl() (git-fixes). - Drivers: hv: Enable VTL mode for arm64 (git-fixes). - tools: hv: Enable debug logs for hv_kvp_daemon (git-fixes). - net: mana: Add support for auxiliary device servicing events (git-fixes). - RDMA/mana_ib: unify mana_ib functions to support any gdma device (git-fixes). - RDMA/mana_ib: Add support of mana_ib for RNIC and ETH nic (git-fixes). - net: mana: Probe rdma device in mana driver (git-fixes). - RDMA/mana_ib: Add support of 4M, 1G, and 2G pages (git-fixes). - RDMA/mana_ib: support of the zero based MRs (git-fixes). - RDMA/mana_ib: Access remote atomic for MRs (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - commit e5bb2a2 ++++ kernel-firmware-nvidia: - Fix zypper conflict about directory -> symlink workaround (bsc#1244458) ++++ kernel-firmware-qcom: - Better workaround for directory -> symlink change (bsc#1244458) ++++ kernel-rt: - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - commit 6750876 - scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels (git-fixes). 
- scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: logging: Fix scsi_logging_level bounds (git-fixes). - scsi: mpi3mr: Update timestamp only for supervisor IOCs (git-fixes). - scsi: scsi_debug: First fixes for tapes (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - commit edc8361 - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000 bsc#1244277). - commit 57fc275 - ring-buffer: Limit time with disabled interrupts in rb_check_pages() (git-fixes). - commit eb4c51a - bpf: Force uprobe bpf program to always return 0 (git-fixes). - commit 8c62ccf - tracing: Fix function timing profiler to initialize hashtable (git-fixes). - commit bb3c8fc - xfs: don't lose solo dquot update transactions (bsc#1244502). - commit de784a3 - xfs: don't lose solo superblock counter update transactions (bsc#1244502). - commit d46099b - xfs: avoid nested calls to __xfs_trans_commit (bsc#1244502). - commit 0e219be - netfilter: ipset: fix region locking in hash types (CVE-2025-37997 bsc#1243832). - commit 7805bf7 - Revert "sysctl: update common tuning parameters for SAP workloads" This reverts commit 86d9b0692912bbfa298dbe77683f16d0872aaf27. jsc#PED-11676 has been rejected. - commit 346a6d9 - supported.conf: mark mana drivers as external - uio_hv_generic: Set event for all channels on the device (git-fixes). - Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests (git-fixes). 
- Drivers: hv: vmbus: Add comments about races with "channels" sysfs dir (git-fixes). - PCI: hv: Remove unnecessary flex array in struct pci_packet (git-fixes). - Drivers: hv: Use kzalloc for panic page allocation (git-fixes). - uio_hv_generic: Align ring size to system page (git-fixes). - uio_hv_generic: Use correct size for interrupt and monitor pages (git-fixes). - Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary (git-fixes). - x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap() (git-fixes). - Drivers: hv: vmbus: Introduce hv_get_vmbus_root_device() (git-fixes). - Drivers: hv: vmbus: Get the IRQ number from DeviceTree (git-fixes). - arm64, x86: hyperv: Report the VTL the system boots in (git-fixes). - arm64: hyperv: Initialize the Virtual Trust Level field (git-fixes). - Drivers: hv: Provide arch-neutral implementation of get_vtl() (git-fixes). - Drivers: hv: Enable VTL mode for arm64 (git-fixes). - tools: hv: Enable debug logs for hv_kvp_daemon (git-fixes). - net: mana: Add support for auxiliary device servicing events (git-fixes). - RDMA/mana_ib: unify mana_ib functions to support any gdma device (git-fixes). - RDMA/mana_ib: Add support of mana_ib for RNIC and ETH nic (git-fixes). - net: mana: Probe rdma device in mana driver (git-fixes). - RDMA/mana_ib: Add support of 4M, 1G, and 2G pages (git-fixes). - RDMA/mana_ib: support of the zero based MRs (git-fixes). - RDMA/mana_ib: Access remote atomic for MRs (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). 
- commit e5bb2a2 ++++ ndctl: - Update to version 82 * adds libcxl enumeration of FWCTL character devices - Linux 6.15 compatibility ++++ virt-manager: - Upstream bug fixes (bsc#1027942) 050-Validation-allow-spaces-disallow-slashes.patch 051-fix-default-start_folder-to-None.patch 052-Add-Ctrl+Alt+Shift+Esc-key-command-for-loginds-SecureAttentionKey.patch ------------------------------------------------------------------ ------------------ 2025-6-11 - Jun 11 2025 ------------------- ------------------------------------------------------------------ ++++ NetworkManager: - document static ip setup on boot (bsc#1244072) add 0001-man-document-static-ip-setup-differences-to-dracut-n.patch ++++ fde-tools: - Add fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch to fix the empty LUKS header checksum from lsinitrd (bsc#1244323) ++++ kernel-default: - Revert "ipv6: save dontfrag in cork (git-fixes)." This reverts commit f07ae24f52481201baa11e1e91aab0812e1043c6. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit a4337cd - Revert "kABI: ipv6: save dontfrag in cork (git-fixes)." This reverts commit c19b92367fe535ac505c72a32609b2b5aa190746. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit d9787d8 - rxrpc: Fix handling of received connection abort (CVE-2024-58053 bsc#1238982). - commit 6192989 - tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521) - commit c36615f - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). Return the correct upper limit of the allocated cpumask. modified: - patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping-cpus.patch. - patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number-initialized-masks.patch. 
- commit 55c520e - Refresh patches.suse/sd-always-retry-READ-CAPACITY-for-ALUA-state-transit.patch This patch has two identical hunks but there is only one site where the hunk can be applied. - commit da23587 - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - commit 5fb1a6c - Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - commit 0ba4e57 - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - commit 1f1b63d - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - commit ba34170 - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - commit db6d17b - ALSA: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - ALSA: hda: hda-intel: add Wildcat Lake support (stable-fixes). - ALSA: hda: add HDMI codec ID for Intel WCL (stable-fixes). - PCI: Add Intel Wildcat Lake audio Device ID (stable-fixes). - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Acer Helios laptops (stable-fixes). - commit b41ea81 - accel/ivpu: Trigger device recovery on engine reset/resume failure (git-fixes). - accel/ivpu: Use firmware names from upstream repo (git-fixes). - commit cfcd050 - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands (git-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - net: lan743x: Fix memleak issue when GSO enabled (git-fixes). 
- accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW (stable-fixes). - PCI/ASPM: Disable L1 before disabling L1 PM Substates (stable-fixes). - accel/ivpu: Update power island delays (stable-fixes). - accel/ivpu: Add initial Panther Lake support (stable-fixes). - commit 122402d ++++ kernel-rt: - Revert "ipv6: save dontfrag in cork (git-fixes)." This reverts commit f07ae24f52481201baa11e1e91aab0812e1043c6. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit a4337cd - Revert "kABI: ipv6: save dontfrag in cork (git-fixes)." This reverts commit c19b92367fe535ac505c72a32609b2b5aa190746. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit d9787d8 - rxrpc: Fix handling of received connection abort (CVE-2024-58053 bsc#1238982). - commit 6192989 - tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521) - commit c36615f - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). Return the correct upper limit of the allocated cpumask. modified: - patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping-cpus.patch. - patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number-initialized-masks.patch. - commit 55c520e - Refresh patches.suse/sd-always-retry-READ-CAPACITY-for-ALUA-state-transit.patch This patch has two identical hunks but there is only one site where the hunk can be applied. - commit da23587 - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - commit 5fb1a6c - Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - commit 0ba4e57 - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - commit 1f1b63d - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - commit ba34170 - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). 
- ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - commit db6d17b - ALSA: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - ALSA: hda: hda-intel: add Wildcat Lake support (stable-fixes). - ALSA: hda: add HDMI codec ID for Intel WCL (stable-fixes). - PCI: Add Intel Wildcat Lake audio Device ID (stable-fixes). - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Acer Helios laptops (stable-fixes). - commit b41ea81 - accel/ivpu: Trigger device recovery on engine reset/resume failure (git-fixes). - accel/ivpu: Use firmware names from upstream repo (git-fixes). - commit cfcd050 - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands (git-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - net: lan743x: Fix memleak issue when GSO enabled (git-fixes). - accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW (stable-fixes). - PCI/ASPM: Disable L1 before disabling L1 PM Substates (stable-fixes). - accel/ivpu: Update power island delays (stable-fixes). - accel/ivpu: Add initial Panther Lake support (stable-fixes). - commit 122402d ++++ libguestfs: - Update to version 1.56.0 (jsc#PED-12706) * Add support for Windows 2025 (thanks Ming Xie). * Add support for TencentOS (Denise Cheng). * Inspection of Ubuntu 22+ guests that use a split /usr configuration now works properly (thanks Jaroslav Spanko, Daniel Berrange). * Inspecting guests that have duplicated root mountpoints now works. 
* Inspection of SUSE Linux guests using btrfs snapshots now ignores snapshots that mirror content in the root filesystem (thanks Ming Xie). * Inspection of SUSE Linux >= 15 now returns the correct osinfo short name (eg. "sle15") (thanks Ming Xie). * New command_out and sh_out APIs which allow you to capture output from guest commands that generate more output than the protocol limit allows. * New btrfs_scrub_full API which runs a full Btrfs scrub, synchronously. It works more like fsck for other filesystems. * The fstrim API has been modified to work around several issues in upstream and RHEL 9 kernels related to XFS support (Eric Sandeen, Dave Chinner). * The existing e2fsck API has a new FORCENO option enabling use of the command line -n flag. * json-c is now required. This replaces Jansson which was previously used for parsing JSON input files. * OCaml ≥ 4.08 is now required. * When using ./configure --disable-daemon we no longer require augeas and hivex (thanks Mohamed Akram). * zfs-fuse support has been dropped. The project is unmaintained upstream (thanks Paul Bolle, Gwyn Ciesla, Timothée Ravier). * Fix compatibility with GNU gettext 0.25. * Fix dhcpcd failing on systemd-resolved stub (Thomas Wouters). * Add support for dhcpcd and sfdisk on Debian (Daniel Gomez). * Print the kernel utsname in debug output. * We no longer emit a false warning about BLKDISCARD when creating a block device. * If qemu-img(1) commands fail during snapshot creation, make sure we capture and print stderr from the qemu command (Cole Robinson). * For a complete list of changes and bug fixes see, https://libguestfs.org/guestfs-release-notes-1.56.1.html - bsc#1216986 - libguestfs: embeds /etc/hosts reproducible-builds.patch ++++ python313-core: - Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). 
- gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. - Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. ++++ nvidia-open-driver-G06-signed: - 60-nvidia-$flavor.conf * Don't try to load the driver if config and GSP firmware files are not available. Otherwise let the default install rule 'install nvidia-drm /sbin/modprobe --ignore-install nvidia-drm' of 50-nvidia.conf win, which comes together with config and GSP firmware files (package nvidia-common-G06). ++++ python313: - Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). 
- gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. - Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. ++++ python-argcomplete: - Remove executable bit on files installed outside of the path. 
(bsc#1244435) ++++ xfsprogs: - update to 6.14.0 - xfs_scrub_all: localize the strings in the program - xfs_protofile: add messages to localization catalog - Makefile: inject package name/version/bugreport into pot file - xfs_scrub_all: rename source code to .py.in - xfs_protofile: rename source code to .py.in - xfs_repair: handling a block with bad crc, bad uuid, and bad magic number needs fixing - xfs_repair: fix stupid argument error in verify_inode_chunk - xfs_repair: fix infinite loop in longform_dir2_entry_check* - xfs_repair: fix crash in reset_rt_metadir_inodes - xfs_repair: don't recreate /quota metadir if there are no quota inodes - xfs_repair: fix wording of error message about leftover CoW blocks on the rt device - xfs_io: Add cachestat syscall support - xfs_io: Add RWF_DONTCACHE support to preadv2 - xfs_io: Add RWF_DONTCACHE support to pwritev2 - xfs_io: Add support for preadv2 - make: remove the .extradep file in libxfs on "make clean" - xfs_{admin,repair},man5: tell the user to mount with nouuid for snapshots - xfsprogs: Fix mismatched return type of filesize() - xfs_io: don't fail FS_IOC_FSGETXATTR on filesystems that lack support - configure: additionally get icu-uc from pkg-config - xfs_scrub: use the display mountpoint for reporting file corruptions - xfs_scrub: don't warn about zero width joiner control characters - xfs_scrub: fix buffer overflow in string_escape - xfs_db: add command to copy directory trees out of filesystems - xfs_db: make listdir more generally useful - xfs_db: use an empty transaction to try to prevent livelocks in path_navigate - xfs_db: pass const pointers when we're not modifying them - mkfs: enable reflink on the realtime device - mkfs: validate CoW extent size hint when rtinherit is set - xfs_logprint: report realtime CUIs - xfs_repair: validate CoW extent size hint on rtinherit directories - xfs_repair: allow realtime files to have the reflink flag set - xfs_repair: rebuild the realtime refcount btree - xfs_repair: 
reject unwritten shared extents - xfs_repair: check existing realtime refcountbt entries against observed refcounts - xfs_repair: compute refcount data for the realtime groups - xfs_repair: find and mark the rtrefcountbt inode - xfs_repair: use realtime refcount btree data to check block types - xfs_repair: allow CoW staging extents in the realtime rmap records - xfs_spaceman: report health of the realtime refcount btree - xfs_db: add rtrefcount reservations to the rgresv command - xfs_db: copy the realtime refcount btree - xfs_db: support the realtime refcountbt - xfs_db: display the realtime refcount btree contents - man: document userspace API changes due to rt reflink - mkfs: create the realtime rmap inode - xfs_logprint: report realtime RUIs - xfs_repair: reserve per-AG space while rebuilding rt metadata - xfs_repair: rebuild the bmap btree for realtime files - xfs_repair: check for global free space concerns with default btree slack levels - xfs_repair: rebuild the realtime rmap btree - xfs_repair: always check realtime file mappings against incore info - xfs_repair: check existing realtime rmapbt entries against observed rmaps - xfs_repair: find and mark the rtrmapbt inodes - xfs_repair: refactor realtime inode check - xfs_repair: create a new set of incore rmap information for rt groups - xfs_repair: use realtime rmap btree data to check block types - xfs_repair: flag suspect long-format btree blocks - xfs_repair: tidy up rmap_diffkeys - xfs_spaceman: report health status of the realtime rmap btree - xfs_db: add an rgresv command - xfs_db: make fsmap query the realtime reverse mapping tree - xfs_db: copy the realtime rmap btree - xfs_db: support the realtime rmapbt - xfs_db: display the realtime rmap btree contents - xfs_db: don't abort when bmapping on a non-extents/bmbt fork - xfs_db: compute average btree height - man: document userspace API changes due to rt rmap - xfs_scrub: try harder to fill the bulkstat array with bulkstat() - xfs_scrub: ignore 
freed inodes when single-stepping during phase 3 - xfs_scrub: hoist the phase3 bulkstat single stepping code - xfs_scrub: don't blow away new inodes in bulkstat_single_step - xfs_scrub: return early from bulkstat_for_inumbers if no bulkstat data - xfs_scrub: don't complain if bulkstat fails - xfs_scrub: don't - xfs_scrub: don't double-scan inodes during phase 3 - xfs_scrub: actually iterate all the bulkstat records - xfs_scrub: selectively re-run bulkstat after re-running inumbers - xfs_scrub: remove flags argument from scrub_scan_all_inodes - xfs_scrub: call bulkstat directly if we're only scanning user files - xfs_scrub: don't report data loss in unlinked inodes twice - man: document new XFS_BULK_IREQ_METADIR flag to bulkstat - xfs_db: obfuscate rt superblock label when metadumping - mkfs,xfs_repair: don't pass a daddr as the flags argument - drop mkfs-fix-filesize-function-compilation-error-on-32-b.patch - now part of the release (merged in v6.14.0) ------------------------------------------------------------------ ------------------ 2025-6-10 - Jun 10 2025 ------------------- ------------------------------------------------------------------ ++++ branding-SLE: - Merge all files from distributions-logos-SLE into distributions-logos-branding-SLE. ++++ python-kiwi: - Fixed rootfs size calculation with spare part In case a spare_part setup is combined with the root_clone feature, the size calculation for the rootfs did not take the cloning into account and lead to the wrong value. In addition when requesting the spare part to be last and no size information was given, the partition was not created at all. 
This commit fixes both defects and Fixes #2831 ++++ iputils: - Security fix [bsc#1243772, CVE-2025-48964] * Fix integer overflow in ping statistics via zero timestamp * Add iputils-CVE-2025-48964_01.patch * Add iputils-CVE-2025-48964_02.patch * Add iputils-CVE-2025-48964_03.patch * Add iputils-CVE-2025-48964_regression.patch ++++ kernel-default: - net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909 bsc#1243467). - vxlan: vnifilter: Fix unlocked deletion of default FDB entry (CVE-2025-37921 bsc#1243480). - commit 1e0ef1b - ucsi_debugfs_entry: restore u32 respectively s32 for int (git-fixes). - commit 94a62e7 - tracing: Verify event formats that have "%*p.." (CVE-2025-37938 bsc#1243544). - tracing: Have process_string() also allow arrays (git-fixes). - tracing: Check "%s" dereference via the field and not the TP_printk format (git-fixes). - tracing: Add "%s" check in test_event_printk() (git-fixes). - tracing: Add missing helper functions in event pointer dereference check (git-fixes). - tracing: Fix test_event_printk() to process entire print argument (git-fixes). - tracing: Add __print_dynamic_array() helper (git-fixes). - commit 4da5a05 - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - commit f07681a - usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink() (git-fixes). - commit 31571ee - module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827) - commit ca96390 - ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations (CVE-2025-37910 bsc#1243468) - commit c0e3266 - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - commit 7c95ae0 - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). 
- commit 43c5814 - xen/x86: fix initial memory balloon target (git-fixes). - commit af7a319 - kABI: kabi fix after vsock/virtio: fix `rx_bytes` accounting (git-fixes). - commit d25e930 - vsock/virtio: fix `rx_bytes` accounting for stream sockets (git-fixes). - commit 86c965e - Delete patches.suse/Restore-kABI-for-NVidia-vGPU-driver.patch. - commit 56249f7 - gfs2: Don't start unnecessary transactions during log flush (bsc#1243993). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dlm: mask sk_shutdown value (bsc#1228854). - commit 691de31 - bpf: Search and add kfuncs in struct_ops prologue and epilogue (git-fixes). - selftests/bpf: Fix stdout race condition in traffic monitor (git-fixes). - selftests/bpf: Fix freplace_link segfault in tailcalls prog test (git-fixes). - selftests: bpf: test batch lookup on array of maps with holes (git-fixes). - bpf: skip non exist keys in generic_map_lookup_batch (git-fixes). - commit 63fb01b - selftests/bpf: Add distilled BTF test about marking BTF_IS_EMBEDDED (git-fixes). - libbpf: Fix incorrect traversal end type ID when marking BTF_IS_EMBEDDED (git-fixes). - libbpf: Fix return zero when elf_begin failed (git-fixes). - selftests/bpf: Fix btf leak on new btf alloc failure in btf_distill test (git-fixes). - libbpf: Fix segfault due to libelf functions not setting errno (git-fixes). - libbpf: Prevent compiler warnings/errors (git-fixes). - resolve_btfids: Fix compiler warnings (git-fixes). - commit f3a284f ++++ kernel-firmware-iwlwifi: - Update to version 20250609 (git commit 0d92efb540f4): * Revert "iwlwifi: add Bz/gl FW for core96-76 release" ++++ kernel-rt: - net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909 bsc#1243467). - vxlan: vnifilter: Fix unlocked deletion of default FDB entry (CVE-2025-37921 bsc#1243480). - commit 1e0ef1b - ucsi_debugfs_entry: restore u32 respectively s32 for int (git-fixes). - commit 94a62e7 - tracing: Verify event formats that have "%*p.." (CVE-2025-37938 bsc#1243544). 
- tracing: Have process_string() also allow arrays (git-fixes). - tracing: Check "%s" dereference via the field and not the TP_printk format (git-fixes). - tracing: Add "%s" check in test_event_printk() (git-fixes). - tracing: Add missing helper functions in event pointer dereference check (git-fixes). - tracing: Fix test_event_printk() to process entire print argument (git-fixes). - tracing: Add __print_dynamic_array() helper (git-fixes). - commit 4da5a05 - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - commit f07681a - usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink() (git-fixes). - commit 31571ee - module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827) - commit ca96390 - ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations (CVE-2025-37910 bsc#1243468) - commit c0e3266 - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - commit 7c95ae0 - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - commit 43c5814 - xen/x86: fix initial memory balloon target (git-fixes). - commit af7a319 - kABI: kabi fix after vsock/virtio: fix `rx_bytes` accounting (git-fixes). - commit d25e930 - vsock/virtio: fix `rx_bytes` accounting for stream sockets (git-fixes). - commit 86c965e - Delete patches.suse/Restore-kABI-for-NVidia-vGPU-driver.patch. - commit 56249f7 - gfs2: Don't start unnecessary transactions during log flush (bsc#1243993). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dlm: mask sk_shutdown value (bsc#1228854). - commit 691de31 - bpf: Search and add kfuncs in struct_ops prologue and epilogue (git-fixes). - selftests/bpf: Fix stdout race condition in traffic monitor (git-fixes). 
- selftests/bpf: Fix freplace_link segfault in tailcalls prog test (git-fixes). - selftests: bpf: test batch lookup on array of maps with holes (git-fixes). - bpf: skip non exist keys in generic_map_lookup_batch (git-fixes). - commit 63fb01b - selftests/bpf: Add distilled BTF test about marking BTF_IS_EMBEDDED (git-fixes). - libbpf: Fix incorrect traversal end type ID when marking BTF_IS_EMBEDDED (git-fixes). - libbpf: Fix return zero when elf_begin failed (git-fixes). - selftests/bpf: Fix btf leak on new btf alloc failure in btf_distill test (git-fixes). - libbpf: Fix segfault due to libelf functions not setting errno (git-fixes). - libbpf: Prevent compiler warnings/errors (git-fixes). - resolve_btfids: Fix compiler warnings (git-fixes). - commit f3a284f ++++ util-linux-systemd: - Fix libmount --no-canonicalize regression (boo#1244251, gh#util-linux/util-linux#3479, libmount-fix-no-canonicalize-regression.patch). ++++ gcc15: - Remove all %gcc_icecream mode cross-compilers and the corresponding icecream backend subpackages. Instead use glibc-bootstrap only configs for cross-x86_64-gcc (ipxe,ovmf,qemu), cross-ppc64-gcc (qemu) and cross-arm-gcc (ovmf). ++++ util-linux: - Fix libmount --no-canonicalize regression (boo#1244251, gh#util-linux/util-linux#3479, libmount-fix-no-canonicalize-regression.patch). ++++ python-requests: - update to 2.32.4: * CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file * Numerous documentation improvements * Added support for pypy 3.11 for Linux and macOS. * Dropped support for pypy 3.9 following its end of support. 
- drop CVE-2024-47081.patch (merged upstream) ------------------------------------------------------------------ ------------------ 2025-6-9 - Jun 9 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1244280). - commit d830b32 - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ("bs-upload-kernel: Pass limit_packages also on multibuild") - commit f4c6047 - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - commit e4c2851 - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1244278). - commit fb0286b - uprobes/x86: Harden uretprobe syscall trampoline check (CVE-2025-22046 bsc#1241434). - commit 5cc86ac - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build") - commit 27588c9 - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build") Fixes: 747f601d4156 ("bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)") - commit 8ef486c - ftrace: Avoid potential division by zero in function_stat_show() (CVE-2025-21898 bsc#1240610). - commit 13235ba - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value (git-fixes). - commit 2343c8f - sort series.conf - commit 7c822ea - tracing: Fix bad hist from corrupting named_triggers list (CVE-2025-21899 bsc#1240577). - commit b162509 - ring-buffer: Validate the persistent meta data subbuf array (CVE-2025-21777 bsc#1238764). - commit b030dbe - x86/usercopy: Fix kernel-doc func param name in clean_cache_range()'s description (git-fixes). 
- commit 2e19a8b - x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 (git-fixes). - commit 895937c - x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches (git-fixes). - commit a46ec06 - x86/microcode/AMD: Add some forgotten models to the SHA check (git-fixes). - commit 5ed1d64 - x86/microcode/AMD: Load only SHA256-checksummed patches (git-fixes). - commit c395380 - x86/alternative: Remove unused header #defines (git-fixes). - commit 0ced93a - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - commit 1051216 - x86/microcode/AMD: Add get_patch_level() (git-fixes). - commit 08a178d - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - commit 563faf8 - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - commit 409c545 - x86/microcode/AMD: Remove unused save_microcode_in_initrd_amd() declarations (git-fixes). - commit 5d4cce2 - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - commit dc8a454 - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - commit 3dd0b23 - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - commit 31a173d - Sort series.conf - commit 4948d54 - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - commit 913f1ca - selftests/bpf: Add selftest for may_goto (bsc#1241460 CVE-2025-22087). - selftests/bpf: Introduce __load_if_JITed annotation for tests (bsc#1241460 CVE-2025-22087). - bpf: Fix array bounds error with may_goto (bsc#1241460 CVE-2025-22087). - commit 4c36585 - selftests/bpf: Check for timeout in perf_link test (git-fixes). - commit 73ccf26 ++++ kernel-rt: - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1244280). 
- commit d830b32 - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ("bs-upload-kernel: Pass limit_packages also on multibuild") - commit f4c6047 - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - commit e4c2851 - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1244278). - commit fb0286b - uprobes/x86: Harden uretprobe syscall trampoline check (CVE-2025-22046 bsc#1241434). - commit 5cc86ac - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build") - commit 27588c9 - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build") Fixes: 747f601d4156 ("bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)") - commit 8ef486c - ftrace: Avoid potential division by zero in function_stat_show() (CVE-2025-21898 bsc#1240610). - commit 13235ba - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value (git-fixes). - commit 2343c8f - sort series.conf - commit 7c822ea - tracing: Fix bad hist from corrupting named_triggers list (CVE-2025-21899 bsc#1240577). - commit b162509 - ring-buffer: Validate the persistent meta data subbuf array (CVE-2025-21777 bsc#1238764). - commit b030dbe - x86/usercopy: Fix kernel-doc func param name in clean_cache_range()'s description (git-fixes). - commit 2e19a8b - x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 (git-fixes). - commit 895937c - x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches (git-fixes). - commit a46ec06 - x86/microcode/AMD: Add some forgotten models to the SHA check (git-fixes). 
- commit 5ed1d64 - x86/microcode/AMD: Load only SHA256-checksummed patches (git-fixes). - commit c395380 - x86/alternative: Remove unused header #defines (git-fixes). - commit 0ced93a - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - commit 1051216 - x86/microcode/AMD: Add get_patch_level() (git-fixes). - commit 08a178d - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - commit 563faf8 - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - commit 409c545 - x86/microcode/AMD: Remove unused save_microcode_in_initrd_amd() declarations (git-fixes). - commit 5d4cce2 - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - commit dc8a454 - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - commit 3dd0b23 - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - commit 31a173d - Sort series.conf - commit 4948d54 - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - commit 913f1ca - selftests/bpf: Add selftest for may_goto (bsc#1241460 CVE-2025-22087). - selftests/bpf: Introduce __load_if_JITed annotation for tests (bsc#1241460 CVE-2025-22087). - bpf: Fix array bounds error with may_goto (bsc#1241460 CVE-2025-22087). - commit 4c36585 - selftests/bpf: Check for timeout in perf_link test (git-fixes). - commit 73ccf26 ++++ libgcrypt: - Security fix [bsc#1221107, CVE-2024-2236] * Add --enable-marvin-workaround to spec to enable workaround * Fix timing based side-channel in RSA implementation (Marvin attack) * Add libgcrypt-CVE-2024-2236.patch ++++ python313-core: - Update to 3.13.4: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. 
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. 
- gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio create_task() family of methods and how it calls a custom task factory in a backwards incompatible way. Since some 3rd party libraries have already made changes to work around the issue that might break if we simply reverted the changes, we’re instead changing things to be backwards compatible with 3.13.2 while still supporting those workarounds for 3.13.3. In particular, the special-casing of name and context is back (until 3.14) and consequently eager tasks may still find that their name hasn’t been set before they execute their first yielding await. - gh-71253: Raise ValueError in open() if opener returns a negative file-descriptor in the Python implementation of io to match the C implementation. - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser. - gh-133489: random.getrandbits() can now generate more than 2^31 bits. random.randbytes() can now generate more than 256 MiB. - gh-133290: Fix attribute caching issue when setting ctypes._Pointer._type_ in the undocumented and deprecated ctypes.SetPointerType() function and the undocumented set_type() method. - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11. 
- gh-133089: Use original timeout value for subprocess.TimeoutExpired when the func subprocess.run() is called with a timeout instead of sometimes a confusing partial remaining time out value used internally on the final wait(). - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-132995: Bump the version of pip bundled in ensurepip to version 25.1.1 - gh-132017: Fix error when pyrepl is suspended, then resumed and terminated. - gh-132673: Fix a crash when using _align_ = 0 and _fields_ = [] in a ctypes.Structure. - gh-132527: Include the valid typecode ‘w’ in the error message when an invalid typecode is passed to array.array. - gh-132439: Fix PyREPL on Windows: characters entered via AltGr are swallowed. Patch by Chris Eibl. - gh-132429: Fix support of Bluetooth sockets on NetBSD and DragonFly BSD. - gh-132106: QueueListener.start now raises a RuntimeError if the listener is already started. - gh-132417: Fix a NULL pointer dereference when a C function called using ctypes with restype py_object returns NULL. - gh-132385: Fix instance error suggestions trigger potential exceptions in object.__getattr__() in traceback. - gh-132308: A traceback.TracebackException now correctly renders the __context__ and __cause__ attributes from falsey Exception, and the exceptions attribute from falsey ExceptionGroup. - gh-132250: Fixed the SystemError in cProfile when locating the actual C function of a method raises an exception. - gh-132063: Prevent exceptions that evaluate as falsey (namely, when their __bool__ method returns False or their __len__ method returns 0) from being ignored by concurrent.futures.ProcessPoolExecutor and concurrent.futures.ThreadPoolExecutor. - gh-119605: Respect follow_wrapped for __init__() and __new__() methods when getting the class signature for a class with inspect.signature(). Preserve class signature after wrapping with warnings.deprecated(). 
Patch by Xuehai Pan. - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion. - gh-131434: Improve error reporting for incorrect format in time.strptime(). - gh-131127: Systems using LibreSSL now successfully build. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - gh-130941: Fix configparser.ConfigParser parsing empty interpolation with allow_no_value set to True. - gh-129098: Fix REPL traceback reporting when using compile() with an inexisting file. Patch by Bénédikt Tran. - gh-130631: http.cookiejar.join_header_words() is now more similar to the original Perl version. It now quotes the same set of characters and always quote values that end with "\n". - gh-129719: Fix missing socket.CAN_RAW_ERR_FILTER constant in the socket module on Linux systems. It was missing since Python 3.11. - gh-124096: Turn on virtual terminal mode and enable bracketed paste in REPL on Windows console. (If the terminal does not support bracketed paste, enabling it does nothing.) - gh-122559: Remove __reduce__() and __reduce_ex__() methods that always raise TypeError in the C implementation of io.FileIO, io.BufferedReader, io.BufferedWriter and io.BufferedRandom and replace them with default __getstate__() methods that raise TypeError. This restores fine details of behavior of Python 3.11 and older versions. - gh-122179: hashlib.file_digest() now raises BlockingIOError when no data is available during non-blocking I/O. Before, it added spurious null bytes to the digest. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the