------------------------------------------------------------------
--- Changelog.all ----------- Wed Nov 26 17:47:31 UTC 2025 ------
------------------------------------------------------------------
------------------------------------------------------------------
------------------ 2025-11-19 - Nov 19 2025 -------------------
------------------------------------------------------------------
++++ curl:

- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch

------------------------------------------------------------------
------------------ 2025-11-11 - Nov 11 2025 -------------------
------------------------------------------------------------------
++++ multipath-tools:

- Update to version 0.11.3+184+suse.e1501732:
- Fixes from upstream 0.11.3 (see also NEWS.md) (bsc#1253260)
  * Improved the communication with **udev** and **systemd** by triggering uevents when path devices are added to or removed from multipath maps, or when `multipathd reconfigure` is executed after changing blacklist directives in `multipath.conf`.
  * Failed paths should be checked every `polling_interval`. In certain cases, this wouldn't happen, because the check interval wasn't reset by multipathd.
  * It could happen that multipathd would accidentally release a SCSI persistent reservation held by another node. Fix it.
  * After manually failing some paths and then reinstating them, sometimes the reinstated paths were immediately failed again by multipathd. Fix it.
  * Various minor fixes reported by coverity.

------------------------------------------------------------------
------------------ 2025-11-10 - Nov 10 2025 -------------------
------------------------------------------------------------------
++++ cyrus-sasl:

- Python3 error log upon importing pycurl (bsc#1233529)
  Remove senseless log message.
  * add remove-senceless-log.patch

------------------------------------------------------------------
------------------ 2025-11-5 - Nov 5 2025 -------------------
------------------------------------------------------------------
++++ runc:

- Update to runc v1.3.3. Upstream changelog is available from . bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
  - 2025-11-05-CVEs.patch

------------------------------------------------------------------
------------------ 2025-10-27 - Oct 27 2025 -------------------
------------------------------------------------------------------
++++ docker:

- Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290

------------------------------------------------------------------
------------------ 2025-10-23 - Oct 23 2025 -------------------
------------------------------------------------------------------
++++ osinfo-db:

- bsc#1252429 - virt-manager does not detect Leap 16.0 offline ISO
  add-opensuse-leap-16.0-support.patch

------------------------------------------------------------------
------------------ 2025-10-20 - Oct 20 2025 -------------------
------------------------------------------------------------------
++++ selinux-policy:

- Update to version 20250627+git239.fcbf2d509:
  * fail2ban: bump module version
  * fail2ban: allow fail2ban to watch all log files and dirs (bsc#1251952)
  * fail2ban: fix typos in interface descriptions
  * fail2ban: tweak file context regex for /run/fail2ban
  * fail2ban: drop file context for old rc.d file
  * Allow wicket to manage its proc directories (bsc#1235731)
  * Allow NM to manage wicked pid files (bsc#1235731)
  * Allow NM to reach systemd unit files (bsc#1235731)
  * Make wicked script backwards compatible (bsc#1251923)
  * Allow snapper grub plugin to domtrans to bootloader_t (bsc#1251862)
  * Allow salt_t transition to rpm_script_t (bsc#1250696)
  * grub snapper plugin is now
    named 00-grub (bsc#1251793)
  * Assign alts_exec_t exec_file attribute (bsc#1250974)
  * Add equivalency between /srv/tomcat and /var/lib/tomcat (bsc#1251227)
  * Allow sshd_session_t write to wtmpdb
  * Support /usr/libexec/ssh as well as openssh folder
  * Set xenstored_use_store_type_domain boolean true(bsc#1247875)
  * Adjust guest and xguest users policy for sshd-session
  * Allow valkey-server create and use netlink_rdma_socket
  * Allow blueman get attributes of filesystems with extended attributes
  * Update files_search_base_file_types()
  * Introduce unconfined wicked_script_t (bsc#1205770, bsc#1250661)
  * Allow geoclue get attributes of the /dev/shm filesystem
  * Allow apcupsd get attributes of the /dev/shm filesystem
  * Allow sshd-session read cockpit pid files
  * Add /opt/.snapshots to the snapper file context (bsc#1232226)
  * Allow nfs generator create and use netlink sockets
  * Conditionally allow virt guests to read certificates in user home directories
  * xenstored_t needs CAP_SYS_ADMIN for XENSTORETYPE=domain (bsc#1247875)
  * Allow nfs-generator create and use udp sockets
  * Allow kdump search kdumpctl_tmp_t directories
  * Allow init open and read user tmp files
  * Fix the systemd_logind_stream_connect() interface
  * Allow staff and sysadm execute iotop using sudo
  * Allow sudodomains connect to systemd-logind over a unix socket
  * /boot/efi is dosfs_t and kdump needs to access it (bsc#1249370)
  * Add default contexts for sshd-seesion
  * Define types for new openssh executables
  * Fix systemd_manage_unit_symlinks() interface definition
  * Support coreos installation methods
  * Add a new type for systemd-ssh-issue PID files
  * Allow gnome-remote-desktop connect to unreserved ports
  * Zypper moves files in /var/tmp to /var/cache (bsc#1249052, bsc#1249435)
  * Allow mdadm the CAP_SYS_PTRACE capability
  * Allow iptables manage its private fifo_files in /tmp
  * Allow auditd manage its private run dirs
  * Revert "Allow virt_domain write to virt_image_t files"
  * Allow gdm create /etc/.pwd.lock with
    a file transition
  * Allow gdm bind a socket in the /run/systemd/userdbd directory
  * Allow nsswitch_domain connect to xdm over a unix domain socket
  * Allow systemd homed getattr all tmpfs files (bsc#1240883)
  * Allow systemd (PID 1) create lastlog entries
  * Allow systemd_homework_t transition pid files to lvm_var_run_t (bsc#1240883)
  * Allow gnome-remote-desktop speak with tabrmd over dbus (bsc#1244573)
  * Allow nm-dispatcher iscsi and sendmail plugins get pidfs attributes
  * Allow systemd-oomd watch tmpfs dirs
  * Allow chronyc the setgid and setuid capabilities
  * Label /usr/lib/systemd/systemd-ssh-issue with systemd_ssh_issue_exec_t
  * Allow stalld map sysfs files
  * Allow NetworkManager-dispatcher-winbind get pidfs attributes
  * Allow openvpn create and use generic netlink socket
  * policy_capabilities: remove estimated from released versions
  * policy_capabilities: add stub for userspace_initial_context
  * add netlink_xperm policy capability and nlmsg permission definitions
  * policy_capabilities: add ioctl_skip_cloexec
  * selinux-policy: add allow rule for tuned_ppd_t
  * selinux-policy: add allow rule for switcheroo_control_t
  * Label /run/audit with auditd_var_run_t
  * Allow virtqemud start a vm which uses nbdkit
  * Add nbdkit_signal() and nbdkit_signull() interfaces
  * Fix insights_client interfaces names
  * Add insights_core and insights_client interfaces
  * Fix selinux-autorelabel-generator label after upstream changes
  * Revert "Remove the mysql module sources"
  * Revert "Allow rasdaemon write access to sysfs (bsc#1229587)"
  * Reset postfix.fc to upstream, add alias instead
  * dist/targeted/modules.conf: enable slrnpull module
  * Allow bootupd delete symlinks in the /boot directory
  * Allow systemd-coredumpd capabilities in the user namespace
  * Allow openvswitch read virtqemud process state
  * Allow systemd-networkd to create leases directory
  * Apply generator template to selinux-autorelabel generator
  * Support virtqemud handle hotplug hostdev devices
  * Allow virtstoraged create qemu
    /var/run files
  * Allow unconfined_domain_type cap2_userns capabilities
  * Label /usr/libexec/postfix/tlsproxy with postfix_smtp_exec_t
  * Remove the mysql module sources
  * dist/targeted/modules.conf: Enable kmscon module (bsc#1238137)
  * Update kmscon policy module to kmscon version 9 (bsc#1238137)
  * Allow login to getattr pidfs
  * Allow systemd to map files under /sys
  * systemd: drop duplicate init_nnp_daemon_domain lines
  * Fix typo
  * Allow logwatch stream connect to opensmtpd
  * Allow geoclue read NetworkManager pid files
  * Allow unconfined user a file transition for creating sudo log directory
  * Allow virtqemud read/write inherited dri devices
  * Allow xdm_t create user namespaces
  * Update policy for login_userdomain
  * Add ppd_base_profile to file transition to get tuned_rw_etc_t type
  * Update policy for bootupd
  * Allow logwatch work with opensmtpd
  * Update dovecot policy for dovecot 2.4.1
  * Allow ras-mc-ctl write to sysfs files
  * Allow anaconda-generator get attributes of all filesystems
  * Add the rhcd_rw_fifo_files() interface
  * Allow systemd-coredump the sys_chroot capability
  * Allow hostapd write to socket files in /tmp
  * Recognize /var/home as an alternate path for /home
  * Label /var/lib/lastlog with lastlog_t
  * Allow virtqemud write to sysfs files
  * Allow irqbalance search sssd lib directories
  * Allow samba-dcerpcd send sigkills to passwd
  * Allow systemd-oomd watch dbus pid sock files
  * Allow some confined users read and map generic log files
  * Allow login_userdomain watch the /run/log/journal directory
  * Allow login_userdomain dbus chat with tuned-ppd
  * Allow login_userdomain dbus chat with switcheroo-control
  * Allow userdomain to connect to systemd-oomd over a unix socket
  * Add insights_client_delete_lib_dirs() interface
  * Allow virtqemud_t use its private tmpfs files (bsc#1242998)
  * Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
  * Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
  * Extend virtqemud_t tcp_socket permissions (bsc#1242998)
  * Allow virtqemud_t to read and write generic pty (bsc#1242998)
  * Allow systemd-importd create and unlink init pid socket
  * Allow virtqemud handle virt_content_t chr files
  * Allow svirt read virtqemud fifo files
  * All sblim-sfcbd the dac_read_search capability
  * Allow sblim domain read systemd session files
  * Allow sblim-sfcbd execute dnsdomainname
  * Confine nfs-server generator
  * Allow systemd-timedated start/stop timemaster services
  * Allow "hostapd_cli ping" run as a systemd service
  * Allow power-profiles-daemon get attributes of filesystems with extended attributes
  * Allow 'oomctl dump' to interact with systemd-oomd
  * Basic functionality for systemd-oomd
  * Basic enablement for systemd-oomd
  * Allow samba-bgqd send to smbd over a unix datagram socket
  * Update kernel_secretmem_use()
  * Add the file/watch_mountns permission
  * Update systemd-generators policy
  * Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
  * Allow insights-client file transition for files in /var/tmp
  * Allow tuned-ppd manage tuned log files
  * Allow systemd-coredump mount on tmpfs filesystems
  * Update sssd_dontaudit_read_public_files()
  * Allow zram-generator raw read fixed disk device
  * Add fs_write_cgroup_dirs() and fs_setattr_cgroup_dirs() interfaces

------------------------------------------------------------------
------------------ 2025-10-17 - Oct 17 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency (stable-fixes git-fixes).
- commit 41821ef
- cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay (stable-fixes).
- commit 4f5afab
- cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() (git-fixes).
- commit e9a9ed4
- cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() (stable-fixes).
- commit 1b00366
- cpufreq: armada-8k: make both cpu masks static (git-fixes).
- commit 3ab6135
- cpufreq: sun50i: prevent out-of-bounds access (git-fixes).
- commit 815165b
- cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() (git-fixes).
- commit 330c599
- skmsg: Return copied bytes in sk_msg_memcopy_from_iter (bsc#1250650).
- commit 6650ce1

------------------------------------------------------------------
------------------ 2025-10-16 - Oct 16 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- scsi: mpi3mr: Update driver version to 8.15.0.5.50 (bsc#1251186).
- scsi: mpi3mr: Fix premature TM timeouts on virtual drives (bsc#1251186).
- scsi: mpi3mr: Update MPI headers to revision 37 (bsc#1251186).
- scsi: mpi3mr: Fix I/O failures during controller reset (bsc#1251186).
- scsi: mpi3mr: Fix controller init failure on fault during queue creation (bsc#1251186).
- scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link speed (bsc#1251186).
- scsi: mpi3mr: Event processing debug improvement (bsc#1251186).
- commit 15f7129
- iommu/amd: Fix alias device DTE setting (git-fixes).
- iommu/arm-smmu-v3: Fix smmu_domain->nr_ats_masters decrement (git-fixes).
- iommu/amd: Enable PASID and ATS capabilities in the correct order (git-fixes).
- commit 6e3bf58
- tls: make sure to abort the stream if headers are bogus (CVE-2025-39946 bsc#1251114).
- commit 97adb08
- selftests/bpf: Add test for unpinning htab with internal timer struct (git-fixes).
- commit 54bbdc7
- bpf: Avoid RCU context warning when unpinning htab with internal structs (git-fixes).
- commit 6cf3a66
- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (git-fixes).
- commit 939b57e

++++ nvidia-open-driver-G06-signed:

- renamed check to %name-check package

++++ runc:

[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs.
  All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files. bsc#1252232
  * CVE-2025-31133
  * CVE-2025-52565
  * CVE-2025-52881
  + 2025-11-05-CVEs.patch

------------------------------------------------------------------
------------------ 2025-10-15 - Oct 15 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- Update patches.suse/ASoC-qcom-q6apm-lpass-dais-Fix-NULL-pointer-derefere.patch (git-fixes CVE-2025-39938 bsc#1251134).
- Update patches.suse/crypto-af_alg-Set-merge-to-zero-early-in-af_alg_send.patch (git-fixes CVE-2025-39931 bsc#1251100).
- Update patches.suse/drm-bridge-anx7625-Fix-NULL-pointer-dereference-with.patch (git-fixes CVE-2025-39934 bsc#1251146).
- Update patches.suse/net-rfkill-gpio-Fix-crash-due-to-dereferencering-uni.patch (git-fixes CVE-2025-39937 bsc#1251143).
- Update patches.suse/wifi-mac80211-increase-scan_ies_len-for-S1G.patch (stable-fixes CVE-2025-39957 bsc#1251810).
- Update patches.suse/wifi-wilc1000-avoid-buffer-overflow-in-WID-string-co.patch (stable-fixes CVE-2025-39952 bsc#1251216).
- commit 6d21f77
- iommu/vt-d: Disallow dirty tracking if incoherent page walk (git-fixes).
- iommu/vt-d: PRS isn't usable if PDS isn't supported (git-fixes).
- commit 9da8433
- wifi: iwlwifi: Add missing firmware info for bz-b0-* models (bsc#1252084).
- commit 7b5c81c
- wifi: iwlwifi: config: unify fw/pnvm MODULE_FIRMWARE (bsc#1252084).
- commit 2e309d0
- mm/page_alloc: fix race condition in unaccepted memory handling (CVE-2025-38008 bsc#1244939).
- commit c480181
- mm/slub: avoid accessing metadata when pointer is invalid in object_err() (CVE-2025-39902 bsc#1250702).
- commit 507e4ea
- NFSD: Define a proc_layoutcommit for the FlexFiles layout type (git-fixes).
- commit d3322a8
- selftests/tracing: Fix false failure of subsystem event test (git-fixes).
- commit 95dc965
- tracing: Fix filter string testing (git-fixes).
- commit aca40c5
- tracing: fprobe events: Fix possible UAF on modules (git-fixes).
- commit afb00f2
- tracing: tprobe-events: Fix leakage of module refcount (git-fixes).
- commit c1d1f90
- powerpc/ftrace: ensure ftrace record ops are always set for NOPs (git-fixes).
- commit afe3ecd
- bpf: Check link_create.flags parameter for multi_kprobe (git-fixes).
- commit 0da9eff
- bpf: Check link_create.flags parameter for multi_uprobe (git-fixes).
- commit 5ee2013
- ftrace: fix incorrect hash size in register_ftrace_direct() (git-fixes).
- commit 7b2465b
- bpf: Use preempt_count() directly in bpf_send_signal_common() (git-fixes).
- commit 840bc07
- tracing: Correct the refcount if the hist/hist_debug file fails to open (git-fixes).
- commit 66499d7
- module: Prevent silent truncation of module name in delete_module(2) (git-fixes).
- commit 97db76c
- tracing: Add down_write(trace_event_sem) when adding trace event (bsc#1248211 CVE-2025-38539).
- commit 7396877
- tracing: Limit access to parser->buffer when trace_get_user failed (bsc#1249286 CVE-2025-39683).
- tracing: Remove unneeded goto out logic (bsc#1249286).
- commit 1685cce

++++ libxslt:

- security update
- added patches
  CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultComp function leading to denial of service
  * libxslt-CVE-2025-11731.patch

++++ samba:

- Update to 4.22.5
  * CVE-2025-10230: Command injection via WINS server hook script (bso#15903); (bsc#1251280).
  * CVE-2025-9640: uninitialized memory disclosure via vfs_streams_xattr; (bso#15885); (bsc#1251279).

------------------------------------------------------------------
------------------ 2025-10-14 - Oct 14 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- ftrace: Also allocate and copy hash for reading of filter files (bsc#1250032 CVE-2025-39813).
- commit cef7211
- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe (git-fixes).
- commit a1733f5
- Disable CET before shutdown by tboot (bsc#1247950).
  Tboot isn't compatible with CET (yet). So use an out-of-tree patch provided by Intel to disable CET before jumping into tboot as part of the shutdown sequence.
- commit 25a6f98
- drm/amd/display: Enable Dynamic DTBCLK Switch (bsc#1243112).
- drm/amdgpu: Report individual reset error (bsc#1243112).
- drm/amd: Check whether secure display TA loaded successfully (bsc#1243112).
- drm/amdkfd: Fix mmap write lock not release (bsc#1243112).
- drm/amdgpu: Fix for GPU reset being blocked by KIQ I/O (bsc#1243112).
- drm/amd: Avoid evicting resources at S5 (bsc#1243112).
- drm/amdgpu/mes12: implement detect and reset callback (bsc#1243112).
- drm/amdgpu/mes11: implement detect and reset callback (bsc#1243112).
- drm/amdgpu/mes: add front end for detect and reset hung queue (bsc#1243112).
- drm/amd/amdgpu: Implement MES suspend/resume gang functionality for v12 (bsc#1243112).
- drm/amdgpu/vpe: cancel delayed work in hw_fini (bsc#1243112).
- commit d1679a6
- ftrace: Fix potential warning in trace_printk_seq during ftrace_dump (bsc#1250032 CVE-2025-39813).
- commit 596515e
- x86/bugs: Fix GDS mitigation selecting when mitigation is off (git-fixes).
- commit 75fb73f
- x86/bugs: Add attack vector controls for SSB (git-fixes).
- commit ae652b4
- drm/amd: Only restore cached manual clock settings in restore if OD enabled (bsc#1243112).
- drm/amd/display: Add NULL check for stream before dereference in 'dm_vupdate_high_irq' (bsc#1243112).
- drm/amd/display: Fix vupdate_offload_work doc (bsc#1243112).
- drm/amdgpu: fix link error for !PM_SLEEP (bsc#1243112).
- commit 5e5cc07
- drm/amd/display: more liberal vmin/vmax update for freesync (bsc#1243112).
- drm/amd/display: fix dmub access race condition (bsc#1243112).
- commit 3d8614e
- Drop bogus AMDGPU backport patch from 6.12.y stable
  Deleted: patches.suse/drm-amdgpu-VCN-v5_0_1-to-prevent-FW-checking-RB-duri.patch
  The backport was a mess, and the added code wasn't actually used at all.
- commit 4e052cc
- drm/amdgpu: Avoid rma causes GPU duplicate reset (bsc#1243112).
- drm/amd: Restore cached manual clock settings during resume (bsc#1243112).
- PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage (bsc#1243112).
- drm/amd: Fix hybrid sleep (bsc#1243112).
- PM: hibernate: Add pm_hibernation_mode_is_suspend() (bsc#1243112).
- PM: hibernate: Add stub for pm_hibernate_is_recovering() (bsc#1243112).
- drm/amdgpu: do not resume device in thaw for normal hibernation (bsc#1243112).
- PM: hibernate: add new api pm_hibernate_is_recovering() (bsc#1243112).
- commit f6582d3
- mm: memory-tiering: fix PGPROMOTE_CANDIDATE counting - kabi (bsc#1245630).
- commit cf64417
- trace/fgraph: Fix error handling (git-fixes).
- commit 96a9de8
- trace/fgraph: Fix the warning caused by missing unregister notifier (bsc#1248211 CVE-2025-38539).
- commit 0901700
- x86/bugs: Select best SRSO mitigation (git-fixes).
- commit b4f33d4
- x86/bugs: Print enabled attack vectors (git-fixes).
- commit b08aa53
- x86/bugs: Add attack vector controls for TSA (git-fixes).
- commit 7acc191
- cpu: Define attack vectors (git-fixes).
- commit c8fa133
- x86/pti: Add attack vector controls for PTI (git-fixes).
- commit 78147b6
- x86/bugs: Add attack vector controls for ITS (git-fixes).
- commit 3b568ea
- x86/bugs: Add attack vector controls for SRSO (git-fixes).
- commit 0e4f2f2
- x86/bugs: Add attack vector controls for L1TF (git-fixes).
- commit 987b389
- x86/bugs: Add attack vector controls for spectre_v2 (git-fixes).
- commit dd53eb3
- x86/bugs: Add attack vector controls for BHI (git-fixes).
- commit 5656bb2
- x86/bugs: Add attack vector controls for spectre_v2_user (git-fixes).
- commit 16df3c7
- x86/bugs: Add attack vector controls for retbleed (git-fixes).
- commit 5580d6e
- x86/bugs: Add attack vector controls for spectre_v1 (git-fixes).
- commit cc85e5a
- x86/bugs: Add attack vector controls for GDS (git-fixes).
- commit 6711126
- x86/bugs: Add attack vector controls for SRBDS (git-fixes).
- commit 1fea28a
- x86/bugs: Add attack vector controls for RFDS (git-fixes).
- commit 9771c45
- x86/bugs: Add attack vector controls for MMIO (git-fixes).
- commit 2753f65
- x86/bugs: Add attack vector controls for TAA (git-fixes).
- commit c1e124c
- x86/bugs: Add attack vector controls for MDS (git-fixes).
- commit 052575a
- x86/bugs: Define attack vectors relevant for each bug (git-fixes).
- commit 83936cf
- x86/Kconfig: Add arch attack vector support (git-fixes).
- commit bb7b76d
- Documentation/x86: Document new attack vector controls (git-fixes).
- commit 507712f
- RDMA/mana_ib: Extend modify QP (bsc#1251135).
- RDMA/mana_ib: Drain send wrs of GSI QP (bsc#1251135).
- net: mana: Use page pool fragments for RX buffers instead of full pages to improve memory efficiency (bsc#1248754).
- cnic: Fix use-after-free bugs in cnic_delete_task (CVE-2025-39945 bsc#1251230).
- commit b1cda45

++++ nvidia-open-driver-G06-signed:

- changed Requires to
  * nvidia-modprobe = %version
  * nvidia-persitenced = %version
  it has been >= before ...

------------------------------------------------------------------
------------------ 2025-10-13 - Oct 13 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- powerpc/ftrace: ensure ftrace record ops are always set for NOPs (jsc#PED-10909 git-fixes).
- commit 27e3939
- powerpc/powernv/pci: Fix underflow and leak issue (bsc#1215199).
- powerpc/pseries/msi: Fix potential underflow and leak issue (bsc#1215199).
- powerpc/kvm: Fix ifdef to remove build warning (bsc#1215199).
- KVM: PPC: Fix misleading interrupts comment in kvmppc_prepare_to_enter() (bsc#1215199).
- powerpc: floppy: Add missing checks after DMA map (bsc#1215199).
- commit 1ed7d5a
- powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs (jsc#PED-10909 git-fixes).
- commit 5325db8
- USB: serial: option: add SIMCom 8230C compositions (stable-fixes).
- Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 (stable-fixes).
- wifi: rtl8xxxu: Don't claim USB ID 07b8:8188 (stable-fixes).
- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 (stable-fixes).
- drm/amdgpu: Enable MES lr_compute_wa by default (stable-fixes).
- driver core/PM: Set power.no_callbacks along with power.no_pm (stable-fixes).
- platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list (stable-fixes).
- can: rcar_canfd: Fix controller mode setting (stable-fixes).
- can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled (stable-fixes).
- ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue (stable-fixes).
- ASoC: amd: acp: Adjust pdm gain value (stable-fixes).
- platform/x86/amd/pmf: Support new ACPI ID AMDI0108 (stable-fixes).
- platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list (stable-fixes).
- hid: fix I2C read buffer overflow in raw_event() for mcp2221 (stable-fixes).
- drm/amd/include : Update MES v12 API for fence update (stable-fixes).
- drm/amd/include : MES v11 and v12 API header update (stable-fixes).
- drm/amd : Update MES API header file for v11 & v12 (stable-fixes).
- commit 0f46bd5

------------------------------------------------------------------
------------------ 2025-10-12 - Oct 12 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- rtc: optee: fix memory leak on driver removal (git-fixes).
- rtc: x1205: Fix Xicor X1205 vendor prefix (git-fixes).
- commit b6c4ddb

------------------------------------------------------------------
------------------ 2025-10-11 - Oct 11 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- drm/amd/display: Disable scaling on DCE6 for now (git-fixes).
- drm/amd/display: Properly disable scaling on DCE6 (git-fixes).
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 (git-fixes).
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs (git-fixes).
- drm/amdgpu: Add additional DCE6 SCL registers (git-fixes).
- drm/xe/hw_engine_group: Fix double write lock release in error path (git-fixes).
- drm/xe/uapi: loosen used tracking restriction (git-fixes).
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep (git-fixes).
- drm/vmwgfx: Fix copy-paste typo in validation (git-fixes).
- drm/vmwgfx: Fix Use-after-free in validation (git-fixes).
- drm/vmwgfx: Fix a null-ptr access in the cursor snooper (git-fixes).
- of: unittest: Fix device reference count leak in of_unittest_pci_node_verify (git-fixes).
- ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel (git-fixes).
- ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time (git-fixes).
- ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer size (git-fixes).
- ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size (git-fixes).
- ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down (git-fixes).
- fbdev: Fix logic error in "offb" name match (git-fixes).
- fbdev: simplefb: Fix use after free in simplefb_detach_genpds() (git-fixes).
- gpio: wcd934x: mark the GPIO controller as sleeping (git-fixes).
- crypto: essiv - Check ssize for decryption and in-place encryption (git-fixes).
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single (git-fixes).
- commit 850e21e

------------------------------------------------------------------
------------------ 2025-10-10 - Oct 10 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- x86/topology: Implement topology_is_core_online() to address SMT regression (jsc#PED-13815).
- commit 13d76d5
- x86/smp: Fix mwait_play_dead() and acpi_processor_ffh_play_dead() noreturn behavior (jsc#PED-13815).
- commit 24aa526
- ACPI/processor_idle: Export acpi_processor_ffh_play_dead() (jsc#PED-13815).
- commit 7d8dbc7
- drm/amd/display: update sequential pg logic DCN35 (CVE-2025-38360 bsc#1247078).
- Refresh patches.suse/drm-amd-display-Add-more-checks-for-DSC-HUBP-ONO-gua.patch.
- commit ad27636
- drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes).
- commit 61c6ea5
- Refresh patches.suse/drm-amdgpu-Fix-Circular-Locking-Dependency-in-AMDGPU.patch
  Correct the wrong bool arguments, to align with the upstream behavior
- commit 8db2492
- mm: memory-tiering: fix PGPROMOTE_CANDIDATE counting (bsc#1245630).
- commit 0cbd971
- Reapply "x86/smp: Eliminate mwait_play_dead_cpuid_hint()" (jsc#PED-13815).
- commit 5f6e3a3
- ACPI: processor: Rescan "dead" SMT siblings during initialization (jsc#PED-13815).
- commit 6cf1b0e
- intel_idle: Rescan "dead" SMT siblings during initialization (jsc#PED-13815).
- commit 19451cd
- x86/smp: PM/hibernate: Split arch_resume_nosmt() (jsc#PED-13815).
- commit 88ac4d0
- intel_idle: Use subsys_initcall_sync() for initialization (jsc#PED-13815).
- commit 05a8782
- intel_idle: Provide the default enter_dead() handler (jsc#PED-13815).
- commit 3fe4d1d
- ACPI/processor_idle: Add FFH state handling (jsc#PED-13815).
- commit bbf694a
- x86/smp: Allow calling mwait_play_dead with an arbitrary hint (jsc#PED-13815).
- commit ce38e7e
- net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock (git-fixes).
- commit 377678d

------------------------------------------------------------------
------------------ 2025-10-9 - Oct 9 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated (CVE-2025-38700 bsc#1249182).
- commit b82e3fc
- Update patches.suse/scsi-lpfc-Fix-buffer-free-clear-order-in-deferred-re.patch (bsc#1250519 bsc#1250247/CVE-2025-39841).
  Added in new bug number and CVE number.
- commit 778e5da
- netfilter: nft_objref: validate objref and objrefmap expressions (bsc#1250237).
  No CVE available yet, please see the bugzilla ticket referenced.
- commit d6e82ec
- README.BRANCH: mfranc@suse.cz leaving SUSE
- commit 29cd3a3
- drm/amdgpu: Fix allocating extra dwords for rings (v2) (git-fixes).
- drm/amd/display: remove output_tf_change flag (git-fixes).
- drm/amd/display: Init DCN35 clocks from pre-os HW values (git-fixes).
- drm/amd/amdgpu: Declare isp firmware binary file (stable-fixes).
- drm/amd/display: Don't warn when missing DCE encoder caps (stable-fixes).
- drm/amdgpu/gfx10: fix KGQ reset sequence (git-fixes).
- drm/amd/display: Don't check for NULL divisor in fixpt code (git-fixes).
- drm/amdgpu/mes: enable compute pipes across all MEC (git-fixes).
- drm/amdgpu/mes: optimize compute loop handling (stable-fixes).
- drm/amdgpu/vcn: fix ref counting for ring based profile handling (git-fixes).
- commit 328f37b
- mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data() (git-fixes).
- mailbox: zynqmp-ipi: Fix SGI cleanup on unbind (git-fixes).
- mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop (git-fixes).
- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes (git-fixes).
- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call (git-fixes).
- Input: psxpad-spi - add a check for the return value of spi_setup() (git-fixes).
- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (git-fixes).
- crypto: rng - Ensure set_ent is always present (git-fixes).
- commit 342754b
- net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y (CVE-2025-39900 bsc#1250758).
- commit b0580b7
- arm64: mte: Do not flag the zero page as PG_mte_tagged (git-fixes)
- commit a6bcfac

------------------------------------------------------------------
------------------ 2025-10-8 - Oct 8 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:

- ext4: fix checks for orphan inodes (bsc#1250119).
- commit c65de7e
- kABI: add back tx_stopped to kcm_sock struct (bsc#1249167 CVE-2025-38717).
  The upstream commit 52565a935213 ("net: kcm: Fix race condition in kcm_unattach()") removed the tx_stopped field from the kcm_sock structure. Bring it back to preserve kABI, even though it isn't used.
- commit dfccc64
- net: kcm: Fix race condition in kcm_unattach() (CVE-2025-38717 bsc#1249167).
- commit e60fdb9
- usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls (git-fixes).
- commit edc8bfe
- misc: fastrpc: Skip reference for DMA handles (git-fixes).
- misc: fastrpc: fix possible map leak in fastrpc_put_args (git-fixes).
- misc: fastrpc: Fix fastrpc_map_lookup operation (git-fixes).
- misc: fastrpc: Save actual DMA size in fastrpc_map structure (git-fixes).
- staging: axis-fifo: flush RX FIFO on read errors (git-fixes).
- staging: axis-fifo: fix TX handling on copy_from_user() failure (git-fixes).
- staging: axis-fifo: fix maximum TX packet length check (git-fixes).
- ACPI: battery: Add synchronization between interface updates (git-fixes).
- cpufreq: tegra186: Set target frequency for all cpus in policy (git-fixes).
- cpufreq: mediatek: fix device leak on probe failure (git-fixes).
- clk: at91: peripheral: fix return value (git-fixes).
- clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags() (git-fixes).
- clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m (git-fixes). - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk (git-fixes). - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register() (git-fixes). - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init() (git-fixes). - clk: tegra: do not overallocate memory for bpmp clocks (git-fixes). - commit bba55ef ++++ nvidia-open-driver-G06-signed: - Check4WrongSupplements.sh * check for wrong Supplements in generated KMPs after build by misusing %post of a dummy "check" subpackage ------------------------------------------------------------------ ------------------ 2025-10-7 - Oct 7 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset (jsc#PED-13728). - commit 4569920 - idpf: set mac type when adding and removing MAC filters (jsc#PED-13728). - idpf: fix UAF in RDMA core aux dev deinitialization (jsc#PED-13728). - idpf: remove obsolete stashing code (jsc#PED-13728). - idpf: stop Tx if there are insufficient buffer resources (jsc#PED-13728). - idpf: replace flow scheduling buffer ring with buffer pool (jsc#PED-13728). - idpf: simplify and fix splitq Tx packet rollback error path (jsc#PED-13728). - idpf: improve when to set RE bit logic (jsc#PED-13728). - idpf: add support for Tx refillqs in flow scheduling mode (jsc#PED-13728). - idpf: preserve coalescing settings across resets (jsc#PED-13728). - idpf: add cross timestamping (jsc#PED-13728). - idpf: add flow steering support (jsc#PED-13728). - virtchnl2: add flow steering support (jsc#PED-13728). - virtchnl2: rename enum virtchnl2_cap_rss (jsc#PED-13728). - idpf: implement get LAN MMIO memory regions (jsc#PED-13728 jsc#PED-13762). - idpf: implement IDC vport aux driver MTU change handler (jsc#PED-13728 jsc#PED-13762). 
- idpf: implement remaining IDC RDMA core callbacks and handlers (jsc#PED-13728 jsc#PED-13762). - idpf: implement RDMA vport auxiliary dev create, init, and destroy (jsc#PED-13728 jsc#PED-13762). - idpf: implement core RDMA auxiliary dev create, init, and destroy (jsc#PED-13728 jsc#PED-13762). - idpf: use reserved RDMA vectors from control plane (jsc#PED-13728 jsc#PED-13762). - idpf: add support for Rx timestamping (jsc#PED-13728 jsc#PED-13762). - idpf: add Tx timestamp flows (jsc#PED-13728 jsc#PED-13762). - idpf: add Tx timestamp capabilities negotiation (jsc#PED-13728 jsc#PED-13762). - idpf: add PTP clock configuration (jsc#PED-13728 jsc#PED-13762). - idpf: add mailbox access to read PTP clock time (jsc#PED-13728 jsc#PED-13762). - idpf: negotiate PTP capabilities and get PTP clock (jsc#PED-13728 jsc#PED-13762). - idpf: move virtchnl structures to the header file (jsc#PED-13728 jsc#PED-13762). - virtchnl: add PTP virtchnl definitions (jsc#PED-13728 jsc#PED-13762). - idpf: add initial PTP support (jsc#PED-13728 jsc#PED-13762). - idpf: change the method for mailbox workqueue allocation (jsc#PED-13728 jsc#PED-13762). - iidc/ice/irdma: Update IDC to support multiple consumers (jsc#PED-13728 jsc#PED-13762). - ice: Replace ice specific DSCP mapping num with a kernel define (jsc#PED-13728 jsc#PED-13762). - iidc/ice/irdma: Break iidc.h into two headers (jsc#PED-13728 jsc#PED-13762). - iidc/ice/irdma: Rename to iidc_* convention (jsc#PED-13728 jsc#PED-13762). - iidc/ice/irdma: Rename IDC header file (jsc#PED-13728 jsc#PED-13762). - idpf: remove unreachable code from setting mailbox (jsc#PED-13728 jsc#PED-13762). - idpf: assign extracted ptype to struct libeth_rqe_info field (jsc#PED-13728 jsc#PED-13762). - libeth: move idpf_rx_csum_decoded and idpf_rx_extracted (jsc#PED-13728 jsc#PED-13762). - resource: Add resource set range and size helpers (jsc#PED-13728 jsc#PED-13762). - commit 7610740 - smb: client: fix crypto buffers in non-linear memory (bsc#1250491, boo#1239206). 
- commit 95451c8 - tcp_bpf: Fix copied value in tcp_bpf_sendmsg (bsc#1250650). - commit 458b7be - Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" (git-fixes). - commit 888e234 - kABI workaround for struct atmdev_ops extension (CVE-2025-39828 bsc#1250205). - commit e17abcd - atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control() (CVE-2025-39828 bsc#1250205). - commit a33e596 - nfsd: fix access checking for NLM under XPRTSEC policies (git-fixes). - commit 373e2d2 - nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT (git-fixes). - commit 8f7d330 - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() (git-fixes). - commit f2f0b4c - sunrpc: fix null pointer dereference on zero-length checksum (git-fixes). - commit 77680ce - kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime (CVE-2025-38470 bsc#1247288). - commit 872debf - genetlink: fix genl_bind() invoking bind() after -EPERM (CVE-2025-39926 bsc#1250737). - e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898 bsc#1250742). - vxlan: Fix NPD when refreshing an FDB entry with a nexthop object (CVE-2025-39851 bsc#1250296). - commit b1c6264 - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message (git-fixes). - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog (git-fixes). - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak (git-fixes). - PCI: xilinx-nwl: Fix ECAM programming (git-fixes). - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock (git-fixes). - PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() (git-fixes). - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation (git-fixes). - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock (git-fixes). - PCI: rcar-host: Drop PMSR spinlock (git-fixes). - PCI: rcar-gen4: Fix inverted break condition in PHY initialization (git-fixes). 
- PCI: rcar-gen4: Assure reset occurs before DBI access (git-fixes). - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion (git-fixes). - PCI: rcar-gen4: Fix PHY initialization (git-fixes). - PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit (git-fixes). - PCI: j721e: Fix incorrect error message in probe() (git-fixes). - PCI: j721e: Fix programming sequence of "strap" settings (git-fixes). - PCI: tegra194: Handle errors in BPMP response (git-fixes). - PCI: tegra194: Reset BARs when running in PCIe endpoint mode (git-fixes). - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() (git-fixes). - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (git-fixes). - PCI/pwrctrl: Fix device leak at registration (git-fixes). - PCI/sysfs: Ensure devices are powered for config reads (git-fixes). - PCI/AER: Fix missing uevent on recovery when a reset is requested (git-fixes). - PCI/ERR: Fix uevent on failure to recover (git-fixes). - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation (git-fixes). - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 (git-fixes). - media: rc: fix races with imon_disconnect() (git-fixes). 
- commit 89c34cb - arm64: dts: apple: Add ethernet0 alias for J375 template (git-fixes) - commit bf06513 - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map (git-fixes) - commit d06126a - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid (git-fixes) - commit d730190 - arm64: dts: imx93-kontron: Fix USB port assignment (git-fixes) - commit 986b7b9 - arm64: dts: imx93-kontron: Fix GPIO for panel regulator (git-fixes) - commit 2c413ce - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free() (git-fixes) - commit e47726c - arm64: map [_text, _stext) virtual address range (git-fixes) - commit 10168ba - arm64: dts: imx8mp: Correct thermal sensor index (git-fixes) - commit 7d86bf9 - arm64: dts: marvell: cn9132-clearfog: fix multi-lane pci x2 and x4 (git-fixes) - commit da906fa - arm64: dts: marvell: cn9132-clearfog: disable eMMC high-speed modes (git-fixes) - commit 8fbea30 - Refresh new ".init.text.ftrace_trampoline" kABI fix. First version made modules built before patch [1] fail to load. [1] a7ed7b9d0ebb0 "arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE" - commit 6910b1a ------------------------------------------------------------------ ------------------ 2025-10-6 - Oct 6 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - wifi: ath12k: Add MODULE_FIRMWARE() entries (bsc#1250952). - commit 2e6fdfd - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() (git-fixes). - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() (git-fixes). - scsi: qla2xxx: edif: Fix incorrect sign of error code (git-fixes). - scsi: qla2xxx: Use secs_to_jiffies() instead of msecs_to_jiffies() (git-fixes). - scsi: qla2xxx: Remove firmware URL (git-fixes). - scsi: qla2xxx: Avoid stack frame size warning in qla_dfs (git-fixes). - commit f40dfff - scsi: lpfc: Copyright updates for 14.4.0.11 patches (bsc#1250519).
- scsi: lpfc: Update lpfc version to 14.4.0.11 (bsc#1250519). - scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int (bsc#1250519). - scsi: lpfc: Clean up extraneous phba dentries (bsc#1250519). - scsi: lpfc: Use switch case statements in DIF debugfs handlers (bsc#1250519). - scsi: lpfc: Define size of debugfs entry for xri rebalancing (bsc#1250519). - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology (bsc#1250519). - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET (bsc#1250519). - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted (bsc#1250519). - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup (bsc#1250519). - scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail (bsc#1250519). - scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress (bsc#1250519). - scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport (bsc#1250519). - scsi: lpfc: Use int type to store negative error codes (bsc#1250519). - scsi: fc: Avoid -Wflex-array-member-not-at-end warnings (bsc#1250519). - scsi: lpfc: use min() to improve code (bsc#1250519). - scsi: lpfc: Fix buffer free/clear order in deferred receive path (bsc#1250519). - scsi: lpfc: Remove redundant assignment to avoid memory leak (bsc#1250519). - scsi: lpfc: Fix wrong function reference in a comment (bsc#1250519). - lpfc: don't use file->f_path.dentry for comparisons (bsc#1250519). - commit 833345a - nvme-tcp: send only permitted commands for secure concat (git-fixes). - nvme-auth: update bi_directional flag (git-fixes). - nvme: fix PI insert on write (git-fixes). - commit bfff0fa - nvme-fc: use lock accessing port_state and rport state (bsc#1245193 bsc#1247500). - nvmet-fcloop: call done callback even when remote port is gone (bsc#1245193 bsc#1247500). - nvmet-fc: avoid scheduling association deletion twice (bsc#1245193 bsc#1247500). 
- nvmet-fc: move lsop put work to nvmet_fc_ls_req_op (bsc#1245193 bsc#1247500). - commit 343e69e - ppp: fix memory leak in pad_compress_skb (CVE-2025-39847 bsc#1250292). - ixgbe: fix incorrect map used in eee linkmode (CVE-2025-39922 bsc#1250722). - ice: fix NULL access of tx->in_use in ice_ll_ts_intr (CVE-2025-39854 bsc#1250297). - vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects (CVE-2025-39850 bsc#1250276). - commit bb7194b - NFSv4.1: fix backchannel max_resp_sz verification check (git-fixes). - commit 875c2e0 - igb: Fix NULL pointer dereference in ethtool loopback test (CVE-2025-39875 bsc#1250398) - commit 42c851b - sched/deadline: Initialize dl_servers after SMP (git-fixes) - commit 6da3701 - sched_ext, sched/core: Don't call scx_group_set_weight() (git-fixes) - commit ea277bd - cpufreq/sched: Explicitly synchronize limits_changed flag (git-fixes) - commit aa9d54c - cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS (git-fixes) - commit 74fd037 - sched_ext: Fix invalid irq restore in scx_ops_bypass() (bsc#1235953 CVE-2024-57891) - commit 9fe8fce - Update patches.suse/ACPI-APEI-send-SIGBUS-to-current-task-if-synchronous.patch (stable-fixes CVE-2025-39763 bsc#1249615). - Update patches.suse/ACPI-pfr_update-Fix-the-driver-update-version-check.patch (git-fixes CVE-2025-39701 bsc#1249308). - Update patches.suse/ALSA-hda-ca0132-Fix-buffer-overflow-in-add_tuning_co.patch (stable-fixes CVE-2025-39751 bsc#1249538). - Update patches.suse/ALSA-timer-fix-ida_free-call-while-not-allocated.patch (git-fixes CVE-2025-39765 bsc#1249509). - Update patches.suse/ALSA-usb-audio-Validate-UAC3-cluster-segment-descrip.patch (git-fixes CVE-2025-39757 bsc#1249515). - Update patches.suse/ALSA-usb-audio-Validate-UAC3-power-domain-descriptor.patch (git-fixes CVE-2025-38729 bsc#1249164). - Update patches.suse/ASoC-core-Check-for-rtd-NULL-in-snd_soc_remove_pcm_r.patch (stable-fixes CVE-2025-38706 bsc#1249195). 
- Update patches.suse/Bluetooth-Fix-use-after-free-in-l2cap_sock_cleanup_l.patch (git-fixes CVE-2025-39860 bsc#1250247). - Update patches.suse/Bluetooth-l2cap-Check-encryption-key-size-on-incomin.patch (git-fixes CVE-2025-39889 bsc#1249833). - Update patches.suse/Bluetooth-vhci-Prevent-use-after-free-by-removing-de.patch (git-fixes CVE-2025-39861 bsc#1250249). - Update patches.suse/HID-asus-fix-UAF-via-HID_CLAIMED_INPUT-validation.patch (git-fixes CVE-2025-39824 bsc#1250007). - Update patches.suse/HID-hid-ntrig-fix-unable-to-handle-page-fault-in-ntr.patch (stable-fixes CVE-2025-39808 bsc#1250088). - Update patches.suse/HID-multitouch-fix-slab-out-of-bounds-access-in-mt_r.patch (git-fixes CVE-2025-39806 bsc#1249888). - Update patches.suse/NFS-Fix-a-race-when-updating-an-existing-write.patch (git-fixes CVE-2025-39697 bsc#1249319). - Update patches.suse/NFS-Fix-filehandle-bounds-checking-in-nfs_fh_to_dentry.patch (git-fixes CVE-2025-39730 bsc#1249296). - Update patches.suse/NFS-Fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch (git-fixes CVE-2025-39798 bsc#1249774). - Update patches.suse/PCI-endpoint-Fix-configfs-group-list-head-handling.patch (git-fixes CVE-2025-39783 bsc#1249486). - Update patches.suse/RDMA-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch (git-fixes CVE-2025-39742 bsc#1249479). - Update patches.suse/RDMA-rxe-Flush-delayed-SKBs-while-releasing-RXE-reso.patch (git-fixes CVE-2025-39695 bsc#1249306). - Update patches.suse/RDMA-siw-Fix-the-sendmsg-byte-count-in-siw_tcp_sendp.patch (git-fixes CVE-2025-39758 bsc#1249490). - Update patches.suse/accel-ivpu-Prevent-recovery-work-from-being-queued-d.patch (git-fixes CVE-2025-39896 bsc#1250716). - Update patches.suse/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch (git-fixes CVE-2025-39848 bsc#1250298). - Update patches.suse/batman-adv-fix-OOB-read-write-in-network-coding-deco.patch (git-fixes CVE-2025-39839 bsc#1250291). 
- Update patches.suse/bnxt_en-Fix-memory-corruption-when-FW-resources-chan.patch (git-fixes CVE-2025-39810 bsc#1249975). - Update patches.suse/bpf-Forget-ranges-when-refining-tnum-after-JSET.patch (git-fixes CVE-2025-39748 bsc#1249587). - Update patches.suse/btrfs-abort-transaction-on-unexpected-eb-generation-.patch (git-fixes CVE-2025-39800 bsc#1250177). - Update patches.suse/btrfs-do-not-allow-relocation-of-partially-dropped-s.patch (bsc#1249540 CVE-2025-39738). - Update patches.suse/btrfs-fix-subvolume-deletion-lockup-caused-by-inodes.patch (git-fixes CVE-2025-39884 bsc#1250386). - Update patches.suse/btrfs-qgroup-fix-race-between-quota-disable-and-quot.patch (git-fixes CVE-2025-39759 bsc#1249522). - Update patches.suse/bus-mhi-host-Detect-events-pointing-to-unexpected-TR.patch (git-fixes CVE-2025-39790 bsc#1249548). - Update patches.suse/can-j1939-implement-NETDEV_UNREGISTER-notification-h.patch (git-fixes CVE-2025-39925 bsc#1250736). - Update patches.suse/can-xilinx_can-xcan_write_frame-fix-use-after-free-o.patch (git-fixes CVE-2025-39873 bsc#1250371). - Update patches.suse/comedi-Fix-use-of-uninitialized-memory-in-do_insn_io.patch (git-fixes CVE-2025-39684 bsc#1249281). - Update patches.suse/comedi-Make-insn_rw_emulate_bits-do-insn-n-samples.patch (git-fixes CVE-2025-39686 bsc#1249312). - Update patches.suse/comedi-fix-race-between-polling-and-detaching.patch (git-fixes CVE-2025-38687 bsc#1249177). - Update patches.suse/comedi-pcl726-Prevent-invalid-irq-number.patch (git-fixes CVE-2025-39685 bsc#1249282). - Update patches.suse/crypto-caam-Prevent-crash-on-suspend-with-iMX8QM-iMX.patch (git-fixes CVE-2025-39722 bsc#1249301). - Update patches.suse/crypto-qat-flush-misc-workqueue-during-device-shutdo.patch (git-fixes CVE-2025-39721 bsc#1249323). - Update patches.suse/dmaengine-idxd-Fix-double-free-in-idxd_setup_wqs.patch (git-fixes CVE-2025-39870 bsc#1250402). 
- Update patches.suse/dmaengine-idxd-Remove-improper-idxd_free.patch (git-fixes CVE-2025-39871 bsc#1250377). - Update patches.suse/dmaengine-qcom-bam_dma-Fix-DT-error-handling-for-num.patch (git-fixes CVE-2025-39923 bsc#1250741). - Update patches.suse/dmaengine-ti-edma-Fix-memory-allocation-size-for-que.patch (git-fixes CVE-2025-39869 bsc#1250406). - Update patches.suse/drm-amd-display-Add-null-pointer-check-in-mod_hdcp_h.patch (git-fixes CVE-2025-39675 bsc#1249263). - Update patches.suse/drm-amd-display-Avoid-a-NULL-pointer-dereference.patch (stable-fixes CVE-2025-39693 bsc#1249279). - Update patches.suse/drm-amd-display-fix-a-Null-pointer-dereference-vulne.patch (stable-fixes CVE-2025-39705 bsc#1249295). - Update patches.suse/drm-amd-pm-fix-null-pointer-access.patch (stable-fixes CVE-2025-38705 bsc#1249334). - Update patches.suse/drm-amdgpu-check-if-hubbub-is-NULL-in-debugfs-amdgpu.patch (stable-fixes CVE-2025-39707 bsc#1249333). - Update patches.suse/drm-amdkfd-Destroy-KFD-debugfs-after-destroy-KFD-wq.patch (stable-fixes CVE-2025-39706 bsc#1249413). - Update patches.suse/drm-hisilicon-hibmc-fix-the-hibmc-loaded-failed-bug.patch (git-fixes CVE-2025-39772 bsc#1249506). - Update patches.suse/drm-mediatek-Add-error-handling-for-old-state-CRTC-i.patch (git-fixes CVE-2025-39807 bsc#1249887). - Update patches.suse/drm-mediatek-fix-potential-OF-node-use-after-free.patch (git-fixes CVE-2025-39882 bsc#1250389). - Update patches.suse/drm-msm-Add-error-handling-for-krealloc-in-metadata-.patch (stable-fixes CVE-2025-39747 bsc#1249566). - Update patches.suse/drm-nouveau-nvif-Fix-potential-memory-leak-in-nvif_v.patch (git-fixes CVE-2025-39679 bsc#1249338). - Update patches.suse/drm-xe-Make-dma-fences-compliant-with-the-safe-acces.patch (stable-fixes CVE-2025-38703 bsc#1249193). - Update patches.suse/drm-xe-vm-Clear-the-scratch_pt-pointer-on-error.patch (git-fixes CVE-2025-39811 bsc#1249915). 
- Update patches.suse/efi-stmm-Fix-incorrect-buffer-allocation-method.patch (git-fixes CVE-2025-39836 bsc#1249904). - Update patches.suse/exfat-add-cluster-chain-loop-check-for-dir.patch (git-fixes CVE-2025-38692 bsc#1249221). - Update patches.suse/fbdev-Fix-vmalloc-out-of-bounds-write-in-fast_imageb.patch (stable-fixes CVE-2025-38685 bsc#1249220). - Update patches.suse/fbdev-fix-potential-buffer-overflow-in-do_register_f.patch (stable-fixes CVE-2025-38702 bsc#1249254). - Update patches.suse/gve-prevent-ethtool-ops-after-shutdown.patch (git-fixes CVE-2025-38735 bsc#1249288). - Update patches.suse/habanalabs-fix-UAF-in-export_dmabuf.patch (git-fixes CVE-2025-38722 bsc#1249163). - Update patches.suse/iio-imu-bno055-fix-OOB-access-of-hw_xlate-array.patch (git-fixes CVE-2025-39719 bsc#1249271). - Update patches.suse/iio-light-as73211-Ensure-buffer-holes-are-zeroed.patch (git-fixes CVE-2025-39687 bsc#1249316). - Update patches.suse/iommu-arm-smmu-qcom-Add-SM6115-MDSS-compatible.patch (git-fixes CVE-2025-39739 bsc#1249542). - Update patches.suse/mISDN-hfcpci-Fix-warning-when-deleting-uninitialized.patch (git-fixes CVE-2025-39833 bsc#1250028). - Update patches.suse/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch (stable-fixes CVE-2025-38694 bsc#1249272). - Update patches.suse/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch (stable-fixes CVE-2025-38693 bsc#1249190). - Update patches.suse/media-ivsc-Fix-crash-at-shutdown-due-to-missing-mei_.patch (git-fixes CVE-2025-39711 bsc#1249274). - Update patches.suse/media-mt9m114-Fix-deadlock-in-get_frame_interval-set.patch (git-fixes CVE-2025-39712 bsc#1249269). - Update patches.suse/media-rainshadow-cec-fix-TOCTOU-race-condition-in-ra.patch (git-fixes CVE-2025-39713 bsc#1249321). - Update patches.suse/media-usbtv-Lock-resolution-while-streaming.patch (git-fixes CVE-2025-39714 bsc#1249273). - Update patches.suse/media-uvcvideo-Fix-1-byte-out-of-bounds-read-in-uvc_.patch (git-fixes CVE-2025-38680 bsc#1249203). 
- Update patches.suse/media-venus-Add-a-check-for-packet-size-after-readin.patch (git-fixes CVE-2025-39710 bsc#1249304). - Update patches.suse/media-venus-Fix-OOB-read-due-to-missing-payload-boun.patch (git-fixes CVE-2025-38679 bsc#1249202). - Update patches.suse/media-venus-protect-against-spurious-interrupts-duri.patch (git-fixes CVE-2025-39709 bsc#1249278). - Update patches.suse/mm-damon-lru_sort-avoid-divide-by-zero-in-damon_lru_.patch (git-fixes CVE-2025-39909 bsc#1250711). - Update patches.suse/mm-damon-ops-common-ignore-migration-request-to-inva.patch (git-fixes CVE-2025-39700 bsc#1249309). - Update patches.suse/mm-damon-reclaim-avoid-divide-by-zero-in-damon_recla.patch (git-fixes CVE-2025-39916 bsc#1250719). - Update patches.suse/mm-damon-sysfs-fix-use-after-free-in-state_show.patch (git-fixes CVE-2025-39877 bsc#1250408). - Update patches.suse/mm-move-page-table-sync-declarations-to-linux-pgtabl.patch (git-fixes CVE-2025-39844 bsc#1250268). - Update patches.suse/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_.patch (git-fixes CVE-2025-38681 bsc#1249204). - Update patches.suse/mm-swap-fix-potential-buffer-overflow-in-setup_clust.patch (git-fixes CVE-2025-39727 bsc#1249297). - Update patches.suse/mm-userfaultfd-fix-kmap_local-LIFO-ordering-for-CONF.patch (git-fixes CVE-2025-39899 bsc#1250739). - Update patches.suse/msft-hv-3329-hv_netvsc-Fix-panic-during-namespace-deletion-with-V.patch (bsc#1248111 CVE-2025-38683 bsc#1249159). - Update patches.suse/mtd-rawnand-stm32_fmc2-avoid-overlapping-mappings-on.patch (git-fixes CVE-2025-39907 bsc#1250713). - Update patches.suse/net-mlx5-Fix-lockdep-assertion-on-sync-reset-unload-.patch (git-fixes CVE-2025-39832 bsc#1249901). - Update patches.suse/net-mlx5-HWS-Fix-memory-leak-in-hws_action_get_share.patch (git-fixes CVE-2025-39834 bsc#1250021). - Update patches.suse/net-rose-convert-use-field-to-refcount_t.patch (git-fixes CVE-2025-39826 bsc#1250203). 
- Update patches.suse/net-rose-include-node-references-in-rose_neigh-refco.patch (git-fixes CVE-2025-39827 bsc#1250204). - Update patches.suse/net-usb-asix_devices-Fix-PHY-address-mask-in-MDIO-bu.patch (git-fixes CVE-2025-38736 bsc#1249318). - Update patches.suse/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-b.patch (git-fixes CVE-2025-38725 bsc#1249170). - Update patches.suse/netfilter-ctnetlink-fix-refcount-leak-on-table-dump.patch (git-fixes CVE-2025-38721 bsc#1249176). - Update patches.suse/netlink-avoid-infinite-retry-looping-in-netlink_unic.patch (CVE-2025-38465 bsc#1247118 CVE-2025-38727 bsc#1249166). - Update patches.suse/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch (git-fixes CVE-2025-38724 bsc#1249169). - Update patches.suse/pNFS-Fix-uninited-ptr-deref-in-block-scsi-layout.patch (git-fixes CVE-2025-38691 bsc#1249215). - Update patches.suse/platform-x86-amd-hsmp-Ensure-sock-metric_tbl_addr-is.patch (git-fixes CVE-2025-39678 bsc#1249290). - Update patches.suse/s390-ism-fix-concurrency-management-in-ism_cmd.patch (git-fixes bsc#1247372 CVE-2025-39726 bsc#1249266). - Update patches.suse/s390-mm-Do-not-map-lowcore-with-identity-mapping.patch (git-fixes bsc#1249066 CVE-2025-38733 bsc#1249313). - Update patches.suse/s390-sclp-Fix-SCCB-present-check.patch (git-fixes bsc#1249065 CVE-2025-39694 bsc#1249299). - Update patches.suse/scsi-lpfc-Check-for-hdwq-null-ptr-when-cleaning-up-l.patch (bsc#1245260 bsc#1243100 bsc#1246125 CVE-2025-38695 bsc#1249285). - Update patches.suse/scsi-ufs-exynos-Fix-programming-of-HCI_UTRL_NEXUS_TYPE.patch (git-fixes CVE-2025-39788 bsc#1249547). - Update patches.suse/serial-8250-fix-panic-due-to-PSLVERR.patch (git-fixes CVE-2025-39724 bsc#1249265). - Update patches.suse/soc-qcom-mdt_loader-Ensure-we-don-t-read-past-the-EL.patch (git-fixes CVE-2025-39787 bsc#1249545). - Update patches.suse/usb-core-config-Prevent-OOB-read-in-SS-endpoint-comp.patch (stable-fixes CVE-2025-39760 bsc#1249598). 
- Update patches.suse/usb-dwc3-Remove-WARN_ON-for-device-endpoint-command-.patch (stable-fixes CVE-2025-39801 bsc#1250450). - Update patches.suse/vsock-virtio-Validate-length-in-packet-header-before.patch (git-fixes CVE-2025-39718 bsc#1249305). - Update patches.suse/wifi-ath10k-shutdown-driver-when-hardware-is-unrelia.patch (stable-fixes CVE-2025-39746 bsc#1249516). - Update patches.suse/wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch (git-fixes CVE-2025-39732 bsc#1249292). - Update patches.suse/wifi-ath12k-Correct-tid-cleanup-when-tid-setup-fails.patch (stable-fixes CVE-2025-39750 bsc#1249523). - Update patches.suse/wifi-ath12k-Decrement-TID-on-RX-peer-frag-setup-erro.patch (stable-fixes CVE-2025-39761 bsc#1249554). - Update patches.suse/wifi-ath12k-fix-memory-leak-in-ath12k_service_ready_.patch (git-fixes CVE-2025-39890 bsc#1250334). - Update patches.suse/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch (git-fixes CVE-2025-39863 bsc#1250281). - Update patches.suse/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch (git-fixes CVE-2025-39864 bsc#1250242). - Update patches.suse/wifi-cfg80211-sme-cap-SSID-length-in-__cfg80211_conn.patch (git-fixes CVE-2025-39849 bsc#1250266). - Update patches.suse/wifi-mt76-fix-linked-list-corruption.patch (git-fixes CVE-2025-39918 bsc#1250729). - Update patches.suse/wifi-mwifiex-Initialize-the-chan_stats-array-to-zero.patch (git-fixes CVE-2025-39891 bsc#1250712). - Update patches.suse/x86-mm-64-define-ARCH_PAGE_TABLE_SYNC_MASK-and-arch_.patch (git-fixes CVE-2025-39845 bsc#1250262). - Update patches.suse/xfs-do-not-propagate-ENODATA-disk-errors-into-xattr-code.patch (git-fixes CVE-2025-39835 bsc#1250025). 
- commit ccb1ac6 - i40e: Fix potential invalid access when MAC list is empty (CVE-2025-39853 bsc#1250275) - commit eaef03f - RDMA/siw: Always report immediate post SQ errors (git-fixes) - commit 6353dba - RDMA/rxe: Fix race in do_task() when draining (git-fixes) - commit b9fe6cd - IB/sa: Fix sa_local_svc_timeout_ms read race (git-fixes) - commit d793b3b - RDMA/core: Resolve MAC of next-hop device without ARP support (git-fixes) - commit 5f77a41 - RDMA/cm: Rate limit destroy CM ID timeout error message (git-fixes) - commit 8c45dbb - RDMA/mlx5: Fix vport loopback forcing for MPV device (git-fixes) - commit d3a8859 - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count (git-fixes) - commit d4e0310 ++++ nvidia-open-driver-G06-signed: - update CUDA variant to 580.95.05 ------------------------------------------------------------------ ------------------ 2025-10-5 - Oct 5 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - bus: mhi: ep: Fix chained transfer handling in read path (git-fixes). - bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup() (git-fixes). - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume (git-fixes). - iio: consumers: Fix offset handling in iio_convert_raw_to_processed() (git-fixes). - iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() (git-fixes). - iio: dac: ad5421: use int type to store negative error codes (git-fixes). - iio: dac: ad5360: use int type to store negative error codes (git-fixes). - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE (git-fixes). - iio: frequency: adf4350: Fix prescaler usage (git-fixes). - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK (git-fixes). - iio: xilinx-ams: Unmask interrupts after updating alarms (git-fixes). - iio/adc/pac1934: fix channel disable configuration (git-fixes). 
- misc: genwqe: Fix incorrect cmd field being reported in error (git-fixes). - uio: uio_pdrv_genirq: Remove MODULE_DEVICE_TABLE (git-fixes). - usb: vhci-hcd: Prevent suspending virtually attached devices (git-fixes). - thunderbolt: Compare HMAC values in constant time (git-fixes). - Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" (git-fixes). - usb: typec: tipd: Clear interrupts first (git-fixes). - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call (git-fixes). - usb: gadget: configfs: Correctly set use_os_string at bind (git-fixes). - usb: phy: twl6030: Fix incorrect type for ret (git-fixes). - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls (git-fixes). - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup (git-fixes). - tty: n_gsm: Don't block input queue by waiting MSC (git-fixes). - serial: max310x: Add error checking in probe() (git-fixes). - mtd: rawnand: omap2: fix device leak on probe failure (git-fixes). - mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands (git-fixes). - HID: intel-ish-ipc: Remove redundant ready check after timeout function (git-fixes). - HID: hidraw: tighten ioctl command parsing (git-fixes). - KEYS: trusted_tpm1: Compare HMAC values in constant time (git-fixes). - hwrng: ks-sa - fix division by zero in ks_sa_rng_init (git-fixes). - KEYS: X.509: Fix Basic Constraints CA flag parsing (git-fixes). - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs (git-fixes). - crypto: aspeed - Fix dma_unmap_sg() direction (git-fixes). - crypto: atmel - Fix dma_unmap_sg() direction (git-fixes). - crypto: rockchip - Fix dma_unmap_sg() nents value (git-fixes). - crypto: hisilicon/qm - check whether the input function and PF are on the same device (git-fixes). - crypto: hisilicon - re-enable address prefetch after device resuming (git-fixes). 
- crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations (git-fixes). - crypto: octeontx2 - Call strscpy() with correct size argument (git-fixes). - hwrng: nomadik - add ARM_AMBA dependency (git-fixes). - crypto: keembay - Add missing check after sg_nents_for_len() (git-fixes). - commit 619851e ------------------------------------------------------------------ ------------------ 2025-10-4 - Oct 4 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - drivers/base/node: fix double free in register_one_node() (git-fixes). - commit 3766861 - net: nfc: nci: Add parameter validation for packet data (git-fixes). - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast (git-fixes). - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again (git-fixes). - wifi: ath10k: avoid unnecessary wait for service ready message (git-fixes). - wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() (git-fixes). - wifi: ath12k: fix wrong logging ID used for CE (git-fixes). - wifi: ath12k: fix the fetching of combined rssi (git-fixes). - wifi: rtw89: avoid circular locking dependency in ser_state_run() (git-fixes). - wifi: mac80211: fix Rx packet handling when pubsta information is not available (git-fixes). - wifi: mt76: mt7915: fix mt7981 pre-calibration (git-fixes). - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE (git-fixes). - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device (git-fixes). - wifi: mt76: fix potential memory leak in mt76_wmac_probe() (git-fixes). - wifi: iwlwifi: Remove redundant header files (git-fixes). - wifi: mwifiex: send world regulatory domain to driver (git-fixes). - wifi: virt_wifi: Fix page fault on connect (stable-fixes). - net: phy: fix phy_uses_state_machine() (git-fixes). - mmc: sdhci-cadence: add Mobileye eyeQ support (stable-fixes). - usb: core: Add 0x prefix to quirks debug output (stable-fixes). 
- commit 5a62af8
- media: tuner: xc5000: Fix use-after-free in xc5000_release (git-fixes).
- media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (git-fixes).
- media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID (git-fixes).
- media: i2c: mt9v111: fix incorrect type for ret (git-fixes).
- media: venus: firmware: Use correct reset sequence for IRIS2 (git-fixes).
- media: s5p-mfc: remove an unused/uninitialized variable (git-fixes).
- media: cec: extron-da-hd-4k-plus: drop external-module make commands (git-fixes).
- media: pci: mg4b: fix uninitialized iio scan data (git-fixes).
- media: pci: ivtv: Add missing check after DMA map (git-fixes).
- media: cx18: Add missing check after DMA map (git-fixes).
- media: st-delta: avoid excessive stack usage (git-fixes).
- media: mc: Fix MUST_CONNECT handling for pads with no links (git-fixes).
- media: ti: j721e-csi2rx: Fix source subdev link creation (git-fixes).
- media: ti: j721e-csi2rx: Use devm_of_platform_populate (git-fixes).
- media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() (git-fixes).
- media: rj54n1cb0c: Fix memleak in rj54n1_probe() (git-fixes).
- media: lirc: Fix error handling in lirc_register() (git-fixes).
- media: zoran: Remove zoran_fh structure (git-fixes).
- commit 776580e
- docs: admin-guide: update to current minimum pipe size default (git-fixes).
- maple_tree: fix testing for 32 bit builds (git-fixes).
- maple_tree: fix MAPLE_PARENT_RANGE32 and parent pointer docs (git-fixes).
- Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements (git-fixes).
- Bluetooth: ISO: don't leak skb in ISO_CONT RX (git-fixes).
- drm/amdgpu: remove the redeclaration of variable i (git-fixes).
- drm/msm/dpu: fix incorrect type for ret (git-fixes).
- drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() (git-fixes).
- drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) (git-fixes).
- drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) (git-fixes).
- drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) (git-fixes).
- drm/amd/pm: Adjust si_upload_smc_data register programming (v3) (git-fixes).
- drm/amd/pm: Fix si_upload_smc_data (v3) (git-fixes).
- drm/amd/pm: Disable ULV even if unsupported (v3) (git-fixes).
- drm/amdgpu: Power up UVD 3 for FW validation (v2) (git-fixes).
- drm/rcar-du: dsi: Fix 1/2/3 lane support (git-fixes).
- drm/amd/display: Remove redundant semicolons (git-fixes).
- drm/radeon/r600_cs: clean up of dead code in r600_cs (git-fixes).
- drm/bridge: it6505: select REGMAP_I2C (git-fixes).
- drm/panel: novatek-nt35560: Fix invalid return value (git-fixes).
- drm/panthor: Fix memory leak in panthor_ioctl_group_create() (git-fixes).
- firmware: firmware: meson-sm: fix compile-test default (git-fixes).
- HID: asus: add support for missing PX series fn keys (stable-fixes).
- can: rcar_can: rcar_can_resume(): fix s2ram with PSCI (stable-fixes).
- i2c: designware: Add quirk for Intel Xe (stable-fixes).
- drm/i915/backlight: Return immediately when scale() finds invalid parameters (stable-fixes).
- commit 5415587
- drivers/base/node: handle error properly in register_one_node() (git-fixes).
- Bluetooth: ISO: free rx_skb if not consumed (git-fixes).
- Bluetooth: ISO: Fix possible UAF on iso_conn_free (git-fixes).
- Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO (git-fixes).
- ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() (git-fixes).
- ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback (git-fixes).
- ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free (git-fixes).
- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping (git-fixes).
- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (git-fixes).
- ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping (git-fixes).
- ASoC: qcom: audioreach: fix potential null pointer dereference (git-fixes).
- ASoC: imx-hdmi: remove cpu_pdev related code (git-fixes).
- ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT (git-fixes).
- ALSA: lx_core: use int type to store negative error codes (git-fixes).
- ALSA: usb-audio: Add mute TLV for playback volumes on more devices (stable-fixes).
- ALSA: usb-audio: move mixer_quirks' min_mute into common quirk (stable-fixes).
- ALSA: usb-audio: Add DSD support for Comtrue USB Audio device (stable-fixes).
- ALSA: usb-audio: Fix build with CONFIG_INPUT=n (git-fixes).
- ALSA: hda/realtek: Add support for ASUS NUC using CS35L41 HDA (stable-fixes).
- ALSA: usb-audio: Convert comma to semicolon (git-fixes).
- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 (stable-fixes).
- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Simplify NULL comparison in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Avoid multiple assignments in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Fix block comments in mixer_quirks (stable-fixes).
- ALSA: usb-audio: Fix code alignment in mixer_quirks (stable-fixes).
- commit 3e06154
- scsi: smartpqi: Update driver version to 2.1.34-035 (bsc#1246631).
- scsi: smartpqi: Enhance WWID logging logic (bsc#1246631).
- scsi: smartpqi: Take drives offline when controller is offline (bsc#1246631).
- commit 64644a2
++++ runc:
- Update to runc v1.3.2. Upstream changelog is available from bsc#1252110
- Includes an important fix for the CPUSet translation for cgroupv2.
------------------------------------------------------------------
------------------ 2025-10-3 - Oct 3 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- Squashfs: reject negative file sizes in squashfs_read_inode() (git-fixes).
- commit 1c9018f
- Squashfs: add additional inode sanity checking (git-fixes).
- commit 1064852
- Squashfs: fix uninit-value in squashfs_get_parent (git-fixes).
- commit fa0095c
- kbuild/modpost: Continue processing all unresolved symbols when KLP_SYM_RELA is found (bsc#1218644, bsc#1250655).
- commit 4741268
------------------------------------------------------------------
------------------ 2025-10-2 - Oct 2 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- fs/proc/task_mmu: check p->vec_buf for NULL (git-fixes).
- commit 98a15a1
- Update patches.suse/HID-asus-fix-UAF-via-HID_CLAIMED_INPUT-validation.patch (CVE-2025-39824 bsc#1250007). Added CVE reference
- commit abe8096
- smb: client: fix race with concurrent opens in rename(2) (bsc#1250179, CVE-2025-39825).
- commit 37c11fc
- bus: fsl-mc: Check return value of platform_get_resource() (git-fixes).
- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe (git-fixes).
- firmware: meson_sm: fix device leak at probe (git-fixes).
- soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure (git-fixes).
- soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure (git-fixes).
- firmware: arm_scmi: Mark VirtIO ready before registering scmi_virtio_driver (git-fixes).
- soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS (git-fixes).
- thermal/drivers/qcom/lmh: Add missing IRQ includes (git-fixes).
- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT (git-fixes).
- ACPI: property: Fix buffer properties extraction for subnodes (git-fixes).
- ACPI: processor: idle: Fix memory leak when register cpuidle device failed (git-fixes).
- ACPICA: Fix largest possible resource descriptor index (git-fixes).
- ACPI: debug: fix signedness issues in read/write helpers (git-fixes).
- PM: sleep: core: Clear power.must_resume in noirq suspend error path (git-fixes).
- PM / devfreq: rockchip-dfi: double count on RK3588 (git-fixes).
- PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() (git-fixes).
- i3c: master: svc: Recycle unused IBI slot (git-fixes).
- i3c: master: svc: Use manual response for IBI events (git-fixes).
- i3c: Fix default I2C adapter timeout value (git-fixes).
- i2c: designware: Add disabling clocks when probe fails (git-fixes).
- i2c: designware: Fix clock issue when PM is disabled (git-fixes).
- i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD (git-fixes).
- pinctrl: renesas: Use int type to store negative error codes (git-fixes).
- pinctrl: samsung: Drop unused S3C24xx driver data (git-fixes).
- pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read() (git-fixes).
- pinctrl: meson-gxl: add missing i2c_d pinmux (git-fixes).
- pinctrl: equilibrium: Remove redundant semicolons (git-fixes).
- power: supply: max77976_charger: fix constant current reporting (git-fixes).
- power: supply: cw2015: Fix a alignment coding style issue (git-fixes).
- leds: leds-lp55xx: Use correct address for memory programming (git-fixes).
- leds: flash: leds-qcom-flash: Update torch current clamp setting (git-fixes).
- mfd: rz-mtu3: Fix MTU5 NFCR register offset (git-fixes).
- mmc: core: Fix variable shadowing in mmc_route_rpmb_frames() (git-fixes).
- spi: fix return code when spi device has too many chipselects (git-fixes).
- spi: cadence-quadspi: Fix cqspi_setup_flash() (git-fixes).
- spi: cadence-quadspi: Flush posted register writes before DAC access (git-fixes).
- spi: cadence-quadspi: Flush posted register writes before INDAC access (git-fixes).
- spi: mtk-snfi: Remove redundant semicolons (git-fixes).
- spi: bcm2835: Remove redundant semicolons (git-fixes).
- regulator: scmi: Use int type to store negative error codes (git-fixes).
- regmap: Remove superfluous check for !config in __regmap_init() (git-fixes).
- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() (git-fixes).
- pwm: tiehrpwm: Fix corner case in clock divisor calculation (git-fixes).
- pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation (git-fixes).
- pwm: tiehrpwm: Make code comment in .free() more useful (git-fixes).
- pwm: tiehrpwm: Don't drop runtime PM reference in .free() (git-fixes).
- pwm: berlin: Fix wrong register in suspend/resume (git-fixes).
- hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems (git-fixes).
- soc: qcom: mdt_loader: Deal with zero e_shentsize (git-fixes).
- commit faf07bc
- Drop patches.suse/drm-amd-display-Disable-PSR-SU-on-eDP-panels.patch (bsc#1243112) The patch caused a regression wrt s2idle on AMD laptops
- commit d42f41f
- net/smc: fix UAF on smcsk after smc_listen_out() (CVE-2025-38734 bsc#1249324).
- commit 4a22467
- net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM (CVE-2025-39770 bsc#1249508).
- commit 6df7556
- Update patches.suse/dmaengine-ti-edma-Fix-memory-allocation-size-for-que.patch (CVE-2025-39869 bsc#1250406). Added CVE reference
- commit 464897c
- writeback: Avoid contention on wb->list_lock when switching inodes (kABI fixup) (bsc#1237776).
- commit f7f2303
- Fix bugzilla and CVE references (CVE-2025-38552 bsc#1248230) Patches patches.suse/mptcp-plug-races-between-subflow-fail-and-subflow-cr.patch patches.kabi/kabi-hide-new-member-allow_subflows-in-struct-mptcp_.patch had wrong bugzilla and CVE references (belonging to previous CVE bug related to similar code). Replace them with the correct ones.
- commit f5079d3
- net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 (CVE-2025-39852 bsc#1250258).
- commit c9b08eb
- Update patches.suse/netfilter-ctnetlink-remove-refcounting-in-expectation-dump.patch references (add CVE-2025-39764 bsc#1249513).
- commit 8f60b19
- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766 bsc#1249510).
- commit b1cb568
- net/sched: Fix backlog accounting in qdisc_dequeue_internal (CVE-2025-39677 bsc#1249300).
- commit 910f097
- tls: handle data disappearing from under the TLS ULP (CVE-2025-38616 bsc#1248512).
- commit ac9ae3e
++++ libxslt:
- security update
- added patches CVE-2025-10911 [bsc#1250553], use-after-free with key data stored cross-RVT
  * libxslt-CVE-2025-10911.patch
------------------------------------------------------------------
------------------ 2025-10-1 - Oct 1 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- cifs: prevent NULL pointer dereference in UTF16 conversion (bsc#1250365, CVE-2025-39838).
- commit 759c64b
- writeback: Avoid excessively long inode switching times (bsc#1237776).
- commit b26feb2
- writeback: Avoid softlockup when switching many inodes (bsc#1237776).
- commit a8e4925
- writeback: Avoid contention on wb->list_lock when switching inodes (bsc#1237776).
- commit 02a1b52
- btrfs: return any hit error from extent_writepage_io() (git-fixes).
- commit b307677
++++ samba:
- Relax samba-gpupdate requirement for cepces, certmonger, and sscep to a recommends. They are only required if utilizing certificate auto enrollment (bsc#1249087).
++++ nvidia-open-driver-G06-signed:
- fixed 'osc service run download_files'
------------------------------------------------------------------
------------------ 2025-9-30 - Sep 30 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- x86/microcode: Update the Intel processor flag scan check (git-fixes).
- commit b729bda
- x86/microcode/AMD: Handle the case of no BIOS microcode (git-fixes).
- commit 2fbcb40
- kabi/severities: ignore asus-wmi kABI breakage The recent fix for asus WMI drivers (commit 132bfcd24925 backport) breaks kABI.
  As the symbols are used only internally for asus WMI drivers and the kABI workaround isn't trivial, let's just ignore kABI breakage.
- commit d543a77
- erofs: avoid reading more for fragment maps (git-fixes).
- commit a9573c6
- ocfs2: fix recursive semaphore deadlock in fiemap call (bsc#1250407 CVE-2025-39885).
- ocfs2: prevent release journal inode after journal shutdown (bsc#1250267 CVE-2025-39842).
- commit aeb8389
- seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast (git-fixes bsc#1250671).
- commit 1ea074e
- mm/smaps: fix race between smaps_hugetlb_range and migration (CVE-2025-39754 bsc#1249524).
- commit 8df5ff7
- tty: hvc_console: Call hvc_kick in hvc_write unconditionally (bsc#1230062).
- commit 544e413
------------------------------------------------------------------
------------------ 2025-9-29 - Sep 29 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() (CVE-2025-39857 bsc#1250251)
- commit a9b3df4
- net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path (CVE-2025-39830 bsc#1249974)
- commit 163399c
- platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk (git-fixes).
- platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 (stable-fixes).
- commit 20f9cff
- i2c: riic: Allow setting frequencies lower than 50KHz (git-fixes).
- commit 43a1dc1
- kABI workaround for amd_sfh (git-fixes).
- commit 2e4b180
- HID: amd_sfh: Add sync across amd sfh work functions (git-fixes).
- commit ba93a25
- selftests/cpufreq: Fix cpufreq basic read and update testcases (bsc#1250344).
- commit a092a13
- hv_netvsc: Link queues to NAPIs (git-fixes).
- commit c52cbb3
- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (bsc#1246782 CVE-2025-38351).
- commit 28ac15f
- net/sched: ets: use old 'nbands' while purging unused classes (CVE-2025-38684 bsc#1249156).
- commit ecd1ae5
- tee: fix NULL pointer dereference in tee_shm_put (CVE-2025-39865 bsc#1250294).
- commit 5275cd3
- cpufreq: Initialize cpufreq-based invariance before subsys (git-fixes).
- commit 378dc28
- PM: cpufreq: powernv/tracing: Move powernv_throttle trace event (git-fixes). Allow kabi breakage: declaring powernv_throttle moved from global to local powernv only header file.
- commit 28a4607
- cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist (stable-fixes).
- commit fab468d
- cpufreq: tegra186: Share policy per cluster (stable-fixes).
- commit a730531
- x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper (CVE-2025-39681 bsc#1249303).
- commit ecf77f1
++++ expat:
- Fix CVE-2025-59375 / bsc#1249584.
- Add patch file:
  * CVE-2025-59375.patch
++++ patterns-base:
- Bump to 6.2 - Micro 6.2 Thunderbolt enablement code-o-o#leap/features#242
------------------------------------------------------------------
------------------ 2025-9-28 - Sep 28 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- Bluetooth: MGMT: Fix possible UAFs (git-fixes).
- Refresh patches.kabi/hci_dev-centralize-extra-lock.patch.
- commit 40462f6
- fbcon: Fix OOB access in font allocation (git-fixes).
- commit 3d28b38
- platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() (git-fixes).
- gpiolib: Extend software-node support to support secondary software-nodes (git-fixes).
- drm/panthor: Defer scheduler entitiy destruction to queue release (git-fixes).
- fbcon: fix integer overflow in fbcon_do_set_font (git-fixes).
- drm/gma500: Fix null dereference in hdmi teardown (git-fixes).
- drm/ast: Use msleep instead of mdelay for edid read (git-fixes).
- can: peak_usb: fix shift-out-of-bounds issue (git-fixes).
- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow (git-fixes).
- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (git-fixes).
- Bluetooth: hci_sync: Fix hci_resume_advertising_sync (git-fixes).
- reset: eyeq: fix OF node leak (git-fixes).
- firewire: core: fix overlooked update of subsystem ABI version (git-fixes).
- ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx (stable-fixes).
- net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer (git-fixes).
- wifi: wilc1000: avoid buffer overflow in WID string configuration (stable-fixes).
- wifi: mac80211: increase scan_ies_len for S1G (stable-fixes).
- wifi: mac80211: fix incorrect type for ret (stable-fixes).
- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported (stable-fixes).
- commit a203b7e
------------------------------------------------------------------
------------------ 2025-9-26 - Sep 26 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() (git-fixes).
- commit 1d0bd57
- mm/mremap: fix WARN with uffd that has remap events disabled (CVE-2025-39775 bsc#1249500).
- commit ec812cb
- kabi: Restore layout of parallel_data (bsc1248343).
- commit 3819e36
- padata: Fix pd UAF once and for all (CVE-2025-38584 bsc1248343).
- commit 0631965
- x86/CPU/AMD: Add CPUID faulting support (jsc#PED-13704).
- commit f69b3f2
- xfrm: xfrm_alloc_spi shouldn't use 0 as SPI (CVE-2025-39797 bsc#1249608).
- commit 169508a
- xfrm: Duplicate SPI Handling (CVE-2025-39797 bsc#1249608).
- commit 05dc0f3
- kernel-source.spec: Depend on python3-base for build Both kernel-binary and kernel-docs already have this dependency. Adding it to kernel-source makes it possible to use python in shared build scripts.
- commit 72fdedd
- kernel-source: Do not list mkspec and its inputs as sources (bsc#1250522). This excludes the files from the src.rpm. The next step is to remove these files in tar-up so that they do not get uploaded to OBS either. As there is only one version of tar-up these files need to be removed from all kernels.
- commit e72b8a2
------------------------------------------------------------------
------------------ 2025-9-25 - Sep 25 2025 -------------------
------------------------------------------------------------------
++++ dracut:
- Update to version 059+suse.700.g40f7c5c4:
  Additional fixes for PXE boot with filled-in NBFT (bsc#1238848):
  * fix(74nvmf): make sure autoconnect script is run at least once
  * fix(74nvmf): only set netroot if it's yet empty
++++ kernel-default:
- rpm: Link arch-symbols script from scripts directory.
- commit 90b2abb
- mm/rmap: avoid -EBUSY from make_device_exclusive() (CVE-2025-22034 bsc#1241435).
- commit 3fde912
- cgroup: llist: avoid memory tears for llist_node (bsc#1247963).
- commit c443f2f
- mm/rmap: keep mapcount untouched for device-exclusive entries (CVE-2025-22034 bsc#1241435).
- commit 1f6e890
- mm/damon: handle device-exclusive entries correctly in damon_folio_mkold_one() (CVE-2025-22034 bsc#1241435).
- commit 51352f5
- mm/damon: handle device-exclusive entries correctly in damon_folio_young_one() (CVE-2025-22034 bsc#1241435).
- commit ece262f
- mm/page_idle: handle device-exclusive entries correctly in page_idle_clear_pte_refs_one() (CVE-2025-22034 bsc#1241435).
- commit f9cfa84
- mm/rmap: handle device-exclusive entries correctly in page_vma_mkclean_one() (CVE-2025-22034 bsc#1241435).
- commit dfbbdbb
- mm/rmap: handle device-exclusive entries correctly in try_to_migrate_one() (CVE-2025-22034 bsc#1241435).
- commit 622f2ca
- mm/rmap: handle device-exclusive entries correctly in try_to_unmap_one() (CVE-2025-22034 bsc#1241435).
- commit 6ce6bcc
- mm/ksm: handle device-exclusive entries correctly in write_protect_page() (CVE-2025-22034 bsc#1241435).
- commit 36a9f94
- kernel/events/uprobes: handle device-exclusive entries correctly in __replace_page() (CVE-2025-22034 bsc#1241435).
- commit 2b51ee2
- mm/page_vma_mapped: device-exclusive entries are not migration entries (CVE-2025-22034 bsc#1241435).
- commit 3e96420
- mm: use single SWP_DEVICE_EXCLUSIVE entry type (CVE-2025-22034 bsc#1241435).
- commit 4f438a1
- mm/memory: detect writability in restore_exclusive_pte() through can_change_pte_writable() (CVE-2025-22034 bsc#1241435).
- commit 2cf7b2d
- mm/rmap: implement make_device_exclusive() using folio_walk instead of rmap walk (CVE-2025-22034 bsc#1241435).
- commit f6443ef
- mm/rmap: convert make_device_exclusive_range() to make_device_exclusive() (CVE-2025-22034 bsc#1241435).
- commit a8eb13b
- mm/rmap: reject hugetlb folios in folio_make_device_exclusive() (CVE-2025-22034 bsc#1241435).
- commit 147fff4
- mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs (CVE-2025-22034 bsc#1241435).
- commit a005761
++++ samba:
- Disable timeouts for smb.service so that possibly slow running ExecStartPre script 'update-samba-security-profile' doesn't cause service start to fail due to timeouts; (bsc#1249181).
- Ensure semanage is pulled in as a requirement when samba is installed when selinux security access mechanism that is used; (bsc#1249180).
- don't attempt to label paths that don't exist, also remove unnecessary evaluation of semanage & restorecon cmds; (bsc#1249179).
- Update to 4.22.4
  * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0; (bso#14981).
  * getpwuid does not shift to new DC when current DC is down; (bso#15844).
  * Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName-; (bso#15876).
  * Unresponsive second DC can cause idmapping failure when using idmap_ad-; (bso#15881).
  * kinit command is failing with Missing cache Error; (bso#15840).
  * Figuring out the DC name from IP address fails and breaks fork_domain_child(); (bso#15891).
  * vfs_streams_depot fstatat broken; (bso#15816).
  * Delayed leader broadcast can block ctdb forever; (bso#15892).
  * Apparently there is a conflict between shadow_copy2 module and virusfilter (action quarantine); (bso#15663).
  * Fix handling of empty GPO link; (bso#15877).
  * SMB ACL inheritance doesn't work for files created; (bso#15880).
++++ nvidia-open-driver-G06-signed:
- update to version 580.95.05 (boo#1250536)
------------------------------------------------------------------
------------------ 2025-9-24 - Sep 24 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- rcu: Fix racy re-initialization of irq_work causing hangs (git-fixes)
- commit d2a13f5
- rcu: Fix rcu_read_unlock() deadloop due to IRQ work (bsc#1249494 CVE-2025-39744)
- commit 765c8d9
- rcu: Protect ->defer_qs_iw_pending from data race (bsc#1249533 CVE-2025-39749)
- commit 5fd1692
- use uniform permission checks for all mount propagation changes (git-fixes).
- commit f53ccd0
- rpm: Link guards script from scripts directory.
- commit e19a893
- Update patches.suse/netfilter-nf_reject-don-t-leak-dst-refcount-for-loopback-p.patch (git-fixes bsc#1249262 CVE-2025-38732). Update references to include bsc#1249262 and CVE-2025-38732.
- commit 760e804
- KVM: x86: use array_index_nospec with indices that come from guest (CVE-2025-39823 bsc#1250002).
- commit 6411ad9
- btrfs: do not allow relocation of partially dropped subvolumes (bsc#1249540).
- commit 84e3cf7
- perf test: Fix a build error in x86 topdown test (git-fixes).
- commit 4e90429
------------------------------------------------------------------
------------------ 2025-9-23 - Sep 23 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- nfs/localio: add direct IO enablement with sync and async IO support (git-fixes).
- commit 2e09183
- fs/nfs/io: make nfs_start_io_*() killable (git-fixes).
- commit da6c18a
- nfs/localio: remove extra indirect nfs_to call to check {read,write}_iter (git-fixes).
- commit 66b491e
- btrfs: initialize inode::file_extent_tree after i_mode has been set (git-fixes).
- commit ba7d857
- btrfs: fix the inode leak in btrfs_iget() (git-fixes).
- commit 86df556
- btrfs: fix invalid inode pointer after failure to create reloc inode (git-fixes).
- commit 195186f
- btrfs: make btrfs_iget_path() return a btrfs inode instead (git-fixes).
- commit 5c2fa5a
- btrfs: make btrfs_iget() return a btrfs inode instead (git-fixes).
- Refresh patches.suse/btrfs-fix-inode-lookup-error-handling-during-log-rep.patch.
- commit f577da7
- btrfs: pass a btrfs_inode to fixup_inode_link_count() (git-fixes).
- commit 0a542a8
- btrfs: send: remove unnecessary inode lookup at send_encoded_inline_extent() (git-fixes).
- commit 4b03a51
- btrfs: use struct btrfs_inode inside btrfs_get_name() (git-fixes).
- commit 9e54445
- btrfs: use struct btrfs_inode inside btrfs_get_parent() (git-fixes).
- commit f8234ff
- btrfs: use struct btrfs_inode inside btrfs_remap_file_range_prep() (git-fixes).
- commit 7cd3ceb
- btrfs: use struct btrfs_inode inside btrfs_remap_file_range() (git-fixes).
- commit 7bd3156
- btrfs: pass struct btrfs_inode to btrfs_extent_same_range() (git-fixes).
- commit 7f4ce8b
- btrfs: pass struct btrfs_inode to btrfs_double_mmap_unlock() (git-fixes).
- commit 6e85b98
- btrfs: pass struct btrfs_inode to btrfs_double_mmap_lock() (git-fixes).
- commit 7a41133
- btrfs: pass struct btrfs_inode to clone_copy_inline_extent() (git-fixes).
- commit c5e9fe5
- btrfs: props: switch prop_handler::extract to struct btrfs_inode (git-fixes).
- commit c7faedf
- btrfs: props: switch prop_handler::apply to struct btrfs_inode (git-fixes).
- commit a007bab
- btrfs: pass struct btrfs_inode to btrfs_inode_inherit_props() (git-fixes).
- commit da6d69a
- btrfs: pass struct btrfs_inode to btrfs_load_inode_props() (git-fixes).
- commit 0b464f7
- btrfs: pass struct btrfs_inode to btrfs_fill_inode() (git-fixes).
- commit 3bafa62
- btrfs: pass struct btrfs_inode to fill_stack_inode_item() (git-fixes).
- commit 74968ef
- btrfs: use struct btrfs_inode inside create_pending_snapshot() (git-fixes).
- commit eb860e0
- btrfs: pass struct btrfs_inode to btrfs_defrag_file() (git-fixes).
- commit 66d00cf
- btrfs: pass struct btrfs_inode to btrfs_inode_type() (git-fixes).
- commit 0cf8d55
- btrfs: pass struct btrfs_inode to new_simple_dir() (git-fixes).
- commit d0fd694
- btrfs: pass struct btrfs_inode to btrfs_iget_locked() (git-fixes).
- commit abfb73d
- btrfs: pass struct btrfs_inode to btrfs_read_locked_inode() (git-fixes).
- commit 7580ad2
- btrfs: pass struct btrfs_inode to extent_range_clear_dirty_for_io() (git-fixes).
- commit 5bffc21
- btrfs: pass struct btrfs_inode to can_nocow_extent() (git-fixes).
- commit 3883a42
- btrfs: unify ordering of btrfs_key initializations (git-fixes).
- Refresh patches.suse/btrfs-simplify-error-detection-flow-during-log-repla.patch.
- commit 33fd53f
- btrfs: add assertions and comment about path expectations to btrfs_cross_ref_exist() (git-fixes).
- commit 00d3657
- btrfs: add function comment for check_committed_ref() (git-fixes).
- commit e6f6ede
- btrfs: simplify arguments for btrfs_cross_ref_exist() (git-fixes).
- commit 95ec2cf
- btrfs: simplify return logic at check_committed_ref() (git-fixes).
- commit 13f3e6d
- btrfs: avoid redundant call to get inline ref type at check_committed_ref() (git-fixes).
- commit 4676cb7
- btrfs: remove the snapshot check from check_committed_ref() (git-fixes).
- commit 8aa9a59
- btrfs: remove no longer needed strict argument from can_nocow_extent() (git-fixes).
- commit c8b943a
- btrfs: remove conditional path allocation in btrfs_read_locked_inode() (git-fixes).
- commit 653c0e7
- btrfs: push cleanup into btrfs_read_locked_inode() (git-fixes).
- commit 7e4da3e
- btrfs: use filemap_get_folio() helper (git-fixes).
- Refresh patches.suse/btrfs-remove-the-unused-locked_folio-parameter-from-.patch.
- commit 28ed9e4
- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions (git-fixes)
- commit 8085078
- btrfs: tree-checker: fix the incorrect inode ref size check (git-fixes).
- commit 0cdf433
- btrfs: fix corruption reading compressed range when block size is smaller than page size (git-fixes).
- commit cbb42db
++++ nvidia-open-driver-G06-signed:
- get rid of multiversion for the KMPs, since it only brought/brings us trouble and no benefit at all (jsc#PED-12049)
  * remove any ^Conflicts and ^Provides: multiversion from /usr/lib/rpm/kernel-module-subpackage
  * set INSTALL_MOD_DIR back to %{kernel_module_package_moddir}, i.e. updates/ subdir
++++ ovmf:
- Add backported patch to enable iSCSI boot support by default (bsc#1245454)
- ovmf-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch 502f0dfda4 OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
- Add build flag NETWORK_ISCSI_DEFAULT_ENABLE for x64 OVMF to enable iSCSI boot support by default
------------------------------------------------------------------
------------------ 2025-9-22 - Sep 22 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths (CVE-2025-39816 bsc#1249906).
- commit 5f1b3b6
- perf bpf-utils: Harden get_bpf_prog_info_linear (git-fixes).
- perf bpf-utils: Constify bpil_array_desc (git-fixes).
- perf bpf-event: Fix use-after-free in synthesis (git-fixes).
- perf symbol-minimal: Fix ehdr reading in filename__read_build_id (git-fixes).
- perf record: Cache build-ID of hit DSOs only (git-fixes).
- perf tools: Remove libtraceevent in .gitignore (git-fixes).
- perf topdown: Use attribute to see an event is a topdown metic or slots (git-fixes).
- perf hwmon_pmu: Avoid shortening hwmon PMU name (git-fixes).
- perf tests bp_account: Fix leaked file descriptor (git-fixes).
- perf sched: Fix memory leaks in 'perf sched latency' (git-fixes).
- perf sched: Use RC_CHK_EQUAL() to compare pointers (git-fixes).
- perf sched: Fix memory leaks for evsel->priv in timehist (git-fixes).
- perf sched: Fix thread leaks in 'perf sched timehist' (git-fixes).
- perf sched: Fix memory leaks in 'perf sched map' (git-fixes).
- perf sched: Free thread->priv using priv_destructor (git-fixes).
- perf sched: Make sure it frees the usage string (git-fixes).
- perf dso: Add missed dso__put to dso__load_kcore (git-fixes).
- perf parse-events: Set default GH modifier properly (git-fixes).
- perf trace: Remove --map-dump documentation (git-fixes).
- commit ab29dec
- kabi: restore layout of struct cgroup_rstat_cpu (bsc#1247963).
- commit 4968d41
- cgroup: remove per-cpu per-subsystem locks (bsc#1247963).
- cgroup: make css_rstat_updated nmi safe (bsc#1247963).
- cgroup: support to enable nmi-safe css_rstat_updated (bsc#1247963).
- commit 8bebd47
- KVM: arm64: vgic: fix incorrect spinlock API usage (git-fixes).
- commit 3e87b0e
- Refresh patches.suse/net-usb-qmi_wwan-add-Telit-Cinterion-LE910C4-WWX-new.patch. Adding alt commit ID
- commit 620e1f8
- Refresh patches.suse/net-usb-qmi_wwan-add-Telit-Cinterion-FN990A-w-audio-.patch. Add alt commit ID
- commit ce1eebe
- KVM: arm64: Mark freed S2 MMUs as invalid (git-fixes).
- commit 7df42be
------------------------------------------------------------------
------------------ 2025-9-20 - Sep 20 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- NFSv4/flexfiles: Fix layout merge mirror check (git-fixes).
- commit d3e4ea4
- SUNRPC: call xs_sock_process_cmsg for all cmsg (git-fixes).
- commit e20ec8c - Revert "SUNRPC: Don't allow waiting for exiting tasks" (git-fixes). - commit d3bd385 - NFS: nfs_invalidate_folio() must observe the offset and size arguments (git-fixes). - commit 3067280 - flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read (git-fixes). - commit fba14d9 - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server (git-fixes). - commit 59365a8 - NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported (git-fixes). - commit 1bfae45 - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set (git-fixes). - commit 36a8789 - NFSv4: Don't clear capabilities that won't be reset (git-fixes). - commit e82d989 - xfs: fix scrub trace with null pointer in quotacheck (git-fixes). - commit df9ef9b - Delete patches.suse/drm-amd-display-Optimize-cursor-position-updates.patch (git-fixes) reverted in the upstream - commit fb65ee4 - mmc: mvsdio: Fix dma_unmap_sg() nents value (git-fixes). - crypto: af_alg - Set merge to zero early in af_alg_sendmsg (git-fixes). - ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S (git-fixes). - ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface (git-fixes). - ASoC: Intel: catpt: Expose correct bit depth to userspace (git-fixes). - ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed (git-fixes). - ASoC: wm8974: Correct PLL rate rounding (git-fixes). - ASoC: wm8940: Correct typo in control name (git-fixes). - ASoC: wm8940: Correct PLL rate rounding (git-fixes). - ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message (git-fixes). - ALSA: hda: intel-dsp-config: Prevent SEGFAULT if ACPI_HANDLE() is NULL (git-fixes). - ALSA: hda/realtek: Add ALC295 Dell TAS2781 I2C fixup (git-fixes). - drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put (git-fixes). - drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() (git-fixes). 
- drm/xe/tile: Release kobject for the failure path (git-fixes). - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path (git-fixes). - drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ (git-fixes). - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions (stable-fixes). - USB: serial: option: add Telit Cinterion FN990A w/audio compositions (stable-fixes). - Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table (stable-fixes). - Input: iqs7222 - avoid enabling unused interrupts (stable-fixes). - drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time (stable-fixes). - drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages (stable-fixes). - compiler-clang.h: define __SANITIZE_*__ macros only when undefined (stable-fixes). - i2c: i801: Hide Intel Birch Stream SoC TCO WDT (git-fixes). - commit 65f2bb8 ------------------------------------------------------------------ ------------------ 2025-9-19 - Sep 19 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - btrfs: fix invalid extref key setup when replaying dentry (git-fixes). - commit d3ba0e7 - mm/memory-failure: fix redundant updates for already poisoned pages (bsc#1250087). - commit 2742d4a - KVM: s390: Fix incorrect usage of mmu_notifier_register() (git-fixes bsc#1250123). - KVM: s390: Fix access to unavailable adapter indicator pages during postcopy (git-fixes bsc#1250124). - commit 4b89509 - kabi: hide new member allow_subflows in struct mptcp_sock (CVE-2025-38491 bsc#1247280). - commit 0d82424 - mptcp: plug races between subflow fail and subflow creation (CVE-2025-38491 bsc#1247280). - Refresh patches.kabi/kabi-hide-new-member-fallback_lock-in-struct-mptcp_s.patch. - commit 7b433f3 - Update patches.kabi/kabi-hide-new-member-fallback_lock-in-struct-mptcp_s.patch. 
Original kABI workaround relied on the fact that struct mptcp has a 4-byte padding which the new member fallback_lock (of type spinlock_t) can fit into. Unfortunately this is not true in realtime builds where spinlock_t is 32 bytes long. Thankfully we do not have to preserve the length of struct mptcp_sock as explained in the patch commit message. - commit 7542a84 - gfs2: Validate i_depth for exhash directories (bsc#1249201 CVE-2025-38710). - commit 1cd54df ------------------------------------------------------------------ ------------------ 2025-9-18 - Sep 18 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - Refresh patches.kabi/kabi-hide-new-member-allow_subflows-in-struct-mptcp_.patch - Refresh patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch Automated edit git grep -l static_assert patches.kabi/ | xargs sed -i '/^+/s/static_assert/suse_kabi_static_assert/' plus modified guards in kabi-hide-new-member-allow_subflows-in-struct-mptcp_.patch. - commit ee20154 - Revert "Refresh patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch" This reverts commit e7bb4bfabf763f6feebe9b971c01a1746b67afc6. - commit d1ce41e - Update config files. (bsc#1249186) Enable where we define KABI refs + rely on Kconfig deps. - commit 2bf74df - Update config files. Run run_oldconfig. Re-unset CONFIG_DRM_MSM_VALIDATE_XML, disappeared in 9ca53363a24bc40dd0bda686354dfa6687847f48. - commit 269a088 - jbd2: prevent softlockup in jbd2_log_do_checkpoint() (bsc#1249526 CVE-2025-39782). - commit 7f18cbf - ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr (bsc#1249258 CVE-2025-38701). - commit 364a60b - loop: Avoid updating block size under exclusive owner (bsc#1249199 CVE-2025-38709). - commit 4262a77 - eventpoll: Fix semi-unbounded recursion (bsc#1248392 CVE-2025-38614). - commit 7646f9d - fs/buffer: fix use-after-free when call bh_read() helper (bsc#1249374 CVE-2025-39691). 
- commit 632fdc7 - net: bridge: fix soft lockup in br_multicast_query_expired() (CVE-2025-39773 bsc#1249504). - commit 69dfa3b ++++ tiff: - Update to 4.7.1: Software configuration changes: * Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h. * CMake: define WORDS_BIGENDIAN via tif_config.h * doc/CMakeLists.txt: remove useless cmake_minimum_required() * CMake: fix build with LLVM/Clang 17 (fixes issue #651) * CMake: set CMP0074 new policy * Set LINKER_LANGUAGE for C targets with C deps * Export tiffxx cmake target (fixes issue #674) * autogen.sh: Enable verbose wget. * configure.ac: Syntax updates for Autoconf 2.71 * autogen.sh: Re-implement based on autoreconf. Failure to update config.guess/config.sub does not return error (fixes issue #672) * CMake: fix CMake 4.0 warning when minimum required version is < 3.10. * CMake: Add build option tiff-static (fixes issue #709) Library changes: * Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control about emitting warnings for unknown tags. No longer emit warnings about unknown tags by default * tif_predict.c: speed-up decompression in some cases. Bug fixes: * tif_fax3: For fax group 3 data if no EOL is detected, reading is retried without synchronisation for EOLs. (fixes issue #54) * Updating TIFFMergeFieldInfo() with read_count=write_count=0 for FIELD_IGNORE. Improving handling when field_name = NULL. (fixes issue #532) * tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL compression in the DNG 1.7 specification * TIFFWriteDirectorySec: Increment string length for ASCII tags for codec tags defined with FIELD_xxx bits, as it is done for FIELD_CUSTOM tags. (fixes issue #648) * Do not error out on a tag whose tag count value is zero, just issue a warning.
Fix parsing a private tag 0x80a6 (fixes issue #647) * TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24 (fixes https://github.com/OSGeo/gdal/issues/10875) * tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK() (fixes issue #175) * Fix writing a Predictor=3 file with non-native endianness * _TIFFVSetField(): fix potential use of unallocated memory (out-of-bounds read / nullptr dereference) in case of out-of-memory situation when dealing with custom tags (fixes issue #663) * tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is not equal 1 and PlanarConfiguration = Contiguous (fixes issue #26) * tif_fax3.c: error out after a number of times end-of-line or unexpected bad code words have been reached. (fixes issue #670) * Fix memory leak in TIFFSetupStrips() (fixes issue #665) * tif_zip.c: Provide zlib allocation functions. Otherwise for zlib built with -DZ_SOLO inflating will fail. * Fix memory leak in _TIFFSetDefaultCompressionState. (fixes issue #676) * tif_predict.c: Don’t overwrite input buffer of TIFFWriteScanline() if "prediction" is enabled. Use extra working buffer in PredictorEncodeRow(). (fixes issue #5) * tif_getimage.c: update some integer overflow checks (fixes issue #79) * tif_getimage.c: Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented() (fixes issue #704, bsc#1250413, CVE-2025-9900) * TIFFReadRGBAImage(): several fixes to avoid buffer overflows. * Correct passing arguments to TIFFCvtIEEEFloatToNative() and TIFFCvtIEEEDoubleToNative() if HAVE_IEEEFP is not defined. (fixes issue #699) * LZWDecode(): avoid nullptr dereference when trying to read again after EOI marker has been found with remaining output bytes (fixes issue #698) * TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return.
* TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp when clearing tif_rawdata (fixes issue #711) * JPEGEncodeRaw(): error out if a previous scanline failed to be written, to avoid out-of-bounds access (fixes issue #714) * tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is defined for 8/12bit dual mode, introduced in libjpeg-turbo 2.2, which was actually released as 3.0. Fixes issue #717 * add assert for TIFFReadCustomDirectory infoarray check. * ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes of each line were written wrongly. (fixes issue #467) * fax2ps: fix regression of commit 28c38d648b64a66c3218778c4745225fe3e3a06d where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer (fixes issue #649) * tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAG_TILEWIDTH (fixes issue #650) * tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division by zero. Fixes issue #654 * tiff2pdf: avoid null pointer dereference. (fixes issue #741) * Improve non-secure integer overflow check (comparison of division result with multiplicand) at compiler optimisation in tiffcp, rgb2ycbcr and tiff2rgba. Fixes issue #546 * tiff2rgba: fix some "a partial expression can generate an overflow before it is assigned to a broader type" warnings. (fixes issue #682) * tiffdither/tiffmedian: Don't skip the first line of the input image. (fixes issue #703) * tiffdither: avoid out-of-bounds read identified in issue #733 * tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707) * tiffmedian: close input file. (fixes issue #735) * thumbnail: avoid potential out of bounds access (fixes issue #715) * tiffcrop: close open TIFF files and release allocated buffers before exiting in case of error to avoid memory leaks. (fixes issue #716) * tiffcrop: fix double-free and memory leak exposed by issue #721 * tiffcrop: avoid buffer overflow. (fixes issue #740) * tiffcrop: avoid nullptr dereference.
(fixes issue #734) * tiffdump: Fix coverity scan issue CID 1373365: Passing tainted expression *datamem to PrintData, which uses it as a divisor or modulus. * tiff2ps: check return of TIFFGetField() for TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference. (fixes issue #718) * tiffcmp: fix memory leak when second file cannot be opened. (fixes issue #718 and issue #729) * tiffcp: fix setting compression level for lossless codecs. (fixes issue #730) * raw2tiff: close input file before exit (fixes issue #742) Tools changes: * tiffinfo: add a -W switch to warn about unknown tags. * tiffdither: process all pages in input TIFF file. Documentation: * TIFFRGBAImage.rst note added for incorrect saving of images with TIFF orientation from 5 (LeftTop) to 8 (LeftBottom) in the raster. * TIFFRGBAImage.rst note added about un-associated alpha handling (fixes issue #67) * Update "Defining New TIFF Tags" description. (fixes issue #642) * Fix return type of TIFFReadEncodedTile() * Update the documentation to reflect deprecated typedefs. * TIFFWriteDirectory.rst: Clarify TIFFSetWriteOffset() only sets offset for image data and not for IFD data. * Update documentation on re-entrancy and thread safety. * Remove dead links to no more existing Awaresystems web-site. * Updating BigTIFF specification and some miscellaneous editions. * Replace some last links and remove last todos. * Added hints for correct allocation of TIFFYCbCrtoRGB structure and its associated buffers. (fixes issue #681) * Added chapter to "Using the TIFF Library" with links to handling multi-page TIFF and custom directories. (fixes issue #43) * update TIFFOpen.rst with the return values of mapproc and unmapproc.
(fixes issue #12) - Drop upstreamed patches: * tiff-4.7.0-test_directory.patch * tiff-CVE-2025-8176.patch * tiff-CVE-2025-8177.patch * tiff-4.7.0-bsc1243503.patch * tiff-CVE-2025-8534.patch * tiff-CVE-2025-9165.patch * tiff-CVE-2024-13978.patch * tiff-CVE-2025-8961.patch ------------------------------------------------------------------ ------------------ 2025-9-17 - Sep 17 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - rpm/config.sh: SLFO 1.2 is now synced to OBS as well - commit a1cec7e - ACPI: RISC-V: Fix FFH_CPPC_CSR error handling (git-fixes). - commit 29541f6 - ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path (stable-fixes). - commit 3cb3b40 - io_uring/net: commit partial buffers on retry (CVE-2025-38730 bsc#1249172). - commit 6c3c764 - io_uring/futex: ensure io_futex_wait() cleans up properly on failure (bsc#1249322 CVE-2025-39698). - commit 6b74cde - userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry (CVE-2025-38686 bsc#1249160). - commit a942b8d - kABI: netfs: handle new netfs_io_stream flag (bsc#1249314 CVE-2025-39723). - commit b79d24b - btrfs: fix subvolume deletion lockup caused by inodes xarray race (git-fixes). - commit d8d3b1e - btrfs: fix squota compressed stats leak (git-fixes). - commit f4489c7 - btrfs: fix wrong length parameter for btrfs_cleanup_ordered_extents() (git-fixes). - commit 73f12d4 - netfs: Fix unbuffered write error handling (stable-fixes bsc#1249314 CVE-2025-39723). - commit de949a4 - ppp: fix race conditions in ppp_fill_forward_path (CVE-2025-39673 bsc#1249320). 
- commit 835095c ++++ nvidia-open-driver-G06-signed: - pesign-spec-macros: added definition for %__kernel_supplements, which replaced %__kmp_supplements with latest RPM used on TW now, in order to fix PCI HW Supplements for TW (boo#1249814) ------------------------------------------------------------------ ------------------ 2025-9-16 - Sep 16 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - mm/damon/sysfs: fix use-after-free in state_show() (git-fixes). - commit 97c6157 - percpu: fix race on alloc failed warning limit (git-fixes). - commit df7089c - mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() (git-fixes). - commit 7f118fd - mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() (git-fixes). - commit a721c93 - mm/damon/core: set quota->charged_from to jiffies at first charge window (git-fixes). - commit 8cc5d6c - mm: fault in complete folios instead of individual pages for tmpfs (git-fixes). - commit 72eb4d6 - mm: close theoretical race where stale TLB entries could linger (git-fixes). - commit 43ddf98 - mm/damon/core: avoid destroyed target reference from DAMOS quota (git-fixes). - commit b8f858b - execmem: enforce allocation size aligment to PAGE_SIZE (git-fixes). - commit ed49080 - coredump: Fixes core_pipe_limit sysctl proc_handler (git-fixes). - commit dfdab4e - mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma (git-fixes). - commit debc2cc - pptp: fix pptp_xmit() error path (git-fixes). - commit bf03393 - net, hsr: reject HSR frame if skb can't hold tag (CVE-2025-39703 bsc#1249315). - commit 31af9c5 - power: supply: bq27xxx: restrict no-battery detection to bq27000 (git-fixes). - power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery (git-fixes). - commit ca0a722 - drm/dp: Add an EDID quirk for the DPCD register access probe (bsc#1248121). 
- kABI workaround for "drm/dp: Add an EDID quirk for the DPCD register access probe" (bsc#1248121). - Refresh patches.suse/drm-Add-kabi-placeholders-to-commonly-used-structs.patch. - commit 8284f72 - kABI: arm64: ftrace: Restore struct mod_arch_specific layout (git-fixes). - commit cb06f32 - arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module (git-fixes) - commit a64c583 - arm64: dts: rockchip: Fix Bluetooth interrupts flag on Neardi LBA3368 (git-fixes) - commit 78938d3 - arm64: dts: rockchip: Fix the headphone detection on the orangepi 5 (git-fixes) - commit ba5fe5b - arm64: dts: rockchip: Add vcc-supply to SPI flash on (git-fixes) - commit 8dd21d2 - arm64: dts: rockchip: use cs-gpios for spi1 on ringneck (git-fixes) - commit 7fdd334 - arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B (git-fixes). - commit bc5a89e - arm64: dts: rockchip: disable unrouted USB controllers and PHY on (git-fixes) - commit 607b715 - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma (git-fixes) - commit d20c924 - arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul (git-fixes) - commit f84cc30 - arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics (git-fixes) - commit 627de8c - arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off (git-fixes) - commit e690dcc - arm64: Mark kernel as tainted on SAE and SError panic (git-fixes) - commit 5a4a449 - arm64: stacktrace: Check kretprobe_find_ret_addr() return value (git-fixes) - commit f7313d0 - arm64: Handle KCOV __init vs inline mismatches (git-fixes) - commit 8a132f8 - i2c: tegra: Use internal reset when reset property is not available (bsc#1249143) - commit 9c0b7e3 - cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag (stable-fixes). - commit fc53d59 - cpufreq: Exit governor when failed to start old governor (stable-fixes). 
- commit e935313 ------------------------------------------------------------------ ------------------ 2025-9-15 - Sep 15 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - cpufreq: Init policy->rwsem before it may be possibly used (git-fixes). - commit fdf9d91 - drm/amd/display: Disable DPCD Probe Quirk (bsc#1248121). - commit b441892 - tls: fix handling of zero-length records on the rx_list (CVE-2025-39682 bsc#1249284). - commit dae1b00 - drm/dp: Change AUX DPCD probe address from LANE0_1_STATUS to TRAINING_PATTERN_SET (bsc#1248121). - commit 05496be - Update patches.suse/drm-dp-Change-AUX-DPCD-probe-address-from-DPCD_REV-t.patch (bsc#1248121) Move to the cherry-picked 6.16-rc patch, to be applied earlier - commit c2137da - drm/edid: Add support for quirks visible to DRM core and drivers (bsc#1248121). - commit 3f7be89 - drm/edid: Define the quirks in an enum list (bsc#1248121). - commit f72505b - netfilter: nf_tables: reject duplicate device on updates (CVE-2025-38678 bsc#1249126). - commit fa3b4ce - ptp: fix breakage after ptp_vclock_in_use() rework (git-fixes). - commit c4393a1 - iommu/amd: Avoid stack buffer overflow from kernel cmdline (CVE-2025-38676 bsc#1248775). - commit b6650d7 - phy: ti-pipe3: fix device leak at unbind (git-fixes). - phy: ti: omap-usb2: fix device leak at unbind (git-fixes). - phy: tegra: xusb: fix device and OF node leak at probe (git-fixes). - phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties (git-fixes). - dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate (git-fixes). - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map (git-fixes). - dmaengine: idxd: Fix double free in idxd_setup_wqs() (git-fixes). - dmaengine: idxd: Fix refcount underflow on module unload (git-fixes). - dmaengine: idxd: Remove improper idxd_free (git-fixes). - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees (git-fixes). 
- serial: sc16is7xx: fix bug in flow control levels init (git-fixes). - usb: gadget: midi2: Fix MIDI2 IN EP max packet size (git-fixes). - usb: gadget: midi2: Fix missing UMP group attributes initialization (git-fixes). - usb: typec: tcpm: properly deliver cable vdms to altmode drivers (git-fixes). - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels (git-fixes). - xhci: fix memory leak regression when freeing xhci vdev devices depth first (git-fixes). - xhci: dbc: Fix full DbC transfer ring after several reconnects (git-fixes). - xhci: dbc: decouple endpoint allocation from initialization (git-fixes). - commit 8847945 ------------------------------------------------------------------ ------------------ 2025-9-14 - Sep 14 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - regulator: sy7636a: fix lifecycle of power good gpio (git-fixes). - commit 3cf2f7b ------------------------------------------------------------------ ------------------ 2025-9-13 - Sep 13 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - struct cdc_ncm_ctx: move new member to end (git-fixes). - commit 0696383 - drm/xe: Attempt to bring bos back to VRAM after eviction (git-fixes). - drm/panthor: validate group queue count (git-fixes). - drm/mediatek: fix potential OF node use-after-free (git-fixes). - drm/amd/display: use udelay rather than fsleep (git-fixes). - drm/amdgpu: fix a memory leak in fence cleanup when unloading (git-fixes). - drm/i915/power: fix size for for_each_set_bit() in abox iteration (git-fixes). - commit 28aeb21 - net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions (git-fixes). - commit d37f2a9 - net: usb: cdc-ncm: check for filtering capability (git-fixes). 
- commit 024c467 ------------------------------------------------------------------ ------------------ 2025-9-12 - Sep 12 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - Update config files: Disable UBLK (PED-13686) - commit 32a5a8b - Refresh patches.suse/sched-Don-t-define-sched_clock_irqtime-as-static-key.patch. - commit ccab819 - iommu/vt-d: Restore context entry setup order for aliased devices (CVE-2025-38216 bsc#1245963). - commit 9397573 - pidfs: Fix memory leak in pidfd_info() (jsc#PED-13113). - pidfs: raise SB_I_NODEV and SB_I_NOEXEC (bsc#1249562). - commit 7f76e12 - cgroup/cpuset: Fix a partition error with CPU hotplug (bsc#1241166). - cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (bsc#1241166). - commit 403a981 - sched/deadline: Don't count nr_running for dl_server proxy tasks (git-fixes, bsc#1247936). - sched/deadline: Fix RT task potential starvation when expiry time passed (git-fixes, bsc#1247936). - sched/deadline: Always stop dl-server before changing parameters (bsc#1247936). - sched/deadline: Fix dl_server_stopped() (bsc#1247936). - commit ef2b61d - Limit patch filenames to 100 characters (bsc#1249604). - commit 6aa47a1 - cpufreq: Initialize cpufreq-based frequency-invariance later (git-fixes). - commit 4cd57b7 - s390/cpum_cf: Deny all sampling events by counter PMU (git-fixes bsc#1249477). - s390/pai: Deny all events not handled by this PMU (git-fixes bsc#1249478). - commit 9debf1a - mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing (git-fixes). - mtd: rawnand: stm32_fmc2: fix ECC overwrite (git-fixes). - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer (git-fixes). - can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB (git-fixes). - can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails (git-fixes). 
- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed (git-fixes). - can: j1939: implement NETDEV_UNREGISTER notification handler (git-fixes). - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume (git-fixes). - cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor (git-fixes). - commit f4059fc ------------------------------------------------------------------ ------------------ 2025-9-11 - Sep 11 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Bump version: 10.2.32 → 10.2.33 ++++ kernel-default: - s390/mm: Fix in_atomic() handling in do_secure_storage_access() (git-fixes CVE-2025-38359 bsc#1247076). - commit ad2ef8d - cpufreq: intel_pstate: Add Granite Rapids support in no-HWP mode (stable-fixes). - commit 688ba83 - cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode (git-fixes). - commit 93b10c9 - cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs (stable-fixes). - commit 8228e62 - pptp: ensure minimal skb length in pptp_xmit() (CVE-2025-38574 bsc#1248365). - commit 5a47a7a - cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode (git-fixes). - commit 8c79560 - io_uring: expose read/write attribute capability (jsc#PED-12882 bsc#1237542). - io_uring/rw: don't mask in f_iocb_flags (jsc#PED-12882 bsc#1237542). Drop blacklisting. - commit c90a02f ++++ virt-manager: - Fix issues with detection of openSUSE Leap 16. 
virtinst-add-sle16-detection-support.patch ------------------------------------------------------------------ ------------------ 2025-9-10 - Sep 10 2025 ------------------- ------------------------------------------------------------------ ++++ curl: - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] * Add curl-tool_operate-fix-return-code-when-retry-is-used.patch ++++ python-kiwi: - Run grub mkconfig with os-prober disabled Set GRUB_DISABLE_OS_PROBER=true to the caller environment such that it gets consumed via /etc/grub.d/30_os-prober This Fixes #2883 - Fixed typo in documentation Invalid XML syntax, missing end tag. This Fixes #2882 ++++ kernel-default: - smb: client: fix use-after-free in cifs_oplock_break (bsc#1248199, CVE-2025-38527). - commit a3059e7 - Drop PCI patches that broke kdump capture boot (bsc#1246509) Deleted: patches.suse/PCI-Explicitly-put-devices-into-D0-when-initializing.patch patches.suse/PCI-PM-Set-up-runtime-PM-even-for-devices-without-PC.patch Refreshed: patches.suse/PCI-Support-Immediate-Readiness-on-devices-without-PM.patch - commit b491bf9 - platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list (stable-fixes). - drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG (stable-fixes). - drm/amdgpu: drop hw access in non-DC audio fini (stable-fixes). - ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model (stable-fixes). - ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY (stable-fixes). - ALSA: usb-audio: Add mute TLV for playback volumes on some devices (stable-fixes). - mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up (stable-fixes). - cpupower: Fix a bug where the -t option of the set subcommand was not working (stable-fixes). - cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN (stable-fixes). - Bluetooth: hci_sync: Avoid adding default advertising on startup (stable-fixes). 
- net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition (stable-fixes). - dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() (git-fixes). - net: usb: qmi_wwan: fix Telit Cinterion FE990A name (stable-fixes). - net: usb: qmi_wwan: fix Telit Cinterion FN990A name (stable-fixes). - mmc: sdhci-of-arasan: Support for emmc hardware reset (stable-fixes). - commit 67865ae ++++ osinfo-db: - Fix the definition of Leap 16.0 to match the current names of the Leap 16.0 ISOs and the Volume IDs contained within those ISOs. (bsc#1236401) add-opensuse-leap-16.0-support.patch ------------------------------------------------------------------ ------------------ 2025-9-9 - Sep 9 2025 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fixes: * [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path * [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask * Add patches: - curl-CVE-2025-9086.patch - curl-CVE-2025-10148.patch ++++ kernel-default: - cpufreq: cppc: Fix invalid return value in .get() callback (git-fixes). - commit 0113318 - cpufreq: Reference count policy in cpufreq_update_limits() (git-fixes). - commit fc0d863 - cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() (git-fixes). - commit 5082177 - cpufreq: scpi: compare kHz instead of Hz (git-fixes). - commit f23b3de - kernel-subpackage-build: Decompress ghost file when compressed version exists (bsc#1249346) - commit 40606b5 - PCI: pnv_php: Fix surprise plug detection and recovery (CVE-2025-38623 bsc#1248610). - commit a87ddcb - selftests/bpf: Add test cases with CONST_PTR_TO_MAP null checks (git-fixes). - selftests/bpf: Add cmp_map_pointer_with_const test (git-fixes). - bpf: Make reg_not_null() true for CONST_PTR_TO_MAP (git-fixes). - commit 07f73b3 - supported.conf: mark hyperv_drm as external - net: hv_netvsc: fix loss of early receive events from host during channel open (git-fixes). 
- hv_netvsc: Fix panic during namespace deletion with VF (bsc#1248111). - RDMA/mana_ib: add support of multiple ports (git-fixes). - RDMA/mana_ib: add additional port counters (git-fixes). - net: mana: fix spelling for mana_gd_deregiser_irq() (git-fixes). - commit 27fd758 - drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port (CVE-2025-38597 bsc#1248378). - commit 3361c8b - bpf: Disable migration in nf_hook_run_bpf() (bsc#1248622 CVE-2025-38640). - commit ea00555 - btrfs: codify pattern for adding block_group to bg_list (git-fixes). - commit 28d12b0 ++++ liburing: - Add upstream patch to fix test on ppc64le * 0001-test-recvsend_bundle-enlarge-recv-buf-ring-to-2-MiB-.patch ------------------------------------------------------------------ ------------------ 2025-9-8 - Sep 8 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - isolcpus: add missing hunk back (bsc#1236897 bsc#1249206). Update patches.suse/blk-mq-use-hk-cpus-only-when-isolcpus-managed_irq-is-enabled.patch (bsc#1236897 bsc#1249206). - commit 9d2b796 - btrfs: fix printing of mount info messages for NODATACOW/NODATASUM (git-fixes). - commit ba5bcd7 - btrfs: restore mount option info messages during mount (git-fixes). - commit 802999a - btrfs: fix incorrect log message for nobarrier mount option (git-fixes). - commit e3e34d3 - btrfs: avoid load/store tearing races when checking if an inode was logged (git-fixes). - commit 05dbe91 - btrfs: fix race between setting last_dir_index_offset and inode logging (git-fixes). - commit 87677ec - btrfs: fix race between logging inode and checking if it was logged before (git-fixes). - commit dd428a8 - btrfs: always abort transaction on failure to add block group to free space tree (git-fixes). - btrfs: move transaction aborts to the error site in add_block_group_free_space() (git-fixes). 
- commit 66017bd - netfilter: xt_nfacct: don't assume acct name is null-terminated (CVE-2025-38639 bsc#1248674) - commit 6246696 - btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() (git-fixes). - commit 7a86e25 - btrfs: qgroup: remove no longer used fs_info->qgroup_ulist (git-fixes). - btrfs: qgroup: fix race between quota disable and quota rescan ioctl (git-fixes). - commit cbd92f9 - x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() (git-fixes). - commit 1ff0ea2 - mm: introduce and use {pgd,p4d}_populate_kernel() (git-fixes). - commit 98f7021 - mm: move page table sync declarations to linux/pgtable.h (git-fixes). - commit 57bad67 - mm/damon/core: prevent unnecessary overflow in damos_set_effective_quota() (git-fixes). - commit 760f69c - mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE (git-fixes). - commit a1213be - mm/damon/ops-common: ignore migration request to invalid nodes (git-fixes). - commit 0aae268 - mm: swap: fix potential buffer overflow in setup_clusters() (git-fixes). - commit ba72e08 - PCI: pnv_php: Fix surprise plug detection and recovery (CVE-2025-38623 bsc#1248610). - commit 72424b3 - kABI workaround for bluetooth discovery_state change (CVE-2025-38593 bsc#1248357). - commit 12620c5 - Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' (CVE-2025-38593 bsc#1248357). - Refresh patches.kabi/bluetooth-hci_dev-kabi-workaround.patch. 
- commit 1bb3148 - Fix OOB access in "drm/amdgpu: read back register after written for VCN v4.0.5" (bsc#1249251) - commit 3545bbd ++++ tiff: - security update: * CVE-2025-8961 [bsc#1248117] Fix segmentation fault via main function of tiffcrop utility + tiff-CVE-2025-8961.patch ++++ nvidia-open-driver-G06-signed: - let conflict CUDA and non-CUDA -devel packages; this is needed if both have the same version ------------------------------------------------------------------ ------------------ 2025-9-7 - Sep 7 2025 ------------------- ------------------------------------------------------------------ ++++ nvidia-open-driver-G06-signed: - update non-CUDA variant to 580.82.07 (boo#1249235) ------------------------------------------------------------------ ------------------ 2025-9-6 - Sep 6 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - spi: spi-fsl-lpspi: Clear status register after disabling the module (git-fixes). - spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort (git-fixes). - spi: spi-fsl-lpspi: Set correct chip-select polarity bit (git-fixes). - spi: spi-fsl-lpspi: Fix transmissions when using CONT (git-fixes). - ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() (git-fixes). - hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM (git-fixes). - platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID (git-fixes). - platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk (git-fixes). - drm/amd/amdgpu: Fix missing error return on kzalloc failure (git-fixes). - drm/bridge: ti-sn65dsi86: fix REFCLK setting (git-fixes). - accel/ivpu: Prevent recovery work from being queued during device removal (git-fixes). - nouveau: fix disabling the nonstall irq due to storm code (git-fixes). 
- commit 10f191d ++++ nvidia-open-driver-G06-signed: - update CUDA variant to 580.82.07 ------------------------------------------------------------------ ------------------ 2025-9-5 - Sep 5 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC (git-fixes). - commit 672e366 - net: drop UFO packets in udp_rcv_segment() (CVE-2025-38622 bsc#1248619). - commit 48c98b8 - smb: client: fix use-after-free in crypt_message when using async crypto (bsc#1247239, CVE-2025-38488). - commit 09784fa - wifi: mt76: mt7925: fix the wrong bss cleanup for SAP (git-fixes). - commit aed2258 - ax25: properly unshare skbs in ax25_kiss_rcv() (git-fixes). - wifi: ath11k: fix group data packet drops during rekey (git-fixes). - wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (git-fixes). - wifi: libertas: cap SSID len in lbs_associate() (git-fixes). - wifi: cw1200: cap SSID length in cw1200_do_join() (git-fixes). - batman-adv: fix OOB read/write in network-coding decode (git-fixes). - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() (git-fixes). - Bluetooth: vhci: Prevent use-after-free by removing debugfs files early (git-fixes). - microchip: lan865x: Fix LAN8651 autoloading (git-fixes). - microchip: lan865x: Fix module autoloading (git-fixes). - mISDN: Fix memory leak in dsp_hwec_enable() (git-fixes). - xirc2ps_cs: fix register access when enabling FullDuplex (git-fixes). - wifi: iwlwifi: uefi: check DSM item validity (git-fixes). - wifi: mt76: fix linked list corruption (git-fixes). - wifi: mt76: free pending offchannel tx frames on wcid cleanup (git-fixes). - wifi: mt76: prevent non-offchannel mgmt tx during scan/roc (git-fixes). - wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete (git-fixes). - wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() (git-fixes). 
- wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() (git-fixes). - wifi: mwifiex: Initialize the chan_stats array to zero (git-fixes). - wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work (git-fixes). - wifi: cfg80211: fix use-after-free in cmp_bss() (git-fixes). - HID: quirks: add support for Legion Go dual dinput modes (stable-fixes). - HID: logitech: Add ids for G PRO 2 LIGHTSPEED (stable-fixes). - HID: input: report battery status changes immediately (git-fixes). - HID: input: rename hidinput_set_battery_charge_status() (stable-fixes). - HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() (stable-fixes). - HID: wacom: Add a new Art Pen 2 (stable-fixes). - drm/amd/amdgpu: disable hwmon power1_cap* for gfx 11.0.3 on vf mode (stable-fixes). - Revert "drm/amdgpu: fix incorrect vm flags to map bo" (stable-fixes). - net: rose: fix a typo in rose_clear_routes() (git-fixes). - net: rose: include node references in rose_neigh refcount (git-fixes). - net: rose: convert 'use' field to refcount_t (git-fixes). - net: rose: split remove and free operations in rose_remove_neigh() (stable-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted (stable-fixes). - ASoC: codecs: tx-macro: correct tx_macro_component_drv name (stable-fixes). - PCI: dwc: Ensure that dw_pcie_wait_for_link() waits 100 ms after link up (stable-fixes). - thermal/drivers/mediatek/lvts_thermal: Add mt7988 lvts commands (stable-fixes). - thermal/drivers/mediatek/lvts_thermal: Add lvts commands and their sizes to driver data (stable-fixes). - thermal/drivers/mediatek/lvts_thermal: Change lvts commands array to static const (stable-fixes). - ACPI: EC: Add device to acpi_ec_no_wakeup[] qurik list (stable-fixes). - commit 605bae8 - Refresh patches.suse/selftests-bpf-Range-analysis-test-case-for-JSET.patch. 
Fix BPF selftest failure in the "verifier_bounds/dead branch on jset, does not result in invariants violation error" case. - commit 906c64e ------------------------------------------------------------------ ------------------ 2025-9-4 - Sep 4 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() (CVE-2025-38643 bsc#1248681) - commit 34311cc - mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices (CVE-2025-38019 bsc#1245000) - commit a85ff92 - Refresh patches.suse/Revert-mm-page_alloc.c-don-t-show-protection-in-zone.patch. Update patch metadata and move to sorted section. - commit 625f5ae - [ceph] parse_longname(): strrchr() expects NUL-terminated string (bsc#1248634 CVE-2025-38660). - commit ab3a29c - kABI: netfilter: supress warnings for nft_set_ops (git-fixes). - commit 27ce688 - tracepoint: Print the function symbol when tracepoint_debug is set (jsc#PED-13631). - commit a74d4fb - s390/ap: Unmask SLCF bit in card and queue ap functions sysfs (git-fixes bsc#1247837). - commit 288d9b8 - igc: fix disabling L1.2 PCI-E link substate on I226 on init (git-fixes). - commit 8d32f7d ++++ runc: - Update to runc v1.3.1. Upstream changelog is available from - Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11. ------------------------------------------------------------------ ------------------ 2025-9-3 - Sep 3 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - scsi: ufs: core: Set default runtime/system PM levels before ufshcd_hba_init() (git-fixes). - commit 6c09a41 - net/mlx5e: Set local Xoff after FW update (git-fixes). - net/mlx5e: Update and set Xon/Xoff upon port speed set (git-fixes). - net/mlx5e: Update and set Xon/Xoff upon MTU set (git-fixes). - net/mlx5: Prevent flow steering mode changes in switchdev mode (git-fixes). 
- net/mlx5: Nack sync reset when SFs are present (git-fixes). - net/mlx5: Fix lockdep assertion on sync reset unload event (git-fixes). - net/mlx5: Reload auxiliary drivers on fw_activate (git-fixes). - net/mlx5: HWS, Fix pattern destruction in mlx5hws_pat_get_pattern error path (git-fixes). - net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow (git-fixes). - ice: fix incorrect counter for buffer allocation failures (git-fixes). - ice: use fixed adapter index for E825C embedded devices (git-fixes). - ice: don't leave device non-functional if Tx scheduler config fails (git-fixes). - bnxt_en: Fix stats context reservation logic (git-fixes). - bnxt_en: Adjust TX rings if reservation is less than requested (git-fixes). - bnxt_en: Fix memory corruption when FW resources change during ifdown (git-fixes). - net/mlx5e: Preserve shared buffer capacity during headroom updates (git-fixes). - net/mlx5: Base ECVF devlink port attrs from 0 (git-fixes). - Octeontx2-af: Skip overlap check for SPI field (git-fixes). - ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc (git-fixes). - net/mlx5: CT: Use the correct counter offset (git-fixes). - net/mlx5: HWS, fix bad parameter in CQ creation (git-fixes). - gve: prevent ethtool ops after shutdown (git-fixes). - net: page_pool: allow enabling recycling late, fix false positive warning (git-fixes). - benet: fix BUG when creating VFs (git-fixes). - net/mlx5: Correctly set gso_segs when LRO is used (git-fixes). - vdpa: Fix IDR memory leak in VDUSE module exit (git-fixes). - vdpa/mlx5: Fix release of uninitialized resources on error path (CVE-2025-38628 bsc#1248616). - vdpa/mlx5: Fix needs_teardown flag calculation (git-fixes). - RDMA/mana_ib: Fix DSCP value in modify QP (git-fixes). - igb: xsk: solve negative overflow of nb_pkts in zerocopy mode (git-fixes). - neighbour: Fix null-ptr-deref in neigh_flush_dev() (git-fixes). - net/mlx5e: Remove skb secpath if xfrm state is not found (git-fixes). 
- net/mlx5e: Clear Read-Only port buffer size in PBMC before update (git-fixes). - net/mlx5: Check device memory pointer before usage (git-fixes). - e1000e: ignore uninitialized checksum word on tgp (git-fixes). - e1000e: disregard NVM checksum on tgp when valid checksum bit is not set (git-fixes). - i40e: When removing VF MAC filters, only check PF-set MAC (git-fixes). - i40e: report VF tx_dropped with tx_errors instead of tx_discards (git-fixes). - gve: Fix stuck TX queue for DQ queue format (git-fixes). - net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch (git-fixes). - net/mlx5: Fix memory leak in cmd_exec() (git-fixes). - ice: check correct pointer in fwlog debugfs (git-fixes). - net/mlx5: Correctly set gso_size when LRO is used (git-fixes). - bnxt_en: Flush FW trace before copying to the coredump (git-fixes). - bnxt_en: Fix DCB ETS validation (git-fixes). - net/mlx5e: Add new prio for promiscuous mode (git-fixes). - ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (git-fixes). - bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL (git-fixes). - igc: disable L1.2 PCI-E link substate to avoid performance issue (git-fixes). - bnxt_en: Update MRU and RSS table of RSS contexts on queue reset (git-fixes). - bnxt_en: Add a helper function to configure MRU and RSS (git-fixes). - ice/ptp: fix crosstimestamp reporting (git-fixes). - commit d4ae4ee - Drop ath12k patch that was reverted in the upstream (git-fixes) - commit 0ebe805 - netfilter: nf_reject: don't leak dst refcount for loopback packets (git-fixes). - commit c98a78c - netfilter: ctnetlink: remove refcounting in expectation dumpers (git-fixes). - commit 180b1da - netfilter: ctnetlink: fix refcount leak on table dump (git-fixes). - commit 144df33 - Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" (git-fixes). - Refresh patches.suse/wifi-mt76-mt7925-load-the-appropriate-CLC-data-based.patch. 
- commit 022c9d4 - wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event (git-fixes). - wifi: ath12k: fix wrong handling of CCMP256 and GCMP ciphers (git-fixes). - wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure (git-fixes). - wifi: ath12k: fix memory leak in ath12k_pci_remove() (stable-fixes). - commit d6dfa86 - netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps (git-fixes). - commit 30511a6 - netfilter: nf_tables: adjust lockdep assertions handling (git-fixes). - commit 4eac73e - netfilter: nf_tables: Drop dead code from fill_*_info routines (git-fixes). - commit 0985889 - netfilter: nf_nat: also check reverse tuple to obtain clashing entry (git-fixes). - commit e8b9b42 - netfilter: nft_tunnel: fix geneve_opt dump (git-fixes). - commit e8ff1b8 - usb: dwc3: qcom: Don't leave BCR asserted (git-fixes). - commit d02e75f - netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds (git-fixes). - commit 9973f5b - netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around (git-fixes). - commit 840672d - soundwire: amd: fix for handling slave alerts after link is down (git-fixes). - tools/power turbostat: Clustered Uncore MHz counters should honor show/hide options (stable-fixes). - commit 2b28a91 - netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template (git-fixes). - commit d759ad6 - selinux: change security_compute_sid to return the ssid or tsid on match (git-fixes). - selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len (stable-fixes). - commit 67b27c3 - xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO (git-fixes). - commit 384833b - r8169: disable RTL8126 ZRX-DC timeout (stable-fixes). - r8169: don't scan PHY addresses > 0 (stable-fixes). - r8169: add support for RTL8125D (stable-fixes). - commit 5a5406a - phy: mscc: Fix timestamping for vsc8584 (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). 
- phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - commit cef652d - mmc: sdhci_am654: Disable HS400 for AM62P SR1.0 and SR1.1 (git-fixes). - mfd: exynos-lpass: Fix another error handling path in exynos_lpass_probe() (git-fixes). - mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec() (git-fixes). - misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type (git-fixes). - misc: pci_endpoint_test: Give disabled BARs a distinct error code (stable-fixes). - commit 265f979 - media: uvcvideo: Rollback non processed entities on error (git-fixes). - commit 77fe556 - Revert "mac80211: Dynamically set CoDel parameters per station" (stable-fixes). - commit a3f9ef1 - iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() (git-fixes). - iio: adc: ad7173: fix setting ODR in probe (git-fixes). - commit c345d74 - kabi/severities: ignore kABI compatibility in iio inv_icm42600 drivers They are used only locally - commit 4b6ea02 - iio: imu: inv_icm42600: Convert to uXX and sXX integer types (stable-fixes). - Refresh patches.suse/iio-imu-inv_icm42600-change-invalid-data-error-to-EB.patch. - commit b49ad7a - iio: accel: fxls8962af: Fix temperature calculation (git-fixes). - iio: hid-sensor-prox: Fix incorrect OFFSET calculation (git-fixes). - iio: hid-sensor-prox: Restore lost scale assignments (git-fixes). - iio: imu: inv_icm42600: fix spi burst write not supported (git-fixes). - commit d725fa5 - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - commit 422bc10 - i2c: designware: Use temporary variable for struct device (stable-fixes). - Refresh patches.suse/i2c-designware-Fix-an-error-handling-path-in-i2c_dw_.patch. - commit 572df73 - HID: magicmouse: avoid setting up battery timer when not needed (git-fixes). - HID: apple: avoid setting up battery timer for devices without battery (git-fixes). 
- commit 60e95b8 - drm/i915/icl+/tc: Convert AUX powered WARN to a debug message (stable-fixes). - drm/i915/icl+/tc: Cache the max lane count value (stable-fixes). - drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x (git-fixes). - drm/xe: Move page fault init after topology init (git-fixes). - drm/nouveau/gsp: fix potential leak of memory used during acpi init (git-fixes). - drm/xe: Allow dropping kunit dependency as built-in (git-fixes). - commit e6e09dd - drm/amdgpu/discovery: fix fw based ip discovery (git-fixes). - drm/xe/bmg: Update Wa_22019338487 (git-fixes). - drm/amdgpu: VCN v5_0_1 to prevent FW checking RB during DPG pause (stable-fixes). - drm/amdgpu: add kicker fws loading for gfx11/smu13/psp13 (stable-fixes). - drm/amdgpu/mes: add missing locking in helper functions (stable-fixes). - commit 7e9890a - drm/simpledrm: Do not upcast in release helpers (git-fixes). - drm/cirrus-qemu: Fix pitch programming (git-fixes). - commit b624f85 - drm/xe/gsc: do not flush the GSC worker from the reset path (git-fixes). - drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF (git-fixes). - drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change (git-fixes). - drm/xe/bmg: Add one additional PCI ID (stable-fixes). - commit c2190df - netfilter: nf_tables: fix set size with rbtree backend (git-fixes). - commit 80c4ea7 - drm/amdgpu/discovery: optionally use fw based ip discovery (stable-fixes). - commit 4e56fa6 - drm/amd/display: Fix mismatch type comparison (stable-fixes). - drm/xe/bmg: Add new PCI IDs (stable-fixes). - commit 8b6d86b - net: hsr: fix fill_frame_info() regression vs VLAN packets (git-fixes). - commit 8901b13 - Refresh patches.suse/drm-amd-display-Request-HW-cursor-on-DCN3.2-with-Sub.patch The partial revert in the upstream 6.12.y is folded into the patch - commit 8be4958 - ipv6: reject malicious packets in ipv6_gso_segment() (CVE-2025-38572 bsc#1248399). - net: add debug check in skb_reset_transport_header() (CVE-2025-38572 bsc#1248399). 
- commit 1c3093c - drm/msm/dp: account for widebus and yuv420 during mode validation (git-fixes). - drm/xe: Carve out wopcm portion from the stolen memory (git-fixes). - commit 4792a43 - Drop a few Xe patches that have been reverted in 6.12.y stable The upstream already reverted a few patches due to regressions, and we also follow (and blacklist them). Deleted: patches.suse/drm-xe-devcoredump-Update-handling-of-xe_force_wake_.patch patches.suse/drm-xe-forcewake-Add-a-helper-xe_force_wake_ref_has_.patch patches.suse/drm-xe-gt-Update-handling-of-xe_force_wake_get-retur.patch patches.suse/drm-xe-tests-mocs-Hold-XE_FORCEWAKE_ALL-for-LNCF-reg.patch patches.suse/drm-xe-tests-mocs-Update-xe_force_wake_get-return-ha.patch Refreshed: patches.suse/drm-xe-Fix-GT-for-each-engine-workarounds.patch patches.suse/drm-xe-Move-the-coredump-registration-to-the-worker-.patch patches.suse/drm-xe-Take-PM-ref-in-delayed-snapshot-capture-worke.patch patches.suse/drm-xe-bmg-Update-Wa_16023588340.patch patches.suse/drm-xe-pf-Prepare-to-stop-SR-IOV-support-prior-GT-re.patch - commit 019c4d3 - kABI workaround for struct mtk_base_afe changes (git-fixes). - commit bfb1140 - ASoC: mediatek: use reserved memory or enable buffer pre-allocation (git-fixes). - commit 8fbb8b5 - ASoC: codecs: wcd9375: Fix double free of regulator supplies (git-fixes). - ASoC: codecs: wcd937x: Drop unused buck_supply (git-fixes). - commit 428fcda - mctp: no longer rely on net->dev_index_head (git-fixes). - Refresh patches.suse/net-mctp-Don-t-access-ifa_index-when-missing.patch. - commit b5bc0f2 - rpm: Configure KABI checkingness macro (bsc#1249186) The value of the config should match presence of KABI reference data. If it mismatches: - !CONFIG & reference -> this is bug, immediate fail - CONFIG & no reference -> OK temporarily, must be resolved eventually - commit 23c1536 - mptcp: fix spurious wake-up on under memory pressure (git-fixes). 
- commit c782ac7 - Kconfig.suse: Add KABI checkiness macro (config) (bsc#1249186) The motivation: there are patches.kabi/ patches that restore KABI and they check validity of the approach with static_assert()s to prevent accidental KABI breakage. These asserts are invoked on each arch-flavor and they may signal false negatives -- that is KABI restoration patch could break KABI but the given arch-flavor defines no KABI. The intended use is to disable the compile time checks in patches.kabi/ (but not to be confused with __GENKSYMS__ that affects how reference is calculated). The name is chosen so that it mimics HAVE_* macros that are not configured manually (but is selected by an arch). In our case it's (un)selected by build script depending on whether KABI reference is defined for given arch-flavor and whether check is really requested by the user. Default value is 'n' so that people building merely via Makefile (not RPM with KABI checking) obtain consistent config. - commit a317d04 - net: 802: LLC+SNAP OID:PID lookup on start of skb data (git-fixes). - commit c23ea46 - net: llc: reset skb->transport_header (git-fixes). - commit 487d90f - net: mctp: handle skb cleanup on sock_queue failures (git-fixes). - Refresh patches.suse/net-mctp-unshare-packets-when-reassembling.patch. - commit 5e65ce2 - ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems (git-fixes). - commit 3d1de0f - psample: adjust size if rate_as_probability is set (git-fixes). - commit 2508d32 - net: dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic (git-fixes). - commit b8cbb32 - net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll (git-fixes). - commit e07bfa8 - net: dsa: tag_ocelot_8021q: fix broken reception (git-fixes). - commit 680a61f - net: hsr: fix hsr_init_sk() vs network/transport headers (git-fixes). - commit 9b32d20 - btrfs: fix data overwriting bug during buffered write when block size < page size (git-fixes). 
- commit 2ef27b3 - btrfs: do not output error message if a qgroup has been already cleaned up (git-fixes). - commit 9ca239b - btrfs: subpage: fix the bitmap dump of the locked flags (git-fixes). - commit 7983818 - btrfs: handle unaligned EOF truncation correctly for subpage cases (bsc#1249038). - commit 56bc678 - btrfs: convert ASSERT(0) with handled errors to DEBUG_WARN() (bsc#1249038). - commit a1589a9 - btrfs: add debug build only WARN (bsc#1249038). - commit 97bc3a6 - btrfs: use verbose ASSERT() in volumes.c (bsc#1249038). - commit e2a342d - gfs2: No more self recovery (bsc#1248639 CVE-2025-38659). - commit f21f207 - btrfs: enhance ASSERT() to take optional format string (bsc#1249038). - commit 038fb2a - ALSA: usb-audio: Allow Focusrite devices to use low samplerates (git-fixes). - commit 8cb030f ------------------------------------------------------------------ ------------------ 2025-9-2 - Sep 2 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - References #2474 and #2475 poweroff instead of halt on oem shutdown ++++ kernel-default: - scsi: ufs: ufs-pci: Fix default runtime and system PM levels (git-fixes). - scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers (git-fixes). - scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume (git-fixes). - scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE (git-fixes). - scsi: ufs: core: Fix spelling of a sysfs attribute name (git-fixes). - scsi: ufs: core: Fix clk scaling to be conditional in reset and restore (git-fixes). - scsi: ufs: core: Don't perform UFS clkscaling during host async scan (git-fixes). - scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort() (git-fixes). - scsi: ufs: core: Remove redundant query_complete trace (git-fixes). - scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices (git-fixes). 
- scsi: ufs: exynos: gs101: Put UFS device in reset on .suspend() (git-fixes). - scsi: ufs: exynos: Move phy calls to .exit() callback (git-fixes). - scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO (git-fixes). - scsi: ufs: exynos: Ensure consistent phy reference counts (git-fixes). - scsi: ufs: exynos: Move UFS shareability value to drvdata (git-fixes). - scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init() (git-fixes). - scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get (git-fixes). - scsi: ufs: core: Fix ufshcd_is_ufs_dev_busy() and ufshcd_eh_timed_out() (git-fixes). - scsi: ufs: core: Fix error return with query response (git-fixes). - scsi: ufs: Fix toggling of clk_gating.state when clock gating is not allowed (git-fixes). - scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails (git-fixes). - scsi: ufs: qcom: Fix crypto key eviction (git-fixes). - scsi: ufs: core: Prepare to introduce a new clock_gating lock (git-fixes). - scsi: ufs: core: Introduce ufshcd_has_pending_tasks() (git-fixes). - scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers (git-fixes). - scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe (git-fixes). - scsi: ufs: core: Add missing post notify for power mode change (git-fixes). - scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove() (git-fixes). - scsi: ufs: pltfrm: Disable runtime PM during removal of glue drivers (git-fixes). - scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG (git-fixes). - scsi: ufs: exynos: Fix hibern8 notify callbacks (git-fixes). - scsi: ufs: exynos: Add gs101_ufs_drv_init() hook and enable WriteBooster (git-fixes). - scsi: ufs: exynos: Add check inside exynos_ufs_config_smu() (git-fixes). - scsi: ufs: exynos: Remove superfluous function parameter (git-fixes). - scsi: ufs: exynos: Remove empty drv_init method (git-fixes). 
- scsi: ufs: core: Improve ufshcd_mcq_sq_cleanup() (git-fixes). - scsi: ufs: core: Always initialize the UIC done completion (git-fixes). - commit 80e8ae3 - atm: atmtcp: Free invalid length skb in atmtcp_c_send() (CVE-2025-38185 bsc#1246012) - commit 481542d - s390/mm: Do not map lowcore with identity mapping (git-fixes bsc#1249066). - commit 8621600 - s390/sclp: Fix SCCB present check (git-fixes bsc#1249065). - commit a696cb0 - s390/time: Use monotonic clock in get_cycles() (git-fixes bsc#1249064). - commit d681db3 - s390/stp: Remove udelay from stp_sync_clock() (git-fixes bsc#1249062). - commit 599898d - s390/early: Copy last breaking event address to pt_regs (git-fixes bsc#1249061). - commit 75fe912 - Update config files: revive pwc driver for Leap (bsc#1249060) - commit 3eb97c1 - ext4: remove writable userspace mappings before truncating page cache (bsc#1247223). - commit f42a012 - mm: fix the inaccurate memory statistics issue for users (bsc#1244723). - commit cfde4ca - Refresh patches.suse/cpuidle-menu-Bias-selection-of-a-shallower-c-state-when-CPU-idles-for-IO.patch (bsc#1247935). - commit 1c15b68 - nvmet: exit debugfs after discovery subsystem exits (git-fixes). - commit 12678fa - nvmet: initialize discovery subsys after debugfs is initialized (git-fixes). - nvme-pci: try function level reset on init failure (git-fixes). - nvme-tcp: log TLS handshake failures at error level (git-fixes). - commit b6c5818 - ipv6: prevent infinite loop in rt6_nlmsg_size() (CVE-2025-38588 bsc#1248368). - commit 5b48674 - ice: Fix a null pointer dereference in ice_copy_and_init_pkg() (CVE-2025-38664 bsc#1248628). 
- commit c056165 ------------------------------------------------------------------ ------------------ 2025-9-1 - Sep 1 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Fix rawhide integration test The package shim-ia32 got dropped - Add test for profiled overlays kiwi supports overlay files per profile, but we didn't have a proper integration test for it. This commit adds one - Mount proc when needed Using cp -a might lookup in proc/self/.. under certain conditions. Make sure to mount proc for config/function that might trigger this condition. This Fixes #2876 - Update test-image-custom-partitions test build Fix patch files to match with new dracut module dirs - Update dracut version compat runtime check Update check_dracut_module_versions_compatible_to_kiwi to match with new dracut module dirs which have changed due to recommended dracut module ordering for out-of-tree modules. - Fix dracut Makefile install target module dir names have changed due to recommended dracut module ordering for out-of-tree modules. - Update pacman spec to dracut changed module dirs Follow up change for the fix of the recommended dracut module ordering for out-of-tree modules. - Update spec file due to dracut changed module dirs Follow up change for the fix of the recommended dracut module ordering for out-of-tree modules. 
++++ kernel-default: - ring-buffer: Do not trigger WARN_ON() due to a commit_overrun (CVE-2025-38267 bsc#1246245) - commit 5cf9510 - net: drv: netdevsim: don't napi_complete() from netpoll (CVE-2025-38270 bsc#1246252) - commit 42d34e9 - HID: core: Harden s32ton() against conversion to 0 bits (CVE-2025-38556 bsc#1248296) - commit 69d7c6e - rxrpc: Fix bug due to prealloc collision (CVE-2025-38544 bsc#1248225) - commit c9a2e2d - net: libwx: fix the using of Rx buffer DMA (CVE-2025-38533 bsc#1248200) - commit 492149c - ice: add NULL check in eswitch lag check (CVE-2025-38526 bsc#1248192) - commit b5741b4 - rxrpc: Fix oops due to non-existence of prealloc backlog struct (CVE-2025-38514 bsc#1248202) - commit b9aa197 - idpf: return 0 size for RSS key if not supported (CVE-2025-38402 bsc#1247262) - commit 684be88 - remoteproc: core: Release rproc->clean_table after rproc_attach() fails (CVE-2025-38418 bsc#1247137) - commit fcf59c8 - remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() (CVE-2025-38419 bsc#1247136) - commit 081aa19 - genirq/irq_sim: Initialize work context pointers properly (CVE-2025-38408 bsc#1247126) - commit e434c9f - ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() (CVE-2025-38456 bsc#1247099) - commit 411d2f8 - perf: arm-ni: Fix missing platform_set_drvdata() (CVE-2025-38318 bsc#1246444) - commit a77d803 - nvmem: zynqmp_nvmem: unbreak driver after cleanup (CVE-2025-38301 bsc#1246351) - commit cd1ecf3 - perf: arm-ni: Unregister PMUs on probe failure (CVE-2025-38168 bsc#1245763) - commit b4e90d7 - bcache: fix NULL pointer in cache_set_flush() (CVE-2025-38263 bsc#1246248) - commit 3f952c1 - Update reference in patches.suse/lib-group_cpus-fix-NULL-pointer-dereference-from-gro.patch (CVE-2025-38255 bsc#1246190 bsc#1236897) - commit a85a300 - xfs: do not propagate ENODATA disk errors into xattr code (git-fixes). 
- commit 15bf037 - sunrpc: fix handling of server side tls alerts (bsc#1248374 CVE-2025-38566). - commit c831a16 - sunrpc: fix client side handling of tls alerts (bsc#1248401 CVE-2025-38571). - commit a14a1e5 - tracing/osnoise: Fix crash in timerlat_dump_stack() (CVE-2025-38493 bsc#1247283). - commit 5cbec5a - wifi: mac80211: reject TDLS operations when station is not associated (CVE-2025-38644 bsc#1248748). - commit f32351b - x86/bugs: Clean up SRSO microcode handling (git-fixes). - commit b9aaf6a - x86/bugs: Use IBPB for retbleed if used by SRSO (git-fixes). - commit 0f67ae1 - x86/bugs: Add SRSO_MITIGATION_NOSMT (git-fixes). - commit 1d54073 - EDAC/{i10nm,skx,skx_common}: Support UV systems (bsc#1234693). - Refresh patches.suse/EDAC-skx_common-i10nm-Fix-some-missing-error-reports.patch. - commit fd6b8c8 - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - commit 3da3d78 - kABI fix after KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap (git-fixes). - commit f1ae006 - KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap (git-fixes). - commit 59df1fc - s390/pci: Allow automatic recovery with minimal driver support (bsc#1248728 git-fixes). - commit de86836 - s390/hypfs: Enable limited access during lockdown (bsc#1248727 git-fixes). - s390/hypfs: Avoid unnecessary ioctl registration in debugfs (bsc#1248727 git-fixes). - commit 6f1ae11 - kABI fix after KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes). - commit f94bea5 - KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes). - commit d93b5c1 - KVM: x86/mmu: Locally cache whether a PFN is host MMIO when making a SPTE (git-fixes). - commit b70d87b - RAS/AMD/FMPM: Get masked address (bsc#1242034). - commit e9e5ffb - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - commit 9ccbbc5 - vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() (git-fixes). 
- commit 61f61a5 - vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page (git-fixes). - commit b1b2e0f - ixgbe: fix ixgbe_orom_civd_info struct layout (bsc#1245410). - commit 16234f6 - vhost: fail early when __vhost_add_used() fails (git-fixes). - commit 49782c5 - vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511 CVE-2025-38618). - commit e04e292 - compiler: remove __ADDRESSABLE_ASM{_STR,}() again (git-fixes). - commit 470eca8 - xen/netfront: Fix TX response spurious interrupts (git-fixes). - commit 1a84d61 - PCI: Extend isolated function probing to LoongArch (git-fixes). - commit 0d2add0 - vhost: Fix ioctl # for VHOST_[GS]ET_FORK_FROM_OWNER (git-fixes). - commit 6ddd657 - gfs2: skip if we cannot defer delete (bsc#1247220). - gfs2: minor evict fix (bsc#1247220). - commit 24ae034 - gfs2: Prevent inode creation race (2) (bsc#1247220). - gfs2: Replace GIF_DEFER_DELETE with GLF_DEFER_DELETE (bsc#1247220). - gfs2: Prevent inode creation race (bsc#1247220). - gfs2: Only defer deletes when we have an iopen glock (bsc#1247220). - gfs2: Simplify DLM_LKF_QUECVT use (bsc#1247220). - gfs2: gfs2_evict_inode clarification (bsc#1247220). - gfs2: Randomize GLF_VERIFY_DELETE work delay (bsc#1247220). - gfs2: Use mod_delayed_work in gfs2_queue_try_to_evict (bsc#1247220). - gfs2: Update to the evict / remote delete documentation (bsc#1247220). - gfs2: Call gfs2_queue_verify_delete from gfs2_evict_inode (bsc#1247220). - gfs2: Clean up delete work processing (bsc#1247220). - gfs2: Minor delete_work_func cleanup (bsc#1247220). - gfs2: Return enum evict_behavior from gfs2_upgrade_iopen_glock (bsc#1247220). - gfs2: Rename dinode_demise to evict_behavior (bsc#1247220). - gfs2: Rename GIF_{DEFERRED -> DEFER}_DELETE (bsc#1247220). - gfs2: Faster gfs2_upgrade_iopen_glock wakeups (bsc#1247220). - gfs2: Initialize gl_no_formal_ino earlier (bsc#1247220). 
- commit b3f7b8c ------------------------------------------------------------------ ------------------ 2025-8-31 - Aug 31 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Follow the recommended dracut module ordering for out-of-tree modules In dracut release v108 or later the recommended ordering for out of tree modules is 50-59 range. The following is a section from dracut documentation: > Not using the 50-59 range for out of tree dracut modules will likely > lead to unintended errors in the initramfs generation process as your > dracut module will either run too early or too late in the generation process. > You have been warned. ++++ kernel-default: - Update patches.suse/ASoC-mediatek-mt8365-dai-i2s-pass-correct-size-to-mt.patch (git-fixes CVE-2025-38662 bsc#1248635). - Update patches.suse/HID-apple-validate-feature-report-field-count-to-pre.patch (git-fixes CVE-2025-38557 bsc#1248304). - Update patches.suse/KVM-Allow-CPU-to-reschedule-while-setting-per-page-m.patch (git-fixes CVE-2025-38506 bsc#1248186). - Update patches.suse/PCI-pnv_php-Clean-up-allocated-IRQs-on-unplug.patch (bsc#1215199 CVE-2025-38624 bsc#1248617). - Update patches.suse/PM-devfreq-Check-governor-before-using-governor-name.patch (git-fixes CVE-2025-38609 bsc#1248337). - Update patches.suse/RDMA-hns-Fix-double-destruction-of-rsv_qp.patch (git-fixes CVE-2025-38582 bsc#1248349). - Update patches.suse/arm64-entry-Mask-DAIF-in-cpu_switch_to-call_on_irq_stack.patch (git-fixes CVE-2025-38670 bsc#1248655). - Update patches.suse/bpf-Reject-narrower-access-to-pointer-ctx-fields.patch (git-fixes CVE-2025-38591 bsc#1248363). - Update patches.suse/bpf-Reject-p-format-string-in-bprintf-like-helpers.patch (git-fixes CVE-2025-38528 bsc#1248198). - Update patches.suse/bpf-arm64-Fix-fp-initialization-for-exception-boundary.patch (git-fixes CVE-2025-38586 bsc#1248359). 
- Update patches.suse/btrfs-fix-assertion-when-building-free-space-tree.patch (git-fixes CVE-2025-38503 bsc#1248183). - Update patches.suse/can-netlink-can_changelink-fix-NULL-pointer-deref-of.patch (git-fixes CVE-2025-38665 bsc#1248648). - Update patches.suse/clk-davinci-Add-NULL-check-in-davinci_lpsc_clk_regis.patch (git-fixes CVE-2025-38635 bsc#1248573). - Update patches.suse/clk-imx95-blk-ctl-Fix-synchronous-abort.patch (git-fixes CVE-2025-38631 bsc#1248662). - Update patches.suse/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch (git-fixes CVE-2025-38583 bsc#1248350). - Update patches.suse/crypto-ccp-Fix-crash-when-rebind-ccp-device-for-ccp..patch (git-fixes CVE-2025-38581 bsc#1248345). - Update patches.suse/fbdev-imxfb-Check-fb_add_videomode-to-prevent-null-p.patch (git-fixes CVE-2025-38630 bsc#1248575). - Update patches.suse/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch (git-fixes CVE-2025-38671 bsc#1248652). - Update patches.suse/iio-common-st_sensors-Fix-use-of-uninitialize-device.patch (stable-fixes CVE-2025-38531 bsc#1248205). - Update patches.suse/ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch (git-fixes CVE-2025-38587 bsc#1248361). - Update patches.suse/ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch (git-fixes CVE-2025-38588 bsc#1248368). - Update patches.suse/ipv6-reject-malicious-packets-in-ipv6_gso_segment.patch (git-fixes CVE-2025-38572 bsc#1248399). - Update patches.suse/iwlwifi-Add-missing-check-for-alloc_ordered_workqueu.patch (git-fixes CVE-2025-38602 bsc#1248341). - Update patches.suse/md-make-rdev_addable-usable-for-rcu-mode.patch (git-fixes CVE-2025-38621 bsc#1248609). - Update patches.suse/media-ti-j721e-csi2rx-fix-list_del-corruption.patch (git-fixes CVE-2025-38619 bsc#1248664). - Update patches.suse/net-packet-fix-a-race-in-packet_set_ring-and-packet_.patch (git-fixes CVE-2025-38617 bsc#1248621). 
- Update patches.suse/net-sched-Restrict-conditions-for-adding-duplicating.patch (git-fixes CVE-2025-38553 bsc#1248255). - Update patches.suse/net-sched-mqprio-fix-stack-out-of-bounds-write-in-tc.patch (git-fixes CVE-2025-38568 bsc#1248386). - Update patches.suse/nvmet-pci-epf-Do-not-complete-commands-twice-if-nvme.patch (git-fixes CVE-2025-38658 bsc#1248627). - Update patches.suse/perf-core-Exit-early-on-perf_mmap-fail.patch (CVE-2025-38563 bsc#1248306 dependency CVE-2025-38565 bsc#1248377). - Update patches.suse/perf-core-Handle-buffer-mapping-fail-correctly-in-perf_mma.patch (CVE-2025-38563 bsc#1248306 dependency CVE-2025-38564 bsc#1248367). - Update patches.suse/pinmux-fix-race-causing-mux_owner-NULL-with-active-m.patch (git-fixes CVE-2025-38632 bsc#1248669). - Update patches.suse/power-supply-cpcap-charger-Fix-null-check-for-power_.patch (git-fixes CVE-2025-38634 bsc#1248666). - Update patches.suse/powercap-dtpm_cpu-Fix-NULL-pointer-dereference-in-ge.patch (git-fixes CVE-2025-38610 bsc#1248395). - Update patches.suse/powerpc-eeh-Make-EEH-driver-device-hotplug-safe.patch (bsc#1215199 CVE-2025-38576 bsc#1248354). - Update patches.suse/regulator-core-fix-NULL-dereference-on-unbind-due-to.patch (stable-fixes CVE-2025-38668 bsc#1248647). - Update patches.suse/spi-cs42l43-Property-entry-should-be-a-null-terminat.patch (bsc#1246979 CVE-2025-38573 bsc#1248396). - Update patches.suse/spi-stm32-Check-for-cfg-availability-in-stm32_spi_pr.patch (git-fixes CVE-2025-38648 bsc#1248624). - Update patches.suse/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch (git-fixes CVE-2025-38612 bsc#1248390). - Update patches.suse/staging-media-atomisp-Fix-stack-buffer-overflow-in-g.patch (git-fixes CVE-2025-38585 bsc#1248355). - Update patches.suse/sunrpc-fix-client-side-handling-of-tls-alerts.patch (git-fixes CVE-2025-38571 bsc#1248401). - Update patches.suse/sunrpc-fix-handling-of-server-side-tls-alerts.patch (git-fixes CVE-2025-38566 bsc#1248374). 
- Update patches.suse/usb-gadget-fix-use-after-free-in-composite_dev_clean.patch (git-fixes CVE-2025-38555 bsc#1248297). - Update patches.suse/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch (git-fixes CVE-2025-38601 bsc#1248340). - Update patches.suse/wifi-ath12k-Pass-ab-pointer-directly-to-ath12k_dp_tx.patch (git-fixes CVE-2025-38605 bsc#1248334). - Update patches.suse/wifi-iwlwifi-Fix-error-code-in-iwl_op_mode_dvm_start.patch (git-fixes CVE-2025-38656 bsc#1248643). - Update patches.suse/wifi-mac80211-reject-TDLS-operations-when-station-is.patch (git-fixes CVE-2025-38644 bsc#1248748). - Update patches.suse/wifi-rtl818x-Kill-URBs-before-clearing-tx-status-que.patch (git-fixes CVE-2025-38604 bsc#1248333). - Update patches.suse/wifi-rtw89-avoid-NULL-dereference-when-RX-problemati.patch (git-fixes CVE-2025-38646 bsc#1248577). - Update patches.suse/xen-fix-UAF-in-dmabuf_exp_from_pages.patch (git-fixes CVE-2025-38595 bsc#1248380). - commit ab6edaf ------------------------------------------------------------------ ------------------ 2025-8-30 - Aug 30 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - efi: stmm: Fix incorrect buffer allocation method (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/mediatek: Add error handling for old state CRTC in atomic_disable (git-fixes). - drm/msm: update the high bitfield of certain DSI registers (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). 
- drm/nouveau/disp: Always accept linear modifier (git-fixes). - drm/xe: Don't trigger rebind on initial dma-buf validation (git-fixes). - drm/xe/vm: Clear the scratch_pt pointer on error (git-fixes). - drm/xe/xe_sync: avoid race during ufence signaling (git-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - drm/hisilicon/hibmc: fix the i2c device resource leak when vdac init failed (git-fixes). - drm/hisilicon/hibmc: refactored struct hibmc_drm_private (stable-fixes). - commit 3cc6741 ------------------------------------------------------------------ ------------------ 2025-8-29 - Aug 29 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - Refresh patches.suse/kdump-add-crashkernel-cma-suffix.patch patches.suse/kdump-crashkernel-cma-update-Documentation.patch patches.suse/kdump-implement-reserve_crashkernel_cma.patch patches.suse/kdump-wait-for-dma-to-time-out-when-using-cma.patch patches.suse/kdump-x86-implement-crashkernel-cma-reservation.patch (jsc#PED-7249 implementation now upstream). 
- commit f57031a - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (CVE-2025-38160 bsc#1245780) - commit a306e30 - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (CVE-2025-38184 bsc#1245956) - commit ea5f7f7 - drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (CVE-2025-38205 bsc#1246005) - commit ca56750 - smb: client: add NULL check in automount_fullpath (CVE-2025-38208 bsc#1245815) - commit cb3a2bf - net: stmmac: make sure that ptp_rate is not 0 before configuring EST (CVE-2025-38125 bsc#1245710) - commit 04509ac - block: Make REQ_OP_ZONE_FINISH a write operation (git-fixes, bsc#1249552). - blacklist.conf: remove 3f66ccbaaef3 mwilck: this commit is a necessary part of an upstream fix series. See comments in block-Make-REQ_OP_ZONE_FINISH-a-write-operation.patch. - commit 5f975b1 - dm: split write BIOs on zone boundaries when zone append is not emulated (git-fixes). - commit 68ed6f4 - dm: Always split write BIOs to zoned device limits (git-fixes, CVE-2025-39792, bsc#1249618). - commit a8b835f - dm: dm-crypt: Do not partially accept write BIOs with zoned targets (git-fixes, CVE-2025-39791, bsc#1249550). - commit d7f2e88 - dm: Check for forbidden splitting of zone write operations (git-fixes). - commit f3bd28c - dm-stripe: limit chunk_sectors to the stripe size (git-fixes). - commit a008640 - kernel-binary: Another installation ordering fix (bsc#1241353). - commit fe14ab5 - dm-table: fix checking for rq stackable devices (git-fixes). - commit c0133c8 - dm-mpath: don't print the "loaded" message if registering fails (git-fixes). - commit d2cfeaf - md: dm-zoned-target: Initialize return variable r to avoid uninitialized use (git-fixes). - commit c0e418a - iio: imu: inv_icm42600: change invalid data error to -EBUSY (git-fixes). - commit e4f8b35 - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - commit 6f325ab - iio: light: as73211: Ensure buffer holes are zeroed (git-fixes). 
- usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Fix Xorg desktop unresponsive on Replay panel (stable-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amdgpu/swm14: Update power limit logic (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - amdgpu/amdgpu_discovery: increase timeout limit for IFWI init (stable-fixes). - drm/amd/display: fix a Null pointer dereference vulnerability (stable-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - drm/amdgpu: Update external revid for GC v9.5.0 (stable-fixes). - drm/amdgpu: update mmhub 4.1.0 client id mappings (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). - drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities (stable-fixes). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). 
- crypto: octeontx2 - Fix address alignment on CN10KB and CN10KA-B0 (stable-fixes). - crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and OcteonTX2 (stable-fixes). - crypto: octeontx2 - Fix address alignment issue on ucode loading (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - drm/format-helper: Add conversion from XRGB8888 to BGR888 (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - iio: light: Use aligned_s64 instead of open coding alignment (stable-fixes). - commit 60c07db - net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info (CVE-2025-38545 bsc#1248224). - commit af6b2ae ------------------------------------------------------------------ ------------------ 2025-8-28 - Aug 28 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - x86/sev: Evict cache lines during SNP memory validation (CVE-2025-38560 bsc#1248312). - commit 122589e - x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation (CVE-2025-38508 bsc#1248190). - kABI: x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation (git-fixes). - commit 9051bdb - hid: hide cleanup of hid_descriptor (CVE-2025-38103 bsc#1245663). - commit da277ba - xfrm: interface: fix use-after-free after changing collect_md xfrm interface (CVE-2025-38500 bsc#1248088). - rxrpc: Fix recv-recv race of completed call (CVE-2025-38524 bsc#1248194). - atm: clip: Fix memory leak of struct clip_vcc (CVE-2025-38546 bsc#1248223). - commit f78c063 - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (CVE-2025-38103 bsc#1245663). - blacklist.conf: removing erroneous entry - commit 59058fc - selftests/bpf: Fix build error with llvm 19 (git-fixes). - selftests/bpf: Add a test for arena range tree algorithm (git-fixes). 
- commit f2d6c5a - selftests/bpf: Range analysis test case for JSET (git-fixes). - bpf: Forget ranges when refining tnum after JSET (git-fixes). - commit 0deb4ac ------------------------------------------------------------------ ------------------ 2025-8-27 - Aug 27 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - selftests/perf_events: Add a mmap() correctness test (CVE-2025-38563 bsc#1248306 selftest). - commit dffae9d - perf/core: Prevent VMA split of buffer mappings (CVE-2025-38563 bsc#1248306). - commit 011b3e1 - perf/core: Handle buffer mapping fail correctly in perf_mmap() (CVE-2025-38563 bsc#1248306 dependency). - commit b1e65ce - perf/core: Exit early on perf_mmap() fail (CVE-2025-38563 bsc#1248306 dependency). - commit f53f18d - perf/core: Don't leak AUX buffer refcount on allocation failure (CVE-2025-38563 bsc#1248306 dependency). - commit 00401fa - perf/core: Preserve AUX buffer allocation failure result (CVE-2025-38563 bsc#1248306 dependency). - commit ed80f93 - mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped (CVE-2025-38554 bsc#1248299). - commit af06370 ++++ regionServiceClientConfigAzure: - Update to version 3.0.0 (bsc#1246995) + SLE 16 python-requests requires SSL v3 certificates. Update 2 region server certs to support SLE 16 when it gets released. ++++ regionServiceClientConfigEC2: - Update to version 5.0.0 (bsc#1246995) + SLE 16 python-requests requires SSL v3 certificates. Update 2 region server certs to support SLE 16 when it gets released. ++++ regionServiceClientConfigGCE: - Update to version 5.0.0 (bsc#1246995) + SLE 16 python-requests requires SSL v3 certificates. Update 2 region server certs to support SLE 16 when it gets released. 
------------------------------------------------------------------ ------------------ 2025-8-26 - Aug 26 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - build_bug.h: Add KABI assert (bsc#1249186). - commit 126f232 - kabi/severities: ignore kabi for intel pmt drivers (CVE-2025-38559 bsc#1248302) They are locally used only among intel pmt drivers. - commit 336a1fb - platform/x86/intel/pmt: fix a crashlog NULL pointer access (CVE-2025-38559 bsc#1248302). - commit 21f76b6 - usb: xhci: Fix slot_id resource race conflict (git-fixes). - commit ca93cfc - of: dynamic: Fix use after free in of_changeset_add_prop_helper() (git-fixes). - commit 864aa13 - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - usb: xhci: Fix slot_id resource race conflict (git-fixes). - usb: typec: maxim_contaminant: re-enable cc toggle if cc is open and port is clean (git-fixes). - usb: typec: maxim_contaminant: disable low power mode when reading comparator values (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL (git-fixes). - platform/x86/intel-uncore-freq: Check write blocked for ELC (git-fixes). - commit 2aeddbc - of: dynamic: Fix memleak when of_pci_add_properties() failed (git-fixes). - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes). 
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - accel/habanalabs/gaudi2: Use kvfree() for memory allocated with kvcalloc() (git-fixes). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - drm/tests: Fix endian warning (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Don't print errors for nonexistent connectors (git-fixes). - drm/amd/display: Adjust DCE 8-10 clock, don't overclock by 15% (git-fixes). - drm/amd/display: Don't overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER (git-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - mmc: sdhci-pci-gli: Add a new function to simplify the code (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: timer: fix ida_free call while not allocated (git-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). 
- commit 3b28ac3 ------------------------------------------------------------------ ------------------ 2025-8-25 - Aug 25 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - btrfs: error on missing block group when unaccounting log tree extent buffers (git-fixes). - commit ca535e9 - atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (CVE-2025-38458 bsc#1247116) - commit 48dd298 - atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (CVE-2025-38245 bsc#1246193) - commit daf962c - NFS: Fix a race when updating an existing write (git-fixes). - commit dd68c46 - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - commit 97b84d0 - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - commit 71e5dc6 - btrfs: fix two misuses of folio_shift() (git-fixes). - commit 56b1b7d - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - commit 6429a2c - atm: Revert atm_account_tx() if copy_from_iter_full() fails (CVE-2025-38190 bsc#1245973) - commit 0dae89a - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - commit a28815d - btrfs: exit after state split error at set_extent_bit() (git-fixes). - commit 3d66187 - btrfs: simplify error detection flow during log replay (git-fixes). - commit 01419dc - btrfs: remove redundant path release when replaying a log tree (git-fixes). - commit 7716eeb - md/raid1: Fix stack memory use after return in raid1_reshape (CVE-2025-38445 bsc#1247229) - commit 9aa9477 - btrfs: abort transaction during log replay if walk_log_tree() failed (git-fixes). - commit e991a13 - btrfs: unfold transaction aborts when replaying log trees (git-fixes). - commit e05bcc5 - btrfs: fix -ENOSPC mmap write failure on NOCOW files/extents (bsc#1247949). - commit 358990e - btrfs: use a single variable to track return value at btrfs_page_mkwrite() (bsc#1247949). 
- commit 7b18bc8 - btrfs: don't return VM_FAULT_SIGBUS on failure to set delalloc for mmap write (bsc#1247949). - commit 621c50f - btrfs: simplify early error checking in btrfs_page_mkwrite() (bsc#1247949). - commit c73e908 - btrfs: pass true to btrfs_delalloc_release_space() at btrfs_page_mkwrite() (bsc#1247949). - commit 3b9148d - btrfs: fix iteration bug in __qgroup_excl_accounting() (git-fixes). - commit ad5c1bb - bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338 CVE-2025-38608). - commit 04b4d43 - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - commit 25d5b8f - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - commit 8869ef6 - RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - commit 33fe82f - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - commit 9051d83 - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - commit abc50d4 - RDMA/hns: Fix querying wrong SCC context for DIP algorithm (git-fixes) - commit a868248 - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - commit 61ee0cd - RDMA/rxe: Flush delayed SKBs while releasing RXE resources (git-fixes) - commit db9dec3 ++++ colord: - Update to version 1.4.8: + New Features: - Add AppStream metainfo XML with hardware provide info. - Add support for -Dsystemd_root_prefix to make local building easier. - Install sysusers.d config file if configured user is not root. + Bugfixes: - Add the source attribute for each man page. - Drop component type from AppStream metadata XML to avoid parsing error. - Fix a critical warning when running the self tests. - Fix USB scanners not working with RestrictAddressFamilies. - Fix writing to the database with ProtectSystem=strict. - Properly set the status to CD_SESSION_STATUS_RUNNING. - Use g_ascii_strtod instead of atof(). - Use sqlite3_errmsg() to avoid getting a mutable error message. 
- Changes from version 1.4.7: + Bugfixes: - Add various hardenings to the systemd service. - Always close the ICC profile when loading fails. - Avoid destructing LCMS plugin twice with lcms 2.14. - Do not make state files executable in tmpfiles.d/colord.conf. - Fix a double free spotted by Coverity. - Fix an error check when parsing the DTP94 data. - Fix a -Wincompatible-pointer-types warning. - Fix potential crash when reading from broken Huey hardware. - Set FILE_OFFSET_BITS explicitly. - Use a 64-bit time_t. - Use thread context for Gamut Alarm codes. - Drop colord-CVE-2021-42523.patch and harden_colord.service.patch: fixed upstream. ------------------------------------------------------------------ ------------------ 2025-8-23 - Aug 23 2025 ------------------- ------------------------------------------------------------------ ++++ kmod: - kmod-testsuite * BuildIgnore pesign-obs-integration (new runtime requirement of kernel-default-devel): we don't need it for the kmod testsuite, and it also breaks the build as we aren't producing any binaries. (bsc#1248108) ------------------------------------------------------------------ ------------------ 2025-8-22 - Aug 22 2025 ------------------- ------------------------------------------------------------------ ++++ cloud-regionsrv-client: - Update version to 10.5.2 (bsc#1247539) + When an instance fails verification server side the default credentials were left behind requiring manual intervention prior to the next registration attempt. 
+ Fix issue triggered when using instance-billing-flavor-check due to IP address handling as object rather than string introduced 10.5.0 ++++ python-kiwi: - Fix agama integration test Disable no longer existing agama-auto.service - Fixed agama integration test nothing provides agama-auto anymore ++++ kdump: - upgrade to version 2.1.6 * drop broken option KDUMP_NETCONFIG="" from manpage * prevent NetworkManager from overwriting resolv.conf (bsc#1247848) * fix KDUMP_NETCONFIG=auto for NetworkManager (bsc#1247848) * exclude kernel.panic_on_warn sysctl (bsc#1247355) ++++ kernel-default: - atm: clip: Fix infinite recursive call of clip_push() (CVE-2025-38459 bsc#1247119) - commit 40aa5b7 - atm: clip: prevent NULL deref in clip_push() (CVE-2025-38251 bsc#1246181) - commit bcf4c6c - spi: spi-fsl-lpspi: Clamp too high speed_hz (git-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - microchip: lan865x: fix missing Timer Increment config for Rev.B0/B1 (git-fixes). - microchip: lan865x: fix missing netif_start_queue() call on device open (git-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). - Bluetooth: hci_sync: Prevent unintended PA sync when SID is 0xFF (git-fixes). - Bluetooth: hci_core: Fix using {cis,bis}_capable for current settings (git-fixes). - Bluetooth: btmtk: Fix wait_on_bit_timeout interruption during shutdown (git-fixes). - Bluetooth: hci_sync: Fix scan state after PA Sync has been established (git-fixes). - commit 71fbfbf - bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (CVE-2025-38439 bsc#1247155) - commit e4fb5aa - zram: permit only one post-processing operation at a time (git-fixes). - Refresh patches.suse/zram-fix-NULL-pointer-in-comp_algorithm_show.patch. 
- commit a8f2eb9 ++++ openldap2_6: - Fix the git version identifying as 2.6.X which breaks packages parsing the version string trying to match numbers. ++++ libtpms: - Allow for %is_opensuse to be unset, following up to https://src.suse.de/products/SLFO/pulls/204 (bsc#1248486). ------------------------------------------------------------------ ------------------ 2025-8-21 - Aug 21 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - serial: 8250: Touch watchdogs in write_atomic() (bsc#1246688). - commit 956817a - raid10: cleanup memleak at raid10_make_request (CVE-2025-38444 bsc#1247162) - commit 2551d5d - config.sh: SLFO 1.2 branched in IBS - commit 38742b4 - md/md-bitmap: fix GPF in bitmap_get_stats() (CVE-2025-38451 bsc#1247102) - commit f2c7bab - net: openvswitch: Fix the dead loop of MPLS parse (CVE-2025-38146 bsc#1245767). - commit 9115959 - scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue (bsc#1243055,CVE-2025-37861). - commit a094fbc - ata: libata-sata: Add link_power_management_supported sysfs attribute (git-fixes). - commit e1a205b - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - wifi: iwlwifi: mvm: avoid outdated reorder buffer head_sn (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath10k: shutdown driver when hardware is unreliable (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: ath12k: Fix station association with MBSSID Non-TX BSS (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: rtw89: wow: Add Basic Rate IE to probe request in scheduled scan mode (stable-fixes). - wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). 
- wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: mac80211: don't unreserve never reserved chanctx (stable-fixes). - wifi: mac80211: don't complete management TX on SAE commit (stable-fixes). - wifi: mac80211: avoid weird state in error path (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtw89: scan abort when assign/unassign_vif (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - commit e7f2df8 - tools/power turbostat: Handle non-root legacy-uncore sysfs permissions (stable-fixes). - tools/power turbostat: Handle cap_get_proc() ENOSYS (stable-fixes). - tools/power turbostat: Fix build with musl (stable-fixes). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - soundwire: amd: cancel pending slave status handling workqueue during remove sequence (stable-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - soundwire: Move handle_nested_irq outside of sdw_dev_lock (stable-fixes). 
- usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: typec: tcpm/tcpci_maxim: fix irq wake usage (stable-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - tty: serial: fix print format specifiers (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - commit c8e8ef2 - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - soc: qcom: rpmh-rsc: Add RSC version 4 support (stable-fixes). - soc: qcom: mdt_loader: Actually use the e_phoff (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - commit 958ff77 - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - media: hi556: Fix reset GPIO timings (stable-fixes). - media: ipu-bridge: Add _HID for OV5670 (stable-fixes). 
- mfd: axp20x: Set explicit ID for AXP313 regulator (stable-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: phy: bcm54811: PHY initialization (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - net: ieee8021q: fix insufficient table-size assertion (stable-fixes). - mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - platform/chrome: cros_ec_sensorhub: Retries when a sensor is not ready (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - commit dd25a85 - ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: add missing include to internal header (stable-fixes). - i3c: don't fail if GETHDRCAP is unsupported (stable-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). 
- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: uvcvideo: Add quirk for HP Webcam HD 2300 (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - iio: adc: ad_sigma_delta: don't overallocate scan buffer (stable-fixes). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - commit 6c360e1 - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs (stable-fixes). - drm/amd/display: Allow DCN301 to clear update flags (git-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amd/display: Disable dsc_power_gate for dcn314 by default (stable-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - crypto: ccp - Add missing bootloader info reg for pspv6 (stable-fixes). - drm/amd/pm: fix null pointer access (stable-fixes). - drm/amd/display: limit clear_update_flags to dcn32 and above (stable-fixes). - drm/xe/xe_query: Use separate iterator while filling GT list (stable-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/msm: Add error handling for krealloc in metadata setup (stable-fixes). 
- drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd/display: Initialize mode_select to 0 (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd/display: Update DMCUB loading sequence for DCN3.5 (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/imagination: Clear runtime PM errors while resetting the GPU (stable-fixes). - drm/xe: Make dma-fences compliant with the safe access rules (stable-fixes). - drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - Bluetooth: btusb: Add new VID/PID 0489/e14e for MT7925 (stable-fixes). - Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - firmware: tegra: Fix IVC dependency problems (stable-fixes). - firmware: arm_scmi: Convert to SYSTEM_SLEEP_PM_OPS (git-fixes). - firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set early during resume (stable-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall (stable-fixes). - ata: ahci: Disallow LPM policy control if not supported (stable-fixes). - ata: ahci: Disable DIPM if host lacks support (stable-fixes). - ata: libata-sata: Disallow changing LPM state if not supported (stable-fixes). - commit 81a9217 - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: add LG gram 16Z90R-A to alc269 fixup table (stable-fixes). 
- ACPI: Suppress misleading SPCR console message when SPCR table is absent (stable-fixes). - ACPI: Return -ENODEV from acpi_parse_spcr() when SPCR support is disabled (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: SOF: topology: Parse the dapm_widget_tokens in case of DSPless mode (stable-fixes). - ASoC: qcom: use drvdata instead of component to keep id (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - commit 7148b68 - RDMA/bnxt_re: Fix size of uverbs_copy_to() in BNXT_RE_METHOD_GET_TOGGLE_MEM (git-fixes) - commit 295036f - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - commit 3c7e10f - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - commit 096f6b9 - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - commit c14b06d - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - commit 2a1cc0f - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - commit 14b9be8 - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - commit 65e1a8b - exfat: add cluster chain loop check for dir (git-fixes). 
- commit 6a79efa - kabi: hide new member fallback_lock in struct mptcp_sock (CVE-2025-38491 bsc#1247280). - mptcp: make fallback action and fallback decision atomic (CVE-2025-38491 bsc#1247280). - mptcp: safety check before fallback (CVE-2025-38491 bsc#1247280). - commit 41fa302 - tipc: Fix use-after-free in tipc_conn_close() (CVE-2025-38464 bsc#1247112). - commit ca43752 - ixgbe: prevent from unwanted interface name changes (git-fixes). - commit b593885 - kABI: fix for struct devlink_port_attrs: move new member to the end (git-fixes). - commit 7c0fd06 - devlink: let driver opt out of automatic phys_port_name generation (git-fixes). - commit 28c0839 ++++ tiff: - security update: * CVE-2025-8534 [bsc#1247582] Fix null pointer dereference in function PS_Lvl2page + tiff-CVE-2025-8534.patch * CVE-2025-9165 [bsc#1248330] Fix local execution manipulation can lead to memory leak + tiff-CVE-2025-9165.patch * CVE-2024-13978 [bsc#1247581] Fix null pointer dereference in tiff2pdf + tiff-CVE-2024-13978.patch ------------------------------------------------------------------ ------------------ 2025-8-20 - Aug 20 2025 ------------------- ------------------------------------------------------------------ ++++ git: - Use zlib instead of zlib-ng for SLES16 ++++ kernel-default: - md: make rdev_addable usable for rcu mode (git-fixes). - block: ensure discard_granularity is zero when discard is not supported (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). 
- scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - block: sanitize chunk_sectors for atomic write limits (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - block: Introduce bio_needs_zone_write_plugging() (git-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - scsi: core: ufs: Fix a hang in the error handler (CVE-2025-38119 bsc#1245700). - commit d72a9d3 - fs/fhandle.c: fix a race in call of has_locked_children() (CVE-2025-38306 bsc#1246366) - commit ba2c55e - clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (CVE-2025-38499 bsc#1247976) - commit e64cd3b - selftests/livepatch: Ignore NO_SUPPORT line in dmesg (poo#187320). - commit e28bde1 - livepatch: Add stack_order sysfs attribute (poo#187320). - commit 9ec1cd1 - selftests: livepatch: test if ftrace can trace a livepatched function (poo#187320). - commit 30f78a7 - selftests: livepatch: add new ftrace helpers functions (poo#187320). - commit 2920271 - selftest/livepatch: Only run test-kprobe with CONFIG_KPROBES_ON_FTRACE (poo#187320). - commit 6f6ceda - selftests: livepatch: handle PRINTK_CALLER in check_result() (poo#187320). - commit 1420668 - selftests: livepatch: add test cases of stack_order sysfs interface (poo#187320). 
- commit d445e83 - selftests/livepatch: Replace hardcoded module name with variable in test-callbacks.sh (poo#187320). - commit 35f2fcd - selftests: livepatch: test livepatching a kprobed function (poo#187320). - commit 9775843 - selftests: livepatch: save and restore kprobe state (poo#187320). - commit 687700e - selftests: livepatch: rename KLP_SYSFS_DIR to SYSFS_KLP_DIR (poo#187320). - commit 7dc1564 - selftests/run_kselftest.sh: Use readlink if realpath is not available (poo#187320). - commit d609bae - selftests/run_kselftest.sh: Fix help string for --per-test-log (poo#187320). - commit 0a13bf1 - selftests: ncdevmem: Move ncdevmem under drivers/net/hw (poo#187443). - Refresh patches.suse/selftests-net-Add-busy_poll_test.patch. - commit bfa5fe6 - hrtimers: Handle CPU state correctly on hotplug (CVE-2024-57951 bsc#1237108). - commit 4d85e21 - Revert "libfs: fix infinite directory reads for offset dir" (CVE-2024-57952 bsc#1237131). - commit a2419ea ------------------------------------------------------------------ ------------------ 2025-8-19 - Aug 19 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Update SLFO integration test Make sure ps tool is installed ++++ kernel-default: - efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths (CVE-2025-38549 bsc#1248235). - commit fd82800 - scsi: target: iscsi: Fix timeout on deleted connection (CVE-2025-38075 bsc#1244734) - commit 9ff5b21 - net: mctp: Don't access ifa_index when missing (CVE-2025-38006 bsc#1244930) - commit d4809b9 ------------------------------------------------------------------ ------------------ 2025-8-18 - Aug 18 2025 ------------------- ------------------------------------------------------------------ ++++ git: - Update to 2.51.0 - UI, Workflows & Features - Userdiff patterns for the R language have been added. - Documentation for "git send-email" has been updated with a bit more credential helper and OAuth information. 
- "git cat-file --batch" learns to understand %(objectmode) atom to allow the caller to tell missing objects (due to repository corruption) and submodules (whose commit objects are OK to be missing) apart. - "git diff --no-index dirA dirB" can limit the comparison with pathspec at the end of the command line, just like normal "git diff". - "git subtree" (in contrib/) learned to grok GPG signing its commits. - "git whatchanged" that is longer to type than "git log --raw" which is its modern rough equivalent has outlived its usefulness more than 10 years ago. Plan to deprecate and remove it. - An interchange format for stash entries is defined, and subcommand of "git stash" to import/export has been added. - "git merge/pull" has been taught the "--compact-summary" option to use the compact-summary format, instead of diffstat, when showing the summary of the incoming changes. - "git imap-send" has been broken for a long time, which has been resurrected and then taught to talk OAuth2.0 etc. - Some error messages from "git imap-send" have been updated. - When "git daemon" sees a signal while attempting to accept() a new client, instead of retrying, it skipped it by mistake, which has been corrected. - The reftable ref backend has matured enough; Git 3.0 will make it the default format in a newly created repositories by default. - "netrc" credential helper has been improved to understand textual service names (like smtp) in addition to the numeric port numbers (like 25). - Lift the limitation to use changed-path filter in "git log" so that it can be used for a pathspec with multiple literal paths. - Clean up the way how signature on commit objects are exported to and imported from fast-import stream. - Remove unsupported, unused, and unsupportable old option from "git log". - Document recently added "git imap-send --list" with an example. - "git pull" learned to pay attention to pull.autostash configuration variable, which overrides rebase/merge.autostash. 
- "git for-each-ref" learns "--start-after" option to help applications that want to page its output. - "git switch" and "git restore" are declared to be no longer experimental. - "git -c alias.foo=bar foo -h baz" reported "'foo' is aliased to 'bar'" and then went on to run "git foo -h baz", which was unexpected. Tighten the rule so that alias expansion is reported only when "-h" is the sole option. - Performance, Internal Implementation, Development Support etc. - "git pack-objects" learned to find delta bases from blobs at the same path, using the --path-walk API. - CodingGuidelines update. - Add settings for Solaris 10 & 11. - Meson-based build/test framework now understands TAP output generated by our tests. - "Do not explicitly initialize to zero" rule has been clarified in the CodingGuidelines document. - A test helper "test_seq" function learned the "-f " option, which allowed us to simplify a lot of test scripts. - A lot of stale stuff has been removed from the contrib/ hierarchy. - "git push" and "git fetch" are taught to update refs in batches to gain performance. - Some code paths in "git prune" used to ignore the passed-in repository object and used the `the_repository` singleton instance instead, which has been corrected. - Update ".clang-format" and ".editorconfig" to match our style guide a bit better. - "make coccicheck" succeeds even when spatch made suggestions, which has been updated to fail in such a case. - Code clean-up around object access API. - Define .precision to more canned parse-options type to avoid bugs coming from using a variable with a wrong type to capture the parsed values. - Flipping the default hash function to SHA-256 at Git 3.0 boundary is planned. - Declare weather-balloon we raised for "bool" type 18 months ago a success and officially allow using the type in our codebase. - GIT_TEST_INSTALLED was not honored in the recent topic related to SHA256 hashes, which has been corrected. 
- The pop_most_recent_commit() function can have quite expensive worst case performance characteristics, which has been optimized by using prio-queue data structure. - Move structure definition from unrelated header file to where it belongs. - To help our developers, document what C99 language features are being considered for adoption, in addition to what past experiments have already decided. - The reftable unit tests are now ported to the "clar" unit testing framework. - Redefine where the multi-pack-index sits in the object subsystem, which recently was restructured to allow multiple backends that support a single object source that belongs to one repository. A MIDX does span multiple "object sources". - Reduce implicit assumption and dependence on the_repository in the object-file subsystem. - Fixes since v2.50 Unless otherwise noted, all the changes in 2.50.X maintenance track, including security updates, are included in this release. - A memory-leak in an error code path has been plugged. (merge 7082da85cb ly/commit-graph-graph-write-leakfix later to maint). - A memory-leak in an error code path has been plugged. (merge aedebdb6b9 ly/fetch-pack-leakfix later to maint). - Some leftover references to documentation source files that no longer exist, due to recent ".txt" -> ".adoc" renaming, have been corrected. (merge 3717a5775a jw/doc-txt-to-adoc-refs later to maint). - "git stash -p " improvements. (merge 468817bab2 pw/stash-p-pathspec-fixes later to maint). - "git send-email" incremented its internal message counter when a message was edited, which made logic that treats the first message specially misbehave, which has been corrected. (merge 2cc27b3501 ag/send-email-edit-threading-fix later to maint). - "git stash" recorded a wrong branch name when submodules are present in the current checkout, which has been corrected. (merge ffb36c64f2 kj/stash-onbranch-submodule-fix later to maint). 
- When asking to apply mailmap to both author and committer field while showing a commit object, the field that appears later was not correctly parsed and replaced, which has been corrected. (merge abf94a283f sa/multi-mailmap-fix later to maint). - "git maintenance" lacked the care "git gc" had to avoid holding onto the repository lock for too long during packing refs, which has been remedied. (merge 1b5074e614 ps/maintenance-ref-lock later to maint). - Avoid regexp_constraint and instead use comparison_constraint when listing functions to exclude from application of coccinelle rules, as spatch can be built with different regexp engine X-<. (merge f2ad545813 jc/cocci-avoid-regexp-constraint later to maint). - Updating submodules from the upstream did not work well when submodule's HEAD is detached, which has been improved. (merge ca62f524c1 jk/submodule-remote-lookup-cleanup later to maint). - Remove unnecessary check from "git daemon" code. (merge 0c856224d2 cb/daemon-fd-check-fix later to maint). - Use of sysctl() system call to learn the total RAM size used on BSDs has been corrected. (merge 781c1cf571 cb/total-ram-bsd-fix later to maint). - Drop FreeBSD 4 support and declare that we support only FreeBSD 12 or later, which has memmem() supported. (merge 0392f976a7 bs/config-mak-freebsd later to maint). - A diff-filter with negative-only specification like "git log --diff-filter=d" did not trigger correctly, which has been fixed. (merge 375ac087c5 jk/all-negative-diff-filter-fix later to maint). - A failure to open the index file for writing due to conflicting access did not state what went wrong, which has been corrected. (merge 9455397a5c hy/read-cache-lock-error-fix later to maint). - Tempfile removal fix in the codepath to sign commits with SSH keys. (merge 4498127b04 re/ssh-sign-buffer-fix later to maint). - Code and test clean-up around string-list API. (merge 6e5b26c3ff sj/string-list later to maint). 
- "git apply -N" should start from the current index and register only new files, but it instead started from an empty index, which has been corrected. (merge 2b49d97fcb rp/apply-intent-to-add-fix later to maint). - Leakfix with a new and a bit invasive test on pack-bitmap files. (merge bfd5522e98 ly/load-bitmap-leakfix later to maint). - "git fetch --prune" used to be O(n^2) expensive when there are many refs, which has been corrected. (merge 87d8d8c5d0 ph/fetch-prune-optim later to maint). - When a ref creation at refs/heads/foo/bar fails, the files backend now removes refs/heads/foo/ if the directory is otherwise not used. (merge a3a7f20516 ps/refs-files-remove-empty-parent later to maint). - "pack-objects" has been taught to avoid pointing into objects in cruft packs from midx. - "git remote" now detects remote names that overlap with each other (e.g., remote nickname "outer" and "outer/inner" are used at the same time), as it will lead to overlapping remote-tracking branches. (merge a5a727c448 jk/remote-avoid-overlapping-names later to maint). - The gpg.program configuration variable, which names a pathname to the (custom) GPG compatible program, can now be spelled with ~tilde expansion. (merge 7d275cd5c0 jb/gpg-program-variable-is-a-pathname later to maint). - Our header file relied on that the system-supplied header is not later included, which would override our macro definitions, but "amazon linux" broke this assumption. Fix this by preemptively including near the beginning of ourselves. (merge 9d3b33125f ps/sane-ctype-workaround later to maint). - Clean-up compat/bswap.h mess. (merge f4ac32c03a ss/compat-bswap-revamp later to maint). - Meson-based build did not handle libexecdir setting correctly, which has been corrected. (merge 056dbe8612 rj/meson-libexecdir-fix later to maint). - Document that we do not require "real" name when signing your patches off. (merge 1f0fed312a bc/contribution-under-non-real-names later to maint). 
- "git commit" that concludes a conflicted merge failed to notice and remove existing comment added automatically (like "# Conflicts:") when the core.commentstring is set to 'auto'. (merge 92b7c7c9f5 ac/auto-comment-char-fix later to maint). - "git rebase -i" with bogus rebase.instructionFormat configuration failed to produce the todo file after recording the state files, leading to confused "git status"; this has been corrected. (merge ade14bffd7 ow/rebase-verify-insn-fmt-before-initializing-state later to maint). - A few file descriptors left unclosed upon program completion in a few test helper programs are now closed. (merge 0f1b33815b hl/test-helper-fd-close later to maint). - Interactive prompt code did not correctly strip CRLF from the end of line on Windows. (merge 711a20827b js/prompt-crlf-fix later to maint). - The config API had a set of convenience wrapper functions that implicitly use the_repository instance; they have been removed and inlined at the calling sites. - "git add/etc -p" now honor the diff.context configuration variable, and also they learn to honor the -U command-line option. (merge 2b3ae04011 lm/add-p-context later to maint). - The case where a new submodule takes a path where there used to be a completely different subproject is now dealt with a bit better than before. (merge 5ed8c5b465 kj/renamed-submodule later to maint). - The deflate codepath in "git archive --format=zip" had a longstanding bug coming from misuse of zlib API, which has been corrected. - drop patches included in update: 0001-git-gui-Replace-null_sha1-with-nullid.patch 0001-gitk-Add-support-of-SHA256-repo.patch 0002-git-gui-Add-support-of-SHA256-repo.patch - refreshed patches: CVE-2024-24577.patch completion-wordbreaks.diff git-tcsh-completion-fixes.diff setup-don-t-fail-if-commondir-reference-is-deleted.patch - contrib/workdir is dropped. remove references for it. ++++ kernel-default: - printk: nbcon: Allow reacquire during panic (bsc#1246688). 
- commit 941c111 - netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (CVE-2025-38201 bsc#1245977). - commit 4f77e20 - netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (CVE-2025-38441 bsc#1247167). - commit d5364ae - netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (CVE-2025-38472 bsc#1247313). - commit 11979f4 - netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext (git-fixes). - commit 596135b - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - commit 8f66a65 - s390/mm: Allocate page table with PAGE_SIZE granularity (git-fixes bsc#1247838). - commit bb475d8 - x86/vmscape: Warn when STIBP is disabled with SMT (bsc#1247483 CVE-2025-40300). - commit 0596b58 - x86/bugs: Move cpu_bugs_smt_update() down (bsc#1247483 CVE-2025-40300). - commit fcdc737 - x86/vmscape: Enable the mitigation (bsc#1247483 CVE-2025-40300). - Update config files. - commit 0178963 - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - commit c0014cb - x86/vmscape: Add conditional IBPB mitigation (bsc#1247483 CVE-2025-40300). - commit 4212c10 - sched/psi: Fix psi_seq initialization (bsc#1248155). - commit 2dd3707 - x86/vmscape: Enumerate VMSCAPE bug (bsc#1247483 CVE-2025-40300). - commit 91b029d - Documentation/hw-vuln: Add VMSCAPE documentation (bsc#1247483 CVE-2025-40300). - commit c6b560b ------------------------------------------------------------------ ------------------ 2025-8-17 - Aug 17 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - ata: libata-scsi: Fix CDL control (git-fixes). 
- commit 0aa8bcb ++++ openssl-3: - Move ssl configuration files to the libopenssl package [bsc#1247463] - Don't install unneeded NOTES ------------------------------------------------------------------ ------------------ 2025-8-16 - Aug 16 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - drm/amdgpu: fix vram reservation issue (git-fixes). - drm/bridge: fix OF node leak (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: fsl_sai: replace regmap_write with regmap_update_bits (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - Revert "gpio: mlxbf3: only get IRQ for device instance 0" (git-fixes). - soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - net: mdio: mdio-bcm-unimac: Correct rate fallback logic (git-fixes). - net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes). - ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26) (stable-fixes). - ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx (stable-fixes). - ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ALSA: hda/cs35l56: Workaround bad dev-index on Lenovo Yoga Book 9i GenX (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - drm/i915/ddi: only call shutdown hooks for valid encoders (stable-fixes). - drm/i915/display: add intel_encoder_is_hdmi() (stable-fixes). 
- drm/i915/ddi: gracefully handle errors from intel_ddi_init_hdmi_connector() (stable-fixes). - drm/i915/hdmi: add error handling in g4x_hdmi_init() (stable-fixes). - drm/i915/hdmi: propagate errors from intel_hdmi_init_connector() (stable-fixes). - drm/i915/ddi: change intel_ddi_init_{dp, hdmi}_connector() return type (stable-fixes). - accel/ivpu: Fix reset_engine debugfs file logic (stable-fixes). - commit 6ed913d ------------------------------------------------------------------ ------------------ 2025-8-15 - Aug 15 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Fix exclude list for live image builds When specifying a filesystem attribute for a live image build, the rootfs gets built directly into this filesystem instead of being a squashfs wrapped ext4 which is the default layout for compatibility reasons. In this direct filesystem mode the exclude list was not passed along to the filesystem creation and causes unwanted metadata to be part of the final image. This Fixes #2873 ++++ kernel-default: - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - commit c0405fc ------------------------------------------------------------------ ------------------ 2025-8-14 - Aug 14 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Fix not falling back to PRETTY_NAME in SUSE_PRETTY_NAME patches bsc#1248446 ++++ kernel-default: - Refresh patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch Drop the static_assert() kABI checks temporarily until we have a proper solution to signal kABI verification. - commit e7bb4bf - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - commit e707e41 - PCI: dw-rockchip: Replace PERST# sleep time with proper macro (git-fixes). 
- commit bb054e5 - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PCI: imx6: Add IMX8MQ_EP third 64-bit BAR in epc_features (git-fixes). - PCI: qcom: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ (git-fixes). - PCI: dw-rockchip: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ (git-fixes). - PCI: Rename PCIE_RESET_CONFIG_DEVICE_WAIT_MS to PCIE_RESET_CONFIG_WAIT_MS (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - serial: 8250: fix panic due to PSLVERR (git-fixes). - PCI: imx6: Add i.MX8Q PCIe Endpoint (EP) support (git-fixes). - commit d9839d9 - habanalabs: fix UAF in export_dmabuf() (git-fixes). - commit e4702d9 - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - commit ca79f49 - bpf, arm64: Fix fp initialization for exception boundary (git-fixes) - commit 99a8d8c - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - commit eead6a6 - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC clock speed (git-fixes) - commit cdabae0 - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - commit 9c47c1b - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - commit eb83c61 - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - commit 2f99788 - arm64: dts: imx8mp-venice-gw702x: Increase HS400 USDHC clock speed (git-fixes) - commit bf3a9db - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - commit 1f06f91 - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - commit 35f4757 - arm64: dts: imx8mm-beacon: Fix HS400 
USDHC clock speed (git-fixes) - commit 3b1791e - arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV (git-fixes) - commit d3b2a07 - arm64: dts: st: fix timer used for ticks (git-fixes) - commit 564f85e - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - commit f18579c - arm64: dts: exynos: gs101: ufs: add dma-coherent property (git-fixes) - commit 22fb09f - arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes (git-fixes) - commit b3eb296 - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - commit 1656f5d - arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5 (git-fixes) - commit 06668ed - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - commit 7a17452 - arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep (git-fixes) - commit d3f8c87 - arm64: dts: add big-endian property back into watchdog node (git-fixes) - commit 28f0cfd - arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency (git-fixes) - commit 6ca14ce - arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency (git-fixes) - commit 35c5043 - arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency (git-fixes) - commit f964f6e - arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency (git-fixes) - commit 1221df5 - arm64/mm: Drop wrong writes into TCR2_EL1 (git-fixes) - commit e3d963f - arm64: poe: Handle spurious Overlay faults (git-fixes) - commit c62c76a - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - commit 81f649f - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - commit 9f9e25d - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - commit dee5a62 - arm64/mm: Close theoretical race where stale TLB entry remains valid (git-fixes) - commit 2b9ed9e - arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma (git-fixes) - commit e5bad02 - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - commit 
7f552e2 - arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI (git-fixes) - commit 5876cdf - arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI (git-fixes) - commit a98adac - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - commit 51525e3 - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - commit ad05c9f - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - commit dfb5eed - arm64: tegra: Add uartd serial alias for Jetson TX1 module (git-fixes) - commit e812e32 - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - commit e6ab9c1 - arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3566-rock3c (git-fixes) - commit 13e0c58 - arm64: dts: rockchip: Move SHMEM memory to reserved memory on rk3588 (git-fixes) - commit 344f8c5 - kbuild: rust: add rustc-min-version support function (git-fixes) - commit 573f96a - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - commit 82c486e - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - commit 6c6ebf5 - arm64: tegra: Resize aperture for the IGX PCIe C5 slot (git-fixes) - commit d1d248d - arm64/mm: Check pmd_table() in pmd_trans_huge() (git-fixes) - commit 04e9ebd - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - commit 68e8096 - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - commit 8062927 - arm64/sysreg: Add register fields for HFGWTR2_EL2 (git-fixes) - commit c06ac5b - arm64/sysreg: Add register fields for HFGRTR2_EL2 (git-fixes) - commit ac00342 - arm64/sysreg: Add register fields for HFGITR2_EL2 (git-fixes) - commit 40903bf - arm64/sysreg: Add register fields for HDFGWTR2_EL2 (git-fixes) - commit 9b26437 - arm64/sysreg: Add register fields for HDFGRTR2_EL2 (git-fixes) - commit 6c6c2d1 - arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 (git-fixes) - commit 1862d57 - arm64: rust: clean Rust 1.85.0 warning using softfloat target (git-fixes) - 
commit 2c2605f - arm64/mm: Ensure adequate HUGE_MAX_HSTATE (git-fixes) - commit d144825 ++++ openldap2_6: - Update to version 2.6.10+10: * Add export symbols related to LDAP_CONNECTIONLESS - Initial import of OpenLDAP 2.6 ++++ nvidia-open-driver-G06-signed: - make sure Requires to nvidia packages are not added for SLE16 ------------------------------------------------------------------ ------------------ 2025-8-13 - Aug 13 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782, CVE-2025-23141). - commit f303436 - net: libwx: remove duplicate page_pool_put_full_page() (CVE-2025-38490 bsc#1247243). - commit eca8cf3 - drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078 CVE-2025-38360) - commit 273e174 ++++ podman: - Add patch for CVE-2025-6032 (bsc#1245320): * 0003-CVE-2025-6032-machine-init-fix-tls-check.patch ++++ ovmf: - Update firmware descriptors to remove tab whitespace (bsc#1247847) - Replace tab whitespace with spaces in 50-ovmf-x86_64-sev.json - Replace tab whitespace with spaces in 50-ovmf-x86_64-sev-snp.json ++++ virt-manager: - Adjust how we detect sles16 as the media layout changes. (bsc#1244685) (bsc#1249466) virtinst-add-sle16-detection-support.patch ------------------------------------------------------------------ ------------------ 2025-8-12 - Aug 12 2025 ------------------- ------------------------------------------------------------------ ++++ dracut: - Update to version 059+suse.696.g950c4798: * fix(dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) * fix(74nvmf): set root=nvmf (bsc#1238848) ++++ kernel-default: - sunrpc: fix handling of server side tls alerts (git-fixes). 
- commit 7a563f7 ++++ qemu: - Fix build issues due to Python version: * mkvenv: Support pip 25.2 (bsc#1247972) - Bug and CVE fixes: * tests: Avoid dependency on padding on signal messages (boo#1246830) * pcie_sriov: Fix configuration and state synchronization (bsc#1246992 CVE-2025-54566 CVE-2025-54567) * [openSUSE][RPM] linux-user: restart systemd-binfmt upon changes (bsc#1247443) ++++ ovmf: - Update firmware descriptors for SEV-SNP and TDX (bsc#1247847) - Add 50-ovmf-x86_64-sev-snp.json to support the 'amd-sev-snp' feature. - Remove the sev-snp feature from 50-ovmf-x86_64-sev.json. - Update the device in 60-ovmf-x86_64-tdx.json from 'pflash' to 'memory'. ++++ virt-manager: - bsc#1247865 - sles 16.0 rc3 KVM virt-manager detects windows 2025 as 2022 virtinst-windows-server-detection.patch ------------------------------------------------------------------ ------------------ 2025-8-11 - Aug 11 2025 ------------------- ------------------------------------------------------------------ ++++ busybox: - Add patch to fix adduser inside containers on an SELinux host (boo#1247779): * 0001-update_passwd-Avoid-selinux_preserve_fcontext-if-SEL.patch - Don't throw debug info away during build, let RPM separate it afterwards ++++ python-kiwi: - Fix test-image-custom-partitions integration test Same fix as for the Tumbleweed test now also applied to the Leap test. Patching of the new root device did no longer apply - Fix test-image-custom-partitions integration test Patching of the new root device did no longer apply - Bump version: 10.2.31 → 10.2.32 - fix: resize for raid device, ensure vars like kiwi_RaidDev are loaded before setting disk variable ++++ kernel-default: - dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (jsc#PED-13331). - commit 7ae9e04 - dpll: Make ZL3073X invisible (jsc#PED-13331). - Update config files. - commit 1c5ea3f - dpll: Add basic Microchip ZL3073x support (jsc#PED-13331). - Update config files. 
- supported.conf: Mark ZL3073X modules supported - commit 9ca5336 - dpll: zl3073x: Fix build failure (jsc#PED-13331). - netlink: specs: devlink: replace underscores with dashes in names (jsc#PED-13331). - netlink: fix policy dump for int with validation callback (jsc#PED-13331). - commit 8ed21c1 - dpll: zl3073x: Add support to get/set frequency on pins (jsc#PED-13331). - dpll: zl3073x: Implement input pin state setting in automatic mode (jsc#PED-13331). - dpll: zl3073x: Add support to get/set priority on input pins (jsc#PED-13331). - dpll: zl3073x: Implement input pin selection in manual mode (jsc#PED-13331). - dpll: zl3073x: Register DPLL devices and pins (jsc#PED-13331). - dpll: zl3073x: Read DPLL types and pin properties from system firmware (jsc#PED-13331). - dpll: zl3073x: Fetch invariants during probe (jsc#PED-13331). - devlink: Add support for u64 parameters (jsc#PED-13331). - dt-bindings: dpll: Add support for Microchip Azurite chip family (jsc#PED-13331). - dt-bindings: dpll: Add DPLL device and pin (jsc#PED-13331). - devlink: avoid param type value translations (jsc#PED-13331). - devlink: define enum for attr types of dynamic attributes (jsc#PED-13331). - devlink: introduce devlink_nl_put_u64() (jsc#PED-13331). - commit 635a9c4 - ice, irdma: fix an off by one in error handling code (bsc#1247712). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). 
- commit 5c830c5 - iommu/vt-d: Fix missing PASID in dev TLB flush with cache_tag_flush_all (git-fixes). - commit 3a05b85 - iommu: Handle race with default domain setup (git-fixes). - commit 10fd40d - smb: client: fix netns refcount leak after net_passive changes (git-fixes). - commit afa7a11 - net: mana: Fix build errors when CONFIG_NET_SHAPER is disabled (gix-fixes). - commit 9d3b307 - RDMA/mana_ib: Add device statistics support (bsc#1246651). - net: mana: Handle Reset Request from MANA NIC (bsc#1245728). - net: mana: Set tx_packets to post gso processing packet count (bsc#1245731). - net: mana: Handle unsupported HWC commands (bsc#1245726). - net: mana: Add speed support in mana_get_link_ksettings (bsc#1245726). - net: mana: Add support for net_shaper_ops (bsc#1245726). - net: mana: Fix potential deadlocks in mana napi ops (bsc#1245726). - net: mana: Allocate MSI-X vectors dynamically (bsc#1245457). - net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457). - net: mana: explain irq_setup() algorithm (bsc#1245457). - PCI: hv: Allow dynamic MSI-X vector allocation (bsc#1245457). - PCI/MSI: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457). - net: mana: Add handler for hardware servicing events (bsc#1245730).
- net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729). - commit 0742f38 - kABI: io_uring: msg_ring ensure io_kiocb freeing is deferred (CVE-2025-38453 bsc#1247234). Conflicts: series.conf - kABI: io_uring: msg_ring ensure io_kiocb freeing is deferred (CVE-2025-38453 bsc#1247234). - commit 909d7fe - Revert "smb: client: fix TCP timers deadlock after rmmod" (bsc#1241403, CVE-2025-22077). - commit cadbdcb - smb: client: fix potential deadlock when reconnecting channels (bsc#1246183, CVE-2025-38244). - commit 1b9b63f - NFS: Fix the setting of capabilities when automounting a new filesystem (git-fixes). - commit 92d61de - sunrpc: fix client side handling of tls alerts (git-fixes). - commit 504fa2d - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes). - commit cdc019d - NFSv4.2: another fix for listxattr (git-fixes). - commit 20728e2 - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes). - commit a126339 - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes). - commit 47a75c4 - pNFS/flexfiles: don't attempt pnfs on fatal DS errors (git-fixes). - commit f90ce8d - drm/amdgpu: Add basic validation for RAS header (bsc#1247252 CVE-2025-38426) - commit c5bedcf - netlink: avoid infinite retry looping in netlink_unicast() (CVE-2025-38465 bsc#1247118). - commit e134e60 - Move upstreamed SPI patch into sorted section - commit 71eadf5 - tools/power turbostat: Fix bogus SysWatt for forked program (git-fixes). - gpio: mlxbf2: use platform_get_irq_optional() (git-fixes). - ASoC: tas2781: Fix the wrong step for TLV on tas2781 (git-fixes). - ASoC: SOF: amd: acp-loader: Use GFP_KERNEL for DMA allocations in resume context (git-fixes). - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes). - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes). 
- commit f114c9a ++++ sqlite3: - Update to version 3.50.4: * Fix two long-standing cases of the use of uninitialized variables in obscure circumstances. ++++ unbound: - simplify python handling. python2 support is dropped and python3 is built by default. Conditionals for the latter are removed. - enable EDNS subnet handling ++++ libzypp: - Make ld.so ignore the subarch packages during install (bsc#1246912) - version 17.37.17 (35) ++++ net-tools: - Provide more readable error for interface name size checking introduced by net-tools-CVE-2025-46836.patch (bsc#1243581, net-tools-CVE-2025-46836-error-reporting.patch). ++++ nvidia-open-driver-G06-signed: - update non-CUDA variant to 580.76.05 (boo#1247907) - get rid of rule of older KMPs not to load nvidia_drm module, which are still installed in parallel and therefore still active (boo#1247923) ------------------------------------------------------------------ ------------------ 2025-8-10 - Aug 10 2025 ------------------- ------------------------------------------------------------------ ++++ unbound: - Update to 1.23.1: (boo#1246625) Bug Fixes: * Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University. - our package was not built with EDNS subnet support up to this point and therefore was not affected. - prepare enabling quic support: currently fails on missing quic support in openssl. aws-lc is sadly not a drop in replacement for unbound.
- enable TCP Fast Open for the server and client - remove unused --with-ldns option - enable cachedb including hiredis support on Tumbleweed new BuildRequires pkgconfig(libhiredis) ++++ qemu: - Update to stable release 10.0.3: Full list of backports here: https://lore.kernel.org/qemu-devel/1748499690.323471.13081.nullmailer@localhost/ A selection of them is reported here too: hvf: arm: Emulate ICC_RPR_EL1 accesses properly target/arm: Correct encoding of Debug Communications Channel registers ui: fix setting client_endian field defaults hw/net/npcm_gmac.c: Send the right data for second packet in a row target/i386: do not expose ARCH_CAPABILITIES on AMD CPU i386/cpu: Honor maximum value for CPUID.8000001DH.EAX[25:14] i386/cpu: Fix overflow of cache topology fields in CPUID.04H i386/cpu: Fix cpu number overflow in CPUID.01H.EBX[23:16] ui/vnc: Do not copy z_stream vhost: Fix used memslot tracking when destroying a vhost device roms: re-remove execute bit from hppa-firmware* file-posix: Fix aio=threads performance regression after enablign FUA amd_iommu: Fix truncation of oldval in amdvi_writeq amd_iommu: Remove duplicated definitions amd_iommu: Fix the calculation for Device Table size amd_iommu: Fix mask to retrieve Interrupt Table Root Pointer from DTE amd_iommu: Fix masks for various IOMMU MMIO Registers amd_iommu: Update bitmasks representing DTE reserved fields amd_iommu: Fix Device ID decoding for INVALIDATE_IOTLB_PAGES command amd_iommu: Fix Miscellaneous Information Register 0 encoding virtio-net: Add queues for RSS during migration net: fix buffer overflow in af_xdp_umem_create() accel/kvm: Adjust the note about the minimum required kernel version ... 
------------------------------------------------------------------ ------------------ 2025-8-9 - Aug 9 2025 ------------------- ------------------------------------------------------------------ ++++ nvidia-open-driver-G06-signed: - make sure these Requires right below are not added on Tumbleweed ------------------------------------------------------------------ ------------------ 2025-8-8 - Aug 8 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Do not clobber initialize method There was a method named initialize defined and implemented differently in the dracut modules kiwi-lib and kiwi-repart. kiwi-lib is expected to be shared code across all kiwi dracut modules. However if one module redefines a method of the same name which is used in another module and expected to work differently there, this is evil. This commit cleans up the name conflict and names the kiwi library init function as lib_initialize. All dracut code that is expected to make use of this method has been adopted too. ++++ kernel-default: - io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU (CVE-2025-38453 bsc#1247234). - commit 171360a - posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911 CVE-2025-38352). - commit 0681499 - Delete patches.suse/kasan-avoid-sleepable-page-allocation-from-atomic-co.patch This doesn't build properly with the current SL-16.0 kernel code - commit beec866 - tls: always refresh the queue when reading sock (CVE-2025-38471 bsc#1247450). - mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write (CVE-2025-38258 bsc#1246185). - perf/x86/intel: Fix crash in icl_update_topdown_event() (CVE-2025-38322 bsc#1246447). - ext4: only dirty folios when data journaling regular files (CVE-2025-38220 bsc#1245966). - commit 2bcb640 - smc: Fix various oops due to inet_sock type confusion (CVE-2025-38475 bsc#1247308). 
- kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling (CVE-2025-38470 bsc#1247288). - net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime (CVE-2025-38470 bsc#1247288). - smc: Fix various oops due to inet_sock type confusion (CVE-2025-38475 bsc#1247308). - net/mlx5e: Fix race between DIM disable and net_dim() (CVE-2025-38440 bsc#1247290). - net/sched: Abort __tc_modify_qdisc if parent class does not exist (CVE-2025-38457 bsc#1247098). - atm: clip: Fix potential null-ptr-deref in to_atmarpd() (CVE-2025-38460 bsc#1247143). - idpf: convert control queue mutex to a spinlock (CVE-2025-38392 bsc#1247169). - commit 05e8074 - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes). - commit 38b5d6f - net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes). - commit da0301d - net/packet: fix a race in packet_set_ring() and packet_notifier() (CVE-2025-38617 bsc#1248621) Cherry-picked from SL-16.0. CVSS is 7.0 so it should be on SL-16.0-GA too. - commit 6ca1c18 - net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes). - commit d42d899 - ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes). - commit 1820a44 - netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes). - commit 1d345b1 - tracing: Fix using ret variable in tracing_set_tracer() (git-fixes). - commit e9dbf86 - fgraph: Fix set_graph_notrace with setting TRACE_GRAPH_NOTRACE_BIT (git-fixes). - commit c43ec6f - ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes). - commit 720a150 - tracing: Switch trace_events_hist.c code over to use guard() (git-fixes). - commit 7cfc3ab - tracing: Switch trace.c code over to use guard() (git-fixes). - commit d022aa4 - drm/amd/display: Don't overwrite dce60_clk_mgr (git-fixes). - Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" (stable-fixes). 
- commit 5df2fd2 ------------------------------------------------------------------ ------------------ 2025-8-7 - Aug 7 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (CVE-2025-38399 bsc#1247097). - commit b40a9d6 - exfat: fdatasync flag should be same like generic_write_sync() (git-fixes). - commit a622d1a - do_change_type(): refuse to operate on unmounted/not ours mounts (CVE-2025-38498 bsc#1247374) - commit cb82edb - Enable CONFIG_CMA_SYSFS This is a generally useful feature for anyone using CMA or investigating CMA issues, with a small and simple code base and no runtime overhead. - commit 523b720 - Update config files. Set CONFIG_CMA_AREAS values to their new upstream default. - commit bb7f630 - ring-buffer: Make reading page consistent with the code logic (git-fixes). - commit 22871cd - ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() (CVE-2025-38101 bsc#1245659). - commit 59c07ff - tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes). - commit c9b00b2 - ftrace: Fix function profiler's filtering functionality (git-fixes). - commit 594ca40 - tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes). - commit a204d8e - trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers (git-fixes). - commit 4041535 - module: Restore the moduleparam prefix length check (git-fixes). - module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes). - commit a84e148 - audit,module: restore audit logging in load failure case (git-fixes). - kABI: Fix the module::name type in audit_context (git-fixes). - commit 4504207 - module: Fix memory deallocation on error path in move_module() (git-fixes). - commit 00ca9af - mm/vmalloc: fix data race in show_numa_info() (CVE-2025-38383 bsc#1247250). 
- commit c043092 - RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes) - commit 4638273 ++++ libzypp: - Fix evaluation of libproxy results (bsc#1247690) - Replace URL variables inside mirrorlist/metalink files (fixes #667) - version 17.37.16 (35) ------------------------------------------------------------------ ------------------ 2025-8-6 - Aug 6 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - io_uring/rsrc: fix folio unpinning (bsc#1246188 CVE-2025-38256). - commit 95e6074 - io_uring: fix potential page leak in io_sqe_buffer_register() (git-fixes). - commit 3fb0381 - btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes). - commit a2d6441 - netlink: make sure we allow at least one dump skb (CVE-2025-38465 bsc#1247118). - netlink: Fix rmem check in netlink_broadcast_deliver() (CVE-2025-38465 bsc#1247118). - netlink: Fix wraparounds of sk->sk_rmem_alloc (CVE-2025-38465 bsc#1247118). - commit 51a6af8 - netfilter: nft_flow_offload: update tcp state flags under lock (git-fixes). - commit 88664ea - netfilter: nf_tables: imbalance in flowtable binding (git-fixes). - commit 94ec604 - netfilter: nft_set_hash: skip duplicated elements pending gc run (git-fixes). - commit 12841f0 - nvme-tcp: fix selinux denied when calling sock_sendmsg (bsc#1247497). - commit 6082643 - eth: fbnic: avoid double free when failing to DMA-map FW msg (CVE-2025-38341 bsc#1246260). - commit 5553a2c - selftests/bpf: adapt one more case in test_lru_map to the new target_free (git-fixes). - commit 9c60da1 - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). 
- commit 3e4fe7b ++++ libvirt: - Set virt_hooks_unconfined boolean to true in libvirt-daemon-hooks %post script (see comment 13 in bsc#1242998) ++++ toolbox: - Update to version 2.4+git20250806.ba48bd3: * Add SCC credentials if available [bsc#1247491] ------------------------------------------------------------------ ------------------ 2025-8-5 - Aug 5 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Skip kiwi-repart module in install ISOs In case the kiwi-repart module is explicitly requested in a dracut.conf file and the image is also configured to build an install ISO image this leads the install ISO to contain the kiwi-repart module as well which is unwanted. This commit explicitly omits the kiwi-repart when creating the initrd for the install image - Skip repart when booting install/live iso ++++ kernel-default: - kABI: restore layout of struct msi_desc (CVE-2025-38062 bsc#1245216). - genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie (CVE-2025-38062 bsc#1245216). - commit 831ff50 - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - commit 8e8eaf1 - sched/eevdf: Fix se->slice being set to U64_MAX and resulting (CVE-2025-37821 bsc#1242864) - commit ba057af - sched/core: Prevent rescheduling when interrupts are disabled (bsc#1240324 CVE-2024-58090) - commit cc45d5b - sched_ext: Fix invalid irq restore in scx_ops_bypass() (CVE-2024-57891 bsc#1235953) - commit f68543a - selftests/bpf: Fix unintentional switch case fall through (git-fixes). - selftests/bpf: fix signedness bug in redir_partial() (git-fixes). - selftests/bpf: Test invalid narrower ctx load (git-fixes). - bpf: Reject narrower access to pointer ctx fields (git-fixes). - bpf, sockmap: Fix psock incorrectly pointing to sk (git-fixes). - selftests/bpf: Add negative test cases for snprintf (git-fixes). - commit 0d272a0 - bpf: Reject %p% format string in bprintf-like helpers (git-fixes). 
- bpf: Adjust free target to avoid global starvation of LRU map (git-fixes). - tools/resolve_btfids: Fix build when cross compiling kernel with clang (git-fixes). - commit a8770bb - bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ (git-fixes). - bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps (git-fixes). - libbpf: Add identical pointer detection to btf_dedup_is_equiv() (git-fixes). - bpf: Use proper type to calculate bpf_raw_tp_null_args.mask index (git-fixes). - samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora (git-fixes). - commit db60287 - bpf: Return prog btf_id without capable check (git-fixes). - commit 8f212fe - selftests/bpf: add test for softlock when modifying hashmap while iterating (git-fixes). - bpf: fix possible endless loop in BPF map iteration (git-fixes). - selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure (git-fixes). - selftests/bpf: Add selftest for attaching fexit to __noreturn functions (git-fixes). - bpf: Reject attaching fexit/fmod_ret to __noreturn functions (git-fixes). - commit 088a03b - bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it creates storage (git-fixes). - selftests/bpf: Fix string read in strncmp benchmark (git-fixes). - bpf, docs: Fix broken link to renamed bpf_iter_task_vmas.c (git-fixes). - selftests/bpf: Use asm constraint "m" for LoongArch (git-fixes). - commit 6a67de9 - i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe() (git-fixes). - commit 3d7da1a - kABI fix after vhost: Reintroduce kthread API and add mode selection (git-fixes). 
- commit d3622c5 ++++ nvidia-open-driver-G06-signed: - added Requires * nvidia-modprobe >= %version * nvidia-persitenced >= %version * nvidia-modprobe-cuda-lt-sp6 * nvidia-persitenced-cuda-lt-sp6 to be provided by special versions of nvidia-modprobe and nvidia-persitenced built against SP4 (bsc#1237208, jsc#PED-13295) ------------------------------------------------------------------ ------------------ 2025-8-4 - Aug 4 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Update leap test-image-disk integration test Add test for alternative volume ID in install ISO ++++ kernel-default: - KVM: Conditionally reschedule when resetting the dirty ring (git-fixes). - commit 2dff58a - KVM: Bail from the dirty ring reset flow if a signal is pending (git-fixes). - commit eab0b89 - KVM: Bound the number of dirty ring entries in a single reset at INT_MAX (git-fixes). - commit aac37a8 - KVM: Allow CPU to reschedule while setting per-page memory attributes (git-fixes). - commit 5d216e9 - KVM: arm64: Don't free hyp pages with pKVM on GICv2 (git-fixes). - commit c01040d - tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes). - commit 317bbda - net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes). - commit 7e0d53d - KVM: arm64: Fix error path in init_hyp_mode() (git-fixes). - commit 23e29da - btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop (git-fixes). - commit 5d6038d - btrfs: qgroup: fix qgroup create ioctl returning success after quotas disabled (git-fixes). - commit 6bfd9e4 - btrfs: qgroup: set quota enabled bit if quota disable fails flushing reservations (git-fixes). - commit 7eff76f - KVM: arm64: Adjust range correctly during host stage-2 faults (git-fixes). - commit 3d83087 - btrfs: clear dirty status from extent buffer on error at insert_new_root() (git-fixes). 
- commit feae542
- btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes).
- commit ab9615f
- btrfs: fix ssd_spread overallocation (git-fixes).
- commit c5cd300
- Rename to patches.suse/virtio-blk-scsi-use-block-layer-helpers-to-calculate.patch.
- commit 4cc7f9f
- Rename to patches.suse/scsi-use-block-layer-helpers-to-calculate-num-of-que.patch.
- commit a2aa4dc
- Rename to patches.suse/nvme-pci-use-block-layer-helpers-to-calculate-num-of.patch.
- commit 1f9b36e
- btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes).
- commit 88c829f
- btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes).
- commit bbb516f
- Refresh patches.suse/blk-mq-add-number-of-queue-calc-helper.patch.
- commit e910199
- btrfs: don't skip remaining extrefs if dir not found during log replay (git-fixes).
- commit 70b2e71
- Rename to patches.suse/lib-group_cpus-Let-group_cpu_evenly-return-the-numbe.patch. (bsc#1236897 bsc#1243774)
- Refresh patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping-cpus.patch.
- commit 446c2ea
- btrfs: don't ignore inode missing when replaying log tree (git-fixes).
- commit 23b8b0c
- btrfs: fix inode lookup error handling during log replay (git-fixes).
- commit 2365a96
- lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897).
- Refresh patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number-initialized-masks.patch.
- commit 1ff1f6d
- btrfs: don't silently ignore unexpected extent type when replaying log (git-fixes).
- commit 45649bf
- btrfs: fix invalid inode pointer dereferences during log replay (git-fixes).
- commit b75fd3b
- KVM: x86: Drop pending_smi vs. INIT_RECEIVED check when setting MP_STATE (git-fixes).
- commit 5a81b3c
- btrfs: return a btrfs_inode from read_one_inode() (git-fixes).
- commit f365bc7
- btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes).
- commit 1b7aead
- KVM: SVM: Disable interception of SPEC_CTRL iff the MSR exists for the guest (git-fixes).
- commit 32d198b
- nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails (git-fixes).
- nvmet-tcp: fix callback lock for TLS handshake (git-fixes).
- nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes).
- nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes).
- nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes).
- commit 1304ce4
- KVM: TDX: Use kvm_arch_vcpu.host_debugctl to restore the host's DEBUGCTL (git-fixes).
- commit d8f0496
- btrfs: update superblock's device bytes_used when dropping chunk (git-fixes).
- commit a87918f
- Enable SMC_LO (a.k.a SMC-D) (jsc#PED-13256).
- commit 9164e38
- Fix bogus i915 patch backport (bsc#1238972)
  It's been already cherry-picked in 6.12 kernel itself.
- commit b66de0d
- RDMA/core: Rate limit GID cache warning messages (git-fixes)
- commit a5e809e
- Refresh patches.suse/s390-boot-Use-D__DISABLE_EXPORTS.patch.
- commit bcdca9e
- KVM: x86: Avoid calling kvm_is_mmio_pfn() when kvm_x86_ops.get_mt_mask is NULL (git-fixes).
- commit cc59aef
- Update config files.
- commit 40dfe08
- vsock/virtio: Validate length in packet header before skb_put() (git-fixes).
- commit 3f40097
- vhost/vsock: Avoid allocating arbitrarily-sized SKBs (git-fixes).
- commit b8d0767
- vhost: Reintroduce kthread API and add mode selection (git-fixes).
- commit 4f10d1a
- vhost-scsi: Fix log flooding with target does not exist errors (git-fixes).
- commit 35e2840
- virtio_net: Enforce minimum TX ring size for reliability (git-fixes).
- commit d86e0e3
- Refresh patches.suse/powerpc-pseries-dlpar-Search-DRC-index-from-ibm-drc-.patch.
- commit 8a56f7b
- virtio_ring: Fix error reporting in virtqueue_resize (git-fixes).
- commit 82b060c
- kernel-syms.spec: Drop old rpm release number hack (bsc#1247172).
- commit b4fa2d1
- xen/gntdev: remove struct gntdev_copy_batch from stack (git-fixes).
- commit 078d2c1
- rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes).
- rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes).
- rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes).
- rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes).
- rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes).
- rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes).
- ucount: fix atomic_long_inc_below() argument type (git-fixes).
- i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes).
- commit 24bca99
- xen: fix UAF in dmabuf_exp_from_pages() (git-fixes).
- commit b9557cc

++++ numactl:

- bsc#1247093 bsc#1246858
  Cleanup code by reverting 2 patches and get back to old has_preferred_many initialization.
  This allows to call numa_set_bind_policy early again.
  A Cleanup-No-need-to-suppress-possible-errno-anymore.patch
  A Cleanup-move-has_preferred_many-to-numa_init-again.patch

++++ tiff:

- bsc#1243503: Fix TIFFMergeFieldInfo() read_count=write_count=0
  + tiff-4.7.0-bsc1243503.patch
- security update:
  * CVE-2025-8176 [bsc#1247108] Fix heap use-after-free in tools/tiffmedian.c
    + tiff-CVE-2025-8176.patch
  * CVE-2025-8177 [bsc#1247106] Fix possible buffer overflow in tools/thumbnail.c:setrow()
    + tiff-CVE-2025-8177.patch

++++ net-tools:

- Fix a regression in net-tools-CVE-2025-46836.patch (bsc#1246608).

------------------------------------------------------------------
------------------ 2025-8-3 - Aug 3 2025 -------------------
------------------------------------------------------------------

++++ kernel-default:

- pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes).
- pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state() (git-fixes).
- pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes).
- fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes).
- firewire: ohci: correct code comments about bus_reset tasklet (git-fixes).
- commit 598b0ba

------------------------------------------------------------------
------------------ 2025-8-2 - Aug 2 2025 -------------------
------------------------------------------------------------------

++++ kernel-default:

- PCI: rockchip-host: Fix "Unexpected Completion" log message (git-fixes).
- PCI: imx6: Delay link start until configfs 'start' written (git-fixes).
- PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes).
- PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes).
- PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes).
- PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes).
- PCI: endpoint: Fix configfs group removal on driver teardown (git-fixes).
- PCI: endpoint: Fix configfs group list head handling (git-fixes).
- watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes).
- dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes).
- dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes).
- dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning (git-fixes).
- dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes).
- dmaengine: fsl-dpaa2-qdma: Drop unused mc_enc() (git-fixes).
- dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes).
- phy: qcom: phy-qcom-m31: Update IPQ5332 M31 USB phy initialization sequence (git-fixes).
- phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers (git-fixes).
- selftests: ALSA: fix memory leak in utimer test (git-fixes).
- ASoC: fsl_xcvr: get channel status data when PHY is not exists (git-fixes).
- ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes).
- soundwire: stream: restore params when prepare ports fail (git-fixes).
- drm/xe/vf: Disable CSC support on VF (git-fixes).
- drm/amd/display: fix initial backlight brightness calculation (git-fixes).
- drm/amdgpu: Initialize data to NULL in imu_v12_0_program_rlc_ram() (git-fixes).
- power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes).
- power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes).
- HID: apple: validate feature-report field count to prevent NULL pointer dereference (git-fixes).
- kasan: use vmalloc_dump_obj() for vmalloc error reports (git-fixes).
- ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes).
- ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx (stable-fixes).
- staging: vchiq_arm: Make vchiq_shutdown never fail (git-fixes).
- regulator: core: fix NULL dereference on unbind due to stale coupling data (stable-fixes).
- spi: cadence-quadspi: fix cleanup of rx_chan on failure paths (stable-fixes).
- platform/x86: asus-nb-wmi: add DMI quirk for ASUS Zenbook Duo UX8406CA (stable-fixes).
- usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes).
- usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes).
- usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes).
- commit 50f3301

------------------------------------------------------------------
------------------ 2025-8-1 - Aug 1 2025 -------------------
------------------------------------------------------------------

++++ busybox:

- revert the change to busybox.install.patch below. The logic will be needed only in busybox-links package when generating file lists.
- fix mkdir path to point to /usr/bin instead of /bin

++++ python-kiwi:

- Bump version: 10.2.30 → 10.2.31

++++ kernel-default:

- iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes).
- commit 86d87fb
- iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes).
- commit 9fabb61
- cgroup: Add compatibility option for content of /proc/cgroups (jsc#PED-12405).
- cgroup: Print message when /proc/cgroups is read on v2-only system (jsc#PED-12405).
- commit 764f23b
- Update patches.suse/ACPI-CPPC-Fix-NULL-pointer-dereference-when-nosmp-is.patch (git-fixes CVE-2025-38113 bsc#1245683).
- Update patches.suse/ACPICA-Refuse-to-evaluate-a-method-if-arguments-are-.patch (stable-fixes CVE-2025-38386 bsc#1247138).
- Update patches.suse/ACPICA-fix-acpi-operand-cache-leak-in-dswstate.c.patch (stable-fixes CVE-2025-38345 bsc#1246337).
- Update patches.suse/ACPICA-fix-acpi-parse-and-parseext-cache-leaks.patch (stable-fixes CVE-2025-38344 bsc#1246334).
- Update patches.suse/ALSA-ad1816a-Fix-potential-NULL-pointer-deref-in-snd.patch (git-fixes CVE-2025-38454 bsc#1247426).
- Update patches.suse/ALSA-usb-audio-Fix-out-of-bounds-read-in-snd_usb_get.patch (git-fixes CVE-2025-38249 bsc#1246171).
- Update patches.suse/ASoC-Intel-avs-Verify-content-returned-by-parse_int_.patch (git-fixes CVE-2025-38307 bsc#1246364).
- Update patches.suse/ASoC-SOF-Intel-hda-Use-devm_kstrdup-to-avoid-memleak.patch (stable-fixes CVE-2025-38438 bsc#1247157).
- Update patches.suse/ASoC-codecs-wcd9335-Fix-missing-free-of-regulator-su.patch (git-fixes CVE-2025-38259 bsc#1246220).
- Update patches.suse/ASoC-mediatek-mt8195-Set-ETDM1-2-IN-OUT-to-COMP_DUMM.patch (git-fixes CVE-2025-38299 bsc#1246290).
- Update patches.suse/Bluetooth-Disable-SCO-support-if-READ_VOICE_SETTING-.patch (stable-fixes CVE-2025-38099 bsc#1245671).
- Update patches.suse/Bluetooth-Fix-NULL-pointer-deference-on-eir_get_serv.patch (git-fixes CVE-2025-38304 bsc#1246240).
- Update patches.suse/Bluetooth-Fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch (git-fixes CVE-2025-38473 bsc#1247289).
- Update patches.suse/Bluetooth-MGMT-Fix-UAF-on-mgmt_remove_adv_monitor_co.patch (git-fixes CVE-2025-38118 bsc#1245670).
- Update patches.suse/Bluetooth-MGMT-reject-malformed-HCI_CMD_SYNC-command.patch (git-fixes CVE-2025-38128 bsc#1245703).
- Update patches.suse/Bluetooth-btintel-Check-dsbr-size-from-EFI-variable.patch (git-fixes CVE-2025-38315 bsc#1246333).
- Update patches.suse/Bluetooth-eir-Fix-possible-crashes-on-eir_create_adv.patch (git-fixes CVE-2025-38303 bsc#1246354).
- Update patches.suse/HID-core-do-not-bypass-hid_hw_raw_request.patch (stable-fixes CVE-2025-38494 bsc#1247349).
- Update patches.suse/HID-core-ensure-the-allocated-report-buffer-can-cont.patch (stable-fixes CVE-2025-38495 bsc#1247348).
- Update patches.suse/HID-wacom-fix-crash-in-wacom_aes_battery_handler.patch (git-fixes CVE-2025-38253 bsc#1246192).
- Update patches.suse/IB-cm-Drop-lockdep-assert-and-WARN-when-freeing-old-.patch (git-fixes CVE-2025-38287 bsc#1246285).
- Update patches.suse/IB-mlx5-Fix-potential-deadlock-in-MR-deregistration.patch (git-fixes CVE-2025-38373 bsc#1247033).
- Update patches.suse/Input-cs40l50-vibra-fix-potential-NULL-dereference-i.patch (git-fixes CVE-2025-38381 bsc#1247027).
- Update patches.suse/Input-gpio-keys-fix-a-sleep-while-atomic-with-PREEMP.patch (git-fixes CVE-2025-38335 bsc#1246250).
- Update patches.suse/Input-ims-pcu-check-record-size-in-ims_pcu_flash_fir.patch (git-fixes CVE-2025-38428 bsc#1247150).
- Update patches.suse/KVM-SVM-Reject-SEV-ES-intra-host-migration-if-vCPU-c.patch (git-fixes CVE-2025-38455 bsc#1247101).
- Update patches.suse/NFC-nci-uart-Set-tty-disc_data-only-in-success-path.patch (git-fixes CVE-2025-38416 bsc#1247151).
- Update patches.suse/NFSD-fix-race-between-nfsd-registration-and-exports_proc.patch (git-fixes CVE-2025-38232 bsc#1246054).
- Update patches.suse/NFSv4-pNFS-Fix-a-race-to-wake-on-NFS_LAYOUT_DRAIN.patch (git-fixes CVE-2025-38393 bsc#1247170).
- Update patches.suse/PCI-pwrctrl-Cancel-outstanding-rescan-work-when-unre.patch (git-fixes CVE-2025-38137 bsc#1245721).
- Update patches.suse/RDMA-cma-Fix-hang-when-cma_netevent_callback-fails-t.patch (git-fixes CVE-2025-38151 bsc#1245745).
- Update patches.suse/RDMA-iwcm-Fix-use-after-free-of-work-objects-after-c.patch (git-fixes CVE-2025-38211 bsc#1246008).
- Update patches.suse/RDMA-mlx5-Fix-error-flow-upon-firmware-failure-for-R.patch (git-fixes CVE-2025-38161 bsc#1245777).
- Update patches.suse/RDMA-mlx5-Fix-unsafe-xarray-access-in-implicit-ODP-h.patch (git-fixes CVE-2025-38372 bsc#1247020).
- Update patches.suse/RDMA-mlx5-Initialize-obj_event-obj_sub_list-before-x.patch (git-fixes CVE-2025-38387 bsc#1247154).
- Update patches.suse/Squashfs-check-return-result-of-sb_min_blocksize.patch (git-fixes CVE-2025-38415 bsc#1247147).
- Update patches.suse/VMCI-fix-race-between-vmci_host_setup_notify-and-vmc.patch (git-fixes CVE-2025-38102 bsc#1245669).
- Update patches.suse/aoe-clean-device-rq_list-in-aoedev_downdev.patch (git-fixes CVE-2025-38326 bsc#1246490).
- Update patches.suse/arm64-fpsimd-Avoid-clobbering-kernel-FPSIMD-state-with-SMS.patch (git-fixes CVE-2025-38169 bsc#1245784).
- Update patches.suse/arm64-fpsimd-Discard-stale-CPU-state-when-handling-SME-tra.patch (git-fixes CVE-2025-38170 bsc#1245785).
- Update patches.suse/ata-pata_via-Force-PIO-for-ATAPI-devices-on-VT6415-V.patch (stable-fixes CVE-2025-38336 bsc#1246370).
- Update patches.suse/backlight-pm8941-Add-NULL-check-in-wled_configure.patch (git-fixes CVE-2025-38143 bsc#1245714).
- Update patches.suse/block-don-t-use-submit_bio_noacct_nocheck-in-blk_zone_wplu.patch (git-fixes CVE-2025-38302 bsc#1246353).
- Update patches.suse/bnxt-properly-flush-XDP-redirect-lists.patch (git-fixes CVE-2025-38246 bsc#1246195).
- Update patches.suse/bnxt_en-Fix-double-invocation-of-bnxt_ulp_stop-bnxt_.patch (git-fixes CVE-2025-38186 bsc#1245955).
- Update patches.suse/bpf-sockmap-Fix-panic-when-calling-skb_linearize.patch (bsc#1245749 CVE-2025-38154 CVE-2025-38165 bsc#1245757).
- Update patches.suse/bus-fsl-mc-fix-double-free-on-mc_dev.patch (git-fixes CVE-2025-38313 bsc#1246342).
- Update patches.suse/bus-mhi-ep-Update-read-pointer-only-after-buffer-is-.patch (git-fixes CVE-2025-38429 bsc#1247253).
- Update patches.suse/calipso-Fix-null-ptr-deref-in-calipso_req_-set-del-a.patch (git-fixes CVE-2025-38181 bsc#1246000).
- Update patches.suse/can-kvaser_pciefd-refine-error-prone-echo_skb_max-ha.patch (git-fixes CVE-2025-38224 bsc#1246166).
- Update patches.suse/clk-imx-Fix-an-out-of-bounds-access-in-dispmix_csr_c.patch (git-fixes CVE-2025-38446 bsc#1247231).
- Update patches.suse/comedi-Fail-COMEDI_INSNLIST-ioctl-if-n_insns-is-too-.patch (git-fixes CVE-2025-38481 bsc#1247276).
- Update patches.suse/comedi-Fix-initialization-of-data-for-instructions-t.patch (git-fixes CVE-2025-38478 bsc#1247273).
- Update patches.suse/comedi-Fix-use-of-uninitialized-data-in-insn_rw_emul.patch (git-fixes CVE-2025-38480 bsc#1247274).
- Update patches.suse/comedi-das16m1-Fix-bit-shift-out-of-bounds.patch (git-fixes CVE-2025-38483 bsc#1247278).
- Update patches.suse/comedi-das6402-Fix-bit-shift-out-of-bounds.patch (git-fixes CVE-2025-38482 bsc#1247277).
- Update patches.suse/crypto-marvell-cesa-Handle-zero-length-skcipher-requ.patch (git-fixes CVE-2025-38173 bsc#1245769).
- Update patches.suse/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch (git-fixes CVE-2025-38300 bsc#1246349).
- Update patches.suse/dm-bufio-fix-sched-in-atomic-context.patch (git-fixes CVE-2025-38496 bsc#1247284).
- Update patches.suse/dm-fix-dm_blk_report_zones.patch (CVE-2025-38140 bsc#1245717 CVE-2025-38141 bsc#1245715).
- Update patches.suse/dma-buf-insert-memory-barrier-before-updating-num_fe.patch (git-fixes CVE-2025-38095 bsc#1245658).
- Update patches.suse/dmaengine-idxd-Check-availability-of-workqueue-alloc.patch (stable-fixes CVE-2025-38369 bsc#1247209).
- Update patches.suse/dmaengine-ti-Add-NULL-check-in-udma_probe.patch (git-fixes CVE-2025-38138 bsc#1245719).
- Update patches.suse/drivers-rapidio-rio_cm.c-prevent-possible-heap-overw.patch (stable-fixes CVE-2025-38090 bsc#1245510).
- Update patches.suse/drm-amd-display-Add-null-pointer-check-for-get_first.patch (git-fixes CVE-2025-38362 bsc#1247089).
- Update patches.suse/drm-amd-display-Check-dce_hwseq-before-dereferencing.patch (stable-fixes CVE-2025-38361 bsc#1247079).
- Update patches.suse/drm-amd-display-Don-t-treat-wb-connector-as-physical.patch (stable-fixes CVE-2025-38098 bsc#1245654).
- Update patches.suse/drm-amd-display-check-stream-id-dml21-wrapper-to-get.patch (stable-fixes CVE-2025-38091 bsc#1245621).
- Update patches.suse/drm-amd-pp-Fix-potential-NULL-pointer-dereference-in.patch (git-fixes CVE-2025-38319 bsc#1246243).
- Update patches.suse/drm-exynos-exynos7_drm_decon-add-vblank-check-in-IRQ.patch (git-fixes CVE-2025-38467 bsc#1247146).
- Update patches.suse/drm-gem-Acquire-references-on-GEM-handles-for-frameb.patch (stable-fixes CVE-2025-38449 bsc#1247255).
- Update patches.suse/drm-i915-gt-Fix-timeline-left-held-on-VMA-alloc-erro.patch (git-fixes CVE-2025-38389 bsc#1247153).
- Update patches.suse/drm-msm-Fix-a-fence-leak-in-submit-error-path.patch (stable-fixes CVE-2025-38410 bsc#1247128).
- Update patches.suse/drm-msm-Fix-another-leak-in-the-submit-error-path.patch (stable-fixes CVE-2025-38409 bsc#1247285).
- Update patches.suse/drm-msm-a7xx-Call-CP_RESET_CONTEXT_STATE.patch (git-fixes CVE-2025-38188 bsc#1246098).
- Update patches.suse/drm-msm-gpu-Fix-crash-when-throttling-GPU-immediatel.patch (git-fixes CVE-2025-38354 bsc#1247061).
- Update patches.suse/drm-scheduler-signal-scheduled-fence-when-kill-job.patch (stable-fixes CVE-2025-38436 bsc#1247227).
- Update patches.suse/drm-tegra-Fix-a-possible-null-pointer-dereference.patch (git-fixes CVE-2025-38363 bsc#1247018).
- Update patches.suse/drm-v3d-Avoid-NULL-pointer-dereference-in-v3d_job_up.patch (stable-fixes CVE-2025-38189 bsc#1245812).
- Update patches.suse/drm-v3d-Disable-interrupts-before-resetting-the-GPU.patch (git-fixes CVE-2025-38371 bsc#1247178).
- Update patches.suse/drm-xe-Fix-taking-invalid-lock-on-wedge.patch (stable-fixes CVE-2025-38353 bsc#1247265).
- Update patches.suse/drm-xe-Process-deferred-GGTT-node-removals-on-device.patch (git-fixes CVE-2025-38355 bsc#1247062).
- Update patches.suse/drm-xe-guc-Explicitly-exit-CT-safe-mode-on-unwind.patch (git-fixes CVE-2025-38356 bsc#1247064).
- Update patches.suse/e1000-Move-cancel_work_sync-to-avoid-deadlock.patch (git-fixes CVE-2025-38114 bsc#1245686).
- Update patches.suse/erofs-avoid-using-multiple-devices-with-different-type.patch (git-fixes CVE-2025-38172 bsc#1245787).
- Update patches.suse/fbcon-Make-sure-modelist-not-set-on-unregistered-con.patch (stable-fixes CVE-2025-38198 bsc#1245952).
- Update patches.suse/fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch (git-fixes CVE-2025-38215 bsc#1246109).
- Update patches.suse/fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch (git-fixes CVE-2025-38214 bsc#1246042).
- Update patches.suse/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch (git-fixes CVE-2025-38312 bsc#1246386).
- Update patches.suse/firmware-arm_ffa-Fix-memory-leak-by-freeing-notifier.patch (git-fixes CVE-2025-38390 bsc#1247088).
- Update patches.suse/fpga-fix-potential-null-pointer-deref-in-fpga_mgr_te.patch (git-fixes CVE-2025-38274 bsc#1246234).
- Update patches.suse/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch (git-fixes CVE-2025-38338 bsc#1246258).
- Update patches.suse/gve-add-missing-NULL-check-for-gve_alloc_pending_pac.patch (git-fixes CVE-2025-38122 bsc#1245746).
- Update patches.suse/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch (git-fixes CVE-2025-38142 bsc#1245713).
- Update patches.suse/hwmon-ftsteutates-Fix-TOCTOU-race-in-fts_read.patch (git-fixes CVE-2025-38217 bsc#1246002).
- Update patches.suse/i2c-designware-Fix-an-initialization-issue.patch (git-fixes CVE-2025-38380 bsc#1247028).
- Update patches.suse/i2c-tegra-check-msg-length-in-SMBUS-block-read.patch (bsc#1242086 CVE-2025-38425 bsc#1247251).
- Update patches.suse/ice-fix-Tx-scheduler-error-handling-in-XDP-callback.patch (git-fixes CVE-2025-38127 bsc#1245705).
- Update patches.suse/ice-fix-eswitch-code-memory-leak-in-reset-scenario.patch (git-fixes CVE-2025-38417 bsc#1247282).
- Update patches.suse/iio-accel-fxls8962af-Fix-use-after-free-in-fxls8962a.patch (git-fixes CVE-2025-38485 bsc#1247236).
- Update patches.suse/iio-backend-fix-out-of-bound-write.patch (git-fixes CVE-2025-38484 bsc#1247235).
- Update patches.suse/maple_tree-fix-MA_STATE_PREALLOC-flag-in-mas_preallo.patch (git-fixes CVE-2025-38364 bsc#1247091).
- Update patches.suse/media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch (git-fixes CVE-2025-38229 bsc#1246049).
- Update patches.suse/media-imagination-fix-a-potential-memory-leak-in-e50.patch (git-fixes CVE-2025-38228 bsc#1245814).
- Update patches.suse/media-imx-jpeg-Cleanup-after-an-allocation-error.patch (git-fixes CVE-2025-38225 bsc#1246041).
- Update patches.suse/media-vidtv-Terminating-the-subsequent-process-of-in.patch (git-fixes CVE-2025-38227 bsc#1246031).
- Update patches.suse/media-vivid-Change-the-siize-of-the-composing.patch (git-fixes CVE-2025-38226 bsc#1246050).
- Update patches.suse/misc-tps6594-pfsm-Add-NULL-pointer-check-in-tps6594_.patch (stable-fixes CVE-2025-38368 bsc#1247022).
- Update patches.suse/mtd-nand-ecc-mxic-Fix-use-of-uninitialized-variable-.patch (git-fixes CVE-2025-38277 bsc#1246246).
- Update patches.suse/mtd-spinand-fix-memory-leak-of-ECC-engine-conf.patch (stable-fixes CVE-2025-38384 bsc#1247035).
- Update patches.suse/mtk-sd-Prevent-memory-corruption-from-DMA-map-failur.patch (git-fixes CVE-2025-38401 bsc#1247125).
- Update patches.suse/nbd-fix-uaf-in-nbd_genl_connect-error-path.patch (git-fixes CVE-2025-38443 bsc#1247164).
- Update patches.suse/net-Fix-TOCTOU-issue-in-sk_is_readable.patch (git-fixes CVE-2025-38112 bsc#1245668).
- Update patches.suse/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch (git-fixes CVE-2025-38124 bsc#1245690).
- Update patches.suse/net-mdiobus-Fix-potential-out-of-bounds-clause-45-re.patch (git-fixes CVE-2025-38110 bsc#1245665).
- Update patches.suse/net-mdiobus-Fix-potential-out-of-bounds-read-write-a.patch (git-fixes CVE-2025-38111 bsc#1245666).
- Update patches.suse/net-mlx5-Fix-ECVF-vports-unload-on-shutdown-flow.patch (git-fixes CVE-2025-38109 bsc#1245684).
- Update patches.suse/net-phy-clear-phydev-devlink-when-the-link-is-delete.patch (git-fixes CVE-2025-38149 bsc#1245737).
- Update patches.suse/net-phy-mscc-Fix-memory-leak-when-using-one-step-tim.patch (git-fixes CVE-2025-38148 bsc#1245735).
- Update patches.suse/net-sched-Return-NULL-when-htb_lookup_leaf-encounter.patch (git-fixes CVE-2025-38468 bsc#1247437).
- Update patches.suse/net-sched-fix-use-after-free-in-taprio_dev_notifier.patch (git-fixes CVE-2025-38087 bsc#1245504).
- Update patches.suse/net-sched-sch_qfq-Fix-race-condition-on-qfq_aggregat.patch (git-fixes CVE-2025-38477 bsc#1247314).
- Update patches.suse/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch (CVE-2025-38052 bsc#1244749 CVE-2025-38273 bsc#1246266).
- Update patches.suse/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch (git-fixes CVE-2025-38153 bsc#1245744).
- Update patches.suse/net-usb-lan78xx-fix-WARN-in-__netif_napi_del_locked-.patch (git-fixes CVE-2025-38385 bsc#1247149).
- Update patches.suse/net-wwan-t7xx-Fix-napi-rx-poll-issue.patch (git-fixes CVE-2025-38123 bsc#1245688).
- Update patches.suse/net_sched-ets-fix-a-race-in-ets_qdisc_change.patch (git-fixes CVE-2025-38107 bsc#1245676).
- Update patches.suse/net_sched-red-fix-a-race-in-__red_change.patch (git-fixes CVE-2025-38108 bsc#1245675).
- Update patches.suse/net_sched-sch_sfq-reject-invalid-perturb-period.patch (git-fixes CVE-2025-38193 bsc#1245945).
- Update patches.suse/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch (git-fixes CVE-2025-38120 bsc#1245711).
- Update patches.suse/nfs-Clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_init-fails.patch (git-fixes CVE-2025-38400 bsc#1247123).
- Update patches.suse/nfsd-Initialize-ssc-before-laundromat_work-to-prevent-NULL-dereference.patch (git-fixes CVE-2025-38231 bsc#1246055).
- Update patches.suse/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch (git-fixes CVE-2025-38430 bsc#1247160).
- Update patches.suse/nvme-multipath-fix-suspicious-RCU-usage-warning.patch (git-fixes CVE-2025-38397 bsc#1247163).
- Update patches.suse/nvme-tcp-remove-tag-set-when-second-admin-queue-conf.patch (git-fixes CVE-2025-38209 bsc#1246022).
- Update patches.suse/nvmet-fix-memory-leak-of-bio-integrity.patch (git-fixes CVE-2025-38405 bsc#1247270).
- Update patches.suse/octeontx2-pf-QOS-Refactor-TC_HTB_LEAF_DEL_LAST-callb.patch (git-fixes CVE-2025-38278 bsc#1246255).
- Update patches.suse/page_pool-Fix-use-after-free-in-page_pool_recycle_in.patch (git-fixes CVE-2025-38129 bsc#1245723).
- Update patches.suse/perf-Fix-sample-vs-do_exit.patch (bsc#1246547 CVE-2025-38424 bsc#1247293).
- Update patches.suse/perf-Revert-to-requiring-CAP_SYS_ADMIN-for-uprobes.patch (git-fixes CVE-2025-38466 bsc#1247442).
- Update patches.suse/phy-qcom-qmp-usb-Fix-an-NULL-vs-IS_ERR-bug.patch (git-fixes CVE-2025-38275 bsc#1246236).
- Update patches.suse/pinctrl-at91-Fix-possible-out-of-boundary-access.patch (git-fixes CVE-2025-38286 bsc#1246283).
- Update patches.suse/platform-x86-amd-pmf-Use-device-managed-allocations.patch (git-fixes CVE-2025-38421 bsc#1247130).
- Update patches.suse/platform-x86-dell-wmi-sysman-Fix-WMI-data-block-retr.patch (git-fixes CVE-2025-38412 bsc#1247132).
- Update patches.suse/platform-x86-dell_rbu-Fix-list-usage.patch (git-fixes CVE-2025-38197 bsc#1246047).
- Update patches.suse/powerpc-bpf-fix-JIT-code-size-calculation-of-bpf-tra.patch (jsc#PED-10909 git-fixes CVE-2025-38339 bsc#1246259).
- Update patches.suse/powerpc-powernv-memtrace-Fix-out-of-bounds-issue-in-.patch (bsc#1244309 ltc#213790 CVE-2025-38088 bsc#1245506).
- Update patches.suse/powerpc64-ftrace-fix-clobbered-r15-during-livepatchi.patch (jsc#PED-10909 git-fixes CVE-2025-38233 bsc#1246053).
- Update patches.suse/ptp-remove-ptp-n_vclocks-check-logic-in-ptp_vclock_i.patch (git-fixes CVE-2025-38305 bsc#1246358).
- Update patches.suse/regulator-gpio-Fix-the-out-of-bounds-access-to-drvda.patch (git-fixes CVE-2025-38395 bsc#1247171).
- Update patches.suse/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch (git-fixes CVE-2025-38377 bsc#1247174).
- Update patches.suse/rpl-Fix-use-after-free-in-rpl_do_srh_inline.patch (git-fixes CVE-2025-38476 bsc#1247317).
- Update patches.suse/s390-bpf-Fix-bpf_arch_text_poke-with-new_addr-NULL-again.patch (git-fixes bsc#1246868 CVE-2025-38489 bsc#1247241).
- Update patches.suse/s390-pkey-Prevent-overflow-in-size-calculation-for-memdup_.patch (git-fixes bsc#1245596 CVE-2025-38257 bsc#1246186).
- Update patches.suse/sch_hfsc-make-hfsc_qlen_notify-idempotent.patch (CVE-2025-37798 bsc#1242414 CVE-2025-38177 bsc#1245986).
- Update patches.suse/sched-rt-Fix-race-in-push_rt_task.patch (bsc#1234634 (Scheduler functional and performance backports) CVE-2025-38234 bsc#1246057).
- Update patches.suse/scsi-lpfc-Avoid-potential-ndlp-use-after-free-in-dev.patch (bsc#1242995 CVE-2025-38289 bsc#1246287).
- Update patches.suse/scsi-lpfc-Use-memcpy-for-BIOS-version.patch (bsc#1240966 CVE-2025-38332 bsc#1246375).
- Update patches.suse/scsi-smartpqi-Fix-smp_processor_id-call-trace-for-preempti.patch (git-fixes CVE-2025-38288 bsc#1246286).
- Update patches.suse/serial-Fix-potential-null-ptr-deref-in-mlb_usio_prob.patch (git-fixes CVE-2025-38135 bsc#1246023).
- Update patches.suse/serial-jsm-fix-NPE-during-jsm_uart_port_init.patch (git-fixes CVE-2025-38265 bsc#1246244).
- Update patches.suse/soc-aspeed-Add-NULL-check-in-aspeed_lpc_enable_snoop.patch (git-fixes CVE-2025-38145 bsc#1245765).
- Update patches.suse/soc-aspeed-lpc-snoop-Don-t-disable-channels-that-are.patch (git-fixes CVE-2025-38487 bsc#1247238).
- Update patches.suse/software-node-Correct-a-OOB-check-in-software_node_g.patch (stable-fixes CVE-2025-38342 bsc#1246453).
- Update patches.suse/sunrpc-handle-SVC_GARBAGE-during-svc-auth-processing-as-auth-error.patch (git-fixes CVE-2025-38089 bsc#1245508).
- Update patches.suse/thunderbolt-Do-not-double-dequeue-a-configuration-re.patch (stable-fixes CVE-2025-38174 bsc#1245781).
- Update patches.suse/usb-acpi-Prevent-null-pointer-dereference-in-usb_acp.patch (git-fixes CVE-2025-38134 bsc#1245678).
- Update patches.suse/usb-chipidea-udc-disconnect-reconnect-from-host-when.patch (git-fixes CVE-2025-38376 bsc#1247176).
- Update patches.suse/usb-gadget-u_serial-Fix-race-condition-in-TTY-wakeup.patch (git-fixes CVE-2025-38448 bsc#1247233).
- Update patches.suse/usb-net-sierra-check-for-no-status-endpoint.patch (git-fixes CVE-2025-38474 bsc#1247311).
- Update patches.suse/usb-renesas_usbhs-Reorder-clock-handling-and-power-m.patch (git-fixes CVE-2025-38136 bsc#1245691).
- Update patches.suse/usb-typec-altmodes-displayport-do-not-index-invalid-.patch (git-fixes CVE-2025-38391 bsc#1247181).
- Update patches.suse/usb-typec-displayport-Fix-potential-deadlock.patch (git-fixes CVE-2025-38404 bsc#1247271).
- Update patches.suse/usb-typec-tcpm-move-tcpm_queue_vdm_unlocked-to-async.patch (git-fixes CVE-2025-38268 bsc#1246385).
- Update patches.suse/vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch (git-fixes CVE-2025-38213 bsc#1246037).
- Update patches.suse/video-screen_info-Update-framebuffers-behind-PCI-bri.patch (bsc#1240696 CVE-2025-38427 bsc#1247152).
- Update patches.suse/virtio-net-ensure-the-received-length-does-not-excee.patch (git-fixes CVE-2025-38375 bsc#1247177).
- Update patches.suse/virtio-net-xsk-rx-fix-the-frame-s-length-check.patch (git-fixes CVE-2025-38413 bsc#1247131).
- Update patches.suse/vsock-Fix-transport_-TOCTOU.patch (git-fixes CVE-2025-38461 bsc#1247103).
- Update patches.suse/vsock-Fix-transport_-g2h-h2g-TOCTOU.patch (git-fixes CVE-2025-38462 bsc#1247104).
- Update patches.suse/vsock-vmci-Clear-the-vmci-transport-packet-properly-.patch (git-fixes CVE-2025-38403 bsc#1247141).
- Update patches.suse/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch (git-fixes CVE-2025-38293 bsc#1246292).
- Update patches.suse/wifi-ath12k-Fix-buffer-overflow-in-debugfs.patch (git-fixes CVE-2025-38317 bsc#1246443).
- Update patches.suse/wifi-ath12k-Prevent-sending-WMI-commands-to-firmware.patch (bsc#1240998 CVE-2025-38291 bsc#1246297).
- Update patches.suse/wifi-ath12k-fix-GCC_GCC_PCIE_HOT_RST-definition-for-.patch (git-fixes CVE-2025-38414 bsc#1247145).
- Update patches.suse/wifi-ath12k-fix-invalid-access-to-memory.patch (git-fixes CVE-2025-38292 bsc#1246295).
- Update patches.suse/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch (git-fixes CVE-2025-38290 bsc#1246293).
- Update patches.suse/wifi-ath6kl-remove-WARN-on-bad-firmware-input.patch (stable-fixes CVE-2025-38406 bsc#1247210).
- Update patches.suse/wifi-ath9k_htc-Abort-software-beacon-handling-if-dis.patch (git-fixes CVE-2025-38157 bsc#1245747).
- Update patches.suse/wifi-carl9170-do-not-ping-device-which-has-failed-to.patch (git-fixes CVE-2025-38420 bsc#1247279).
- Update patches.suse/wifi-iwlwifi-don-t-warn-when-if-there-is-a-FW-error.patch (stable-fixes CVE-2025-38096 bsc#1245657).
- Update patches.suse/wifi-mt76-mt7915-Fix-null-ptr-deref-in-mt7915_mmio_w.patch (git-fixes CVE-2025-38155 bsc#1245748).
- Update patches.suse/wifi-mt76-mt7925-prevent-NULL-pointer-dereference-in.patch (git-fixes CVE-2025-38450 bsc#1247376).
- Update patches.suse/wifi-mt76-mt7996-Fix-null-ptr-deref-in-mt7996_mmio_w.patch (git-fixes CVE-2025-38156 bsc#1246034).
- Update patches.suse/wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch (stable-fixes CVE-2025-38343 bsc#1246438).
- Update patches.suse/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_re.patch (git-fixes CVE-2025-38348 bsc#1246262).
- Update patches.suse/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch (git-fixes CVE-2025-38159 bsc#1245751).
- commit 8064d69
- ipv6: annotate data-races around rt->fib6_nsiblings (git-fixes).
- commit 4b09993
- ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes).
- commit b0133f0
- ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes).
- commit a1d8794
- net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes).
- commit 21bb04b
- spi: cs42l43: Property entry should be a null-terminated array (bsc#1246979).
- commit 2043cd1
- Move upstreamed sched, SCSI and ACPI patches into sorted section
- commit 836e139
- selftests/bpf: Fix selection of static vs. dynamic LLVM
  Bring git fixes for commit 4ed92da84b67 ("selftests/bpf: Support dynamically linking LLVM if static is not available")
- commit 7a43a26
- media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes).
- commit 1e731e7
- maple_tree: fix status setup on restore to active (git-fixes).
- mtd: rawnand: atmel: set pmecc data setup time (git-fixes).
- mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes).
- mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes).
- mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes).
- mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes).
- mtd: rawnand: renesas: Add missing check after DMA map (git-fixes).
- mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes).
- mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER (git-fixes).
- mtd: fix possible integer overflow in erase_xfer() (git-fixes).
- clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src (git-fixes).
- clk: imx95-blk-ctl: Fix synchronous abort (git-fixes).
- clk: at91: sam9x7: update pll clk ranges (git-fixes).
- clk: thead: th1520-ap: Correctly refer the parent of osc_12m (git-fixes).
- clk: sunxi-ng: v3s: Fix de clock definition (git-fixes).
- clk: samsung: exynos850: fix a comment (git-fixes).
- clk: samsung: gs101: fix alternate mout_hsi0_usb20_ref parent clock (git-fixes).
- clk: samsung: gs101: fix CLK_DOUT_CMU_G3D_BUSD (git-fixes).
- clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv clocks (git-fixes).
- clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes).
- clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes).
- clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes).
- hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes).
- pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes).
- media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() (git-fixes).
- media: uvcvideo: Do not mark valid metadata as invalid (git-fixes).
- media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes).
- media: ti: j721e-csi2rx: fix list_del corruption (git-fixes).
- media: hi556: correct the test pattern configuration (git-fixes).
- media: ipu6: isys: Use correct pads for xlate_streams() (git-fixes).
- media: vivid: fix wrong pixel_array control size (git-fixes).
- media: qcom: camss: cleanup media device allocated resource on error path (git-fixes).
- media: venus: Fix MSM8998 frequency table (git-fixes).
- media: venus: hfi: explicitly release IRQ during teardown (git-fixes).
- media: venus: Fix OOB read due to missing payload bound check (git-fixes).
- media: venus: Add a check for packet size after reading from shared memory (git-fixes).
- media: venus: protect against spurious interrupts during probe (git-fixes).
- media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes).
- media: pisp_be: Fix pm_runtime underrun in probe (git-fixes).
- media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls (git-fixes).
- media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() (git-fixes).
- media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval (git-fixes).
- media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes).
- media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes).
- media: verisilicon: Fix AV1 decoder clock frequency (git-fixes).
- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes).
- media: gspca: Add bounds checking to firmware parser (git-fixes).
- media: usbtv: Lock resolution while streaming (git-fixes).
- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes).
- Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" (git-fixes).
- leds: flash: leds-qcom-flash: Fix registry access after re-bind (git-fixes).
- mfd: cros_ec: Separate charge-control probing from USB-PD (git-fixes).
- crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes).
- crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes).
- crypto: qat - flush misc workqueue during device shutdown (git-fixes).
- crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes).
- crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes).
- hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes).
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes).
- crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes).
- crypto: ccp - Fix locking on alloc failure handling (git-fixes).
- crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP (git-fixes).
- crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes).
- crypto: qat - fix state restore for banks with exceptions (git-fixes).
- crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes).
- crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes).
- crypto: qat - use unmanaged allocation for dc_data (git-fixes).
- crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes).
- commit ae512ba
- RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes)
- commit e78882a
- x86/rdrand: Disable RDSEED on AMD Cyan Skillfish (git-fixes).
- commit 3ccca36
- x86/cacheinfo: Properly parse CPUID(0x80000006) L2/L3 associativity (git-fixes).
- commit a5b12b1
- RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes)
- commit 5241bbd
- x86/cacheinfo: Properly parse CPUID(0x80000005) L1d/L1i associativity (git-fixes).
- commit 530f80b
- x86/cpu: Sanitize CPUID(0x80000000) output (git-fixes).
- commit 8c1593e
- RDMA/hns: Fix -Wframe-larger-than issue (git-fixes)
- commit 160aaf0
- RDMA/hns: Drop GFP_NOWARN (git-fixes)
- commit 3983b2d
- RDMA/hns: Fix accessing uninitialized resources (git-fixes)
- commit 020f808
- RDMA/hns: Get message length of ack_req from FW (git-fixes)
- commit ed23840
- RDMA/hns: Fix HW configurations not cleared in error flow (git-fixes)
- commit 17d9c9c
- RDMA/hns: Fix double destruction of rsv_qp (git-fixes)
- commit 127df58
- Fix dma_unmap_sg() nents value (git-fixes)
- commit 72c9bb9
- RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes)
- commit e32f637
- RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes)
- commit 066fc2e
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes)
- commit 876344b
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes)
- commit 84b0982
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes)
- commit 5d5e159
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes)
- commit 1d83d68
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes)
- commit 880cd69
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes)
- commit 1e737a4
++++ python313-core:
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
++++ python313:
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
------------------------------------------------------------------
------------------ 2025-7-31 - Jul 31 2025 -------------------
------------------------------------------------------------------
++++ python-kiwi:
- Consolidate device lock into its own method
  Add set_device_lock method which uses udevadm lock preferably but also supports an flock fallback in case there is no lock command provided via systemd/udev
- Fix bug in shell condition
  The shell code test ... || warn A; warn B will always print the warning for B despite the test result. This led to the warning message "Settings from the kiwi description will be ignored" to be printed always. This commit fixes it with a clean if/then condition
++++ kernel-default:
- tcp: Correct signedness in skb remaining space calculation (CVE-2025-38463 bsc#1247113).
- net/sched: Always pass notifications when child class becomes empty (CVE-2025-38350 bsc#1246781).
- commit 3e7e03b
- wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes).
- wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes).
- commit f109748
- drm/amdgpu/gfx10: fix kiq locking in KCQ reset (git-fixes).
- drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset (git-fixes).
- drm/amdgpu/gfx9: fix kiq locking in KCQ reset (git-fixes).
- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes).
- drm/xe/uapi: Correct sync type definition in comments (git-fixes).
- fbcon: Fix outdated registered_fb reference in comment (git-fixes).
- drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes).
- drm/amdgpu: Remove nbiov7.9 replay count reporting (git-fixes).
- drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes).
- drm/panthor: Add missing explicit padding in drm_panthor_gpu_info (git-fixes).
- drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes).
- drm/connector: hdmi: Evaluate limited range after computing format (git-fixes).
- drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes).
- can: peak_usb: fix USB FD devices potential malfunction (git-fixes).
- net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes).
- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes).
- can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes).
- can: kvaser_pciefd: Store device channel index (git-fixes).
- Bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes).
- wifi: nl80211: Set num_sub_specs before looping through sub_specs (git-fixes).
- wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon() (git-fixes).
- wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes).
- wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes).
- wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes).
- wifi: ath12k: fix source ring-buffer corruption (git-fixes).
- wifi: ath12k: fix dest ring-buffer corruption (git-fixes).
- wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes).
- wifi: ath11k: fix source ring-buffer corruption (git-fixes).
- wifi: ath11k: fix dest ring-buffer corruption (git-fixes).
- wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes).
- wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes).
- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes).
- Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" (git-fixes).
- wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes).
- wifi: mac80211: Don't call fq_flow_idx() for management frames (git-fixes).
- wifi: mac80211: Do not schedule stopped TXQs (git-fixes).
- wifi: plfxlc: Fix error handling in usb driver probe (git-fixes).
- wifi: mac80211: reject TDLS operations when station is not associated (git-fixes).
- wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes).
- wifi: rtw88: Fix macid assigned to TDLS station (git-fixes).
- wifi: rtl8xxxu: Fix RX skb size for aggregation disabled (git-fixes).
- mwl8k: Add missing check after DMA map (git-fixes).
- iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes).
- wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes).
- wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes).
- wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes).
- wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() (git-fixes).
- staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (git-fixes).
- commit 2967d89
- RDMA/mlx5: Fix UMR modifying of mkey page size (git-fixes)
- commit 2bdec98
++++ systemd:
- Remove the script used to help migrating the language and locale settings located in /etc/sysconfig/language on old systems to the systemd default locations (bsc#1247074)
  The script was introduced more than 7 years ago and all systems running TW should have been migrated since then. Moreover the installer supports the systemd default locations since approximately SLE15.
++++ libzypp:
- Append RepoInfo::path() to the mirror URLs in Preloader (bsc#1247054)
- version 17.37.15 (35)
++++ selinux-policy:
- Update to version 20250627+git66.15675827a:
  * Set /srv/tftpboot = /var/lib/tftpboot as equivalent file context (bsc#1247381)
  * Create unconfined type for salt-minion bsc#1228984
- Change default of example config to enforcing mode.
  With selinux-autorelabel taking care of relabeling this should work nowadays
------------------------------------------------------------------
------------------ 2025-7-30 - Jul 30 2025 -------------------
------------------------------------------------------------------
++++ cockpit:
- drop duplicate %changelog macro
++++ python-kiwi:
- Fix documentation rendering
  There was an indentation bug which caused the docs to render wrong. This commit fixes it
- solver/repository: Handle zstd-compressed metadata files
  `_create_solvables` assumes metadata files are gzip-compressed, but modern Fedora ones are not, they are zstd-compressed.
  Signed-off-by: Adam Williamson
++++ kernel-default:
- io_uring/sqpoll: don't put task_struct on tctx setup failure (bsc#1245664 CVE-2025-38106).
- io_uring: consistently use rcu semantics with sqpoll thread (bsc#1245664 CVE-2025-38106).
- io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() (bsc#1245664 CVE-2025-38106).
- commit 83d2779
- usb: gadget: configfs: Fix OOB read on empty string write (CVE-2025-38497 bsc#1247347).
- commit fdc50d2
- fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (CVE-2025-38396 bsc#1247156).
  Conflicts: series.conf
- fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (CVE-2025-38396 bsc#1247156).
- commit 4bbdefe
- Enable MT7925 WiFi drivers for openSUSE Leap 16.0 (bsc#1247325)
  Enabled only for Leap 16.0 kernel-default-optional as unsupported for now
- commit 60216d7
- optee: ffa: fix sleep in atomic context (CVE-2025-38374 bsc#1247024).
- commit c40f48d
- kabi/severities: ignore two unused/dropped symbols from MEI
- commit f8ced2f
- soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() (git-fixes).
- commit eab169b
- Docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes).
- soc: qcom: pmic_glink: fix OF node leak (git-fixes).
- soc: qcom: fix endianness for QMI header (git-fixes).
- soc: qcom: QMI encoding/decoding for big endian (git-fixes).
- soc: qcom: mdt_loader: Ensure we don't read past the ELF header (git-fixes).
- memory: mtk-smi: Add ostd setting for mt8186 (git-fixes).
- soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes).
- firmware: arm_scmi: Fix up turbo frequencies selection (git-fixes).
- usb: musb: omap2430: fix device leak at unbind (git-fixes).
- usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes).
- usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes).
- usb: dwc3: imx8mp: fix device leak at unbind (git-fixes).
- usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes).
- thunderbolt: Fix copy+paste error in match_service_id() (git-fixes).
- usb: typec: ucsi: Update power_supply on power role change (git-fixes).
- usb: typec: fusb302: cache PD RX state (git-fixes).
- usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes).
- cdc-acm: fix race between initial clearing halt and open (git-fixes).
- usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes).
- USB: gadget: f_hid: Fix memory leak in hidg_bind error path (git-fixes).
- usb: typec: ucsi: yoga-c630: fix error and remove paths (git-fixes).
- usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes).
- Documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes).
- usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes).
- vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes).
- vt: keyboard: Don't process Unicode characters in K_OFF mode (git-fixes).
- staging: axis-fifo: remove sysfs interface (git-fixes).
- staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes).
- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes).
- interconnect: qcom: sc8180x: specify num_nodes (git-fixes).
- interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg (git-fixes).
- comedi: fix race between polling and detaching (git-fixes).
- iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes).
- iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes).
- bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes).
- bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640 (git-fixes).
- misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes).
- vmci: Prevent the dispatching of uninitialized payloads (git-fixes).
- samples: mei: Fix building on musl libc (git-fixes).
- mei: vsc: Fix "BUG: Invalid wait context" lockdep error (git-fixes).
- mei: vsc: Run event callback from a workqueue (git-fixes).
- mei: vsc: Unset the event callback on remove and probe errors (git-fixes).
- mei: vsc: Event notifier fixes (git-fixes).
- mei: vsc: Destroy mutex after freeing the IRQ (git-fixes).
- mei: vsc: Don't re-init VSC from mei_vsc_hw_reset() on stop (git-fixes).
- mei: vsc: Drop unused vsc_tp_request_irq() and vsc_tp_free_irq() (stable-fixes).
- platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes).
- pwm: rockchip: Round period/duty down on apply, up on get (git-fixes).
- spi: stm32: Check for cfg availability in stm32_spi_probe (git-fixes).
- gpio: virtio: Fix config space reading (git-fixes).
- ASoC: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes).
- ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes).
- Documentation: ACPI: Fix parent device references (git-fixes).
- ACPI: LPSS: Remove AudioDSP related ID (git-fixes).
- ACPI: processor: perflib: Fix initial _PPC limit application (git-fixes).
- powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes).
- PM: runtime: Take active children into account in pm_runtime_get_if_in_use() (git-fixes).
- PM / devfreq: Fix a index typo in trans_stat (git-fixes).
- PM / devfreq: Check governor before using governor->name (git-fixes).
- commit bb1eeb0
- s390/ism: fix concurrency management in ism_cmd() (git-fixes bsc#1247372).
- commit 9c82c2d
- s390/mm: Remove possible false-positive warning in pte_free_defer() (git-fixes bsc#1247366).
- commit 24410b3
- x86/fpu: Delay instruction pointer fixup until after warning (git-fixes).
- commit 065c5cd
- x86/bugs: Allow ITS stuffing in eIBRS+retpoline mode also (git-fixes).
- commit 5066cbd
- x86/bugs: Remove its=stuff dependency on retbleed (git-fixes).
- commit a74c41e
- x86/bugs: Introduce cdt_possible() (git-fixes).
- commit 229ca7c
- x86/bugs: Use switch/case in its_apply_mitigation() (git-fixes).
- commit 83a9f22
- x86/bugs: Avoid warning when overriding return thunk (git-fixes).
- commit 0b33009
- x86/bugs: Simplify the retbleed=stuff checks (git-fixes).
- commit 4381119
- x86/bugs: Avoid AUTO after the select step in the retbleed mitigation (git-fixes).
- commit 4ef3103
- Refresh patches.suse/x86-entry-Add-__init-to-ia32_emulation_override_cmdline.patch.
- commit dfed6d8
++++ openssl-3:
- Disable LTO for userspace livepatching [jsc#PED-13245]
++++ selinux-policy:
- Unify with factory specfile, which includes:
- Explain that disabling SELinux should not be done via the config file anymore (bsc#1246549)
- Drop mls option, as we don't provide this ATM
- Improve selinux-policy-devel dependencies and add post script to improve experience when debugging (bsc#1236193).
- Move manpages to selinux-policy-doc package (bsc#1241391)
- Add ugly workaround for semodule removal issues (bsc#1221342 bsc#1238062 bsc#1230643 bsc#1230938)
  Can be dropped when PED-12491 is done.
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate python36 tooling
- Improve selinux-policy packaging
  * Remove bashisms to support UNIX SH syntax in scriptlets (bsc#1237517)
  * Fix non-existing $package variable in "%post minimum" scriptlet
  * Improve selinux-policy.rpmlintrc file
  * Remove duplicates with fdupes
------------------------------------------------------------------
------------------ 2025-7-29 - Jul 29 2025 -------------------
------------------------------------------------------------------
++++ python-kiwi:
- uri: If we fail to resolve the metalink URI, log it
  It's rather useful to know *what* the URI is when something goes wrong, after all.
  Signed-off-by: Adam Williamson
- Bump version: 10.2.29 → 10.2.30
- Fix repartitioning with parted
  parted does locking itself already. Wrapping it in udevadm lock results in a deadlock, breaking boot.
++++ fde-tools:
- Add the missing /var/log/fde (bsc#1247228)
++++ kernel-default:
- selftests/bpf: Remove test_skb_cgroup_id.sh from TEST_PROGS
  Fix the following BPF selftests build error:
  [ 183s] make[1]: Entering directory '/home/abuild/rpmbuild/BUILD/kselftests-bpf-6.12.0-build/tools/testing/selftests/bpf'
  [ 183s] rsync -a --copy-unsafe-links test_kmod.sh test_xdp_redirect.sh test_xdp_redirect_multi.sh test_xdp_meta.sh test_tunnel.sh test_lwt_seg6local.sh test_lirc_mode2.sh test_skb_cgroup_id.sh test_flow_dissector.sh test_xdp_vlan_mode_generic.sh test_xdp_vlan_mode_native.sh test_lwt_ip_encap.sh test_tcp_check_syncookie.sh test_tc_tunnel.sh test_tc_edt.sh test_xdping.sh test_bpftool_build.sh test_bpftool.sh test_bpftool_metadata.sh test_doc_build.sh test_xsk.sh test_xdp_features.sh /home/abuild/rpmbuild/BUILD/kselftests-bpf-6.12.0-build/tools/testing/selftests/kselftest_install/bpf/
  [ 183s] rsync: [sender] link_stat "/home/abuild/rpmbuild/BUILD/kselftests-bpf-6.12.0-build/tools/testing/selftests/bpf/test_skb_cgroup_id.sh" failed: No such file or directory (2)
  [ 183s] rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1338) [sender=3.4.1]
- commit 7aa88b9
- selftests/bpf: Support dynamically linking LLVM if static is not available
  Fix the following BPF selftests build error:
  [ 116s] make[1]: Entering directory '/home/abuild/rpmbuild/BUILD/kselftests-bpf-6.12.0-build/tools/testing/selftests/bpf'
  [ 116s] llvm-config: error: missing: /usr/lib64/libLLVMDemangle.a
  [ 116s] llvm-config: error: missing: /usr/lib64/libLLVMSupport.a
  [ 116s] llvm-config: error: missing: /usr/lib64/libLLVMTargetParser.a
  [ 116s] llvm-config: error: missing: /usr/lib64/libLLVMBinaryFormat.a
  (...)
- commit 4ed92da
- iommu/tegra241-cmdqv: Read SMMU IDR1.CMDQS instead of hardcoding (git-fixes).
- commit b2958c3
- eventpoll: don't decrement ep refcount while still holding the ep mutex (bsc#1246777 CVE-2025-38349).
- commit 8cd134d
- jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253 CVE-2025-38337).
- commit c6fbc8a
- ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976 CVE-2025-38222).
- commit c641a38
- ublk: santizize the arguments from userspace when adding a device (bsc#1245937 CVE-2025-38182).
- commit 89a2a7b
- __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151 CVE-2025-38058).
- commit e772035
- xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes).
- commit be810e3
- xfs: remove unused trace event xfs_discard_rtrelax (git-fixes).
- commit 97feca9
- xfs: remove unused trace event xfs_log_cil_return (git-fixes).
- commit f8adb59
- xfs: change xfs_xattr_class from a TRACE_EVENT() to DECLARE_EVENT_CLASS() (git-fixes).
- commit 9d236fc
- xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes).
- commit 9c39d8c
- xfs: remove usused xfs_end_io_direct events (git-fixes).
- commit 60f358f
- xfs: remove unused event xfs_pagecache_inval (git-fixes).
- commit a5b7032
- xfs: remove unused event xfs_alloc_near_nominleft (git-fixes).
- commit 78d1acd
- xfs: remove unused event xfs_alloc_near_error (git-fixes).
- commit 3b1caf6
- xfs: remove unused event xfs_attr_node_removename (git-fixes).
- commit e689919
- xfs: remove unused xfs_attr events (git-fixes).
- commit 950fc00
- xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes).
- commit 096be3d
- xfs: remove unused xfs_reflink_compare_extents events (git-fixes).
- commit 4ed410c
- xfs: remove unused event xfs_ioctl_clone (git-fixes).
- commit 1ca6b2f
- xfs: remove unused event xlog_iclog_want_sync (git-fixes).
- commit c429e69
- xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes).
- commit 82f668d
- NFSD: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes).
- commit 4e26ab2
- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes).
- commit 5f5b227
- x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() (git-fixes).
- commit 5286ce5
- x86/fpu: Fix guest FPU state buffer allocation size (git-fixes).
- commit fcdd18c
- x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures (git-fixes).
- commit 3c77f80
- x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers (git-fixes).
- commit d331bca
- x86/smpboot: Fix INIT delay assignment for extended Intel Families (git-fixes).
- commit fa3f890
- x86/fpu: Fully optimize out WARN_ON_FPU() (git-fixes).
- commit 44d216b
- x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 (git-fixes).
- commit 495301f
- x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() (git-fixes).
- commit 62f7c35
- x86/locking: Use ALT_OUTPUT_SP() for percpu_{,try_}cmpxchg{64,128}_op() (git-fixes).
- commit a3223dc
- x86/boot: Sanitize boot params before parsing command line (git-fixes).
- commit fa10e4c
- x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes).
- commit c364173
- x86/platform/olpc: Remove unused variable 'len' in olpc_dt_compatible_match() (git-fixes).
- commit 6fe089b
- x86/fred/signal: Prevent immediate repeat of single step trap on return from SIGTRAP handler (git-fixes).
- commit 8aa4767
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- commit 9f24ef0
- x86/Kconfig: Always enable ARCH_SPARSEMEM_ENABLE (git-fixes).
- commit 1378c6a
- Refresh patches.suse/RISC-V-Add-defines-for-the-SBI-nested-acceleration-e.patch.
  Fix metadata for the RISC-V patch.
- commit 7fb7430
- Refresh patches.suse/x86-entry-Add-__init-to-ia32_emulation_override_cmdline.patch.
- commit 7b16eb0
- Update patches.suse/vfs-add-super_operations-get_inode_dev (bsc#927455 bsc#1246450).
- commit c096336
------------------------------------------------------------------
------------------ 2025-7-28 - Jul 28 2025 -------------------
------------------------------------------------------------------
++++ python-kiwi:
- Update test-image-disk-simple integration test
  Update slfo/test-image-disk-simple. Add more space for flake testing and add a user to test flakes for non root
++++ kernel-default:
- Refresh patches.suse/padding-for-more-cgroup-controllers.patch.
  SUSE developers may build our kernel with customized configs. We don't know how many controllers they enable and this may run over the limit in BUILD_BUG_ON because of the added padding. Relax BUILD_BUG_ON condition to only look at actually used controllers (the effective boundary in our kernel).
- commit 44a41b0
- sprintf.h: mask additional include (git-fixes).
- commit 3c155f3
- sprintf.h requires stdarg.h (git-fixes).
- commit 4e2dd00
- btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes).
- commit bd1213b
- btrfs: record new subvolume in parent dir earlier to avoid dir logging races (git-fixes).
- commit bb20dcf
- btrfs: fix assertion when building free space tree (git-fixes).
- commit 9c045a8
- btrfs: fix iteration of extrefs during log replay (bsc#1247031 CVE-2025-38382).
- commit e093d49
- btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes).
- commit fb9d68c
- kabi: Hide adding of u64 to devlink_param_type (jsc#PED-12745).
- commit 4d9651f
++++ nvidia-open-driver-G06-signed:
- update CUDA variant to 580.65.06, which addresses various security issues:
  * CVE-2025-23277 (bsc#1247528)
  * CVE-2025-23278 (bsc#1247529)
  * CVE-2025-23286 (bsc#1247530)
  * CVE-2025-23283 (bsc#1247531)
  * CVE-2025-23279 (bsc#1247532)
------------------------------------------------------------------
------------------ 2025-7-27 - Jul 27 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- Revert "RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests"
  This reverts commit 5fc44fd9addf2ae400bcc37ae75c718d86dafcaa.
  Requires support for Smnpm and Ssnpm extensions which is not present.
- commit 2f49da4
- i2c: qup: jump out of the loop in case of timeout (git-fixes).
- i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes).
- i2c: tegra: Fix reset error handling with ACPI (git-fixes).
- commit d23cb51
------------------------------------------------------------------
------------------ 2025-7-26 - Jul 26 2025 -------------------
------------------------------------------------------------------
++++ kernel-default:
- RISC-V: Add defines for the SBI nested acceleration extension (jsc#PED-348).
- commit 7bb7585
- drm/xe: Fix build without debugfs (git-fixes).
- drm/i915/display: Fix dma_fence_wait_timeout() return value handling (git-fixes).
- commit 04fc7cf
------------------------------------------------------------------
------------------ 2025-7-25 - Jul 25 2025 -------------------
------------------------------------------------------------------
++++ cloud-regionsrv-client:
- Update version to 10.5.1
  + Fix issue with picking up configured server names from the regionsrv config file. Previously only IP addresses were collected
  + Update scriptlet for package uninstall to avoid issues in the build service
++++ python-kiwi:
- Catch potential exceptions from pathlib.Path.mkdir
  Creating a directory can fail, we should catch this error instead of ending up in a stack trace
++++ kernel-default:
- btrfs: fix a race between renames and directory logging (bsc#1247023 CVE-2025-38365).
- commit 82d2bad
- btrfs: fix use-after-free when COWing tree bock and tracing is enabled (bsc#1235645 CVE-2024-56759).
- commit bd41b6c
- nvme-tcp: sanitize request list handling (CVE-2026-38264 bsc#1246387).
- commit 4fae28c
- cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost (bsc#1244812 CVE-2025-38038).
- Refresh patches.suse/cpufreq-amd-pstate-Overhaul-locking.patch.
- commit 9e52e61
- KVM: arm64: Tear down vGIC on failed vCPU creation (CVE-2025-37849 bsc#1243000).
- commit 38855cd
- drm/xe/pf: Prepare to stop SR-IOV support prior GT reset (git-fixes).
- commit 71e9c4e
- resource: fix false warning in __request_region() (git-fixes).
- ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv (git-fixes).
- ALSA: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop (git-fixes).
- can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes).
- bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes).
- i2c: omap: Fix an error handling path in omap_i2c_probe() (git-fixes).
- i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() (git-fixes).
- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes). - USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes). - USB: serial: option: add Foxconn T99W640 (stable-fixes). - iio: common: st_sensors: Fix use of uninitialize device structs (stable-fixes). - iio: adc: max1363: Reorder mode_list[] entries (stable-fixes). - iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes). - drm/xe/mocs: Initialize MOCS index early (stable-fixes). - drm/amdgpu: Increase reset counter only on success (stable-fixes). - drm/amd/display: Disable CRTC degamma LUT for DCN401 (stable-fixes). - drm/amd/display: Free memory allocation (stable-fixes). - ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes). - ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx (stable-fixes). - HID: core: do not bypass hid_hw_raw_request (stable-fixes). - HID: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes). - i2c: omap: Fix an error handling path in omap_i2c_probe() (git-fixes). - i2c: omap: fix deprecated of_property_read_bool() use (git-fixes). - i2c: omap: Add support for setting mux (stable-fixes). - drm/xe/pf: Move VFs reprovisioning to worker (stable-fixes). - drm/xe/pf: Sanitize VF scratch registers on FLR (stable-fixes). - commit ad41c3a - mm: userfaultfd: fix race of userfaultfd_move and swap cache (CVE-2025-38242 bsc#1246176). 
- commit 04ed915 ++++ samba: - adjust gpgme build dependency for future-proofing ++++ wpa_supplicant: - Build wpa_gui with qt6 instead of obsolete qt5 [+ 0001-wpa_gui-Port-to-Qt6.patch] - Update build config: * Enable 802.11ax support ------------------------------------------------------------------ ------------------ 2025-7-24 - Jul 24 2025 ------------------- ------------------------------------------------------------------ ++++ Mesa: - U_loader_wayland-Fix-missing-timespec.h-include.patch * fixes build with wayland-protocols 1.45 ++++ Mesa-drivers: - U_loader_wayland-Fix-missing-timespec.h-include.patch * fixes build with wayland-protocols 1.45 ++++ container-selinux: - Add workaround for rootless docker iptables AVCs (bsc#1246348) adding rootless-docker_iptables.patch ++++ python-kiwi: - Bump version: 10.2.28 → 10.2.29 - Fix return from repart stage If we return from the repart stage it's important to wait for the root device to appear. This is because the device setup from udev might still be held back due to a former lock on the device. This means if we return fast after locking for example when check_repart_possible() quickly finds out that it's not possible, then udev has not yet got the time to create the device nodes. This Fixes #2863 ++++ glibc: - regcomp-double-free.patch: posix: Fix double-free after allocation failure in regcomp (CVE-2025-8058, bsc#1246965, BZ #33185) ++++ kdump: - upgrade to version 2.1.5 * kdumptool calibrate: use kernel flavour from the kdump kernel (jsc#PED-12971) * order kdump-commandline.service after kdump.service * updated documentation (bsc#1246908) ++++ kernel-default: - x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE (git-fixes). - commit fdfb535 - kABI workaround for drm_gem.h (git-fixes). - commit b3f8c43 - x86/microcode: Consolidate the loader enablement checking (git-fixes). - commit a281c51 - x86/pkeys: Simplify PKRU update in signal frame (git-fixes). 
- commit 7f493bf - x86/mm/pat: don't collapse pages without PSE set (git-fixes). - commit a309aa1 - x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes). - commit b9a8d7c - x86/mce: Don't remove sysfs if thresholding sysfs init fails (git-fixes). - commit 6b9b4dc - x86/mce: Ensure user polling settings are honored when restarting timer (git-fixes). - commit dd99169 - x86/mce/amd: Add default names for MCA banks and blocks (git-fixes). - commit 8cf89c0 - drivers: base: handle module_kobject creation (git-fixes). - kernel: globalize lookup_or_create_module_kobject() (stable-fixes). - kernel: param: rename locate_module_kobject (stable-fixes). - commit 443c294 - bus: firewall: Fix missing static inline annotations for stubs (git-fixes). - drm/gem: Internally test import_attach for imported objects (git-fixes). - commit 883c447 - mailbox: Not protect module_put with spin_lock_irqsave (stable-fixes). - of: unittest: Unlock on error in unittest_data_add() (git-fixes). - objtool, lkdtm: Obfuscate the do_nothing() pointer (stable-fixes). - objtool, regulator: rk808: Remove potential undefined behavior in rk806_set_mode_dcdc() (stable-fixes). - objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() (stable-fixes). - mailbox: pcc: Use acpi_os_ioremap() instead of ioremap() (stable-fixes). - mailbox: pcc: Always clear the platform ack interrupt first (stable-fixes). - mailbox: pcc: Fix the possible race in updation of chan_in_use flag (stable-fixes). - of: resolver: Fix device node refcount leakage in of_resolve_phandles() (git-fixes). - of: resolver: Simplify of_resolve_phandles() using __free() (stable-fixes). - commit 2842fe3 - phy: fsl-imx8mq-usb: fix phy_tx_vboost_level_from_property() (git-fixes). - phy: rockchip: samsung-hdptx: Do no set rk_hdptx_phy->rate in case of errors (git-fixes). - phy: rockchip: samsung-hdptx: Fix clock ratio setup (git-fixes). 
- PM: EM: use kfree_rcu() to simplify the code (stable-fixes). - pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes). - commit 0b2b7d3 - iio: pressure: mprls0025pa: use aligned_s64 for timestamp (git-fixes). - iio: adc: ad7266: Fix potential timestamp alignment issue (git-fixes). - iio: adc: ad7768-1: Fix insufficient alignment of timestamp (git-fixes). - iio: adc: dln2: Use aligned_s64 for timestamp (git-fixes). - iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 (git-fixes). - iio: chemical: pms7003: use aligned_s64 for timestamp (git-fixes). - iio: chemical: sps30: use aligned_s64 for timestamp (git-fixes). - commit c3a47c4 - drm/i915/dp_mst: Work around Thunderbolt sink disconnect after SINK_COUNT_ESI read (stable-fixes). - accel/ivpu: Correct DCT interrupt handling (git-fixes). - commit af2fdb4 - accel/ivpu: Fix warning in ivpu_gem_bo_free() (git-fixes). - drm/gem: Test for imported GEM buffers with helper (stable-fixes). - commit bf7255f - rpm/kernel-subpackage-spec: Skip brp-strip-debug to avoid file truncation (bsc#1246879) Put the same workaround to avoid file truncation of vmlinux and co in kernel-default-base package, too. - commit 2329734 - iommu/vt-d: Fix possible circular locking dependency (git-fixes). - commit b917ee9 - drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes). - Revert "drm/nouveau: check ioctl command codes better" (git-fixes). - drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes). - drm/amdgpu: Reset the clear flag in buddy during resume (git-fixes). - platform/x86: Fix initialization order for firmware_attributes_class (git-fixes). - platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes). - platform/x86: ideapad-laptop: Fix FnLock not remembered among boots (git-fixes). - platform/mellanox: mlxbf-pmc: Use kstrtobool() to check 0/1 input (git-fixes). 
- platform/mellanox: mlxbf-pmc: Validate event/enable input (git-fixes). - platform/mellanox: mlxbf-pmc: Remove newline char from event name input (git-fixes). - commit e77a634 ------------------------------------------------------------------ ------------------ 2025-7-23 - Jul 23 2025 ------------------- ------------------------------------------------------------------ ++++ cloud-regionsrv-client: - Update version to 10.5.0 + Use region server IP addresses to determine Internet access rather than a generic address. Region server IP addresses may not be blocked in the network construct. (bsc#1245305) ++++ cockpit: - Add %postun for firewalld package to ensure the firewall state remains as expected ++++ transactional-update: - Add journalmount.patch to bind mount systemd journal only when available ++++ kernel-default: - hci_dev centralize extra lock (CVE-2025-38117 bsc#1245695). - commit 242b32d - rpm/kernel-binary.spec.in: Ignore return code from ksymtypes compare When using suse-kabi-tools, the RPM build invokes 'ksymvers compare' to compare the resulting symbol CRCs with the reference data. If the values differ, it then invokes 'ksymtypes compare' to provide a detailed report explaining why the symbols differ. The build expects the latter 'ksymtypes compare' command to always return zero, even if the two compared kABI corpuses are different. This is currently the case for 'ksymtypes compare'. However, I plan to update the command to return a non-zero code when the comparison detects any differences. This should ensure consistent behavior with 'ksymvers compare'. Since the build uses 'ksymtypes compare' only for more detailed diagnostics, ignore its return code. - commit 5ac1381 - net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180 bsc#1245970). - net: atm: add lec_mutex (CVE-2025-38323 bsc#1246473). - net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180 bsc#1245970). - net: atm: add lec_mutex (CVE-2025-38323 bsc#1246473). 
- commit 736dcb9 - Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CVE-2025-38117 bsc#1245695). - commit 089c9e2 - arm64: config: Make tpm_tis_spi module build-in (bsc#1246896) - commit 9192eb0 ++++ libzypp: - During installation indicate the backend being used (bsc#1246038) If some package actually needs to know, it should test for ZYPP_CLASSIC_RPMTRANS being set in the environment. Otherwise the transaction is driven by librpm. - version 17.37.14 (35) ++++ qemu: - Fix bsc#1246566: * [roms] seabios: include "pciinit: don't misalign large BARs" (bsc#1246566) ++++ sysuser-tools: - disable the buildroot virus scanning, as it needs the vscan user this package provides. (bsc#1246878) ------------------------------------------------------------------ ------------------ 2025-7-22 - Jul 22 2025 ------------------- ------------------------------------------------------------------ ++++ cloud-init: - Update to version 25.1.3 (bsc#1245403) + Forward port - cloud-init-no-openstack-guess.patch + docs: provide example3 for PAM and ssh_pwauth behavior (#27) + fix: Make hotplug socket writable only by root (#25) (CVE-2024-11584) + fix: Don't attempt to identify non-x86 OpenStack instances (LP: #2069607) (CVE-2024-6174) From 25.1.2 + fix: ensure MAAS datasource retries on failure (#6167) ++++ fde-tools: - Add fde-tools-bsc1246464-use-default-uefi-boot-path.patch to use the default EFI boot path if there is no FILE component in the boot entry (bsc#1246464) ++++ kernel-default: - KVM: TDX: Don't report base TDVMCALLs (git-fixes). - commit 486d9e8 - Documentation: KVM: Fix unexpected unindent warning (git-fixes). - commit 1046fef - Documentation: KVM: Fix unexpected unindent warnings (git-fixes). - commit bfc2140 - kABI fix after Add TDX support for vSphere (jsc#PED-13302). - commit a4c3d79 - s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246868).
- commit 7a6a473 - KVM: VMX: Ensure unused kvm_tdx_capabilities fields are zeroed out (jsc#PED-13302). - commit bc9f3cf - KVM: TDX: Report supported optional TDVMCALLs in TDX capabilities (jsc#PED-13302). - commit af1a799 - KVM: TDX: Exit to userspace for SetupEventNotifyInterrupt (jsc#PED-13302). - commit b72fb90 - KVM: TDX: Exit to userspace for GetTdVmCallInfo (jsc#PED-13302). - commit 78e8a10 - KVM: TDX: Handle TDG.VP.VMCALL (jsc#PED-13302). - commit 2d49648 - KVM: TDX: Add new TDVMCALL status code for unsupported subfuncs (jsc#PED-13302). - commit 9661c0c - KVM: x86: Reject KVM_SET_TSC_KHZ vCPU ioctl for TSC protected guest (git-fixes). - commit 62d55cd - KVM: x86: avoid underflow when scaling TSC frequency (git-fixes). - commit 38e9775 - iommu/vt-d: Fix system hang on reboot -f (git-fixes). - commit d8aaf21 - KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table (git-fixes). - commit be0174d - KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (git-fixes). - commit 95b4b81 - kABI fix after KVM: SVM: Fix SNP AP destroy race with VMRUN (git-fixes). - commit 48db1ee - KVM: SVM: Fix SNP AP destroy race with VMRUN (git-fixes). 
- commit 1cd78e3 ++++ kernel-firmware-sound: - Update to version 20250721 (git commit d89120bb80fc): * cirrus: cs35l41: Add Firmware for various ASUS commercial Laptops using CS35L41 HDA * cirrus: cs35l41: Update Firmware for Dell Oasis * cirrus: cs35l56: Add firmware for Cirrus CS35L56 for various Dell laptops * qcom: Add Audio topology for QCS6490 RB3Gen2 ++++ libnvme: - Update to version 1.11+4.g18b9f8e5: * tree: free ctrl attributes when (re)configure ctrl (bsc#1243716) * tree: filter tree after scan has completed (bsc#1243716) * test/mock: pass thru unknown ioctls * linux: fix derive_psk_digest OpenSSL 1.1 version - Drop integrated patches * remove 0001-linux-fix-derive_psk_digest-OpenSSL-1.1-version.patch * remove 0002-test-mock-pass-thru-unknown-ioctls.patch ++++ libzypp: - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459) - Verbose log libproxy results if PX_DEBUG=1 is set. - BuildRequires: cmake >= 3.17. - version 17.37.13 (35) ++++ nvme-cli: - Update to version 2.11+4.g16c450a7: * nvme: fix mem leak in nvme copy (bsc#1243716) * nvme-print: suppress output when no ctrl is present for list-subsys (bsc#1243716) * nvme: extend filter to match device name (bsc#1243716) * udev-rules-ontap: switch to queue-depth iopolicy (bsc#1246599) ------------------------------------------------------------------ ------------------ 2025-7-21 - Jul 21 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Add cockpit-firewalld package for easily configuring the user's firewall jsc#PED-13228 ++++ transactional-update: - Version 5.0.7 - Add sysext compatibility [bsc#1246140] - Fix soft-reboot with btrfs subvolume based /etc - Sync /etc layers also on soft-reboot - Bind mount /run/systemd/journal to allow log calls [gh#openSUSE/transactional-update#149] - Use rootlesskit instead of fakeroot for tests - Small coding style fixes - Temporarily disabling the testsuite because it doesn't run in the build environment so
far ++++ kernel-default: - iavf: get rid of the crit lock (CVE-2025-38311 bsc#1246376). - iavf: sprinkle netdev_assert_locked() annotations (CVE-2025-38311 bsc#1246376). - iavf: extract iavf_watchdog_step() out of iavf_watchdog_task() (CVE-2025-38311 bsc#1246376). - iavf: simplify watchdog_task in terms of adminq task scheduling (CVE-2025-38311 bsc#1246376). - iavf: centralize watchdog requeueing itself (CVE-2025-38311 bsc#1246376). - net: dsa: b53: do not enable EEE on bcm63xx (CVE-2025-38272 bsc#1246268). - commit 2236e1a - kABI workaround for bluetooth hci_dev changes (CVE-2025-38250 bsc#1246182). - commit 9363e74 - Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250 bsc#1246182). - commit 7979f02 - tools/hv: fcopy: Fix irregularities with size of ring buffer (git-fixes). - PCI: hv: Use the correct hypercall for unmasking interrupts on nested (git-fixes). - x86/hyperv: Expose hv_map_msi_interrupt() (git-fixes). - Drivers: hv: Use nested hypercall for post message and signal event (git-fixes). - x86/hyperv: Clean up hv_map/unmap_interrupt() return values (git-fixes). - x86/hyperv: Fix usage of cpu_online_mask to get valid cpu (git-fixes). - PCI: hv: Don't load the driver for baremetal root partition (git-fixes). - net: mana: Fix warnings for missing export.h header inclusion (git-fixes). - PCI: hv: Fix warnings for missing export.h header inclusion (git-fixes). - clocksource: hyper-v: Fix warnings for missing export.h header inclusion (git-fixes). - x86/hyperv: Fix warnings for missing export.h header inclusion (git-fixes). - Drivers: hv: Fix warnings for missing export.h header inclusion (git-fixes). - Drivers: hv: Fix the check for HYPERVISOR_CALLBACK_VECTOR (git-fixes). - tools/hv: fcopy: Fix incorrect file path conversion (git-fixes). - Drivers: hv: Select CONFIG_SYSFB only if EFI is enabled (git-fixes). - hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf (git-fixes). 
- commit 6fce57d - i2c: stm32f7: unmap DMA mapped buffer (git-fixes). - i2c: stm32: fix the device used for the DMA map (git-fixes). - usb: hub: Don't try to recover devices lost during warm reset (git-fixes). - usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY (git-fixes). - usb: musb: fix gadget state on disconnect (git-fixes). - thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes). - thunderbolt: Fix wake on connect at runtime (git-fixes). - pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes). - serial: core: fix OF node leak (git-fixes). - comedi: Fix initialization of data for instructions that write to subdevice (git-fixes). - comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes). - comedi: das6402: Fix bit shift out of bounds (git-fixes). - comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes). - comedi: pcl812: Fix bit shift out of bounds (git-fixes). - comedi: das16m1: Fix bit shift out of bounds (git-fixes). - comedi: Fix some signed shift left operations (git-fixes). - comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes). - interconnect: icc-clk: destroy nodes in case of memory allocation failures (git-fixes). - interconnect: exynos: handle node name allocation failure (git-fixes). - interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node (git-fixes). - iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes). - iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes). - iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps (git-fixes). - iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes). - iio: backend: fix out-of-bound write (git-fixes). - spi: Add check for 8-bit transfer with 8 IO mode support (git-fixes). - regmap: fix potential memory leak of regmap_bus (git-fixes). - Input: xpad - set correct controller type for Acer NGR200 (git-fixes). 
- commit efa1e54 ++++ kernel-firmware-nvidia: - Remove stale *.rpmmoved directories (bsc#1244458) ++++ kernel-firmware-qcom: - Remove stale *.rpmmoved directories (bsc#1244458) ++++ libbpf: - update to 1.6.0: * add more control over BPF object lifetime with new preparation step (bpf_object__prepare() API) * libbpf will report symbolic error code (e.g., "-EINVAL") in addition to human-readable error description * bpf_prog_stream_read() API * BPF token support when attaching BPF trampoline-based BPF programs in bpf_program__set_attach_target() * BPF token support for BPF_BTF_GET_FD_BY_ID command * support multi-uprobe session (SEC("uprobe.session")) BPF programs * support unique_match option for multi-kprobe attachment * support creating and destroying qdisk with BPF_TC_QDISC flag; * bpf_program__attach_cgroup_opts() which enables more precise cgroup-based attachment ordering * automatically take advantage of memory-mappable kernel BTF (/sys/kernel/btf/vmlinux), if supported * emit_strings option for BTF dumper API, improving string-like data printing * add BPF program's func and line info accessors * BPF linker supports linking ELF object files coming from memory buffer and referenced by FD, in addition to file path-based APIs; * small improvements to BTF dedup to handle rare quirky corner cases produces by some compilers * add likely() and unlikely() convenience macros; * __arg_untrusted annotation for BPF global subprog arguments; * bpf_stream_printk() macro for working with BPF streams; * bpf_usdt_arg_size() API - update to 1.6.0: * fixing a possible crash when handling BPF arena global variable relocations - drop 0001-libbpf-Add-identical-pointer-detection-to-btf_dedup_.patch, which is now included ------------------------------------------------------------------ ------------------ 2025-7-20 - Jul 20 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - hwmon: (corsair-cpro) Validate the size of the 
received input buffer (git-fixes). - drm/mediatek: only announce AFBC if really supported (git-fixes). - drm/mediatek: Add wait_event_timeout when disabling plane (git-fixes). - drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes). - drm/nouveau: check ioctl command codes better (git-fixes). - soundwire: amd: fix for clearing command status register (git-fixes). - dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes). - phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes). - memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes). - mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes). - mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes). - mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes). - commit f4e7d99 ++++ unbound: - Remove leftover dependency on sudo (not required) See also: boo#1215628 ------------------------------------------------------------------ ------------------ 2025-7-19 - Jul 19 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - virtio-net: fix recursived rtnl_lock() during probe() (git-fixes). - commit 0bc7aff - vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` (git-fixes). - commit 615e0f1 - vsock: Fix transport_* TOCTOU (git-fixes). - commit 704674f - vsock: Fix transport_{g2h,h2g} TOCTOU (git-fixes). 
- commit 3024c81 ++++ kernel-firmware-amdgpu: - Update to version 20250718 (git commit a5fbfa20d1bd): * amdgpu: update dmcub fw for various DCN version ++++ kernel-firmware-intel: - Update to version 20250718 (git commit a5fbfa20d1bd): * intel_vpu: Update NPU firmware ------------------------------------------------------------------ ------------------ 2025-7-18 - Jul 18 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Bump version: 10.2.27 → 10.2.28 - Fix dracut code to be POSIX compliant The redirect type "< <(...)" is not POSIX compliant and leads to a syntax error in dracut which calls bash as "sh" leading it to be restricted to POSIX only ++++ kdump: - upgrade to version 2.1.4 * work around failing calibration on aarch64 * support for kernel flavour-specific calibration * specific calibration for aarch64 -64kb kernels (jsc#PED-12971) * use KDUMP_NET_TIMEOUT as sftp/ftp timeout - update calibrate values ++++ kernel-default: - vsock/vmci: Clear the vmci transport packet properly when initializing it (git-fixes). - commit ec91da1 - virtio-net: xsk: rx: fix the frame's length check (git-fixes). - commit d6ac97d - af_unix: Don't set -ECONNRESET for consumed OOB skb (bsc#1246093). - commit 6c81d26 - sched/psi: Optimize psi_group_change() cpu_clock() usage KABI (bsc#1234634 (Scheduler functional and performance backports)). - commit 74a8f57 - virtio-net: ensure the received length does not exceed allocated size (git-fixes). - commit 98cd35a - sched: Skip useless sched_balance_running acquisition if load balance is not due (bsc#1234634 (Scheduler functional and performance backports)). - commit 8648646 - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes). - commit ecdd7a1 - net: fix segmentation after TCP/UDP fraglist GRO (git-fixes). - commit 0365d28 - ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes).
- commit 6b2d784 - rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes). - commit fa150fb - af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes). - commit f0f997a - net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes). - commit e3a7f48 - sched/deadline: Less agressive dl_server handling KABI (bsc#1234634 (Scheduler functional and performance backports)). - commit ce216e3 - sched/fair: Workaround NO_RUN_TO_PARITY fix kabi (bsc#1234634 (Scheduler functional and performance backports)). - commit 6a6e170 - af_unix: Don't leave consecutive consumed OOB skbs (CVE-2025-38236 bsc#1246093). - commit a443f38 - kABI workaround for struct drm_framebuffer changes (git-fixes). - commit 7f15c4f - bridge: mcast: Fix use-after-free during router port configuration (CVE-2025-38248 bsc#1246173). - commit 78cf8a3 - Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes). - Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes). - Bluetooth: hci_core: add missing braces when using macro parameters (git-fixes). - Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes). - Bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes). - Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type (git-fixes). - Bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes). - Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes). - wifi: cfg80211: remove scan request n_channels counted_by (git-fixes). - can: tcan4x5x: fix reset gpio usage during probe (git-fixes). - usb: net: sierra: check for no status endpoint (git-fixes). - net: phy: Don't register LEDs for genphy (git-fixes). - clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data (git-fixes). - clk: scmi: Handle case where child clocks are initialized before their parents (git-fixes). 
- drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes). - drm/framebuffer: Acquire internal references on GEM handles (git-fixes). - wifi: prevent A-MSDU attacks in mesh networks (stable-fixes). - wifi: mac80211: correctly identify S1G short beacon (git-fixes). - wifi: cfg80211: fix S1G beacon head validation in nl80211 (git-fixes). - net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() (git-fixes). - net: phy: qcom: move the WoL function to shared library (stable-fixes). - Revert "ACPI: battery: negate current when discharging" (stable-fixes). - drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes). - vt: add missing notification when switching back to text mode (stable-fixes). - Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" (stable-fixes). - ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak (stable-fixes). - ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes). - ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 (stable-fixes). - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes). - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes). - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes). - HID: nintendo: avoid bluetooth suspend/resume stalls (stable-fixes). - driver: bluetooth: hci_qca:fix unable to load the BT driver (stable-fixes). - net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes). - wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements (git-fixes). - drm/amdgpu/ip_discovery: add missing ip_discovery fw (stable-fixes). - drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics (stable-fixes). - ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops (stable-fixes). - ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct (stable-fixes). 
- commit ead540d ++++ kernel-firmware-media: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-mellanox: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-network: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-platform: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-qlogic: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-realtek: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-serial: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ kernel-firmware-usb-network: - Update to version 20250717 (git commit 6fc20e018cca): * WHENCE: extract more license statements ++++ leancrypto: - Add baselibs.conf ++++ ceph: - Drop cryptopp as potential dependency [jsc#PED-13011] and use gnutls as upstream seastar. * Remove cryptopp and use gnutls instead. 
* Add ceph-replace-CryptoPP-calls-with-GnuTLS.patch ++++ libxml2: - security update - added patches CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr + libxml2-CVE-2025-7425.patch ++++ libxml2-python: - security update - added patches CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr + libxml2-CVE-2025-7425.patch ++++ zypper: - Fix addrepo to handle explicit --check and --no-check requests (bsc#1246466) - Accept "show" as alias for "info" (bsc#1245985) - version 1.14.93 ------------------------------------------------------------------ ------------------ 2025-7-17 - Jul 17 2025 ------------------- ------------------------------------------------------------------ ++++ busybox: - add placeholder variable and ignore applet logic to busybox.install ++++ busybox-links: - add filtering of ignored applets to busybox.install ++++ docker: - Update to Go 1.24 for builds, to match upstream. ++++ python-kiwi: - Extend test-image-lvm integration test For testing a bit more complex resize procedure, update the lvm integration test to run more resize actions with required device locking - Apply proper udev locking Several commands during repart, resize and other actions require a proper lock to be set for udev such that other events know about the locked state of a device and do not mess with it until the command for which the lock persists has completed. This commit applies proper udev locks to all commands that require it. In addition incorrect code that was expected to prevent such race conditions got dropped from the implementation. This is related to bsc#1242987 - relocate GPT at the end of disk using sfdisk Using sfdisk for relocation and verification makes this part more consistent. We also want to move away from gdisk.
This is related to #2851 - Do not strictly require config.partids in repart The kiwi-repart implementation requires a metadata file named config.partids which holds information about partition ids and more stored at the time the image was built. Depending on the complexity of the image and the resize request some of the information can be rebuilt in case the metadata file is missing. This commit adds the rebuild of the minimum required information to run a standard resize and therefore allows the kiwi-repart dracut module to work also without config.partids to be present in the system - Do not drop /config.partids The partition id metadata file is used in the kiwi-repart module. If a user wants to use the kiwi repart module permanently, this metadata file needs to stay in the system. Therefore it should not be automatically deleted by the cleanup. A disk.sh hook script can be used to force the deletion of the file though. This is related #2851 ++++ kernel-default: - sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Enable scheduler feature NEXT_BUDDY (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Always trigger resched at the end of a protected period (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Fix entity's lag with run to parity (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Limit run to parity to the min slice of enqueued entities (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Remove spurious shorter slice preemption (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Fix NO_RUN_TO_PARITY case (bsc#1234634 (Scheduler functional and performance backports)). - sched/fair: Use protect_slice() instead of direct comparison (bsc#1234634 (Scheduler functional and performance backports)). 
- sched/deadline: Less agressive dl_server handling (bsc#1234634 (Scheduler functional and performance backports)).
- sched/psi: Optimize psi_group_change() cpu_clock() usage (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails (bsc#1234634 (Scheduler functional and performance backports)).
- sched/eevdf: Correct the comment in place_entity (bsc#1234634 (Scheduler functional and performance backports)).
- sched/deadline: Fix dl_server runtime calculation formula (bsc#1234634 (Scheduler functional and performance backports)).
- sched/core: Fix migrate_swap() vs. hotplug (bsc#1234634 (Scheduler functional and performance backports)).
- sched: Fix preemption string of preempt_dynamic_none (bsc#1234634 (Scheduler functional and performance backports)).
- sched/numa: fix task swap by skipping kernel threads (bsc#1234634 (Scheduler functional and performance backports)).
- mm: pcp: increase pcp->free_count threshold to trigger free_high (bsc#1241169 (MM functional and performance backports)).
- sched/numa: add tracepoint that tracks the skipping of numa balancing due to cpuset memory pinning (bsc#1234634 (Scheduler functional and performance backports)).
- sched/numa: skip VMA scanning on memory pinned to one NUMA node via cpuset.mems (bsc#1234634 (Scheduler functional and performance backports)).
- mm: page_alloc: remove redundant READ_ONCE (bsc#1241169 (MM functional and performance backports)).
- sched/uclamp: Align uclamp and util_est and call before freq update (bsc#1234634 (Scheduler functional and performance backports)).
- sched/util_est: Simplify condition for util_est_{en,de}queue() (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE (bsc#1234634 (Scheduler functional and performance backports)).
- sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed tasks (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Adhere to place_entity() constraints (bsc#1234634 (Scheduler functional and performance backports)).
- sched/debug: Print the local group's asym_prefer_cpu (bsc#1234634 (Scheduler functional and performance backports)).
- sched/topology: Introduce sched_update_asym_prefer_cpu() (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Use READ_ONCE() to read sg->asym_prefer_cpu (bsc#1234634 (Scheduler functional and performance backports)).
- sched/isolation: Make use of more than one housekeeping cpu (bsc#1234634 (Scheduler functional and performance backports)).
- sched/rt: Fix race in push_rt_task (bsc#1234634 (Scheduler functional and performance backports)).
- sched/fair: Allow decaying util_est when util_avg > CPU capa (bsc#1234634 (Scheduler functional and performance backports)).
- sched: Fix trace_sched_switch(.prev_state) (bsc#1234634 (Scheduler functional and performance backports)).
- commit 2289d34
- Update patches.suse/scsi-megaraid_sas-Fix-invalid-node-index.patch (git-fixes CVE-2025-38239 bsc#1246178).
- commit 3918567
- soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled (git-fixes).
- soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes).
- HID: core: ensure __hid_request reserves the report ID as the first byte (git-fixes).
- commit d4ff6f9
- x86/iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100 bsc#1245650).
- commit 2e30d9c
- config: x86_64: default: use run_oldconfig to refresh
- commit e2e6c0d
- kABI workaround for bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279).
- commit e82df30
- btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068)
- commit 8676cda
- btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068)
- commit 5d891f0
- btrfs: harden block_group::bg_list against list_del() races (CVE-2025-37856 bsc#1243068)
- commit fe28436
- btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (CVE-2025-38034 bsc#1244792)
- commit cbeb64e

++++ kernel-firmware-amdgpu:
- Update to version 20250716 (git commit 1b1a9d871442):
  * amdgpu: Update GC 11.5.1 microcode

++++ gcc15:
- Fixup conflicts again.
- Make sure to retain binary suffixes for accelerator crosses.

++++ libxslt:
- security update
- added patches
  CVE-2025-7424 [bsc#1246360], Type confusion in xmlNode.psvi between stylesheet and source nodes
  + libxslt-CVE-2025-7424.patch

++++ sqlite3:
- Update to version 3.50.3:
  * Fix a possible memory error that can occur if a query is made against FTS5 index that has been deliberately corrupted in a very specific way.
  * Fix the parser so that it ignored SQL comments in all places of a CREATE TRIGGER statement. This resolves a problem that was introduced by the introduction of the SQLITE_DBCONFIG_ENABLE_COMMENTS feature in version 3.49.0.
  * Fix an incorrect answer due to over-optimization of an AND operator.
++++ libzypp:
- Allow explicit request to probe an added repo's URL (bsc#1246466)
- Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661)
- version 17.37.12 (35)

++++ update-bootloader:
- merge gh#openSUSE/perl-bootloader#191
- avoid spurious warning messages when parsing /etc/default/grub (bsc#1246373, bsc#1245323)
- 1.25

------------------------------------------------------------------
------------------ 2025-7-16 - Jul 16 2025 -------------------
------------------------------------------------------------------
++++ dracut:
- Update to version 059+suse.692.g6ec224d5:
  * ci(suse.conf.example): change log levels (jsc#PED-12922)

++++ python-kiwi:
- Fix centos/test-image-live-disk-v10
  There is no package named iprutils
- Fix centos/test-image-live-disk-v10
  Update package names
- Added centos/test-image-live-disk-v10 build test
- Fix tumbleweed/test-image-gce integration test
  Drop obsolete growpart
- Followup fix to support older apt versions for bootstrap
  There are apt versions that do not create missing state files. Make sure the intermediate bootstrap state file is created in any case. This Fixes #2857
- Fixed integration test builds
  Next round of fixes for integration tests. Missing or wrong service activations
- Fix arm/tumbleweed/test-image-rpi
  Fix snapper setup for this integration test

++++ grub2:
- Fix test -f and -s do not work properly over the network files served via tftp and http (bsc#1246157) (bsc#1246237)
  * 0001-test-Fix-f-test-on-files-over-network.patch
  * 0002-http-Return-HTTP-status-code-in-http_establish.patch
  * 0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch
  * 0004-tftp-Fix-hang-when-file-is-a-directory.patch

++++ kernel-default:
- net: sched: fix ordering of qlen adjustment (CVE-2024-53164 bsc#1234863)
- commit f3dbf9a
- seg6: Fix validation of nexthop addresses (CVE-2025-38310 bsc#1246361).
- netfs: Fix oops in write-retry from mis-resetting the subreq iterator (CVE-2025-38139 bsc#1245718).
- x86/sgx: Prevent attempts to reclaim poisoned pages (CVE-2025-38334 bsc#1246384).
- commit 5e00081
- fs/proc: Use inode_get_dev() for device numbers in procmap_query
  References: bsc#1246450
- commit 8f812e6
- fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero (bsc#1246620).
- commit ac8d8ea
- net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (CVE-2025-38126 bsc#1245708).
- bpf: fix ktls panic with sockmap (CVE-2025-38166 bsc#1245758).
- commit f2dcced
- objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes).
- commit cdba1ce
- objtool: Silence more KCOV warnings, part 2 (git-fixes).
- commit 4da0721
- objtool: Add missing endian conversion to read_annotate() (git-fixes).
- commit 33dacf5
- ixgbe: add FW API version check (jsc#PED-12380 bsc#1245410 bsc#1246128).
- Refresh patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch.
- commit c263240
- ixgbe: add support for devlink reload (jsc#PED-12380 bsc#1245410 bsc#1246128).
- Refresh patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch.
- commit 207db98
- ixgbe: devlink: add devlink region support for E610 (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add E610 .set_phys_id() callback implementation (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: apply different rules for setting FC on E610 (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add support for ACPI WOL for E610 (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: create E610 specific ethtool_ops structure (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add support for FW rollback mode (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add E610 implementation of FW recovery mode (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add device flash update via devlink (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: extend .info_get() with stored versions (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add E610 functions getting PBA and FW ver info (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add .info_get extension specific for E610 devices (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: read the netlist version information (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: read the OROM version information (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add E610 functions for acquiring flash data (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add handler for devlink .info_get() (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add initial devlink support (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: wrap netdev_priv() usage (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: Fix unreachable retry logic in combined and byte I2C write functions (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add support for thermal sensor event reception (jsc#PED-12380 bsc#1245410 bsc#1246128).
- ixgbe: add PTP support for E610 device (jsc#PED-12380 bsc#1245410 bsc#1246128).
- commit aea9558
- objtool: Stop UNRET validation on UD2 (git-fixes).
- commit 82f38be
- objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes).
- commit af1e729
- objtool: Properly disable uaccess validation (git-fixes).
- commit c47d66e
- objtool: Silence more KCOV warnings (git-fixes).
- commit 700d945
- wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes).
- commit bd0db70
- wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes).
- commit 1568d0d
- wifi: rt2x00: fix remove callback type mismatch (git-fixes).
- commit c0ae7f4
- wifi: mwifiex: discard erroneous disassoc frames on STA interface (git-fixes).
- commit decdc76
- wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes).
- commit 7ee21af
- wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes).
- commit c13b504
- selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264 CVE-2025-38279).
- bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279).
- commit 3a79b8b
- selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar (git-fixes).
- commit 493edb3
- perf/core: Fix the WARN_ON_ONCE is out of lock protected region (git-fixes).
- commit 6223b3a
- perf: Revert to requiring CAP_SYS_ADMIN for uprobes (git-fixes).
- perf/aux: Fix pending disable flow when the AUX ring buffer overruns (git-fixes).
- perf/core: Fix WARN in perf_cgroup_switch() (git-fixes).
- perf: Fix dangling cgroup pointer in cpuctx (git-fixes).
- perf: Fix cgroup state vs ERROR (git-fixes).
- perf test: Directory file descriptor leak (git-fixes).
- perf evsel: Missed close() when probing hybrid core PMUs (git-fixes).
- perf callchain: Always populate the addr_location map when adding IP (git-fixes).
- perf trace: Set errpid to false for rseq and set_robust_list (git-fixes).
- perf trace: Always print return value for syscalls returning a pid (git-fixes).
- perf record: Fix incorrect --user-regs comments (git-fixes).
- perf symbol: Fix use-after-free in filename__read_build_id (git-fixes).
- perf pmu: Avoid segv for missing name/alias_name in wildcarding (git-fixes).
- perf tests switch-tracking: Fix timestamp comparison (git-fixes).
- perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 (git-fixes).
- perf intel-pt: Fix PEBS-via-PT data_src (git-fixes).
- perf tests: Fix 'perf report' tests installation (git-fixes).
- perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids() (git-fixes).
- perf symbol-minimal: Fix double free in filename__read_build_id (git-fixes).
- perf tool_pmu: Fix aggregation on duration_time (git-fixes).
- perf ui browser hists: Set actions->thread before calling do_zoom_thread() (git-fixes).
- perf build: Warn when libdebuginfod devel files are not available (git-fixes).
- tools build: Don't show libunwind build status as it is opt-in (git-fixes).
- tools build: Don't set libunwind as available if test-all.c build succeeds (git-fixes).
- perf/core: Fix broken throttling when max_samples_per_tick=1 (git-fixes).
- perf/x86/amd/uncore: Prevent UMC counters from saturating (git-fixes).
- perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member (git-fixes).
- perf: Ensure bpf_perf_link path is properly serialized (git-fixes).
- arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src (git-fixes).
- perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type (git-fixes).
- commit 4d40f30

++++ kernel-default-base:
- Add modules for confidential compute (bsc#1246502)

++++ kernel-firmware-realtek:
- Update to version 20250715 (git commit 04c379b552c7):
  * rtw89: 8852b: update fw to v0.29.128.0
  * rtw89: 8852bt: update fw to v0.29.127.0
  * rtw89: 8922a: add regd fw element with version R72-R6
  * rtw89: 8852c: add regd fw element with version R72-R57
  * rtw89: 8922a: update BB parameter V49

++++ leancrypto:
- Split kernel module into a separate package as to allow leancrypto to be part of ring1 following replacement of liboqs in gnutls [jsc#PED-3176]
- Update to 1.5.1:
  * add ChaCha20 Poly 1305 AEAD
  * ChaCha20: add ARMv8 NEON, ARMv7 Neon, Intel AVX2, Intel AVX512, RISCV RVV/ZBB implementations
  * RISC-V entropy source: make implementation consistent to spec
  * Unify stack memory allocation

++++ selinux-policy:
- Update to version 20250627+git62.68c403828:
  * Allow virtqemud_t use its private tmpfs files (bsc#1242998)
  * Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
  * Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
  * Extend virtqemud_t tcp_socket permissions (bsc#1242998)
  * Mark configfs_t as mountpoint (bsc#1246080)
  * healthchecker: add proper optional_policy() guards
  * Allow virtqemud_t
    to read and write generic pty (bsc#1242998)
  * Drop SUSE-specific /usr/etc = /etc equivalency
  * Allow irqbalance execute shell if irqbalance_run_unconfined is on
  * Allow openvswitch ioctl vduse devices
  * Label /dev/vduse/control and /dev/vduse/NAME devices
  * Allow virtstoraged the sys_rawio capability
  * Allow virtqemud read insights-core state files
  * Allow virtnodedev create mdevctl config dirs
  * Allow virtqemud additional permissions on scsi generic chr files
  * Allow local login execute gnome keyring daemon
  * Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
  * Allow virtqemud send a generic signal to passt
  * Allow svirt-tcg read init state
  * Allow irqbalance execute shell if irqbalance_run_unconfined is on
  * Label /run/opendkim with dkim_milter_data_t
  * Allow sa-update status systemd services
  * Introduce new cluster_service_transition_to_unconfined_user boolean (bsc#1244495)
  * Allow updpwd logging send audit messages
  * Temporary dontaudit iio-sensor-proxy sys_admin.
  * Allow iio-sensor-proxy sendto to journald over a unix datagram socket
  * Revert "Allow iio-sensor-proxy sendto to journald over a unix datagram socket"
  * virt: allow QEMU use of the qgs daemon for attestation
  * qgs: add contrib module for TDX "qgs" daemon
  * kernel: add interfaces for using SGX enclaves
  * Define file equivalency for /usr/etc
  * Allow mongod to receive pressure stall information
  * Dontaudit systemd_generator read sssd public files
  * Allow plymouthd read/write input event devices
  * Label 99-nvme-nbft-connect.sh with NetworkManager_dispatcher_nvme_script_t
  * Allow systemd-user-runtime-dir sendto to syslogd
  * Remove pcp module
  * Update irqbalance policy for using unconfined scripts
  * Allow utempter use terminal multiplexor
  * Allow virtqemud execute ovs-vsctl with a domain transition
  * Update the files_search_mnt() interface
  * Allow nmbd read network sysctls
  * Allow iio-sensor-proxy sendto to journald over a unix datagram socket
  * Allow logrotate stop all systemd services
  * systemd: rework systemd_manage_random_seed
  * Allow tuned-ppd connect to sssd over a unix stream socket
  * Drop config for /run/random-seed
  * Update file location for systemd random-seed file
  * Allow tomcat execute cracklib-check with a domain transition
  * Allow sssd watch lib dirs
  * Confine systemd-hibernate-resume
  * Allow login_userdomain create /run/tlog directory with user_tmp_t
  * Allow login_pgm read filesystem sysctls
  * Allow gconfd connect to system dbus
  * Allow NetworkManager manage NetworkManager_etc_rw_t symlinks
- Syncing with upstream rawhide selinux-policy up to:
  * 23514206ea45e1d1d2f8a4c08288065c813fcc91
- Update embedded container-selinux version to commit:
  * 36e8f213b7ac8a1843e5e37b37eb8ef7bdc2af9c (version 2.238.0)

------------------------------------------------------------------
------------------ 2025-7-15 - Jul 15 2025 -------------------
------------------------------------------------------------------
++++ cockpit:
- add
  0001-cockpit-overview-support-SUSE_SUPPORT_PRODUCT-keys.patch
- add 0002-cockpit-kdump-support-SLE-micro-6.2.patch
- add 0003-branding-use-SUSE_SUPPORT_PRODUCT-and-SUSE_SUPPORT_P.patch to fix bsc#1241003

++++ python-kiwi:
- Fixed test-image-live-disk
  Added missing openssh-server package
- Fixed test-image-azure
  Add missing python-azure-agent-config-default package
- Fixed debian integration test builds
  secure shell service is named ssh and not sshd there
- Fixed integration test builds
  Second round of fixes for integration tests. Again errors now became visible due to the refactoring of the script code
- Fixed integration test builds
  Errors from scripts were no longer ignored due to the last cleanup of the integration test script code. This commit fixes the now exposed build errors
- Fix check_target_dir_on_unsupported_filesystem
  Find the first existing path in the target path and check the filesystem capabilities for this path. This Fixes #2858

++++ git:
- update git-gui sha256 patches after the upstream review:
  0001-git-gui-Replace-null_sha1-with-nullid.patch
  0002-git-gui-Add-support-of-SHA256-repo.patch

++++ gnutls:
- Build with leancrypto. The liboqs support for post-quantum cryptography (PQC) has been removed and is only provided through leancrypto.
- Build with TPM 2.0 support via tpm2-0-tss.

++++ kernel-default:
- dm-bufio: fix sched in atomic context (git-fixes).
- commit ccc1d23
- Update patches.suse/nvme-pci-fix-queue-unquiesce-check-on-slot_reset.patch (git-fixes bsc#1240885).
- commit 03e1767
- objtool: Fix error handling inconsistencies in check() (git-fixes).
- commit ec79144
- x86/traps: Make exc_double_fault() consistently noreturn (git-fixes).
- commit bf4b16f
- objtool: Fix C jump table annotations for Clang (git-fixes).
- commit 529d2a6
- objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns (git-fixes).
- commit 7e1fde5
- perf: Fix sample vs do_exit() (bsc#1246547).
- commit 073eb4d
- drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951 CVE-2025-38187)
- commit 9b6cd76
- nvme-multipath: fix suspicious RCU usage warning (git-fixes).
- nvme-pci: refresh visible attrs after being checked (git-fixes).
- nvmet: fix memory leak of bio integrity (git-fixes).
- nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes).
- nvme-tcp: fix I/O stalls on congested sockets (git-fixes).
- commit 717d386
- tools: fix atomic_set() definition to set the value correctly (git-fixes).
- Refresh patches.suse/mm-replace-vm_lock-and-detached-flag-with-a-reference-coun.patch.
- commit a7fcdf3
- firewall: remove misplaced semicolon from stm32_firewall_get_firewall (git-fixes).
- commit 2dc4084
- scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142).
- scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125).
- commit db7c71a
- sched_ext: fix application of sizeof to pointer (git-fixes).
- commit 7226f76
- crypto: hkdf - skip TVs with unapproved salt lengths in FIPS mode (bsc#1241200 bsc#1246134).
- commit 5472af3
- Update patches.suse/net-clear-the-dst-when-changing-skb-protocol.patch (bsc#1245954 CVE-2025-38192).
  Fix incorrect CVE reference.
- commit 0f40511
- bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980 CVE-2025-38202).
- commit ca2d088
- bpf, sockmap: Avoid using sk_socket after free when sending (bsc#1245749 CVE-2025-38154).
- selftest/bpf/benchs: Add benchmark for sockmap usage (bsc#1245749 CVE-2025-38154).
- bpf, sockmap: Fix panic when calling skb_linearize (bsc#1245749 CVE-2025-38154).
- bpf, sockmap: fix duplicated data transmission (bsc#1245749 CVE-2025-38154).
- bpf, sockmap: Fix data lost during EAGAIN retries (bsc#1245749 CVE-2025-38154).
- commit b7122ae
- btrfs: improve the warning and error message for btrfs_remove_qgroup() (bsc#1246357).
- commit 01d925c

++++ kernel-firmware-bluetooth:
- Update to version 20250714 (git commit ecdbd2b8af04):
  * linux-firmware: Update firmware file for Intel Solar core
  * linux-firmware: Update firmware file for Intel BlazarU core
  * linux-firmware: Update firmware file for Intel BlazarI core

++++ kernel-firmware-qcom:
- Update to version 20250714 (git commit ecdbd2b8af04):
  * qcom: Update gpu firmwares of QCS615 chipset

++++ polkit:
- CVE-2025-7519: Fixed that a XML policy file with a large number of nested elements may lead to out-of-bounds write (bsc#1246472)
  added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch

++++ systemd:
- systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551)
  The cleanup of the flags in /run/systemd/rpm was previously handled in the %pretrans/%posttrans sections of the systemd main package. However, this method was ineffective if systemd was not part of the transaction. The cleanup is now run in %transfiletriggerin instead.

++++ pam-config:
- Update to version 2.13+git.20250715:
  * Release version 2.13
  * Place himmelblau near the top of pam stack [bsc#1243418]

++++ psmisc:
- Add patch 0001-fuser-Fix-expandpath.patch
  * Is an upstream commit which fixes https://gitlab.com/psmisc/psmisc/-/issues/57 as well as bug boo#1242093

------------------------------------------------------------------
------------------ 2025-7-14 - Jul 14 2025 -------------------
------------------------------------------------------------------
++++ accountsservice:
- Update accountsservice-sysconfig.patch: Check whether sysconfig is used and fallback to display manager settings if sysconfig is not used (bsc#1246127).
++++ cockpit:
- update check_cockpit_users to only check for systemd support in /etc/nsswitch.conf bsc#1246408

++++ curl:
- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
  * tool_getparam: fix --ftp-pasv [5f805ee]
  * Add curl-fix--ftp-pasv.patch

++++ branding-SLE:
- Update square-hicolor.svg to adapt the GNOME light color style (bsc#1243104).

++++ python-kiwi:
- Cleanup integration tests config.sh script code
  Add script code to shellcheck and fix all reported issues. Get rid of suseXX and baseXX methods as much as possible. Add set -ex for all script code. Do not allow any script code to fail.
- defaults: Add patterns for shim/grub2 on riscv64
  A recent commit changed the way these are looked up and accidentally broke image building on riscv64, with KiwiBootLoaderGrubSecureBootError: Signed grub2 efi loader not found now being raised for kiwi recipes that worked just fine before that moment.
  Fixes: 197572378cf4f25103934beac2ceca4fbbcfcbc0
  Thanks: David Abdurachmanov
  Thanks: Marcus Schäfer
  Signed-off-by: Andrea Bolognani

++++ gnutls:
- Update to 3.8.10:
  * libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
    Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [bsc#1246299, CVE-2025-6395]
  * libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
    Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [bsc#1246233, CVE-2025-32989]
  * libgnutls: Fix double-free upon error when exporting otherName in SAN
    Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [bsc#1246232, CVE-2025-32988]
  * certtool: Fix 1-byte write buffer overrun when parsing template
    Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [bsc#1246267, CVE-2025-32990]
  * libgnutls: PKCS#11 modules can now be used to override the default cryptographic backend.
    Use the [provider] section in the system-wide config to specify path and pin to the module (see system-wide config Documentation).
  * libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update support.
    The library running on the aforementioned version now utilizes the kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted TLS session. The --enable-ktls configure option as well as the system-wide kTLS configuration (see GnuTLS Documentation) are still required to enable this feature.
  * libgnutls: liboqs support for PQC has been removed
    For maintenance purposes, support for post-quantum cryptography (PQC) is now only provided through leancrypto. The experimental key exchange algorithm, X25519Kyber768Draft00, which is based on the round 3 candidate of Kyber and only supported through liboqs has also been removed altogether.
  * libgnutls: TLS certificate compression methods can now be set with cert-compression-alg configuration option in the gnutls priority file.
  * libgnutls: All variants of ML-DSA private key formats are supported
    While the previous implementation of ML-DSA was based on draft-ietf-lamps-dilithium-certificates-04, this updates it to draft-ietf-lamps-dilithium-certificates-12 with support for all 3 variants of private key formats: "seed", "expandedKey", and "both".
  * libgnutls: ML-DSA signatures can now be used in TLS
    The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and ML-DSA-87, can now be used to digitally sign TLS handshake messages.
  * API and ABI modifications:
    - GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
    - GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t
- Add patch gnutls-3.8.10-disable-ktls_test.patch
- Rebased patches:
  * gnutls-FIPS-140-3-references.patch
  * gnutls-FIPS-disable-mac-sha1.patch
  * gnutls-disable-flaky-test-dtls-resume.patch
  * gnutls-skip-pqx-test.patch

++++ hwinfo:
- merge gh#openSUSE/hwinfo#170
- Makefile: fix build for ARCH=i686
- 25.0
- merge gh#openSUSE/hwinfo#165
- Fix memory leaks in block device name handling
- merge gh#openSUSE/hwinfo#164
- feat: capture usb alternate setting
- feat: capture usb interface association
- feat: use interface association descriptor first when classifying usb devices
- USB improvements
- merge gh#openSUSE/hwinfo#169
- add nvmeof and iscsi info (jsc#PED-13261, jsc#PED-13209)

++++ texinfo:
- Add texinfo-perl-5.42.patch: Fix syntax to be unambiguous
  if (! $str eq '') is not really clear; is it (!$str) eq '' or !($str eq '')
  Perl 5.42 rightly flags this syntax with:
    Possible precedence problem between ! and string eq
  Assuming !($str eq '') was meant, we can rewrite this as $str ne '', which happens to also be used in multiple places already (sometimes just a few lines further down in the same files)

++++ kernel-default:
- scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes).
- scsi: sd: Fix VPD page 0xb7 length check (git-fixes).
- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes).
- scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes).
- scsi: megaraid_sas: Fix invalid node index (git-fixes).
- aoe: clean device rq_list in aoedev_downdev() (git-fixes).
- block: use plug request list tail for one-shot backmerge attempt (git-fixes).
- block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work (git-fixes).
- block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion (git-fixes).
- md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes).
- scsi: smartpqi: Add new PCI IDs (git-fixes).
- block: use q->elevator with ->elevator_lock held in elv_iosched_show() (git-fixes).
- commit abdb18a
- mm: fix uprobe pte be overwritten when expanding vma (CVE-2025-38207 bsc#1246004).
- commit b1729e5
- ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212 bsc#1246029).
- commit 78df593
- calipso: unlock rcu before returning -EAFNOSUPPORT (CVE-2025-38147 bsc#1245768).
- calipso: Don't call calipso functions for AF_INET sk (CVE-2025-38147 bsc#1245768).
- commit ddcefe6
- s390x config: set CONFIG_PCI_NR_FUNCTIONS=512 (bsc#1246470 LTC#214321)
- commit 1465ef8
- x86/fred: Fix system hang during S4 resume with FRED enabled (bsc#1245084 CVE-2025-38047).
- commit 622750a
- hisi_acc_vfio_pci: bugfix live migration function without VF device driver (CVE-2025-38283 bsc#1246273).
- configfs-tsm-report: Fix NULL dereference of tsm_ops (CVE-2025-38210 bsc#1246020).
- commit fb63fb6

++++ gcc15:
- Update to GCC 15 branch head, 15.1.1+git9973
- Fixes PR120995, unrecognizable insn UNSPEC_COMPARE_AND_SWAP with rv64gc_zabha_zacas

++++ libcontainers-common:
- Remove subpackage libcontainers-sles-mounts and prevent auto mounting SUSEConnect credentials from host to container. SLE16 onwards, the idea is to expect users to explicitly mount secrets. (bsc#1246227)

++++ libzypp:
- Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149)
- Add regression test for bsc#1245220 and some other filesize related tests.
- version 17.37.11 (35)

++++ python-requests:
- Add revert-caching-default-sslcontext.patch upstream patch to avoid problems with certificate caching in sslcontext. bsc#1246104, gh#psf/requests#6767

++++ rust-keylime:
- Update vendored crates (bsc#1242623, CVE-2025-3416)
  * openssl 0.10.73
- Update to version 0.2.7+117:
  * Increase coverage in evidence handling structure
  * Add Capabilities Negotiations resp.
    missing fields
  * Fix UEFI test to check file access in all cases
  * context_info_handler: Do not assume /var/lib/keylime exists
  * Fix clippy warnings about uninlined format arguments
  * attestation: Allow unwrap() in tests
  * Increase coverage (groom code, extend unit tests)
  * Include IMA/UEFI logs in Evidence Handling request
  * Include method to get all IMA entries as string
  * Send correct list of pcr banks and sign algorithms
  * Try to fix TPM tests related issues
  * Define attestation perform asynchronous
  * Perform attestation in push model agent binary
  * Refactor code to use new attestation.rs
  * Create attestation.rs for Attestation stuff
  * Move ContextInfo management to its own handler
  * Adjust context_info.rs after rebase
  * Add attestation function to ContextInfo structure
  * Add prohibited signing algorithms, avoid ecschnorr
  * keylime/config: Use macro to implement PushModelConfigTrait
  * Introduce keylime-macros and define_view_trait
  * config: Remove KeylimeConfig structure
  * config: Remove unnecessary options and lazy initialization
  * Fix pcr_bank function to send all possible slots
  * Send Content-Type:application/json on request (#1039)
  * Send correct 'key_algorithm' in certification_keys (#1035)
  * Push Model: Persist Attestation Key to file
  * Add Keylime push model binary to root GNUmakefile
  * Use singleton to avoid multiple Context allocation
  * tests: Do not assume `/var/lib/keylime` exists (#1030)
  * lib/cert: Fix race condition due to use of same file path
  * payloads: Fix race condition in tests
  * Add uefi_log_handler.rs to parse UEFI binary
  * Use IMA log parser to send correct entry count
  * Add IMA log parser
  * build(deps): bump once_cell from 1.19.0 to 1.21.3
  * lib/config/base.rs: Add more unit tests
  * lib/permissions: Add unit tests
  * keylime-agent: move JsonWrapper from common.rs to the library
  * lib/agent_data: Move agent_data related tests from common
  * common: Replace APIVersion with the library Version structure
  * keylime_agent: Move secure_mount.rs
to the library * lib: Rename keylime_error.rs as error.rs * config: Move config to keylime library * config: Rename push_model_config to push_model * lib: Move permissions.rs from keylime-agent to the lib * Extract Capabilities Negotiation info from TPM (#1014) ------------------------------------------------------------------ ------------------ 2025-7-13 - Jul 13 2025 ------------------- ------------------------------------------------------------------ ++++ gnutls: - enable ktls support - enable brotli and zstd compression support ++++ open-iscsi: - Update to version 2.1.11.suse+73.1723affc61eb: * README for rpm build directory * Fix issue with IPv6 adapter interfaces (#508, bsc#1240969) * fwparam_ppc.c: Fix the calloc-transposed-args issue (#504) * Makefile: fix "No rule to make target 'iscsiuio/Makefile.in" issue (#506) * Fix typo in initiator.c (#507) - Fixed some issues in this changes file * One date had incorrect format from 2014 * Two separator lines were formatted incorrectly ++++ kernel-default: - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (git-fixes). - kasan: avoid sleepable page allocation from atomic context (git-fixes). - commit 3186bf7 ------------------------------------------------------------------ ------------------ 2025-7-12 - Jul 12 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Add SLFO test-image-disk-simple integration test Add simple disk test and allow for testing the new transparent container idea for the aws toolchain. also add SLFO builds to the helper script ++++ kernel-default: - drm/imagination: Fix kernel crash when hard resetting the GPU (git-fixes). - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() (git-fixes). 
- drm/xe/bmg: fix compressed VRAM handling (git-fixes). - Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" (git-fixes). - drm/xe: Allocate PF queue size on pow2 boundary (git-fixes). - drm/xe/pf: Clear all LMTT pages on alloc (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes). - net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7921: prevent decap offload config before STA initialization (git-fixes). - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: mwifiex: discard erroneous disassoc frames on STA interface (git-fixes). - wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - commit 7d2f716 ------------------------------------------------------------------ ------------------ 2025-7-11 - Jul 11 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - add a requirement on /usr/sbin/kdumptool for cockpit-kdump (bsc#1227402) - add libzypp-plugin-appdata dependency to cockpit-packagekit as this will generate the swcatalog which it depends on for calculating various cockpit packages ++++ grub2: - Enable loongarch64 build (bsc#1234248) ++++ kernel-default: - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - commit f532c0d - hisi_acc_vfio_pci: fix XQE dma address error (CVE-2025-38158 bsc#1245750). 
- commit d6de051 - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - Refresh patches.suse/platform-x86-think-lmi-Fix-kobject-cleanup.patch. - commit ed9e879 - ASoC: tas2764: Extend driver to SN012776 (stable-fixes). - Refresh patches.suse/ASoC-tas2764-Reinit-cache-on-part-reset.patch. - commit d98ebe4 - drm/xe/guc: Dead CT helper (stable-fixes). - Refresh patches.suse/drm-xe-Fix-early-wedge-on-GuC-load-failure.patch. - commit f279fcb - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: phy: smsc: Force predictable MDI-X state on LAN87xx (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - Bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - platform/x86: dell-wmi-sysman: Fix class device unregistration (git-fixes). - platform/x86: think-lmi: Fix class device unregistration (git-fixes). - platform/x86: hp-bioscfg: Fix class device unregistration (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). - Logitech C-270 even more broken (stable-fixes). - Input: xpad - support Acer NGR 200 Controller (stable-fixes). - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - drm/xe/guc: Explicitly exit CT safe mode on unwind (git-fixes). - drm/xe: move DPT l2 flush to a more sensible place (git-fixes). - drm/xe: Move DSB l2 flush to a more sensible place (git-fixes). - ACPICA: Refuse to evaluate a method if arguments are missing (stable-fixes). - mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - ASoC: amd: yc: update quirk data for HP Victus (stable-fixes). - ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - ALSA: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). 
- ALSA: sb: Don't allow changing the DMA mode during operations (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). - regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - ata: pata_cs5536: fix build on 32-bit UML (stable-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). - ACPI: thermal: Execute _SCP before reading trip points (git-fixes). - crypto: zynqmp-sha - Add locking (git-fixes). - crypto: iaa - Do not clobber req->base.data (git-fixes). - crypto: iaa - Remove dst_null support (stable-fixes). - spinlock: extend guard with spinlock_bh variants (stable-fixes). - ACPI: thermal: Fix stale comment regarding trip points (stable-fixes). - platform/x86: dell-sysman: Directly use firmware_attributes_class (stable-fixes). - platform/x86: hp-bioscfg: Directly use firmware_attributes_class (stable-fixes). - platform/x86: think-lmi: Directly use firmware_attributes_class (stable-fixes). - platform/x86: firmware_attributes_class: Simplify API (stable-fixes). - platform/x86: firmware_attributes_class: Move include linux/device/class.h (stable-fixes). - drm/xe: Allow bo mapping on multiple ggtts (stable-fixes). - drm/xe: add interface to request physical alignment for buffer objects (stable-fixes). - drm/xe: Fix DSB buffer coherency (stable-fixes). - drm/xe: Replace double space with single space after comma (stable-fixes). - commit 909dad5 - i40e: fix MMIO write access to an invalid page in i40e_clear_hw (CVE-2025-38200 bsc#1246045). - net: cadence: macb: Fix a possible deadlock in macb_halt_tx (CVE-2025-38094 bsc#1245649). 
- commit 13d7db9 - x86/process: Move the buffer clearing before MONITOR (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit 8266745 - x86/microcode/AMD: Add TSA microcode SHAs (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit b20882f - KVM: SVM: Advertise TSA CPUID bits to guests (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit eae5894 - x86/cpu: Avoid running off the end of an AMD erratum table (git-fixes). - commit 1a01a37 - x86/cpu: Move AMD erratum 1386 table over to 'x86_cpu_id' (git-fixes). - commit 00956a9 - x86/cpu: Replace PEBS use of 'x86_cpu_desc' use with 'x86_cpu_id' (git-fixes). - commit a673ad4 - x86/cpu: Introduce new microcode matching helper (git-fixes). - commit e274dab - x86/bugs: Add a Transient Scheduler Attacks mitigation (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - Update config files. - commit 8a110dc - kabi: fix dm-fix-dm_blk_report_zones.patch (CVE-2025-38140 bsc#1245717). - commit 701faad - net: clear the dst when changing skb protocol (bsc#1245954 CVE-2024-49861). 
- commit b34915e ++++ llvm19: - Add reproducible.patch to make libomp.so reproducible (boo#1199076) - Replace usage of %jobs for reproducible builds (boo#1237231) ++++ at-spi2-core: - Add upstream fixes: + at-spi2-core-grab-memory-leak.patch + at-spi2-core-key-grabs.patch (glgo#GNOME/at-spi2-core!193) + at-spi2-core-plug-crash.patch (glgo#GNOME/at-spi2-core#198) ++++ procps: - Add patch procps-ng-4.0.5-bsc1246330.patch * Do not Fail in year 2038 (bsc#1246330) ++++ nvidia-open-driver-G06-signed: - update non-CUDA variant to 570.172.08 (boo#1246327) - supersedes * 0003-nv-dmabuf-Inline-dma_buf_attachment_is_dynamic.patch * 0004-nvidia-uvm-Disable-SVA-support-for-6.16.patch - update pci_ids-supported ++++ perl: - update to 5.42.0 * new pragma "source::encoding" * new ":writer" attribute on field variables * new "any" and "all" operators * lexical method declaration using "my method" * lexical method invocation operator "->&" * switch and Smart Match operator kept, behind a feature * unicode 16.0 supported * assigning logical xor "^^=" operator * many performance enhancements - drop perl-dirdup.diff (included upstream) ------------------------------------------------------------------ ------------------ 2025-7-10 - Jul 10 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Show reboot notification after updates in packagekit * Add 0009-packagekit-reboot-notification.patch ++++ kernel-default: - dm: limit swapping tables for devices with zone write plugs (CVE-2025-38140 bsc#1245717). - commit 8c8d49f - dm: fix dm_blk_report_zones (CVE-2025-38140 bsc#1245717). - commit 6d395b8 - dm-table: check BLK_FEAT_ATOMIC_WRITES inside limits_lock (git-fixes). - commit d31c434 - coresight: prevent deactivate active config while enabling the config (CVE-2025-38131 bsc#1245677). - coresight: holding cscfg_csdev_lock while removing cscfg from csdev (CVE-2025-38132 bsc#1245679). 
- commit 4dcb9b9 - ACPI: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - commit 13b2592 - ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - ALSA: hda/tegra: Add Tegra264 support (stable-fixes). - commit df0e4a0 - ALSA: hda/realtek: Add quirk for ASUS ExpertBook B9403CVAR (stable-fixes). - ALSA: usb-audio: Improve filtering of sample rates on Focusrite devices (stable-fixes). - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - commit 3d097e2 - ALSA: hda/realtek: Enable headset Mic on Positivo K116J (stable-fixes). - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx (stable-fixes). - ALSA: hda/realtek: Add quirks for some Clevo laptops (stable-fixes). - ALSA: hda/realtek: Enable headset Mic on Positivo P15X (stable-fixes). - ALSA: hda/realtek: Add quirk for Asus GA605K (stable-fixes). - commit c130ef1 - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). - commit f2d1e17 ++++ kernel-firmware-amdgpu: - Update to version 20250708 (git commit 99d64b4f788c): * amdgpu: Add DCN 3.6 * amdgpu: Add PSP 14.0.5 * amdgpu: Add SDMA 6.1.3 * amdgpu: Add GC 11.5.3 ++++ kernel-firmware-i915: - Update to version 20250708 (git commit 99d64b4f788c): * xe: Add fan_control v203.0.0.0 for BMG ++++ kernel-firmware-mediatek: - Update to version 20250708 (git commit 99d64b4f788c): * mediatek MT7921: update bluetooth firmware to 20250625154126 ++++ kernel-firmware-qcom: - Update to version 20250708 (git commit 99d64b4f788c): * qcom/adreno: move A610 and A702 ZAP files to Adreno driver section * qcom: Add sdx61 Foxconn vendor firmware image file ++++ python313-core: - Fix gil/nogil package description, bsc#1246229 ++++ net-tools: - Perform bound checks when parsing interface labels in /proc/net/dev (bsc#1243581, CVE-2025-46836, net-tools-CVE-2025-46836.patch, net-tools-CVE-2025-46836-regression.patch). 
++++ python313: - Fix gil/nogil package description, bsc#1246229 ++++ systemd-presets-common-SUSE: - Add cockpit.socket to improve user experience as it is replacing YaST (jsc#PED-13228) ------------------------------------------------------------------ ------------------ 2025-7-9 - Jul 9 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Explicitly set uefi as default firmware (bsc#1245145) ++++ docker: - Update to Docker 28.3.2-ce. See upstream changelog online at ++++ python-kiwi: - Fixed check for unallocated space on disk So far the check for unallocated space was only working for GPT and there it was also not really stable. The check was based on verifying if the backup GPT table is really at the end of the disk. Depending on which tool was used to dump the image on the target this "mistake" often got corrected by the tools that dumped the image. In this case the check no longer worked. This commit improves the check by another test which looks for the real free bytes on disk compared to the current partition geometry. - Move to neutral directory for calling osc When calling the helper/build_status.sh script to get an overview about the results of the integration tests, there is a stupid new behavior from the osc tool that it assumes a package name according to the name of the directory you are in probably connected to the fact that the data in this directory is a git checkout or some other strange assumption. This commit moves to a neutral directory where none of the osc internal assumptions applies and it just does what it should do... showing results of the given project. 
- Bump version: 10.2.26 → 10.2.27 ++++ transactional-update: - Version 5.0.6 - Fix missing x-initrd.mount in fstab on migration [boo#1246139] When migrating overlayfs based /etc to btrfs subvolumes, then the attribute was not set - this may result in failures from services operating on /etc during initrd phase such as SELinux relabelling - Optimize execution time of tests ++++ git: - refreshed gitk sha256 patches: 0001-gitk-Add-support-of-SHA256-repo.patch 0002-git-gui-Add-support-of-SHA256-repo.patch - update to 2.50.1 (boo#1245938 boo#1245939 boo#1245942 boo#1245943 boo#1245946 boo#1245947) Security fixes for CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386 CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not. CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure. CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu. CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file. CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). 
When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. CVE-2025-48386, Git: The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows. ++++ kdump: - upgrade to version 2.1.1 * check for reserved memory on load for better error reporting * update man page * set KDUMP_CPUS to 1 on XEN (bsc#1244289) * load.sh clean up * use eval for PRESCRIPT, POSTSCRIPT and TRANSFER * sftp: fix key-based authentication * fix and improve calibrate build - update calibrate values ++++ kernel-default: - kabi: restore encap_sk in struct xfrm_state (CVE-2025-38097 bsc#1245660). - espintcp: remove encap socket caching to avoid reference leak (CVE-2025-38097 bsc#1245660). 
- commit 063ca35 - net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (CVE-2025-38183 bsc#1246006). - commit 39da23e - net_sched: sch_sfq: fix a potential crash on gso_skb handling (CVE-2025-38115 bsc#1245689). - commit 9e19da0 - ALSA: usb-audio: Kill timer properly at removal (CVE-2025-38105 bsc#1245682). - commit 79e6efd - rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337) - commit 630f139 - exfat: fix double free in delayed_free (bsc#1246073 CVE-2025-38206). - commit ad15d15 - pwm: mediatek: Ensure to disable clocks in error path (git-fixes). - pwm: Fix invalid state detection (git-fixes). - ASoC: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - ASoC: fsl_sai: Force a software reset when starting in consumer mode (git-fixes). - ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH (git-fixes). - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() (git-fixes). - commit 04c53e4 ++++ gcc15: - Prune the use of update-alternatives from openSUSE Factory and SLFO. - Adjust crosses to conflict consistently where they did not already and make them use unsuffixed binaries. 
------------------------------------------------------------------ ------------------ 2025-7-8 - Jul 8 2025 ------------------- ------------------------------------------------------------------ ++++ dracut: - Update to version 059+suse.690.g496a1409: * fix(rngd): adjust license to match the license of the whole project * fix(dracut): kernel module name normalization in drivers lists (bsc#1241680) * fix(dracut-init): assign real path to srcmods (bsc#1241114) ++++ python-kiwi: - Fix regression in get_partition_node_name backwards compat for lsblk before 2.38 if START column not supported, fall back to default sort - Add global option --setenv Allow to set environment variables in the caller environment via the commandline, e.g --setenv SOURCE_DATE_EPOCH=42 - Seed filesystem UUIDs with SOURCE_DATE_EPOCH For reproducible builds the calculation of the filesystem UUID should be persistent with each rebuild of the image. To achieve this the UUID is calculated using the SOURCE_DATE_EPOCH from the environment plus a char-number representation of the filesystem label name as random seed. In kiwi every filesystem is created with a label, thus only in case there is no SOURCE_DATE_EPOCH available we continue to create the UUID as random data. This Fixes #2761 - Add label attribute for section Allow to specify a filesystem label as part of a definition. So far the label was set by the name of the partition. With the new label attribute, a filesystem label different from the partition name can be set. This commit also updates/fixes the documentation in this regard. - Improve log message in SystemIdentifier Add some scope information such that we know from where this log information originates from. 
++++ grub2: - Backport upstream disk password retry (bsc#1245545) * 0001-disk-cryptodisk-Allow-user-to-retry-failed-passphras.patch ++++ jeos-firstboot: - Update to version 1.5.8: * Update files/usr/share/jeos-firstboot/jeos-firstboot-functions * Use SUSE_PRETTY_NAME as product name to display if it exists (bsc#1245364) * Use xterm-256color on WSL based hosts boo#1237756 ++++ kernel-default: - dm-raid: fix variable in journal device check (git-fixes). - commit 03404b3 - dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes). - commit bbecd6f - dm-mirror: fix a tiny race condition (git-fixes). - commit 0d4f8fc - dm vdo indexer: don't read request structure after enqueuing (git-fixes). - commit 4cb65b5 - dm-table: Set BLK_FEAT_ATOMIC_WRITES for target queue limits (git-fixes). - commit 2396437 - dm-flakey: make corrupting read bios work (git-fixes). - commit b0152c6 - dm-flakey: error all IOs when num_features is absent (git-fixes). - commit fd9c57b - dm: lock limits when reading them (git-fixes). - commit 153ee47 - dm: handle failures in dm_table_set_restrictions (git-fixes). - commit 78fcb29 - dm: free table mempools if not used in __bind (git-fixes). - commit 5859b3f - dm: don't change md if dm_table_set_restrictions() fails (git-fixes). - commit 4bd9525 - virtgpu: don't reset on shutdown (git-fixes). - commit 901c686 - kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork() (git-fix for CVE-2025-22090 bsc#1241537). - commit 09cb3ff - netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (CVE-2025-38162 bsc#1245752). - commit 8282c3d - vhost-scsi: protect vq->log_used with vq->mutex (CVE-2025-38074 bsc#1244735). - commit 4cc2d93 - crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (CVE-2025-37984 bsc#1243669). - commit 743073a - virtio: break and reset virtio devices on device_shutdown() (CVE-2025-38064 bsc#1245201). 
- commit dec0ac7 ++++ samba: - Update to 4.22.3 * samba-tool cannot add user to group whose name is exactly 16 characters long; (bso#15854); * Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876); * Startup messages of rpc daemons fill /var/log/messages; (bso#15869); ++++ libvirt: - qemu: ARM: Change default SCSI controller model from 'lsilogic' to 'virtio-scsi' bsc#1240762 ++++ ovmf: - Backport the patch from edk2-stable202505 (jsc#PED-13202) - ovmf-UefiCpuPkg-MpInitLib-Fix-SNP-AP-creation.patch dca5d26bc57e UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known APIC IDs ++++ read-only-root-fs: - Update to version 1.0+git20250708.3eed5de: * writable-etc: Install findmnt instead of mountpoint * CI: Omit volatile-overlay from the initrd * Add basic CI * Only remount when [/sysroot]/etc is ro (bsc#1246021) ++++ systemd-rpm-macros: - Bump version to 26 ------------------------------------------------------------------ ------------------ 2025-7-7 - Jul 7 2025 ------------------- ------------------------------------------------------------------ ++++ container-selinux: - Update to version 2.239.0: * Allow containers to use hsa devices for ROCM ++++ python-kiwi: - Add rd.kiwi.install.devicepersistency Allow to specify which type of persistent device name should be used to build up the list of installation disk devices. For example rd.kiwi.install.devicepersistency=by-path would use the by-path representations for the available disk devices. The default (by-id) stays untouched. In case an invalid or not present device representation is selected, kiwi falls back to the non persistent unix node names. ++++ hwinfo: - merge gh#openSUSE/hwinfo#167 - fix usb network card detection (bsc#1245950) - 24.1 ++++ kernel-default: - rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu (bsc#1234810 CVE-2024-53160) - commit cc08ae0 - net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864 bsc#1242965). 
- commit 9f73d53 - NFSv4: Always set NLINK even if the server doesn't support it (git-fixes). - commit ab761d1 - NFSv4.2: fix listxattr to return selinux security label (git-fixes). - commit b10a707 - NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated (git-fixes). - commit 3f2e95e - NFSv4: xattr handlers should check for absent nfs filehandles (git-fixes). - commit 4564984 - sunrpc: don't immediately retransmit on seqno miss (git-fixes). - commit eaac877 - usb: typec: displayport: Fix potential deadlock (git-fixes). - commit bf24223 - iio: dac: ad3552r: changes to use FIELD_PREP (stable-fixes). - Refresh patches.suse/iio-dac-ad3552r-clear-reset-status-flag.patch. - commit 9805aa5 - accel/ivpu: Make command queue ID allocated on XArray (stable-fixes). - Refresh patches.suse/accel-ivpu-Fix-locking-order-in-ivpu_job_submit.patch. - commit f24456f - accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers (stable-fixes). - Refresh patches.suse/accel-ivpu-Use-xa_alloc_cyclic-instead-of-custom-fun.patch. - commit d5a180a - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). - wifi: mac80211: finish link init before RCU publish (git-fixes). - Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - spi: spi-cadence-quadspi: Fix pm runtime unbalance (git-fixes). - drm/xe: Fix early wedge on GuC load failure (git-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences (stable-fixes). - drm/amd/display: Check dce_hwseq before dereferencing it (stable-fixes). - drm/amdgpu: Add kicker device detection (stable-fixes). - drm/amd/display: Fix RMCM programming seq errors (stable-fixes). - drm/amd/display: Fix mpv playback corruption on weston (stable-fixes). - drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL (stable-fixes). 
- ASoC: rt1320: fix speaker noise when volume bar is 100% (stable-fixes). - ASoC: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - ALSA: hda: Ignore unsol events for cards being shut down (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: gadget: f_hid: wake up readers on disable/unbind (stable-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices (stable-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() (stable-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - drm/amd/display: Correct non-OLED pre_T11_delay (stable-fixes). - amd/amdkfd: fix a kfd_process ref leak (stable-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - drm/amdgpu: seq64 memory unmap uses uninterruptible lock (stable-fixes). - Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" (stable-fixes). - dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes). - dmaengine: xilinx_dma: Set dma_device directions (stable-fixes). - PCI: imx6: Add workaround for errata ERR051624 (stable-fixes). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). 
- PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (stable-fixes). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - wifi: mac80211: Create separate links for VLAN interfaces (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - drm/xe: Fix taking invalid lock on wedge (stable-fixes). - ASoC: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation (stable-fixes). - drm/amdkfd: Fix instruction hazard in gfx12 trap handler (stable-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - drm/amdkfd: remove gfx 12 trap handler page size cap (stable-fixes). - accel/ivpu: Remove copy engine support (stable-fixes). - net: phy: realtek: add RTL8125D-internal PHY (stable-fixes). - net: phy: realtek: merge the drivers for internal NBase-T PHY's (stable-fixes). 
- commit 3355077 ++++ kernel-firmware-bluetooth: - Update to version 20250707 (git commit ba5e4e381494): * Revert "linux-firmware: Update firmware file for Intel Pulsar core" ++++ kernel-firmware-i915: - Update to version 20250707 (git commit ba5e4e381494): * xe: First HuC release for Pantherlake * xe: First GuC release for Pantherlake ++++ kernel-firmware-mediatek: - Update to version 20250707 (git commit ba5e4e381494): * linux-firmware: update firmware for MT7921 WiFi device ++++ kernel-firmware-qcom: - Update to version 20250707 (git commit ba5e4e381494): * qcom/adreno: sort entries in WHENCE ++++ libsolv: - add support for product-obsoletes() provides in the product autopackage generation code - bump version to 0.7.34 ++++ libzypp: - BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486) Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an Obsoletes: product:oldproductname < oldproductversion into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: Provides: product-obsoletes(oldproductname) < oldproductversion in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. - version 17.37.10 (35) ++++ nvidia-open-driver-G06-signed: - empty pci_ids-570.169; PCI ID hardware Supplements get moved to gfx repository to package nvidia-open-driver-G06-signed-kmp-meta (boo#1246010) - remove 60-nvidia-$flavor.conf, since driver no longer gets autoselected without gfx/cuda repositories present and so we no longer need to disable it by default (boo#1246010) ++++ systemd-rpm-macros: - Introduce %udev_trigger_with_reload() for packages that need to trigger events in their scriptlets. The new macro automatically triggers a reload of the udev rule files as this step is often overlooked by packages (bsc#1237143). 
------------------------------------------------------------------ ------------------ 2025-7-6 - Jul 6 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - i2c/designware: Fix an initialization issue (git-fixes). - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - firmware: arm_ffa: Fix memory leak by freeing notifier callback node (git-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - usb: dwc3: gadget: Fix TRB reclaim logic for short transfers and ZLPs (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). - Revert "usb: xhci: Implement xhci_handshake_check_state() helper" (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" (git-fixes). 
- usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: dwc3: Abort suspend on soft disconnect failure (git-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). - Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt() (git-fixes). - Input: iqs7222 - explicitly define number of external channels (git-fixes). - Input: xpad - adjust error handling for disconnect (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). - drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/v3d: Disable interrupts before resetting the GPU (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). - drm/bridge: aux-hpd-bridge: fix assignment of the of_node (git-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - drm/amdkfd: Don't call mmput from MMU notifier callback (git-fixes). - commit 58c4f95 ++++ wayland: - Update to release 1.24 * A new wl_fixes interface to add a request to destroy a wl_registry object. * A new wl_keyboard.key repeated state, to allow compositors to take over the responsibility of repeating keys, which is useful for remote desktop. * wl_display_dispatch_queue_timeout() and wl_display_dispatch_timeout(), to set a timeout when dispatching events. * wl_shm_buffer_ref() and wl_shm_buffer_unref(), to access wl_shm_buffer underlying storage after the protocol object has been destroyed (e.g. when a client is shutting down). * wl_proxy_get_interface() and wl_resource_get_interface(), to fetch the wl_interface of an object. 
* wl_resource_post_error_vargs(), as an alternative to wl_resource_post_error() when the compositor already has a va_list. ------------------------------------------------------------------ ------------------ 2025-7-4 - Jul 4 2025 ------------------- ------------------------------------------------------------------ ++++ Mesa: - U_0001-svga-add-svga_resource_create_with_modifiers-functio.patch U_0002-svga-fix-printing-64-bit-value-for-32-bit-build.patch * fixes Wayland session when using SP7 as vmware guest (bsc#1245034) ++++ Mesa-drivers: - U_0001-svga-add-svga_resource_create_with_modifiers-functio.patch U_0002-svga-fix-printing-64-bit-value-for-32-bit-build.patch * fixes Wayland session when using SP7 as vmware guest (bsc#1245034) ++++ python-kiwi: - Update test-image-disk Add NetworkManager for better remote debugging capabilities ++++ transactional-update: - Version 5.0.5 - Add support for kdump 2.1.0 [bsc#1243758] - Integrate test to support `make check` ++++ kernel-default: - smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051 bsc#1244750). - commit f65fc44 - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166). - commit e4048e5 - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). - Bluetooth: HCI: Set extended advertising data synchronously (git-fixes). - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - Bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - Bluetooth: hci_sync: revert some mesh modifications (git-fixes). - Bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - commit a505fc6 - gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add (bsc#1243993 bsc#1245617). - writeback: fix false warning in inode_to_wb() (bsc#1243993 bsc#1245617). 
- gfs2: replace sd_aspace with sd_inode (bsc#1243993 bsc#1245617). - commit 9761d03 ++++ systemd: - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. ++++ libzypp: - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - version 17.37.9 (35) ++++ salt: - Add `minion_legacy_req_warnings` option to avoid noisy warnings - Require M2Crypto >= 0.44.0 for SUSE Family distros - Added: * add-minion_legacy_req_warnings-option-to-avoid-noisy.patch ++++ ovmf: - Revert the following change due to security concerns and potential underlying issues. - Enables UEFI Shell support for guests on X64 and AARCH64 platforms (bsc#1244266) - Build Shell.efi independently - Add ovmf-ShellPkg-Add-post-script-for-Shell-installation.patch - Install Shell.efi to EFI boot partition (/boot/efi/EFI/opensuse/ or /boot/efi/EFI/sles/) - Register Shell.efi as a boot entry ++++ zypper: - sh: Reset solver options after command (bsc#1245496) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - version 1.14.92 ------------------------------------------------------------------ ------------------ 2025-7-3 - Jul 3 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to Docker 28.3.1-ce. See upstream changelog online at ++++ kernel-default: - dma-mapping: Fix warning reported for missing prototype (git-fixes). - dma/mapping.c: dev_dbg support for dma_addressing_limited (git-fixes). - commit 0c85d2b - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245644). - commit 6883c36 - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245643). - commit 0f86722 - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). 
- commit d887598 - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - commit cebbc14 - mtk-sd: reset host->mrq on prepare_data() error (git-fixes). - commit 9cc3c5f - Revert "mmc: sdhci: Disable SD card clock before changing parameters" (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). - commit 34daecf - RDMA/mlx5: Fix vport loopback for MPV device (git-fixes) - commit 2e17666 - RDMA/mlx5: Fix CC counters query for MPV (git-fixes) - commit 047aefd - RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes) - commit 385720a - IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - commit e26004c - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - commit da1aeda - RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling (git-fixes) - commit 877a2f1 - RDMA/mlx5: reduce stack usage in mlx5_ib_ufile_hw_cleanup (git-fixes) - commit 95b475f ++++ kernel-firmware-realtek: - Update to version 20250630 (git commit e2dad11e8d4b): * rtw89: 8922a: update fw to v0.35.80.0 * rtw89: 8852c: update fw to v0.27.129.1 * rtw89: 8852c: update fw to v0.27.128.0 ++++ leancrypto: - Update to 1.5.0: * Enable SHA3 CE 2x implementation for SLH-DSA and ML-DSA (performance increases 2 to 3 fold) * Fix lookup of RDRAND support in CPUID * Catch Y2038 issue on 32-bit systems that do not have 64 bit time_t support * Start Python interface * Add ED448 / X448 for use in hybrid PQC constructions, ED448 implementation verified with NIST ACVP * Add ML-KEM-X448 and ML-DSA-ED448 support * ASN.1: Add ML-DSA-ED448 certificate support * RUST: Add ML-DSA-ED448 support * Linux kernel: Add ML-KEM-X448 and ML-DSA-ED448 support * Ascon AEAD: Bug fix when calculating the tag for plaintext that is not multiples of 128 bits * Composite X.509 signatures: 
update implementation to match draft revision 5 * Add support for the Linux kernel updated scatterwalk API in 6.15 for leancrypto_kernel_aead_ascon.ko - Includes changes from 1.4.0: * ML-DSA: add signature generation rejection test cases and enable them during self tests * add HQC following reference implementation (https://pqc-hqc.org/implementation.html (versions from 2025-02-19)) but derived from PQClean implementation. NOTE: HQC is not yet considered stable as the implementation currently does not exhibit the IND-CCA2 property. Moreover, the FIPS standardization of HQC is pending. Changes to the HQC algorithm until standardization will need to be expected. I.e. the versioning rules of the library do not apply to the HQC algorithm until being announced in the CHANGES.md file. * ARMv8: properly save/restore SIMD registers v8 through v15 for ML-DSA/ML-KEM, X25519 and SHA3-CE (reported by Alexander Sosedkin) * Rust: add wrapper allowing a native interaction with the leancrypto library - the API offered by the Rust wrappers is not yet defined to be stable and may change to the next version - i.e. the versioning rules of the library do not apply to the Rust API until being announced in the CHANGES.md file. * Add “secure_execution” compile-time option * Add HQC AVX2 implementation derived from https://pqc-hqc.org/ - Remove patch fix-aarch64.patch ++++ ovmf: - Removed ovmf-Revert-OvmfPkg-PlatformInitLib-dynamic-mmio-window-s.patch because bsc#1205978 has been fixed in qemu. And re-enabling 'dynamic mmio window size' feature in ovmf can support big GPU passthrough to guest. (bsc#1245542) ++++ suseconnect-ng: - switch to go1.24-openssl for SL16/SLE15 ------------------------------------------------------------------ ------------------ 2025-7-2 - Jul 2 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - btrfs: remove the subpage related warning message (bsc#1241492). 
- commit 0e19b2b - x86/sev: Add the Secure TSC feature for SNP guests (jsc#PED-12716). - commit 3ab97c0 - x86/sev: Mark the TSC in a secure TSC guest as reliable (jsc#PED-12716). - commit 643400d - Update config files (bsc#1245603). Enable rtl8139 driver on ppc64le. - commit 61b03fb - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245597). - commit 3235d4d - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245596). - commit 0eac12f - Update config files. Enabled the following config on x86_64 and arm64: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y (bsc#1243677, PED-12554, PED-6528) - commit 5d04048 ++++ kernel-default-base: - Add nvme support (bsc#1245533) ++++ gcc15: - Tune for power10 for SLES 16. [jsc#PED-12029] - Tune for z15 for SLES 16. [jsc#PED-253] ++++ python313-core: - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). - Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). ++++ libzypp: - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a "filesize exceeded" error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - version 17.37.8 (35) - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. 
DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available at the beginning of the transaction. So explicitly selecting this mode also turns on the classic_rpmtrans backend. - Fix evaluation of libproxy results (bsc#1244710) - version 17.37.7 (35) ++++ python313: - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). - Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). ++++ ovmf: - Remove 60-ovmf-x86_64-sev.json descriptor (bsc#1245497) ++++ update-alternatives: - Update to version 1.22.21 The full changelog is very large. Please check it here: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.21 - Changes from 1.22.20: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.20 - Changes from 1.22.19: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.19 - Release 1.22.21 includes the fix upstream for CVE-2025-6297 / bsc#1245573. ------------------------------------------------------------------ ------------------ 2025-7-1 - Jul 1 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Make mbr-id deterministic Log the value of SDE so it is available to review, even if the build system does not tell about it. Update the tests to cover the new code-path. Co-Authored-By: Marcus Schäfer - Ensure dracut initrd is reproducible This helps a bit with issue #2358 Add reproducible flag for UKI too Update tests accordingly Co-Authored-By: Marcus Schäfer ++++ kernel-default: - kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). - xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). 
- commit 53ced4a - rpm: Drop support for kabi/arch/ignore-flavor (bsc#1249186) It's not used in any active branches and it cannot solve contemporary problems. - commit f86a16a - Update config files (jsc#PED-12554 jsc#PED-6996 bsc#1243677 ltc#213602 bsc#1243678 ltc#213596) CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y - commit b450a63 - net: tipc: fix refcount warning in tipc_aead_encrypt (CVE-2025-38052 bsc#1244749). - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CVE-2025-38052 bsc#1244749). - commit b3f2db2 - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (git-fixes). - commit 106066c - treewide: Convert new and leftover hrtimer_init() users (git-fixes). - commit a0cfc87 - net: vlan: don't propagate flags on open (CVE-2025-23163 bsc#1242837). - commit aa9c6ef - ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk (git-fixes). - commit b1c1e22 - blacklist.conf: 2 fixes to drivers we don't build - Delete patches.suse/watchdog-da9052_wdt-respect-TWDMIN.patch. - commit 493eda5 - rtc: pcf2127: add missing semicolon after statement (git-fixes). - rtc: pcf2127: fix SPI command byte for PCF2131 (git-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - commit 1050c51 ++++ python313-core: - Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155 ++++ ceph: - Enable build on riscv64 ++++ sqlite3: - Update to 3.50.2: * Fix the concat_ws() SQL function so that it includes empty strings in the concatenation. * Avoid writing frames with no checksums into the wal file if a savepoint is rolled back after dirty pages have already been spilled into the wal file. * Fix the Bitvec object to avoid stack overflow when the database is within 60 pages of its maximum size. * Fix a problem with UPDATEs on fts5 tables that contain BLOB values. * Fix an issue with transitive IS constraints on a RIGHT JOIN. 
* CVE-2025-6965, bsc#1246597: Raise an error early if the number of aggregate terms in a query exceeds the maximum number of columns, to avoid downstream assertion faults. * Ensure that sqlite3_setlk_timeout() holds the database mutex. ++++ systemd: - Import commit a0dfd5de4cdc3f97ef2ad23396904f3e20769317 (merge of v257.7) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/1e42ecf5a145589954df77da05937ee69619f3e5...a0dfd5de4cdc3f97ef2ad23396904f3e20769317 ++++ libvirt: - qemu: Use numa-preplace instead of numad for numa placement advice bsc#1242979, jsc#PED-12821 ++++ python313: - Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155 ++++ salt: - Prevent tests failures when pygit2 is not present - Several fixes for security issues (bsc#1244561, CVE-2024-38822) (bsc#1244564, CVE-2024-38823) (bsc#1244565, CVE-2024-38824) (bsc#1244566, CVE-2024-38825) (bsc#1244567, CVE-2025-22240) (bsc#1244568, CVE-2025-22236) (bsc#1244570, CVE-2025-22241) (bsc#1244571, CVE-2025-22237) (bsc#1244572, CVE-2025-22238) (bsc#1244574, CVE-2025-22239) (bsc#1244575, CVE-2025-22242) * Request server hardening * Prevent traversal in local_cache::save_minions * Add test and fix for file_recv cve * Fix traversal in gitfs find_file * Fix traversal in salt.utils.virt * Fix traversal in pub_ret * Reasonable failures when pillars timeout * Make send_req_async wait longer * Remove token to prevent decoding errors * Fix checking of non-url style git remotes * Allow subdirs in GitFS find_file check - Add subsystem filter to udev.exportdb (bsc#1236621) - tornado.httputil: raise errors instead of logging in multipart/form-data parsing (CVE-2025-47287, bsc#1243268) - Fix Ubuntu 24.04 edge-case test failures - Fix broken tests for Ubuntu 24.04 - Fix refresh of osrelease and related grains on Python 3.10+ - Make "salt" package to obsolete "python3-salt" package on SLE15SP7+ - Fix issue requiring proper Python flavor for dependencies and 
recommended package - Added: * fix-tests-issues-in-salt-shaker-environments-721.patch * several-fixes-for-security-issues.patch * add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch * fix-of-cve-2025-47287-bsc-1243268-718.patch * fix-ubuntu-24.04-specific-failures-716.patch * fix-debian-tests-715.patch * fix-refresh-of-osrelease-and-related-grains-on-pytho.patch ++++ supportutils: - Changes to version 3.2.11 + Collect rsyslog frule files (bsc#1244003, pr#257) + Remove proxy passwords (bsc#1244011, pr#257) + Missing NetworkManager information (bsc#1241284, pr#257) + Include agama logs (bsc#1244937, pr#256) + Additional NFS conf files (pr#253) + New fadump sysfs files (pr#252) + Fixed change log dates ------------------------------------------------------------------ ------------------ 2025-6-30 - Jun 30 2025 ------------------- ------------------------------------------------------------------ ++++ crypto-policies: - Allow openssl to load when using the DEFAULT policy, and also other policies, in FIPS mode. [bsc#1243830, bsc#1242233] * Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch ++++ curl: - Disable insecure NTLM authentication support [bsc#1245491, jsc#PED-12960] ++++ ignition: - ignition-suse-generator: Only use Ignition platform ID when the corresponding kernel modules are found [bsc#1234315] [boo#1230668] [gh#coreos/ignition#1984] ++++ kernel-default: - vhost-scsi: Fix vhost_scsi_send_status() (git-fixes). - commit 5eeec6a - Refresh patches.suse/virtio_net-ensure-netdev_tx_reset_queue-is-called-on.patch. - commit b3cad97 - Update config files. - commit 8ef851e - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455). - commit daecbe1 - kernel/watchdog: always restore watchdog_softlockup(,hardlockup)_user_enabled after proc show (bsc#1245522). Refresh patches.suse/watchdog-fix-watchdog-may-detect-false-positive-of-s.patch (bsc#1245523). 
- commit 789b353 - tools/power turbostat: Fix AMD package-energy reporting (git-fixes). - commit 053070b - vsock: avoid timeout during connect() if the socket is closing (git-fixes). - commit 7192292 - vhost-scsi: Return queue full for page alloc failures during copy (git-fixes). - commit 4420b10 - vhost-scsi: Add better resource allocation failure handling (git-fixes). - Refresh patches.suse/vhost-scsi-Fix-vhost_scsi_send_bad_target.patch. - commit 575b441 - kABI: update kABI symbols kABI exceptions were allowed for a couple of branches. Update kABI symbols after the merge. Since kABI symbols are being updated, remove current kABI workaround patches before the update. - commit 0c9b3ad - kernel-obs-qa: Do not depend on srchash when qemu emulation is used In this case the dependency is never fulfilled Fixes: 485ae1da2b88 ("kernel-obs-qa: Use srchash for dependency as well") - commit a840f87 - virtio_net: xsk: bind/unbind xsk for tx (git-fixes). - Update patches.suse/virtio-net-free-xsk_buffs-on-error-in-virtnet_xsk_po.patch (git-fixes). - Refresh patches.suse/virtio_net-ensure-netdev_tx_reset_queue-is-called-on.patch. - commit 0050a39 - KVM: VMX: Flush shadow VMCS on emergency reboot (git-fixes). - commit dec589f - KVM: x86/mmu: Use kvm_x86_call() instead of manual static_call() (git-fixes). - commit bfaf83d - KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs (git-fixes). - commit e71b652 - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - commit 8f58b75 - NFSD: Implement FATTR4_CLONE_BLKSIZE attribute (git-fixes). - commit 4f434fe - overflow: Introduce __DEFINE_FLEX for having no initializer (git-fixes). - commit 99c412c - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - commit d974da9 - NFSD: fix race between nfsd registration and exports_proc (git-fixes). - commit 7c3e6b5 - netlink: specs: tc: replace underscores with dashes in names (git-fixes). 
- netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - netlink: specs: nfsd: replace underscores with dashes in names (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - ice: fix eswitch code memory leak in reset scenario (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: ethtool: remove duplicate defines for family info (git-fixes). - bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/mlx5: HWS, make sure the uplink is the last destination (git-fixes). - net/mlx5: HWS, fix missing ip_version handling in definer (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - e1000: Move cancel_work_sync to avoid deadlock (git-fixes). - iavf: fix reset_task for early reset event (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - iavf: iavf_suspend(): take RTNL before netdev_lock() (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - idpf: avoid mailbox timeout delays during reset (git-fixes). - idpf: fix a race in txq wakeup (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback (git-fixes). 
- octeontx2-pf: QOS: Perform cache sync on send queue teardown (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5: HWS, Fix matcher action template attach (git-fixes). - overflow: Fix direct struct member initialization in _DEFINE_FLEX() (git-fixes). - idpf: fix idpf_vport_splitq_napi_poll() (git-fixes). - idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053 bsc#1244746). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - commit af82899 - x86/xen: disable CPU idle and frequency drivers for PVH dom0 (git-fixes). - commit 1d99be7 - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - commit 70cda63 - xen/pci: Do not register devices with segments >= 0x10000 (git-fixes). - commit 1940a47 - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - commit 6e1a750 - xen: Add support for XenServer 6.1 platform device (git-fixes). - commit 7dd2df0 - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - commit 4ff5446 - Grab mm lock before grabbing pt lock (git-fixes). - commit 26a77ff - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: core: restore of_node information in sysfs (git-fixes). 
- commit 3895da7 - RDMA/hns: initialize db in update_srq_db() (git-fixes) - commit 980c53d ++++ kernel-firmware-amdgpu: - Update to version 20250627 (git commit f40eafe21683): * amdgpu: DMCUB updates for DCN401 ++++ kernel-firmware-bnx2: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-chelsio: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-media: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts * qcom: update firmware binary for SM8550 ++++ kernel-firmware-network: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-platform: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: expand the advansys license statement * WHENCE: some older AMD drivers are MIT licensed ++++ kernel-firmware-radeon: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: some older AMD drivers are MIT licensed ++++ kernel-firmware-serial: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ kernel-firmware-sound: - Update to version 20250627 (git commit f40eafe21683): * WHENCE: extract license texts ++++ numactl: - Update to version 2.0.19.14.g690a72c: * numastat command fails on LPAR which is not having node0 Patch is now upstream: https://github.com/numactl/numactl/pull/246 D 4abeee1aac20a7a2552870e0359b8df013ae9037.patch Patches are wrong or not needed anymore: https://github.com/numactl/numactl/pull/246 D 0001-Fixed-segfault-when-no-node-could-be-found-in-sysfs-.patch D numactl-clearcache-pie.patch ++++ sudo: - Update to 1.9.17p1 * Fix a possible local privilege escalation via the --host option [bsc#1245274, CVE-2025-32462] * Fix a possible local privilege Escalation via chroot option [bsc#1245275, CVE-2025-32463] - Update to 1.9.17 * Sudo now uses the NODEV macro consistently. Bug #1074. 
* Fixed a bug where the ALL command in a sudoers rule would override a previous NOSETENV tag. Command tags are inherited from previous Cmnds in a Cmnd_Spec_List. There is a special case for the SETENV tag with the ALL command, where SETENV is implied if no explicit SETENV or NOSETENV tag is specified. This special case did not take into account that a NOSETENV tag that was inherited should override this behavior. * If sudo is run via ssh without a terminal and a password is required, it now suggests using ssh’s -t option. * Fixed the display of timeout values in the sudo -V output on systems without a C99-compliant snprintf() function. * Quieted a number of minor Coverity warnings. * Fixed a problem running sudo from a serial console on Linux when the command is run in a pseudo-terminal (the default). * Fixed a crash in sudo which could occur if there was a fatal error after the user was validated but before the command was actually run. * Fixed a number of man page style warnings. The “lint” make target in the docs directory will now run groff with warnings enabled if it is available. Bug #1075. * The ignore_dot sudoers setting is now on by default. There is now a --disable-ignore-dot configure option to disable it. The --with-ignore-dot configure option has been deprecated. * Fixed a problem with the pwfeedback option where an initial backspace would reduce the maximum length allowed for the password. GitHub issue #439. * Fixed minor grammar and spelling problems in the man pages. * Fixed a bug where a user could avoid entering a password for sudo -l command if they specified their own user or group name via the -u or -g options. * Avoid potential password guessing based on timing attacks on the strcmp() function on systems without PAM or a crypt() function where plaintext passwords are stored in the shadow password file. 
* Fixed a potential information leak where sudo -l command could be used to determine whether an executable exists in a directory that they do not have search access to. * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. A long time ago sudo changed from using TCSAFLUSH to TCSADRAIN due to some systems having bugs related to TCSAFLUSH. That should no longer be a concern. Using TCSAFLUSH ensures that password input that has been received by the kernel, but not yet read by sudo, will be discarded and not echoed. * Added the SUDO_TTY environment variable if the user has a terminal. This can be used to find the user’s original tty device when sudo runs the command in its own pseudo-terminal. GitHub issue #447. * New Cantonese translation for sudo. ++++ toolbox: - Update to version 2.4+git20250630.5e08e45: * Forbid --user if running as root ------------------------------------------------------------------ ------------------ 2025-6-29 - Jun 29 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - wifi: rtw88: usb: Upload the firmware in bigger chunks (stable-fixes). - commit 1df8f6c - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7925: introduce thermal protection (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: rtw89: 8922a: fix TX fail with wrong VCO setting (stable-fixes). - wifi: iwlwifi: mvm: fix beacon CCK flag (stable-fixes). 
- wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: ath12k: using msdu end descriptor to check for rx multicast packets (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - commit b75f8f8 - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - PCI: Add ACS quirk for Loongson PCIe (stable-fixes). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - power: supply: max17040: adjust thermal channel scaling (stable-fixes). 
- power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - platform-msi: Add msi_remove_device_irq_domain() in platform_device_msi_free_irqs_all() (stable-fixes). - wifi: rtw89: phy: add dummy C2H event handler for report of TAS power (stable-fixes). - commit 132d8d6 - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - hid-asus: check ROG Ally MCU version and warn (stable-fixes). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - Make 'cc-option' work correctly for the -Wno-xyzzy pattern (stable-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - commit 1379ece - drm/xe/gt: Update handling of xe_force_wake_get return (stable-fixes). - Refresh patches.suse/drm-xe-Fix-GT-for-each-engine-workarounds.patch. - commit b01435e - drm/xe: Process deferred GGTT node removals on device unwind (git-fixes). - drm/xe/display: Add check for alloc_ordered_workqueue() (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/amd: Adjust output for discovery error handling (git-fixes). - drm/xe/bmg: Update Wa_16023588340 (git-fixes). - drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` (stable-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - drm/amdgpu: read back register after written for VCN v4.0.5 (stable-fixes). - drm/xe: Wire up device shutdown handler (stable-fixes). - commit 425e83a - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). 
- ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: hda/realtek: Add quirk for Asus GU605C (stable-fixes). - ALSA: hda/realtek - Add mute LED support for HP Victus 16-s1xxx and HP Victus 15-fa1xxx (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3584 for MT7922 (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3630 for MT7925 (stable-fixes). - ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ACPICA: Apply pack(1) to union aml_resource (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: intel/sdw_utils: Assign initial value in asoc_sdw_rt_amp_spk_rtd_init() (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). 
- commit 36941d3 ++++ at-spi2-core: - Update to version 2.56.3: + DeviceEventController: update mouse coordinates before sending button events + atspi-device-legacy: Don't crash when XkbGetMap fails + Return localized role name for ATSPI_ROLE_EDITBAR ------------------------------------------------------------------ ------------------ 2025-6-28 - Jun 28 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - Revert "block/bdev: enable large folio support for large logical block" (bsc#1245444) This reverts commit 03e169f9e789f08bac7bdb238dbd9bd7cfd00142. - commit f46bdc5 ------------------------------------------------------------------ ------------------ 2025-6-27 - Jun 27 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Bump version: 10.2.25 → 10.2.26 - Add kernel parameter support for dm-verity options Implement rd.kiwi.verity_options= parameter to allow runtime customization of veritysetup options Closes #2837 - Fix shim lookup for arm on SUSE Add missing search path for shim binary on arm based SUSE systems. Also update the tumbleweed/test-image-live-disk integration test for arm to build with secure boot enabled to actually test a secure boot enabled ISO build. This Fixes #2842 ++++ kernel-default: - Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch (stable-fixes CVE-2025-38078 bsc#1244737). - Update patches.suse/ASoC-SOF-Intel-hda-Fix-UAF-when-reloading-module.patch (git-fixes CVE-2025-38056 bsc#1244748). - Update patches.suse/HID-bpf-abort-dispatch-if-device-destroyed.patch (git-fixes CVE-2025-38016 bsc#1244745). - Update patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch (git-fixes CVE-2025-38007 bsc#1244938). - Update patches.suse/KVM-arm64-Fix-uninitialized-memcache-pointer-in-user.patch (git-fixes CVE-2025-37996 bsc#1243828). 
- Update patches.suse/PCI-endpoint-pci-epf-test-Fix-double-free-that-cause.patch (stable-fixes CVE-2025-38069 bsc#1245246). - Update patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch (git-fixes CVE-2025-38022 bsc#1245003). - Update patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch (git-fixes CVE-2025-38024 bsc#1245025). - Update patches.suse/block-fix-race-between-set_blocksize-and-read-paths.patch (git-fixes CVE-2025-38073 bsc#1244741). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch (bsc#1243342 CVE-2025-38059 bsc#1244759). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch (bsc#1236208 CVE-2025-21658). - Update patches.suse/btrfs-zoned-fix-extent-range-end-unlock-in-cow_file_.patch (bsc#1239514 CVE-2025-21942 bsc#1240704). - Update patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch (git-fixes CVE-2025-38004 bsc#1244274). - Update patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch (git-fixes CVE-2025-38003 bsc#1244275). - Update patches.suse/can-m_can-m_can_class_allocate_dev-initialize-spin-l.patch (git-fixes CVE-2025-37993 bsc#1243822). - Update patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch (git-fixes CVE-2025-38079 bsc#1245217). - Update patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch (stable-fixes CVE-2025-38068 bsc#1245210). - Update patches.suse/dm-cache-prevent-BUG_ON-by-blocking-retries-on-faile.patch (git-fixes CVE-2025-38066 bsc#1244909). - Update patches.suse/dm-fix-unconditional-IO-throttle-caused-by-REQ_PREFL.patch (git-fixes CVE-2025-38063 bsc#1245202). - Update patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch (git-fixes CVE-2025-38014 bsc#1244732). - Update patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch (git-fixes CVE-2025-38015 bsc#1244789). 
- Update patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch (git-fixes CVE-2025-38005 bsc#1244727). - Update patches.suse/drm-amd-display-Fix-invalid-context-error-in-dml-hel.patch (git-fixes CVE-2025-37965 bsc#1244174). - Update patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch (stable-fixes CVE-2025-38080 bsc#1244738). - Update patches.suse/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch (stable-fixes CVE-2025-38011 bsc#1244729). - Update patches.suse/espintcp-fix-skb-leaks.patch (git-fixes CVE-2025-38057 bsc#1244862). - Update patches.suse/ext4-avoid-journaling-sb-update-on-error-if-journal-is-des.patch (bsc#1241967 CVE-2025-22113 bsc#1241617). - Update patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch (bsc#1242556 CVE-2025-22120 bsc#1241592). - Update patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch (stable-fixes CVE-2025-38043 bsc#1245081). - Update patches.suse/fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch (git-fixes CVE-2025-37999 bsc#1243846). - Update patches.suse/gpio-virtuser-fix-potential-out-of-bound-write.patch (stable-fixes CVE-2025-38082 bsc#1244740). - Update patches.suse/md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch (git-fixes CVE-20255-22126 bsc#1241597 CVE-2025-22126). - Update patches.suse/media-cx231xx-set-device_caps-for-417.patch (stable-fixes CVE-2025-38044 bsc#1245082). - Update patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch (git-fixes CVE-2025-38020 bsc#1245001). - Update patches.suse/net-pktgen-fix-access-outside-of-user-given-buffer-i.patch (git-fixes CVE-2025-38061 bsc#1245440). - Update patches.suse/net-tls-fix-kernel-panic-when-alloc_page-failed.patch (git-fixes CVE-2025-38018 bsc#1244999). - Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch (git-fixes CVE-2025-38083 bsc#1245183). 
- Update patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch (git-fixes CVE-2025-38023 bsc#1245004). - Update patches.suse/nvmet-tcp-don-t-restore-null-sk_state_change.patch (git-fixes CVE-2025-38035 bsc#1244801). - Update patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch (git-fixes CVE-2025-38031 bsc#1245046). - Update patches.suse/perf-x86-intel-Fix-segfault-with-PEBS-via-PT-with-sample_f.patch (git-fixes CVE-2025-38055 bsc#1244747). - Update patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch (git-fixes CVE-2025-38010 bsc#1244996). - Update patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch (git-fixes CVE-2025-38077 bsc#1244736). - Update patches.suse/ptp-ocp-Limit-signal-freq-counts-in-summary-output-f.patch (git-fixes CVE-2025-38054 bsc#1244752). - Update patches.suse/regulator-max20086-fix-invalid-memory-access.patch (git-fixes CVE-2025-38027 bsc#1245042). - Update patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch (git fixes (sched/numa) CVE-2024-56613 bsc#1244176). - Update patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch (git-fixes CVE-2025-38040 bsc#1245078). - Update patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch (stable-fixes CVE-2025-38081 bsc#1244739). - Update patches.suse/staging-bcm2835-camera-Initialise-dev-in-v4l2_dev.patch (git-fixes CVE-2025-37971 bsc#1244173). - Update patches.suse/tracing-Have-process_string-also-allow-arrays.patch (git-fixes CVE-2024-57930 bsc#1236194). - Update patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-37994 bsc#1243823). - Update patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch (git-fixes CVE-2025-37973 bsc#1244172). - Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch (stable-fixes CVE-2025-38045 bsc#1245083). 
- Update patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch (git-fixes CVE-2025-38013 bsc#1244731). - Update patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch (git-fixes CVE-2025-38009 bsc#1244995). - Update patches.suse/x86-microcode-AMD-Fix-__apply_microcode_amd-s-return-value.patch (git-fixes CVE-2025-22047 bsc#1241437). - commit db15093 - cpufreq/ondemand: Set io_is_busy to 1 by default on all platforms (bsc#1233975). - commit e5c69ac - Delete patches.suse/cpufreq-amd-pstate-Default-to-powersave-governor-whe.patch (jsc#PED-13111). - commit e2263cb - HID: wacom: fix crash in wacom_aes_battery_handler() (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). 
- commit ea1fa22 ++++ pango: - Update to version 1.56.4: + fontconfig: - Improve the add_font_file implementation - Combine font features and style variants - Make sure font faces stay alive + win32: - Drop some caching - Make sure font faces stay alive - Modernize and simplify the code - Stop synthesizing fonts - Implement list models + coretext: Support synthetic small caps + layout: Avoid assertions in line breaking + build: Require GLib 2.82 ++++ libxml2: - security update - added patches CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS) CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS) + libxml2-CVE-2025-49794,49796.patch CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS) + libxml2-CVE-2025-49795.patch - security update - added patches CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash + libxml2-CVE-2025-6170,6021.patch ++++ libxml2-python: - security update - added patches CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS) CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS) + libxml2-CVE-2025-49794,49796.patch CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS) + libxml2-CVE-2025-49795.patch - security update - added patches CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash + libxml2-CVE-2025-6170,6021.patch ++++ ovmf: - Enables UEFI Shell support for virtual machines on X64 and AARCH64 platforms (bsc#1244266) - Build Shell.efi and install it to /usr/share/ovmf/ - Add ovmf-ShellPkg-Add-post-script-for-Shell-installation.patch - Add post-install and post-uninstall scripts in /usr/share/ovmf/ 
- Install Shell.efi to the EFI boot partition (/boot/efi/EFI/opensuse/ or /boot/efi/EFI/sles/) - Register Shell.efi as a UEFI boot entry ++++ selinux-policy: - Update to version 20250627+git0.1805634d: * Set /srv/www = /var/www as equivalent file context (bsc#1239177) * Add a smoke test to the gitlab-ci * Add a default PR template * allow openvpn to attach to wicked owned tun interfaces (bsc#1243291) * allow wicked to connect to networkmanager and manage pid files for it (bsc#1243291) * allow wicked to transition to openvswitch domain (bsc#1243291) * allow wicked to start systemd services (bsc#1243291) * allow wicked to control firewalld services (bsc#1243291) * allow wicked interaction with tmpfs files and creation of sysfs files (bsc#1243291) * introduce fs_dontaudit_exec_tmpfs_files interface * Trigger the gitlab-ci tests only for merge requests to factory * Move 'logging_mounton_syslog_pid_socket' to end of file * Revert "Allow init_t create syslog files (bsc#1230134)" * Allow mdadm nosuid_transition * Label plasma user service files as xdm_unit_file_t. * Revert "Allow systemd-homed to start services." * Allow virtstoraged write qemu runtime files * Allow virtqemud read/write/setattr input event devices * Allow systemd create journal pid files * Allow networkmanager send a general signal to iptables * Allow syslogd watch syslog_conf_t directories * Revert downstream fix for bsc#1199630 due to regression (bsc#1243242) * Allow systemd-machined work with its private tmp and tmpfs files * Allow geoclue read virt lib files * Fix files_dontaudit_delete_all_files() * Label /run/polkit-1 with policykit_var_run_t * Label /dev/diag as diagnostic_device_t * Allow systemd-homed to start services. 
* Allow named_t to read NetworkManager's runtime files * Improve README* documentation * Add missing permissions for ftpd_anon_write to manage NFS directories * Add missing permissions for ftpd_anon_write to manage CIFS directories * Allow nut-upsmon write systemd inhibit pipes * Allow systemd-user-runtime-dir connect to systemd-userdbd over a unix socket * Remove permissive domain for systemd_vsftpd_generator_t * Change generator-specific rules to apply to systemd_generator * Define file equivalency for /var/etc * Allow tuned-ppd create ppd_base_profile with a file transition * Allow lldpd connect to systemd-homed over a unix socket * Allow sysadm_sudo_t signal rpm script * Fix the "/var/cache/systemd/home(/.*)?" regex * allow selinux_autorelabel_generator_t dac_read_search (bsc#1237511) * do not set sulogin_no_pam (bsc#1237511) - Replace internal slfo-main git branch with factory ------------------------------------------------------------------ ------------------ 2025-6-26 - Jun 26 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit-machines: - Patch cockpit-machines to ignore domain not found errors when domain is deleted (bsc#1236383) * added nic-domain-not-found.patch ++++ git: - Fix git-gui citool SHA256 repo handling: refreshed 0002-git-gui-Add-support-of-SHA256-repo.patch ++++ gpg2: - Security fix: [bsc#1236931, bsc#1239119, CVE-2025-30258] * gpg: Fix another regression due to the T7547 fix. * The fix for CVE-2025-30258 was introduced in 2.5.5 * Add gnupg-gpg-Fix-another-regression-due-to-the-T7547-fix.patch ++++ kernel-default: - mm/memory-tier: Fix abstract distance calculation overflow (bsc#1244051). - commit 3248628 - x86/xen: Fix __xen_hypercall_setfunc() (git-fixes). - commit 76c9b78 - x86: don't re-generate cpufeaturemasks.h so eagerly (git-fixes). - commit 1bde9b6 - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). 
- btrfs: prepare btrfs_page_mkwrite() for large folios (git-fixes). - commit e702032 - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - commit ecc292a - kabi/severities: ignore nf_flow_register_bpf() that depends on CONFIG_DEBUG_* (bsc#1245399) - commit f7994ea - x86/cpufeatures: Use AWK to generate {REQUIRED|DISABLED}_MASK_BIT_SET in (git-fixes). - Refresh patches.suse/kabi-reserve-cpuid-leaves.patch. - commit c797ea7 - x86/cpufeatures: Remove {disabled,required}-features.h (git-fixes). - Refresh patches.suse/kabi-reserve-cpuid-leaves.patch. - commit 7c1ff00 - x86/cpufeatures: Generate the header based on build config (git-fixes). - commit aa4d1af - x86/cpufeatures: Add {REQUIRED,DISABLED} feature configs (git-fixes). - commit 130db28 - x86/cpufeatures: Rename X86_CMPXCHG64 to X86_CX8 (git-fixes). - commit c39c8b4 - KVM: SVM: Add Idle HLT intercept support (jsc#PED-12577). - commit 9b4ced8 - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - commit 4553ae3 - x86/cpufeatures: Add CPUID feature bit for Idle HLT intercept (jsc#PED-12577). - commit c78722e - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - cgroup/cpuset: Don't allow creation of local partition over a remote one (bsc#1241166). - commit 0392529 - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - commit 1216762 - vmxnet3: update MTU after device quiesce (bsc#1244626). 
- commit d22f709 ++++ kmod: - Fix testsuite on Leap 16.0 (bsc#1240126) * Revert-build-check-for-__xstat-declarations.patch ++++ gcc15: - Update to GCC 15 branch head, 15.1.1+git9866 - Fix PR120827, ICE due to splitter emitting constant loads directly ++++ ovmf: - Add patch to make Ovmf builds reproducible in OvmfPkg and ArmVirtPkg (bsc#1244218) - Add ovmf-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch ------------------------------------------------------------------ ------------------ 2025-6-25 - Jun 25 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to Docker 28.3.0-ce. See upstream changelog online at bsc#1246556 - Rebase patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch ++++ python-kiwi: - Add container_import template test - Bump version: 10.2.24 → 10.2.25 - Fixed get_partition_node_name The function get_partition_node_name takes the disk device and the partition index as arguments to match against the respective device node for this partition index. The partition index is the position of the partition in the partition table according to their start offset. For the code to function properly it is required that the list of partitions provided by lsblk is ordered according to the start address of the partitions in the table. The way lsblk was called did not enforce this ordering. This commit enforces the order to be done against the start offset and fixes bsc#1245190 ++++ kernel-default: - btrfs: factor out nocow ordered extent and extent map generation into a helper (git-fixes). 
- btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: move ordered extent cleanup to where they are allocated (git-fixes). - btrfs: remove the unused locked_folio parameter from btrfs_cleanup_ordered_extents() (git-fixes). - btrfs: use unsigned types for constants defined as bit shifts (git-fixes). - Refresh patches.suse/0005-btrfs-do-proper-folio-cleanup-when-run_delalloc_noco.patch. - commit a1f80d1 - tracing: Fix compilation warning on arm32 (bsc#1243551). - commit 5ab4900 - cpufreq/amd-pstate: Add support for the "Requested CPU Min frequency" BIOS option (jsc#PED-13164). - cpufreq/amd-pstate: Add offline, online and suspend callbacks for amd_pstate_driver (jsc#PED-13164). - cpufreq/amd-pstate: Move max_perf limiting in amd_pstate_update (jsc#PED-13164). - commit c625c71 - cpufreq/amd-pstate: Enable ITMT support after initializing core rankings (jsc#PED-13164). - cpufreq/amd-pstate: Fix min_limit perf and freq updation for performance governor (jsc#PED-13164). - commit f84536f - cpufreq/amd-pstate: Set different default EPP policy for Epyc and Ryzen (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Default-to-powersave-governor-whe.patch. - commit f5fec72 - ata: ahci: Disallow LPM for Asus B550-F motherboard (git-fixes). - commit 50509e4 - ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard (git-fixes). - commit 1162257 - ata: ahci: Use correct BIOS build date for ThinkPad W541 quirk (git-fixes). - commit be1e349 - pidfs: ensure that PIDFS_INFO_EXIT is available (jsc#PED-13113). - blacklist.conf: Guard against unused prerequisite - commit 872e385 - exit: fix the usage of delay_group_leader->exit_code in do_notify_parent() and pidfs_exit() (jsc#PED-13113). - pidfs: improve multi-threaded exec and premature thread-group leader exit polling (jsc#PED-13113). - commit c5e2e6c - ata: Fix typos in the comment (git-fixes). 
- commit c056491 - cpufreq/amd-pstate: Drop actions in amd_pstate_epp_cpu_offline() (jsc#PED-13164). - cpufreq/amd-pstate: Stop caching EPP (jsc#PED-13164). - cpufreq/amd-pstate: Rework CPPC enabling (jsc#PED-13164). - cpufreq/amd-pstate: Drop debug statements for policy setting (jsc#PED-13164). - cpufreq/amd-pstate: Update cppc_req_cached for shared mem EPP writes (jsc#PED-13164). - cpufreq/amd-pstate: Move all EPP tracing into *_update_perf and *_set_epp functions (jsc#PED-13164). - cpufreq/amd-pstate: Cache CPPC request in shared mem case too (jsc#PED-13164). - cpufreq/amd-pstate: Replace all AMD_CPPC_* macros with masks (jsc#PED-13164). - cpufreq/amd-pstate-ut: Adjust variable scope (jsc#PED-13164). - cpufreq/amd-pstate-ut: Run on all of the correct CPUs (jsc#PED-13164). - cpufreq/amd-pstate-ut: Drop SUCCESS and FAIL enums (jsc#PED-13164). - cpufreq/amd-pstate-ut: Allow lowest nonlinear and lowest to be the same (jsc#PED-13164). - cpufreq/amd-pstate-ut: Use _free macro to free put policy (jsc#PED-13164). - cpufreq/amd-pstate: Drop `cppc_cap1_cached` (jsc#PED-13164). - cpufreq/amd-pstate: Overhaul locking (jsc#PED-13164). - cpufreq/amd-pstate: Move perf values into a union (jsc#PED-13164). - cpufreq/amd-pstate: Drop min and max cached frequencies (jsc#PED-13164). - cpufreq/amd-pstate: Show a warning when a CPU fails to setup (jsc#PED-13164). - cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend (jsc#PED-13164). - cpufreq/amd-pstate: Fix the clamping of perf values (jsc#PED-13164). - commit 0b848ba - bpf: abort verification if env->cur_state->loop_entry != NULL (CVE-2025-38060 bsc#1245155). - commit 3e1f9c9 - tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923 bsc#1243551). - commit 3a99a12 - cpufreq/amd-pstate: Remove the unncecessary driver_lock in amd_pstate_update_limits (jsc#PED-13164). - cpufreq/amd-pstate: Use scope based cleanup for cpufreq_policy refs (jsc#PED-13164). 
- cpufreq/amd-pstate: Remove the unnecessary cpufreq_update_policy call (jsc#PED-13164). - cpufreq/amd-pstate: Modularize perf<->freq conversion (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch. - cpufreq/amd-pstate: Convert all perf values to u8 (jsc#PED-13164). - Refresh patches.suse/cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch. - cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to amd_pstate_update (jsc#PED-13164). - cpufreq/amd-pstate: Remove the redundant des_perf clamping in adjust_perf (jsc#PED-13164). - cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf callback (jsc#PED-13164). - commit 21b14f2 - tracing: Fix use-after-free in print_graph_function_flags during tracer switching (CVE-2025-22035 bsc#1241544). - commit 49f381e - bpf: free verifier states when they are no longer referenced (CVE-2025-38060 bsc#1245155). - Refresh patches.suse/kABI-padding-for-bpf.patch. - commit 06e2482 - bpf: fix env->peak_states computation (CVE-2025-38060 bsc#1245155). - commit 53d5bd3 - bpf: use list_head to track explored states and free list (CVE-2025-38060 bsc#1245155). - bpf: do not update state->loop_entry in get_loop_entry() (CVE-2025-38060 bsc#1245155). - bpf: make state->dfs_depth < state->loop_entry->dfs_depth an invariant (CVE-2025-38060 bsc#1245155). - bpf: detect infinite loop in get_loop_entry() (CVE-2025-38060 bsc#1245155). - selftests/bpf: check states pruning for deeply nested iterator (CVE-2025-38060 bsc#1245155). - bpf: don't do clean_live_states when state->loop_entry->branches > 0 (CVE-2025-38060 bsc#1245155). - selftests/bpf: test correct loop_entry update in copy_verifier_state (CVE-2025-38060 bsc#1245155). - bpf: copy_verifier_state() should copy 'loop_entry' field (CVE-2025-38060 bsc#1245155). - commit 6388e16 - bpf: Fix deadlock between rcu_tasks_trace and event_mutex (CVE-2025-37884 bsc#1243060). 
- commit 1feaa51 ++++ kernel-firmware-media: - Update to version 20250624 (git commit b05fabcd6f2a): * qcom: venus-5.4: add the firmware binary for qcs615 ++++ ldmtool: - Update to version 0.2.5 (jsc#PED-12706) * Fix crash while creating mapper for a volume which lacks partitions * Make libldm parse and return volume GUID * Change the way we sanitise LDM partition name * Set UUID for device mapper devices (partitions and volumes) * Fix potential memory leak * Use device mapper device UUID instead of name to find device in a tree * New API: ldm_volume_dm_get_device * New API: ldm_partition_dm_get_device * Fix bug in libldm to allow for all spanned LDM volumes to be correctly identified/mounted - Upstream fixes post 0.2.5 001-Add-example-systemd-unit-file.patch 002-ldmtool-fix-NULL-pointer-dereference.patch 003-Add-ability-to-override-device-mapper-UUID.patch 004-src-Fix-declaration-of-ldm_new.patch 005-Update-gtkdocize.patch - Drop patch contained in new tarball Remove-deprecated-g_type_class_add_private.patch ++++ xfsprogs: - update to 6.15.0 - xfs_mdrestore: don't allow restoring onto zoned block devices - man: adjust description of the statx manpage - xfs_protofile: fix permission octet when suid/guid is set - xfs_repair: fix libxfs abstraction mess - xfs_growfs: support internal RT devices - xfs_mdrestore: support internal RT devices - xfs_scrub: support internal RT device - xfs_spaceman: handle internal RT devices - xfs_io: handle internal RT devices in fsmap output - xfs_io: don't re-query fs_path information in fsmap_f - xfs_io: correctly report RGs with internal rt dev in bmap output - man: document XFS_FSOP_GEOM_FLAGS_ZONED - xfs_mkfs: document the new zoned options in the man page - xfs_mkfs: reflink conflicts with zoned file systems for now - xfs_mkfs: default to rtinherit=1 for zoned file systems - xfs_mkfs: calculate zone overprovisioning when specifying size - xfs_mkfs: support creating file system with zoned RT devices - xfs_mkfs: factor out a 
validate_rtgroup_geometry helper - xfs_repair: validate rt groups vs reported hardware zones - xfs_repair: fix the RT device check in process_dinode_int - xfs_repair: support repairing zoned file systems - libfrog: report the zoned geometry - xfs_repair: phase6: scan longform entries before header check - xfs_repair: Bump link count if longform_dir2_rebuild yields shortform dir - mkfs: fix the issue of maxpct set to 0 not taking effect - mkfs: fix blkid probe API violations causing weird output - xfs_io: make statx mask parsing more generally useful - xfs_io: redefine what statx -m all does - xfs_io: catch statx fields up to 6.15 - man: fix missing cachestat manpage ------------------------------------------------------------------ ------------------ 2025-6-24 - Jun 24 2025 ------------------- ------------------------------------------------------------------ ++++ python-kiwi: - Add support for container-snap as a container-image engine With this commit, we can now pre-load images using container-snap directly during the kiwi image build - Update test-image-MicroOS for local build Fix bootstrap setup such that micro-os patterns can resolve - Fix logging of stderr data in command calls The stderr data was presented as one blob without line breaks. Hard to read and smells like a bug. This commit fixes the output to become readable - Update test-image-MicroOS/disk.sh Add a findmnt for / to check if there is a proper root device reference ++++ kernel-default: - netfilter: nft_exthdr: fix offset with ipv4_find_option() (git-fixes). - commit be2a228 - netfilter: conntrack: Bound nf_conntrack sysctl writes (git-fixes). - commit 0ac13d2 - netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE (git-fixes). - commit 114a1de - netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only (git-fixes). - commit fd8be75 - netfilter: nft_quota: match correctly when the quota just depleted (git-fixes). 
- commit 563b1e8 - netfilter: nf_set_pipapo_avx2: fix initial map fill (git-fixes). - commit 5316618 - netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it (git-fixes). - commit 3a5285b - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy (git-fixes). - commit 18d1e67 - netfilter: nf_tables: nft_fib: consistent l3mdev handling (git-fixes). - commit 2b7f119 - s390/pci: Fix s390_mmio_read/write syscall page fault handling (git-fixes bsc#1245291). - commit 2f37aef - s390: Fix linker error when -no-pie option is unavailable (git-fixes bsc#1245290). - commit 788b161 - Delete patches.suse/nvdimm-disable-namespace-on-error.patch. We think the patch is not needed and the issue bsc#1166486 has actually been resolved by upstream commit c1f45d86a522. The upstream submission never got any reply [*], so if we decide we in the end want the patch, it should be resent there first. [*] https://lore.kernel.org/nvdimm/20211201164844.125296-1-colyli@suse.de/ - commit ecc0f57 - s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log (git-fixes bsc#1245285). - commit 9d4cdf8 - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). 
- commit 1fc590c ++++ kernel-firmware-amdgpu: - Update to version 20250623 (git commit dbfe16e9e8ac): * amdgpu: update dmcub fw for dcn401 ++++ kernel-firmware-brcm: - Update to version 20250623 (git commit dbfe16e9e8ac): * brcm: Fix symlinks for Khadas VIM SDIO wifi config ++++ util-linux-systemd: - Update to version 2.41.1: * cfdisk: fix memory leak and possible NULL dereference * fdisk: fix possible memory leak * findmnt: fix -k option parsing regression (boo#1242705, drop util-linux-libblkid-econf-parse.patch) * hardlink: fix performance regression * include/cctype: fix string comparison * libblkid: * Fix crash while parsing config with libeconf * befs fix underflow * avoid strcasecmp() for ASCII-only strings * libblkid/src/topology/dm: fix fscanf return value check to match expected number of parsed items * libmount: * (subdir) restrict for real mounts only * (subdir) remove unused code * avoid calling memset() unnecessarily * fix --no-canonicalize regression (boo#1244251, drop libmount-fix-no-canonicalize-regression.patch) * lsblk: * use ID_PART_ENTRY_SCHEME as fallback for PTTYPE * avoid strcasecmp() for ASCII-only strings * lscpu: * fix possible buffer overflow in cpuinfo parser * Fix loongarch op-mode output with recent kernel * lsfd: * scan the protocol field of /proc/net/packet as a hex number * fix the description for PACKET.PROTOCOL column * lsns: * enhance compilation without USE_NS_GET_API * fix undefined reference to add_namespace_for_nsfd #3483 * more: * fix broken ':!command' command key * fix implicit previous shell_line execution #3508 * tests: (test_mkfds::mapped-packet-socket) add a new parameter, protocol * treewide: * add ul_ to parse_timestamp() function name (drop util-linux-rename-common-symbols-4.patch) * add ul_ to parse_switch() function name (drop util-linux-rename-common-symbols-3.patch) * add ul_ to parse_size() function name (drop util-linux-rename-common-symbols-2.patch) * add ul_ to parse_range() function name (drop 
util-linux-rename-common-symbols-1.patch) * fix optional arguments usage * avoid strcasecmp() for ASCII-only strings * Wipefs: improve --all descriptions for whole-disks * Misc: Do not call exit() on code ending in shared libraries * Other fixes. For complete list see https://kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.1-ReleaseNotes - Fix problem with uname26 listed twice. ++++ util-linux: - Update to version 2.41.1: * cfdisk: fix memory leak and possible NULL dereference * fdisk: fix possible memory leak * findmnt: fix -k option parsing regression (boo#1242705, drop util-linux-libblkid-econf-parse.patch) * hardlink: fix performance regression * include/cctype: fix string comparison * libblkid: * Fix crash while parsing config with libeconf * befs fix underflow * avoid strcasecmp() for ASCII-only strings * libblkid/src/topology/dm: fix fscanf return value check to match expected number of parsed items * libmount: * (subdir) restrict for real mounts only * (subdir) remove unused code * avoid calling memset() unnecessarily * fix --no-canonicalize regression (boo#1244251, drop libmount-fix-no-canonicalize-regression.patch) * lsblk: * use ID_PART_ENTRY_SCHEME as fallback for PTTYPE * avoid strcasecmp() for ASCII-only strings * lscpu: * fix possible buffer overflow in cpuinfo parser * Fix loongarch op-mode output with recent kernel * lsfd: * scan the protocol field of /proc/net/packet as a hex number * fix the description for PACKET.PROTOCOL column * lsns: * enhance compilation without USE_NS_GET_API * fix undefined reference to add_namespace_for_nsfd #3483 * more: * fix broken ':!command' command key * fix implicit previous shell_line execution #3508 * tests: (test_mkfds::mapped-packet-socket) add a new parameter, protocol * treewide: * add ul_ to parse_timestamp() function name (drop util-linux-rename-common-symbols-4.patch) * add ul_ to parse_switch() function name (drop util-linux-rename-common-symbols-3.patch) * add ul_ to parse_size() function name (drop 
util-linux-rename-common-symbols-2.patch) * add ul_ to parse_range() function name (drop util-linux-rename-common-symbols-1.patch) * fix optional arguments usage * avoid strcasecmp() for ASCII-only strings * Wipefs: improve --all descriptions for whole-disks * Misc: Do not call exit() on code ending in shared libraries * Other fixes. For complete list see https://kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.1-ReleaseNotes - Fix problem with uname26 listed twice. ++++ libguestfs: - Update to version 1.56.1 (jsc#PED-12706) * lib: Enable ACPI for the libvirt backend for x86_64 and arm - Only build the inspect-icons RPM for Tumbleweed. Tumbleweed is the only place where icoutils package exists which it requires. ++++ numactl: - Fix Node0 does not exist (bsc#1244492) A 4abeee1aac20a7a2552870e0359b8df013ae9037.patch ++++ ceph: - Disable ceph-mgr-cephadm in ring1 ++++ libssh: - Update to version 0.11.2 * Security: * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion (bsc#1245309) * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() (bsc#1245310) * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management (bsc#1245311) * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312) * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures (bsc#1245314) * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding (bsc#1245316) * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL (bsc#1245317) * Compatibility * Fixed compatibility with CPM.cmake * Compatibility with OpenSSH 10.0 * Tests compatibility with new Dropbear releases * Removed p11-kit remoting from the pkcs11 testsuite * Bugfixes * Implement missing packet filter for DH GEX * Properly process the SSH2_MSG_DEBUG message * Allow escaping quotes in quoted arguments to ssh configuration * Do not fail with unknown match keywords in ssh configuration * Process packets before selecting signature algorithm 
during authentication * Do not fail hard when the SFTP status message is not sent by noncompliant servers - Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch - Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch ++++ nvidia-open-driver-G06-signed: - 0003-nv-dmabuf-Inline-dma_buf_attachment_is_dynamic.patch 0004-nvidia-uvm-Disable-SVA-support-for-6.16.patch * buildfixes against Kernel 6.16 picked up from https://github.com/CachyOS/CachyOS-PKGBUILDS.git - -> nvidia/nvidia-utils ------------------------------------------------------------------ ------------------ 2025-6-23 - Jun 23 2025 ------------------- ------------------------------------------------------------------ ++++ busybox: - enable halt, poweroff, reboot commands (bsc#1243201) ++++ busybox-links: - Blacklist creating links for halt, reboot, shutdown commands to avoid accidental use in a fully booted system (bsc#1243201) ++++ docker: [ This update is a no-op, only needed to work around unfortunate automated packaging script behaviour on SLES. ] - The following patches were removed in openSUSE in the Docker 28.1.1-ce update, but the patch names were later renamed in a SLES-only update before Docker 28.1.1-ce was submitted to SLES. This causes the SLES build scripts to refuse the update because the patches are not referenced in the changelog. There is no obvious place to put the patch removals (the 28.1.1-ce update removing the patches chronologically predates their renaming in SLES), so they are included here as a dummy changelog entry to work around the issue. - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch ++++ python-kiwi: - Fix mount system for root_is_snapper_snapshot If root is a snapper snapshot we have to tell the chroot a proper root mount point which can be achieved by a bind mount pointing to itself. 
This Fixes bsc#1244668 ++++ kernel-default: - fs/mpage: use blocks_per_folio instead of blocks_per_page (bsc#1245219). - commit 6f61662 - fs/mpage: avoid negative shift for large blocksize (bsc#1245219). - commit f40b15c - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245230). - commit 5f783ee - pidfs: never refuse ppid == 0 in PIDFD_GET_INFO (jsc#PED-13113). - commit 4327fa2 - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927 bsc#1243620). - commit 0e060e5 - Move upstreamed patch "genksyms: Fix enum consts from a reference affecting new values" into the sorted section (git-fixes). - commit 7c87e2b - s390/boot: Use -D__DISABLE_EXPORTS (bsc#1245126). - commit 79382ab - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme-tcp: remove tag set when second admin queue config fails (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvmet-fcloop: don't wait for lport cleanup (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). 
- commit 60761a1 - btrfs: fix fsync of files with no hard links not persisting deletion (bsc#1245068). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (bsc#1245068). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (bsc#1245068). - commit 188ca65 - Remove host-memcpy-hack.h This might have been useful at some point but we have more things that depend on specific library versions today. - commit 0396c23 - Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed. - commit 19caac0 - Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place. - commit a6f21ed - btrfs: always fallback to buffered write if the inode requires checksum (bsc#1245067). - commit b160824 - cpufreq: Default to performance governor on servers (jsc#PED-13111). - commit 0f4c2f8 - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - commit 753d7ae - nfsd: use threads array as-is in netlink interface (git-fixes). - commit 3a8806c - Refresh patches.suse/x86-entry-Add-__init-to-ia32_emulation_override_cmdline.patch. - commit 15f587c - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - commit 0b0ecd8 - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - Refresh patches.suse/x86-virt-tdx-Mark-memory-cache-state-incoherent-when-making-seamcall.patch. - commit a3e640a - Revert "mm/execmem: Unify early execmem_cache behaviour" (git-fixes). - commit 99e2ca1 - x86/its: explicitly manage permissions for ITS pages (git-fixes). - commit 4d57729 - x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set (git-fixes). 
- commit d3bec4e ++++ libblockdev: - suppress privilege escalation during xfs fs resize (CVE-2025-6019) (bsc#1243285) * add 0001-dont-allow-suid-and-dev-set-on-fs-resize.patch ++++ python-urllib3: - Update to 2.5.0: * Security issues Pool managers now properly control redirects when retries is passed (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925) Redirects are now controlled by urllib3 in the Node.js runtime (CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924) * Features Added support for the compression.zstd module that is new in Python 3.14. Added support for version 0.5 of hatch-vcs * Bugfixes Raised exception for HTTPResponse.shutdown on a connection already released to the pool. Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. ------------------------------------------------------------------ ------------------ 2025-6-22 - Jun 22 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - commit 0ec5b97 - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - commit 58c3f30 ------------------------------------------------------------------ ------------------ 2025-6-21 - Jun 21 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - commit 0071891 - ALSA: hda: Apply volume control on speaker+lineout for HP EliteStudio AIO (stable-fixes). - commit ba1a979 - ALSA: hda/realtek - Support mute led function for HP platform (stable-fixes). - commit 74fc8d1 - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gpio: pca953x: fix wrong error probe return value (git-fixes). - drm/xe: Fix memset on iomem (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). 
- drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (git-fixes). - drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - ALSA: hda/realtek: Add support for Acer Helios Laptops using CS35L41 HDA (stable-fixes). - commit 26d96c5 ++++ kernel-firmware-amdgpu: - Update to version 20250620 (git commit 49c833a10ad9): * amdgpu: update renoir firmware * amdgpu: update vcn 5.0.0 firmware * amdgpu: update smu 14.0.3 firmware * amdgpu: update sdma 7.0.1 firmware * amdgpu: update psp 14.0.3 firmware * amdgpu: update gc 12.0.1 firmware * amdgpu: update navy flounder firmware * amdgpu: update psp 14.0.4 firmware * amdgpu: update gc 11.5.2 firmware * amdgpu: update sienna cichlid firmware * amdgpu: add raven2 ip discovery firmware * amdgpu: update smu 14.0.2 firmware * amdgpu: update sdma 7.0.0 firmware * amdgpu: update psp 14.0.2 firmware * amdgpu: update gc 12.0.0 firmware * amdgpu: update vcn 4.0.6 firmware * amdgpu: update psp 14.0.1 firmware * amdgpu: update gc 11.5.1 firmware * amdgpu: update psp 13.0.11 firmware * amdgpu: update gc 11.0.4 firmware * amdgpu: add picasso ip discovery firmware * amdgpu: add raven ip discovery firmware * amdgpu: update vega20 firmware * amdgpu: update vega12 firmware * amdgpu: update smu 13.0.7 firmware * amdgpu: update vcn 4.0.4 firmware * amdgpu: update psp 13.0.7 firmware * amdgpu: update gc 11.0.2 firmware * amdgpu: update navi14 firmware * amdgpu: update vega10 firmware * amdgpu: update gc 10.3.6 firmware * amdgpu: update smu 13.0.10 firmware * amdgpu: update psp 13.0.10 firmware * amdgpu: update gc 11.0.3 firmware * amdgpu: update 
navi12 firmware * amdgpu: update vangogh firmware * amdgpu: update navi10 firmware * amdgpu: add smu 13.0.0 kicker firmware * amdgpu: add psp 13.0.0 kicker firmware * amdgpu: add gc 11.0.0 kicker firmware * amdgpu: add vcn 5.0.1 firmware * amdgpu: add sdma 4.4.4 firmware * amdgpu: add psp 13.0.12 firmware * amdgpu: add gc 9.5.0 firmware * amdgpu: add arcturus IP discovery firmware * amdgpu: update vcn 4.0.0 firmware * amdgpu: update smu 13.0.0 firmware * amdgpu: update psp 13.0.0 firmware * amdgpu: update gc 11.0.0 firmware * amdgpu: update psp 13.0.14 firmware * amdgpu: update gc 9.4.4 firmware * amdgpu: update psp 13.0.6 firmware * amdgpu: update gc 9.4.3 firmware * amdgpu: update beige_goby firmware * amdgpu: update vcn 4.0.5 firmware * amdgpu: update gc 11.5.0 firmware * amdgpu: update vcn 4.0.2 firmware * amdgpu: update gc 11.0.1 firmware * amdgpu: update dimgrey_cavefish firmware * amdgpu: update aldebaran firmware ++++ kernel-firmware-iwlwifi: - Update aliases ++++ kernel-firmware-mediatek: - Update aliases ++++ kernel-firmware-network: - Update aliases ++++ kernel-firmware-platform: - Update aliases ++++ kernel-firmware-realtek: - Update aliases ++++ kernel-firmware-sound: - Update aliases ++++ python313-core: - adjusted sofilename for "nogil" build correctly. ++++ python313: - adjusted sofilename for "nogil" build correctly. ------------------------------------------------------------------ ------------------ 2025-6-20 - Jun 20 2025 ------------------- ------------------------------------------------------------------ ++++ transactional-update: - Add correct SELinux policy version dependency for SLE 16 ++++ kernel-default: - libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743, CVE-2025-38072). - commit 100db61 - mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios (CVE-2025-38050 bsc#1244751). 
- commit 805754b - config: enable rbd and libceph (jsc#PED-13108) - commit 793f4d9 - s390/purgatory: Use -D__DISABLE_EXPORTS (bsc#1245126). - commit 490ac3b - wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (git-fixes). - commit 6b57cd2 - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - hwmon: (ltc4282) avoid repeated register write (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: don't wait when there is no vdev started (git-fixes). - wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing (git-fixes). - pinctrl: samsung: add gs101 specific eint suspend/resume callbacks (git-fixes). - pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks (stable-fixes). - pinctrl: samsung: refactor drvdata suspend & resume callbacks (stable-fixes). - Bluetooth: ISO: Fix not using SID from adv report (stable-fixes). - wifi: ath12k: refactor ath12k_hw_regs structure (stable-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - commit 9415389 - workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() (bsc#1245101). 
- commit 6bd2836 - Revert "rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618)" This is breaking the build on s390x and blocking upcoming submissions: Failed to read symtypes from '.': arch/s390/lib/string.symtypes:3: Export 'strlen' is duplicate, previous occurrence found in 'arch/s390/purgatory/string.symtypes' This reverts commit a0854fc92f0d8c56e48e96980cea7efe15509265. - commit 672894a - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - commit 666ce5b - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - commit bd3ade1 - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - commit 035ae9a - net_sched: tbf: fix a race in tbf_change() (git-fixes). - commit 4131c83 - net_sched: red: fix a race in __red_change() (git-fixes). - commit f0af35e - net_sched: prio: fix a race in prio_tune() (git-fixes). - commit 13ce5f2 - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - commit dc06830 - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - commit 9d72614 - KEYS: trusted: don't fail module __init if SHA1 is unavailable (bsc#1240423 jsc#PED-12225). - commit 93f363a - pidfs: lookup pid through rbtree (jsc#PED-13113). 
- commit eead84f ++++ kernel-firmware-amdgpu: - Update to version 20250619 (git commit dcd2ee2f57a7): * amdgpu: update dmcub fw for dcn32 and dcn401 ++++ kernel-firmware-mediatek: - Update to version 20250619 (git commit dcd2ee2f57a7): * mediatek: Update mt8186 SCP firmware ++++ qemu: - Add Live migration support for QEMU-emulated AMD IOMMU (jsc#PED-13144): * hw/i386/amd_iommu: Allow migration when explicitly create the AMDVI-PCI device (jsc#PED-PED-13144) * hw/i386/amd_iommu: Isolate AMDVI-PCI from amd-iommu device to allow full control over the PCI device creation (jsc#PED-13144) ++++ ovmf: - Enable TDVF firmware to boot TDX guest VM with Secure boot (jsc#PED-13070) - Add ovmf-x86_64-tdx-secureboot.bin - Add 60-ovmf-x86_64-tdx.json ------------------------------------------------------------------ ------------------ 2025-6-19 - Jun 19 2025 ------------------- ------------------------------------------------------------------ ++++ cockpit: - Add kdump-nfs-fixes.patch to fix bsc#1241949 ++++ kernel-default: - Update patches.suse/dlm-mask-sk_shutdown-value.patch (bsc#1241278). - Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch (bsc#1241278). Original bsc number was wrong. Fix it. - commit 4a3a0a7 - selftests/ftrace: Use readelf to find entry point in uprobe test (bsc#1242836). - commit c5198f9 - selftests/ftrace: Make uprobe test more robust against binary name (bsc#1242836). 
- commit 97eea6a ++++ systemd: - Import commit 1e42ecf5a145589954df77da05937ee69619f3e5 1e42ecf5a1 firstboot: make sure labelling is enabled 3bdb2efbe0 tmpfiles: fix symlink creation when replacing 61c228d2cc firstboot: use WRITE_STRING_FILE_LABEL more f5148acf37 env-file: port write_env_file() to label_ops_pre() bbff8b5523 fs-util: replace symlink_atomic_full_label() by a flag to symlinkat_atomic_full() (bsc#1244237) 2b39393efa env-file: rework write_env_file() to make use of O_TMPFILE ------------------------------------------------------------------ ------------------ 2025-6-18 - Jun 18 2025 ------------------- ------------------------------------------------------------------ ++++ docker: - Update to docker-buildx v0.25.0. Upstream changelog: ++++ python-kiwi: - There is no shim for aarch64 on SUSE Fix integration test for standard EFI (no secure boot) setup on arm ++++ kernel-default: - rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618) Fix for bsc#1245126 was merged. - rpm/config.sh: Use suse-kabi-tools (jsc#PED-12618) - commit 90af69e - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (CVE-2025-38001 bsc#1244234). - commit 031f2d0 - block: flip iter directions in blk_rq_integrity_map_user() (git-fixes). - loop: add file_start_write() and file_end_write() (git-fixes). - brd: fix discard end sector (git-fixes). - brd: fix aligned_sector from brd_do_discard() (git-fixes). - block: only update request sector if needed (git-fixes). - block: fix race between set_blocksize and read paths (git-fixes). - badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable < 0 (git-fixes). - blk-throttle: don't take carryover for prioritized processing of metadata (git-fixes). - ublk: enforce ublks_max only for unprivileged devices (git-fixes). - block: mark bounce buffering as incompatible with integrity (git-fixes). - ublk: complete command synchronously on error (git-fixes). 
- loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize (git-fixes). - commit 9c6fb7f - packaging: Add support for suse-kabi-tools The current workflow to check kABI stability during the RPM build of SUSE kernels consists of the following steps: * The downstream script rpm/modversions unpacks the consolidated kABI symtypes reference data from kabi//symtypes- and creates individual symref files. * The build performs a regular kernel make. During this operation, genksyms is invoked for each source file. The tool determines type signatures of all exports within the file, reports any differences compared to the associated symref reference, calculates symbol CRCs from the signatures and writes new type data into a symtypes file. * The script rpm/modversions is invoked again, this time it packs all new symtypes files to a consolidated kABI file. * The downstream script rpm/kabi.pl checks symbol CRCs in the new build and compares them to a reference from kabi//symvers-, taking kabi/severities into account. suse-kabi-tools is a new set of tools to improve the kABI checking process. The suite includes two tools, ksymtypes and ksymvers, which replace the existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison functionality previously provided by genksyms. The tools have their own source repository and package. The tools provide faster operation and more detailed, unified output. In addition, they allow the use of the new upstream tool gendwarfksyms, which lacks any built-in comparison functionality. The updated workflow is as follows: * The build performs a regular kernel make. During this operation, genksyms (gendwarfksyms) is invoked as usual, determining signatures and CRCs of all exports and writing the type data to symtypes files. However, genksyms no longer performs any comparison. * 'ksymtypes consolidate' packs all new symtypes files to a consolidated kABI file. 
* 'ksymvers compare' checks symbol CRCs in the new build and compares them to a reference from kabi//symvers-, taking kabi/severities into account. The tool writes its result in a human-readable form on standard output and also writes a list of all changed exports (not ignored by kabi/severities) to the changed-exports file. * 'ksymtypes compare' takes the changed-exports file, the consolidated kABI symtypes reference data from kabi//symtypes- and the new consolidated data. Based on this data, it produces a detailed report explaining why the symbols changed. The patch enables the use of suse-kabi-tools via rpm/config.sh, providing explicit control to each branch. To enable the support, set USE_SUSE_KABI_TOOLS=Yes in the config file. - commit a2c6f89 - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86/amd: pmf: Prevent amd_pmf_tee_deinit() from running twice (git-fixes). - platform/x86/amd: pmf: Use device managed allocations (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - commit 89154c9 ++++ ceph: - Added cephadm-fix-get_cluster_count_when_data_dir_is_missing.patch - Add ceph-rocksdb-gcc15.patch ++++ libsoup: - Add libsoup-CVE-2025-4945.patch: add value checks for date/time parsing (boo#1243314 CVE-2025-4945). ++++ libzypp: - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updating zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to "/var/log/YaST2/autoTestcase" should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. 
- Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - version 17.37.6 (35) ++++ pam: - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted ++++ pam-config: - Update to version 2.12+git.20250516: * Don't add pam_env twice ++++ pam-full-src: - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted ++++ virt-manager: - bsc#1244685 - Could not find an installable distribution with virt-install command virtinst-add-sle16-detection-support.patch ++++ zypper: - BuildRequires: libzypp-devel >= 17.37.6. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. 
(bsc#1230267) - version 1.14.91 ------------------------------------------------------------------ ------------------ 2025-6-17 - Jun 17 2025 ------------------- ------------------------------------------------------------------ ++++ afterburn: - Fix Requires in noarch package to not be arch specific (bsc#1244675) ++++ drbd-utils: - merge upstream patch to fix build error * add patch + DRBDmon-Add-missing-default_types.h-include-in-strin.patch - Fix SELinux equivalency rules in module (bsc#1242915) * add patch + 0001-Fix-selinux-policy-for-usr-bin-equivalency-rules.patch + 0002-Fix-selinux-module-for-run-lock-equivalency-rules.patch + 0003-Fix-selinux-module-for-run-equivalency-rules.patch ++++ git: - update to 2.50.0 https://about.gitlab.com/blog/what-s-new-in-git-2-50-0/ https://raw.githubusercontent.com/git/git/refs/tags/v2.50.0/Documentation/RelNotes/2.50.0.adoc ++++ glibc: - ppc64le-revert-power10-strcmp.patch: Revert optimized POWER10 strcmp, strncmp implementations (CVE-2025-5745, CVE-2025-5702, bsc#1244184, bsc#1244182, BZ #33060, BZ #33056) - ppc64le-revert-power10-memcmp.patch: Revert optimized POWER10 memcmp implementation (BZ #33059) ++++ gpg2: - Don't install expired sks certificate [bsc#1243069] * Add patch gnupg-dirmngr-Don-t-install-expired-sks-certificate.patch ++++ kernel-default: - loop: factor out a loop_assign_backing_file helper (git-fixes). - Refresh patches.suse/loop-Add-sanity-check-for-read-write_iter.patch. - commit 6b2b09e - platform/x86/amd/hsmp: mark hsmp_msg_desc_table as maybe_unused (git-fixes). - commit a5ad60f - iommu: Clear iommu-dma ops on cleanup (CVE-2025-37877 bsc#1243058). - commit 5ecb9e1 - kernel-source: Remove log.sh from sources - commit 96bd779 - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). 
- commit e772925 ++++ kernel-firmware-amdgpu: - Update to version 20250616 (git commit 1d98972a5635): * amdgpu: Update DMCUB fw for DCN401 & DCN315 ++++ kernel-firmware-qcom: - Update to version 20250616 (git commit 1d98972a5635): * qcom: add gpu firmwares for X1P42100 chipset ++++ vim: - Fix bsc#1228776 / CVE-2024-41965. - Fix bsc#1239602 / CVE-2025-29768. - Refresh patch: vim-7.3-sh_is_bash.patch - Update to 9.1.1406: 9.1.1406: crash when importing invalid tuple 9.1.1405: tests: no test for mapping with special keys in session file 9.1.1404: wrong link to Chapter 2 in new-tutor 9.1.1403: expansion of 'tabpanelopt' value adds wrong values 9.1.1402: multi-byte mappings not properly stored in session file 9.1.1401: list not materialized in prop_list() 9.1.1400: [security]: use-after-free when evaluating tuple fails 9.1.1399: tests: test_codestyle fails for auto-generated files 9.1.1398: completion: trunc does not follow Pmenu highlighting attributes 9.1.1397: tabpanel not correctly updated on :tabonly 9.1.1396: 'errorformat' is a global option 9.1.1395: search_stat not reset when pattern differs in case 9.1.1394: tabpanel not correctly redrawn on tabonly 9.1.1393: missing test for switching buffers and reusing curbuf 9.1.1392: missing patch number 9.1.1391: Vim does not have a vertical tabpanel 9.1.1390: style: more wrong indentation 9.1.1389: completion: still some issue when 'isexpand' contains a space 9.1.1388: Scrolling one line too far with 'nosmoothscroll' page scrolling 9.1.1387: memory leak when buflist_new() fails to reuse curbuf 9.1.1386: MS-Windows: some minor problems building on AARCH64 9.1.1385: inefficient loop for 'nosmoothscroll' scrolling 9.1.1384: still some problem with the new tutors filetype plugin 9.1.1383: completion: 'isexpand' option does not handle space char correct 9.1.1382: if_ruby: unused compiler warnings from ruby internals 9.1.1381: completion: cannot return to original text 9.1.1380: 'eventignorewin' only checked for current buffer 
9.1.1379: MS-Windows: error when running evim when space in path 9.1.1378: sign without text overwrites number option 9.1.1377: patch v9.1.1370 causes some GTK warning messages 9.1.1376: quickfix dummy buffer may remain as dummy buffer 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer 9.1.1374: completion: 'smartcase' not respected when filtering matches 9.1.1373: 'completeopt' checking logic can be simplified 9.1.1372: style: braces issues in various files 9.1.1371: style: indentation and brace issues in insexpand.c 9.1.1370: CI Tests favor GTK2 over GTK3 9.1.1369: configure still using autoconf 2.71 9.1.1368: GTK3 and GTK4 will drop numeric cursor support. 9.1.1367: too many strlen() calls in gui.c 9.1.1366: v9.1.1364 unintentionally changed sign.c and sound.c 9.1.1365: MS-Windows: compile warnings and too many strlen() calls 9.1.1364: style: more indentation issues 9.1.1363: style: inconsistent indentation in various files 9.1.1362: Vim9: type ignored when adding tuple to instance list var 9.1.1361: [security]: possible use-after-free when closing a buffer 9.1.1360: filetype: GNU Radio companion files are not recognized 9.1.1359: filetype: GNU Radio config files are not recognized 9.1.1358: if_lua: compile warnings with gcc15 9.1.1357: Vim incorrectly escapes tags with "[" in a help buffer 9.1.1356: Vim9: crash when unletting variable 9.1.1355: The pum_redraw() function is too complex 9.1.1354: tests: Test_terminalwinscroll_topline() fails on Windows 9.1.1353: missing change from v9.1.1350 9.1.1352: style: inconsistent indent in insexpand.c 9.1.1351: Return value of getcmdline() inconsistent in CmdlineLeavePre 9.1.1350: tests: typo in Test_CmdlineLeavePre_cabbr() 9.1.1349: CmdlineLeavePre may trigger twice 9.1.1348: still E315 with the terminal feature 9.1.1347: small problems with gui_w32.c 9.1.1346: missing out-of-memory check in textformat.c 9.1.1345: tests: Test_xxd_color2() test failure dump diff is misleading 9.1.1344: double free in 
f_complete_match() (after v9.1.1341) 9.1.1343: filetype: IPython files are not recognized 9.1.1342: Shebang filetype detection can be improved 9.1.1341: cannot define completion triggers 9.1.1340: cannot complete :filetype arguments 9.1.1339: missing out-of-memory checks for enc_to_utf16()/utf16_to_enc() 9.1.1338: Calling expand() interferes with cmdcomplete_info() 9.1.1337: Undo corrupted with 'completeopt' "preinsert" when switching buffer 9.1.1336: comment plugin does not support case-insensitive 'commentstring' 9.1.1335: Coverity complains about Null pointer dereferences 9.1.1334: Coverity complains about unchecked return value 9.1.1333: Coverity: complains about unutilized variable 9.1.1332: Vim9: segfault when using super within a lambda 9.1.1331: Leaking memory with cmdcomplete() ------------------------------------------------------------------ ------------------ 2025-6-16 - Jun 16 2025 ------------------- ------------------------------------------------------------------ ++++ cifs-utils: - Update cifs-utils to 7.4 * mount.cifs: retry mount on -EINPROGRESS * cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP * cifs.upcall: fix memory leaks in check_service_ticket_exits() * cifs-utils: bump version to 7.4 * getcifsacl, setcifsacl: use for basename * cifscreds: use for basename ++++ cockpit: - Update to 340 * Detect multiple mount points when creating btrfs subvolumes * Disk Self-Test error warnings on the overview page * Prevent modifying partitions in unsupported places * Bug fixes and translation updates ++++ cockpit-machines: - Update to 333 * Bug fixes * The "shareable" attribute of disks is no longer modified by Cockpit * Virtual network interfaces can now select source mode ++++ cockpit-podman: - Update to 107 * Bug fixes * Translation updates ++++ python-kiwi: - Add driver configuration support for dracut initrd Add support for specifying kernel drivers to be included or omitted in the 
dracut initrd configuration. This extends the existing dracut configuration capabilities like in the following example ++++ kernel-default: - block/bdev: enable large folio support for large logical block sizes (git-fixes). - commit 03e169f - x86/amd_node: Add support for debugfs access to SMN registers (jsc#PED-13094). - commit 718f7f2 - x86/amd_node: Add SMN offsets to exclusive region access (jsc#PED-13094). - commit 8b0488f - x86/amd_node: Use defines for SMN register offsets (jsc#PED-13094). - commit fdceb0c - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - Refresh patches.suse/0008-ima-track-the-set-of-PCRs-ever-extended.patch. - commit 87b6eff - wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash (bsc#1240998). - wifi: ath12k: Resolve multicast packet drop by populating key_cipher in ath12k_install_key() (bsc#1240998). - commit 7530032 - wifi: ath12k: ath12k_mac_op_set_key(): fix uninitialized symbol 'ret' (bsc#1240998). - commit f7be9d8 - wifi: ath12k: Fix for out-of bound access error (bsc#1240998 CVE-2024-58015 bsc#1238995). - blacklist.conf: - commit 3c5bf1f - wifi: ath12k: fix key cache handling (bsc#1240998). - commit dcb3d62 - wifi: ath12k: convert tasklet to BH workqueue for CE interrupts (bsc#1240998). - wifi: ath12k: fix A-MSDU indication in monitor mode (bsc#1240998). - wifi: ath12k: use tail MSDU to get MSDU information (bsc#1240998). - wifi: ath12k: delete NSS and TX power setting for monitor vdev (bsc#1240998). - wifi: ath12k: fix struct hal_rx_mpdu_start (bsc#1240998). - wifi: ath12k: fix struct hal_rx_phyrx_rssi_legacy_info (bsc#1240998). - wifi: ath12k: fix struct hal_rx_ppdu_start (bsc#1240998). - wifi: ath12k: fix struct hal_rx_ppdu_end_user_stats (bsc#1240998). - wifi: ath12k: remove unused variable monitor_present (bsc#1240998). - commit 8ed2a0a - wifi: ath12k: modify link arvif creation and removal for MLO (bsc#1240998). 
- Refresh patches.suse/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_ma.patch. - commit 66e4cb1 - wifi: ath12k: update ath12k_mac_op_update_vif_offload() for MLO (bsc#1240998). - wifi: ath12k: update ath12k_mac_op_conf_tx() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_op_set_key() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_op_bss_info_changed() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_get_arvif_iter() for MLO (bsc#1240998). - wifi: ath12k: modify ath12k_mac_vif_chan() for MLO (bsc#1240998). - wifi: ath12k: prepare vif config caching for MLO (bsc#1240998). - wifi: ath12k: prepare sta data structure for MLO handling (bsc#1240998). - wifi: ath12k: pass ath12k_link_vif instead of vif/ahvif (bsc#1240998). - commit e2a68c7 - wifi: ath12k: prepare vif data structure for MLO handling (bsc#1240998). - Refresh patches.suse/wifi-ath12k-Handle-error-cases-during-extended-skb-a.patch. - Refresh patches.suse/wifi-ath12k-fix-tx-power-max-reg-power-update-to-fir.patch. - commit be086ca - wifi: ath12k: Add firmware coredump collection support (bsc#1240998). - Update config files. - commit 13fc60a - wifi: ath12k: Support BE OFDMA Pdev Rate Stats (bsc#1240998). - wifi: ath12k: Support Pdev Scheduled Algorithm Stats (bsc#1240998). - wifi: ath12k: Support DMAC Reset Stats (bsc#1240998). - wifi: ath12k: add missing lockdep_assert_wiphy() for ath12k_mac_op_ functions (bsc#1240998). - wifi: ath12k: ath12k_mac_op_sta_state(): clean up update_wk cancellation (bsc#1240998). - wifi: ath12k: ath12k_mac_set_key(): remove exit label (bsc#1240998). - commit 4d42f04 - wifi: ath12k: switch to using wiphy_lock() and remove ar->conf_mutex (bsc#1240998). - Refresh patches.suse/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch. - Refresh patches.suse/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_ma.patch. - commit 728526a - wifi: ath12k: convert struct ath12k_sta::update_wk to use struct wiphy_work (bsc#1240998). 
- commit 91ddf3a - wifi: ath12k: Support Pdev OBSS Stats (bsc#1240998). - wifi: ath12k: Support pdev CCA Stats (bsc#1240998). - wifi: ath12k: Support pdev Transmit Multi-user stats (bsc#1240998). - wifi: ath12k: Support Ring and SFM stats (bsc#1240998). - wifi: ath12k: Support Self-Generated Transmit stats (bsc#1240998). - wifi: ath12k: Modify print_array_to_buf() to support arrays with 1-based semantics (bsc#1240998). - wifi: ath12k: move txbaddr/rxbaddr into struct ath12k_dp (bsc#1240998). - wifi: ath12k: make read-only array svc_id static const (bsc#1240998). - commit 3509024 - x86/bugs: Restructure ITS mitigation (git-fixes). - commit 085abef - x86/bugs: Fix spectre_v2 mitigation default on Intel (git-fixes). - commit f344e75 - KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions (git-fixes). - commit b648f1d - platform/x86/amd/hsmp: fix building with CONFIG_HWMON=m (jsc#PED-13094). - commit dc03ed2 - platform/x86/amd/hsmp: acpi: Add sysfs files to display HSMP telemetry (jsc#PED-13094). - commit d63496c - platform/x86/amd/hsmp: Report power via hwmon sensors (jsc#PED-13094). - commit 357c2f9 - platform/x86/amd/hsmp: Use a single DRIVER_VERSION for all hsmp modules (jsc#PED-13094). - commit 60b1624 - platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers (jsc#PED-13094). - Refresh patches.suse/x86-platform-amd-Move-the-asm-amd_hsmp.h-header-to-asm-amd.patch. - commit 02efe4c - x86/platform/amd: Move the header to (jsc#PED-13094). - commit cd8f689 - x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through AMD_NODE (jsc#PED-13094). - commit 84c6aed - x86/amd_node: Remove dependency on AMD_NB (jsc#PED-13094). - commit 7a96278 - x86/amd_node: Update __amd_smn_rw() error paths (jsc#PED-13094). - commit 4c71e32 - x86/amd_nb: Move SMN access code to a new amd_node driver (jsc#PED-13094). - commit e227b52 - x86/amd_nb, hwmon: (k10temp): Simplify amd_pci_dev_to_node_id() (jsc#PED-13094). 
- commit 4ab060a - x86/amd_nb: Simplify function 3 search (jsc#PED-13094). - commit 995c30f - x86/amd_nb: Use topology info to get AMD node count (jsc#PED-13094). - commit 92a3127 - x86/amd_nb: Simplify root device search (jsc#PED-13094). - commit 99743f8 - x86/amd_nb: Simplify function 4 search (jsc#PED-13094). - commit 969836a - x86: Start moving AMD node functionality out of AMD_NB (jsc#PED-13094). - commit dedae8e - x86/amd_nb: Clean up early_is_amd_nb() (jsc#PED-13094). - commit 3e7ae58 - x86/amd_nb: Restrict init function to AMD-based systems (jsc#PED-13094). - commit 4581815 - x86/mce/amd: Remove shared threshold bank plumbing (jsc#PED-13094). - commit 5e367df - platform/x86: amd: Use *-y instead of *-objs in Makefiles (jsc#PED-13094). - commit 80da452 - platform/x86/amd/hsmp: Constify 'struct bin_attribute' (jsc#PED-13094). - commit ed01393 - Refresh patches.suse/drm-panel-simple-Update-timings-for-AUO-G101EVN010.patch. - Refresh patches.suse/drm-xe-Fix-and-re-enable-xe_print_blob_ascii85.patch. - commit 7527c99 - platform/x86/amd/hsmp: Add support for HSMP protocol version 7 messages (jsc#PED-13094). - commit 98c4882 - platform/x86/amd/hsmp: Change the error type (jsc#PED-13094). - commit a450822 - platform/x86/amd/hsmp: Add new error code and error logs (jsc#PED-13094). - commit 2c1e1e0 - platform/x86/amd/hsmp: Make hsmp_pdev static instead of global (jsc#PED-13094). 
- commit 25dfaea ++++ ovmf: - Add the patch from edk2-stable202505 (bsc#1243199) - ovmf-OvmfPkg-CcExitLib-Use-the-proper-register-when-filte.patch 856bdc8eec0f OvmfPkg/CcExitLib: Use the proper register when filtering MSRs ------------------------------------------------------------------ ------------------ 2025-6-15 - Jun 15 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-firmware-bluetooth: - Update to version 20250613 (git commit 12fe085fa409): * QCA: Update WCN785x btusb firmware to 2.0.0-00799-5 ++++ kernel-firmware-mediatek: - Update to version 20250613 (git commit 12fe085fa409): * linux-firmware: update firmware for MT7986 * linux-firmware: update firmware for MT7981 * linux-firmware: update firmware for MT7916 ++++ kernel-firmware-qcom: - Update to version 20250613 (git commit 12fe085fa409): * qcom: sc8280xp: Updated power FW for X13s ++++ kernel-firmware-realtek: - Update to version 20250613 (git commit 12fe085fa409): * rtl_nic: update firmware of RTL8153A ++++ kernel-firmware-sound: - Update to version 20250613 (git commit 12fe085fa409): * cirrus: cs35l41: Add Firmware for ASUS NUC using CS35L41 ++++ nvidia-open-driver-G06-signed: - update non-CUDA variant to 570.169 (boo#1244614) ------------------------------------------------------------------ ------------------ 2025-6-14 - Jun 14 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - udmabuf: use sgtable-based scatterlist wrappers (git-fixes). - drm/meson: fix more rounding issues with 59.94Hz modes (git-fixes). - drm/meson: use vclk_freq instead of pixel_freq in debug print (git-fixes). - drm/meson: fix debug log statement when setting the HDMI clocks (git-fixes). - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - spi: omap2-mcspi: Disable multi-mode when the previous message kept CS asserted (git-fixes). 
- spi: omap2-mcspi: Disable multi mode when CS should be kept asserted after message (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - commit 8d2d704 - config: arm64: default: enable mtu3 dual-role support for MediaTek platforms (bsc#1245206) MediaTek MTU3 dual-role switch with USB TYPE-C support is ready for most of the platforms since kernel 6.14. Hence to update the following default settings in arm64 default config. - disable CONFIG_USB_MTU3_HOST - enable CONFIG_USB_MTU3_DUAL_ROLE - commit 232c82c ------------------------------------------------------------------ ------------------ 2025-6-13 - Jun 13 2025 ------------------- ------------------------------------------------------------------ ++++ git: - Refresh gitk SHA256 patch and add SHA256 support to git-gui (bsc#1239989): 0001-gitk-Add-support-of-SHA256-repo.patch 0002-git-gui-Add-support-of-SHA256-repo.patch The previous patches are dropped: 0001-gitk-Add-a-basic-support-of-SHA256-repositories-into.patch 0002-gitk-Add-auto-select-length-preference-for-SHA256.patch ++++ glib2: - Update to version 2.84.3: + Bug fixed: gstring: Fix overflow check when expanding the string (CVE-2025-6052, boo#1244596). ++++ kernel-default: - Revert "openvswitch: switch to per-action label counting in conntrack" (CVE-2025-21958 bsc#1240758). - commit 99845fa - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - commit bbb8b6d - platform/x86/amd/hsmp: Use dev_groups in the driver structure (jsc#PED-13094). - commit 0d0227e - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - commit 1e81e5c - platform/x86/amd/hsmp: Use name space while exporting module symbols (jsc#PED-13094). - commit 43e9d2b - platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers (jsc#PED-13094). - Update config files. - commit 1820255 - mm/damon: fix order of arguments in damos_before_apply tracepoint (git-fixes). 
- commit 573e8fc - platform/x86/amd/hsmp: Change generic plat_dev name to hsmp_pdev (jsc#PED-13094). - commit e81369a - platform/x86/amd/hsmp: Move ACPI code to acpi.c (jsc#PED-13094). - commit 4d8807d - platform/x86/amd/hsmp: Move platform device specific code to plat.c (jsc#PED-13094). - commit a6d1274 - platform/x86/amd/hsmp: Move structure and macros to header file (jsc#PED-13094). - commit 226e6d8 - platform/x86/amd/hsmp: Convert amd_hsmp_rdwr() to a function pointer (jsc#PED-13094). - commit cfa6b2b - platform/x86/amd/hsmp: Create wrapper function init_acpi() (jsc#PED-13094). - commit 7b2aa8b - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - commit b955896 - platform/x86/amd/hsmp: Create hsmp/ directory (jsc#PED-13094). - Refresh patches.suse/sysfs-treewide-constify-attribute-callback-of-bin_is.patch. - commit fb1429d - tracing: Fix function name for trampoline (git-fixes). - commit db0dd06 - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - commit 58aed75 - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - commit 4902f47 - x86/bugs: Restructure SRSO mitigation (git-fixes). - commit b308adf - x86/bugs: KVM: Add support for SRSO_MSR_FIX (git-fixes). - commit d3911cf - x86/bugs: Restructure L1TF mitigation (git-fixes). - Refresh patches.suse/x86-sme-Use-percpu-boolean-to-control-wbinvd-during-kexec.patch. - commit 1d465a8 - x86/bugs: Restructure SSB mitigation (git-fixes). - commit 4fad51e - x86/bugs: Restructure spectre_v2 mitigation (git-fixes). - commit 811ec5d - x86/bugs: Restructure BHI mitigation (git-fixes). - commit 185e70f - x86/bugs: Restructure spectre_v2_user mitigation (git-fixes). - commit 7ec3712 - x86/bugs: Remove X86_FEATURE_USE_IBPB (git-fixes). - commit fa88ebe - KVM: nVMX: Always use IBPB to properly virtualize IBRS (git-fixes). 
- blacklist.conf: Removed the patch - commit 557f9fb - x86/bugs: Use a static branch to guard IBPB on vCPU switch (git-fixes). - commit e724e81 - x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set() (git-fixes). - commit 42db235 - x86/mm: Remove X86_FEATURE_USE_IBPB checks in cond_mitigation() (git-fixes). - commit 4022f33 - x86/bugs: Move the X86_FEATURE_USE_IBPB check into callers (git-fixes). - Refresh patches.suse/x86-bugs-Fix-RSB-clearing-in-indirect_branch_prediction_ba.patch. - commit 68a66c6 - x86/bugs: Use the cpu_smt_possible() helper instead of open-coded code (git-fixes). - commit a3f48f2 - x86/bugs: Restructure retbleed mitigation (git-fixes). - commit 57e9149 - x86/bugs: Allow retbleed=stuff only on Intel (git-fixes). - commit be36749 - x86/bugs: Restructure spectre_v1 mitigation (git-fixes). - commit 9d9c4f9 - x86/bugs: Restructure GDS mitigation (git-fixes). - commit 07ce138 - x86/bugs: Restructure SRBDS mitigation (git-fixes). - commit 985324a - x86/bugs: Remove md_clear_*_mitigation() (git-fixes). - commit 3670fb7 - x86/bugs: Restructure RFDS mitigation (git-fixes). - commit 5f6d514 - x86/bugs: Restructure MMIO mitigation (git-fixes). - commit fbecfda - x86/bugs: Rename mmio_stale_data_clear to cpu_buf_vm_clear (git-fixes). - commit 6562e0a - x86/bugs: Restructure TAA mitigation (git-fixes). - commit 2b3c942 - x86/bugs: Restructure MDS mitigation (git-fixes). - commit d61c636 - x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds (git-fixes). - commit 8f40133 - x86/bugs: Relocate mds/taa/mmio/rfds defines (git-fixes). - commit dd6ad69 - x86/bugs: Add X86_BUG_SPECTRE_V2_USER (git-fixes). - Refresh patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch. - Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch. - commit 2251acf - net: ibmveth: Refactored veth_pool_store for better maintainability (jsc#PED-3944). - net: ibmveth: added KUnit tests for some buffer pool functions (jsc#PED-3944). 
- net: ibmveth: Reset the adapter when unexpected states are detected (jsc#PED-3944). - net: ibmveth: Indented struct ibmveth_adapter correctly (jsc#PED-3944). - commit 8a53c7b - patches.suse/block-make-sure-nr_integrity_segments-is-cloned-in-blk_rq_.patch: (git-fixes, bsc#1243874). Patch metadata - commit 3065561 - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - commit 497daab - Bluetooth: MGMT: Fix sparse errors (git-fixes). - commit f4127bc - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - Revert "wifi: mwifiex: Fix HT40 bandwidth issue." (git-fixes). - Bluetooth: eir: Fix possible crashes on eir_create_adv_data (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race condition (git-fixes). - Bluetooth: btintel_pcie: Increase the tx and rx descriptor count (git-fixes). - Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers (git-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - ptp: ocp: Limit signal/freq counts in summary output functions (git-fixes). - ptp: ocp: fix start time alignment in ptp_ocp_signal_set (git-fixes). 
- ptp: ocp: reject unsupported periodic output flags (git-fixes). - ptp: Properly handle compat ioctls (git-fixes). - commit ad94026 - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI/pwrctrl: Cancel outstanding rescan work when unregistering (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - PCI: apple: Use helper function for_each_child_of_node_scoped() (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - commit f6125e9 ++++ libguestfs: - Drop gzip mtime from base.tar.gz (bsc#1216986) ++++ osinfo-db: - Update to database version 20250606 (jsc#PED-12706) osinfo-db-20250606.tar.xz - Drop add-Windows-Server-2025.patch ------------------------------------------------------------------ ------------------ 2025-6-12 - Jun 12 2025 ------------------- ------------------------------------------------------------------ ++++ transactional-update: - Version 5.0.4 - Don't override soft-reboot with hard reboot - Fix stdio when returning from selfupdate [boo#1243910], [gh#openSUSE/transactional-update#151] ++++ jq: - Add patch CVE-2024-23337.patch (CVE-2024-23337, bsc#1243450) ++++ kernel-default: - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - commit 6750876 - scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels (git-fixes). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). 
- scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: logging: Fix scsi_logging_level bounds (git-fixes). - scsi: mpi3mr: Update timestamp only for supervisor IOCs (git-fixes). - scsi: scsi_debug: First fixes for tapes (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - commit edc8361 - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000 bsc#1244277). - commit 57fc275 - ring-buffer: Limit time with disabled interrupts in rb_check_pages() (git-fixes). - commit eb4c51a - bpf: Force uprobe bpf program to always return 0 (git-fixes). - commit 8c62ccf - tracing: Fix function timing profiler to initialize hashtable (git-fixes). - commit bb3c8fc - xfs: don't lose solo dquot update transactions (bsc#1244502). - commit de784a3 - xfs: don't lose solo superblock counter update transactions (bsc#1244502). - commit d46099b - xfs: avoid nested calls to __xfs_trans_commit (bsc#1244502). - commit 0e219be - netfilter: ipset: fix region locking in hash types (CVE-2025-37997 bsc#1243832). - commit 7805bf7 - Revert "sysctl: update common tuning parameters for SAP workloads" This reverts commit 86d9b0692912bbfa298dbe77683f16d0872aaf27. jsc#PED-11676 has been rejected. - commit 346a6d9 - supported.conf: mark mana drivers as external - uio_hv_generic: Set event for all channels on the device (git-fixes). - Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests (git-fixes). - Drivers: hv: vmbus: Add comments about races with "channels" sysfs dir (git-fixes). - PCI: hv: Remove unnecessary flex array in struct pci_packet (git-fixes). - Drivers: hv: Use kzalloc for panic page allocation (git-fixes). 
- uio_hv_generic: Align ring size to system page (git-fixes). - uio_hv_generic: Use correct size for interrupt and monitor pages (git-fixes). - Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary (git-fixes). - x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap() (git-fixes). - Drivers: hv: vmbus: Introduce hv_get_vmbus_root_device() (git-fixes). - Drivers: hv: vmbus: Get the IRQ number from DeviceTree (git-fixes). - arm64, x86: hyperv: Report the VTL the system boots in (git-fixes). - arm64: hyperv: Initialize the Virtual Trust Level field (git-fixes). - Drivers: hv: Provide arch-neutral implementation of get_vtl() (git-fixes). - Drivers: hv: Enable VTL mode for arm64 (git-fixes). - tools: hv: Enable debug logs for hv_kvp_daemon (git-fixes). - net: mana: Add support for auxiliary device servicing events (git-fixes). - RDMA/mana_ib: unify mana_ib functions to support any gdma device (git-fixes). - RDMA/mana_ib: Add support of mana_ib for RNIC and ETH nic (git-fixes). - net: mana: Probe rdma device in mana driver (git-fixes). - RDMA/mana_ib: Add support of 4M, 1G, and 2G pages (git-fixes). - RDMA/mana_ib: support of the zero based MRs (git-fixes). - RDMA/mana_ib: Access remote atomic for MRs (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). 
- commit e5bb2a2 ++++ kernel-firmware-nvidia: - Fix zypper conflict about directory -> symlink workaround (bsc#1244458) ++++ kernel-firmware-qcom: - Better workaround for directory -> symlink change (bsc#1244458) ++++ virt-manager: - Upstream bug fixes (bsc#1027942) 050-Validation-allow-spaces-disallow-slashes.patch 051-fix-default-start_folder-to-None.patch 052-Add-Ctrl+Alt+Shift+Esc-key-command-for-loginds-SecureAttentionKey.patch ------------------------------------------------------------------ ------------------ 2025-6-11 - Jun 11 2025 ------------------- ------------------------------------------------------------------ ++++ NetworkManager: - document static ip setup on boot (bsc#1244072) add 0001-man-document-static-ip-setup-differences-to-dracut-n.patch ++++ fde-tools: - Add fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch to fix the empty LUKS header checksum from lsinitrd (bsc#1244323) ++++ kernel-default: - Revert "ipv6: save dontfrag in cork (git-fixes)." This reverts commit f07ae24f52481201baa11e1e91aab0812e1043c6. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit a4337cd - Revert "kABI: ipv6: save dontfrag in cork (git-fixes)." This reverts commit c19b92367fe535ac505c72a32609b2b5aa190746. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit d9787d8 - rxrpc: Fix handling of received connection abort (CVE-2024-58053 bsc#1238982). - commit 6192989 - tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521) - commit c36615f - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). Return the correct upper limit of the allocated cpumask. modified: - patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping-cpus.patch. - patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number-initialized-masks.patch. 
- commit 55c520e - Refresh patches.suse/sd-always-retry-READ-CAPACITY-for-ALUA-state-transit.patch This patch has two identical hunks but there is only one site where the hunk can be applied. - commit da23587 - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - commit 5fb1a6c - Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - commit 0ba4e57 - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - commit 1f1b63d - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - commit ba34170 - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - commit db6d17b - ALSA: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - ALSA: hda: hda-intel: add Wildcat Lake support (stable-fixes). - ALSA: hda: add HDMI codec ID for Intel WCL (stable-fixes). - PCI: Add Intel Wildcat Lake audio Device ID (stable-fixes). - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Acer Helios laptops (stable-fixes). - commit b41ea81 - accel/ivpu: Trigger device recovery on engine reset/resume failure (git-fixes). - accel/ivpu: Use firmware names from upstream repo (git-fixes). - commit cfcd050 - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands (git-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - net: lan743x: Fix memleak issue when GSO enabled (git-fixes). 
- accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW (stable-fixes). - PCI/ASPM: Disable L1 before disabling L1 PM Substates (stable-fixes). - accel/ivpu: Update power island delays (stable-fixes). - accel/ivpu: Add initial Panther Lake support (stable-fixes). - commit 122402d ++++ libguestfs: - Update to version 1.56.0 (jsc#PED-12706) * Add support for Windows 2025 (thanks Ming Xie). * Add support for TencentOS (Denise Cheng). * Inspection of Ubuntu 22+ guests that use a split /usr configuration now works properly (thanks Jaroslav Spanko, Daniel Berrange). * Inspecting guests that have duplicated root mountpoints now works. * Inspection of SUSE Linux guests using btrfs snapshots now ignores snapshots that mirror content in the root filesystem (thanks Ming Xie). * Inspection of SUSE Linux >= 15 now returns the correct osinfo short name (eg. "sle15") (thanks Ming Xie). * New command_out and sh_out APIs which allow you to capture output from guest commands that generate more output than the protocol limit allows. * New btrfs_scrub_full API which runs a full Btrfs scrub, synchronously. It works more like fsck for other filesystems. * The fstrim API has been modified to work around several issues in upstream and RHEL 9 kernels related to XFS support (Eric Sandeen, Dave Chinner). * The existing e2fsck API has a new FORCENO option enabling use of the command line -n flag. * json-c is now required. This replaces Jansson which was previously used for parsing JSON input files. * OCaml ≥ 4.08 is now required. * When using ./configure --disable-daemon we no longer require augeas and hivex (thanks Mohamed Akram). * zfs-fuse support has been dropped. The project is unmaintained upstream (thanks Paul Bolle, Gwyn Ciesla, Timothée Ravier). * Fix compatibility with GNU gettext 0.25. * Fix dhcpcd failing on systemd-resolved stub (Thomas Wouters). * Add support for dhcpcd and sfdisk on Debian (Daniel Gomez). * Print the kernel utsname in debug output. 
* We no longer emit a false warning about BLKDISCARD when creating a block device. * If qemu-img(1) commands fail during snapshot creation, make sure we capture and print stderr from the qemu command (Cole Robinson). * For a complete list of changes and bug fixes see, https://libguestfs.org/guestfs-release-notes-1.56.1.html - bsc#1216986 - libguestfs: embeds /etc/hosts reproducible-builds.patch ++++ python313-core: - Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. 
- Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. ++++ nvidia-open-driver-G06-signed: - 60-nvidia-$flavor.conf * Don't try to load the driver if config and GSP firmware files are not available. Otherwise let the default install rule 'install nvidia-drm /sbin/modprobe --ignore-install nvidia-drm' of 50-nvidia.conf win, which comes together with config and GSP firmware files (package nvidia-common-G06). ++++ python313: - Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. 
- Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. ++++ python-argcomplete: - Remove executable bit on files installed outside of the path. (bsc#1244435) ++++ xfsprogs: - update to 6.14.0 - xfs_scrub_all: localize the strings in the program - xfs_protofile: add messages to localization catalog - Makefile: inject package name/version/bugreport into pot file - xfs_scrub_all: rename source code to .py.in - xfs_protofile: rename source code to .py.in - xfs_repair: handling a block with bad crc, bad uuid, and bad magic number needs fixing - xfs_repair: fix stupid argument error in verify_inode_chunk - xfs_repair: fix infinite loop in longform_dir2_entry_check* - xfs_repair: fix crash in reset_rt_metadir_inodes - xfs_repair: don't recreate /quota metadir if there are no quota inodes - xfs_repair: fix wording of error message about leftover CoW blocks on the rt device - xfs_io: Add cachestat syscall support - xfs_io: Add RWF_DONTCACHE support to preadv2 - xfs_io: Add RWF_DONTCACHE support to pwritev2 - xfs_io: Add support for preadv2 - make: remove the .extradep file in libxfs on "make clean" - xfs_{admin,repair},man5: tell the user to mount with nouuid for snapshots - xfsprogs: Fix mismatched return type of filesize() - xfs_io: don't fail FS_IOC_FSGETXATTR on filesystems that lack support - configure: additionally get icu-uc from pkg-config - xfs_scrub: use the display mountpoint for reporting file corruptions - xfs_scrub: don't warn about zero width joiner control characters - xfs_scrub: fix buffer overflow in string_escape - xfs_db: add command to copy directory trees out of filesystems - xfs_db: make listdir more generally useful - xfs_db: use an empty transaction to try to prevent livelocks in path_navigate - xfs_db: pass const pointers when we're not modifying them - mkfs: enable reflink on the realtime device - mkfs: validate CoW extent size hint when rtinherit is set - xfs_logprint: report realtime CUIs 
- xfs_repair: validate CoW extent size hint on rtinherit directories - xfs_repair: allow realtime files to have the reflink flag set - xfs_repair: rebuild the realtime refcount btree - xfs_repair: reject unwritten shared extents - xfs_repair: check existing realtime refcountbt entries against observed refcounts - xfs_repair: compute refcount data for the realtime groups - xfs_repair: find and mark the rtrefcountbt inode - xfs_repair: use realtime refcount btree data to check block types - xfs_repair: allow CoW staging extents in the realtime rmap records - xfs_spaceman: report health of the realtime refcount btree - xfs_db: add rtrefcount reservations to the rgresv command - xfs_db: copy the realtime refcount btree - xfs_db: support the realtime refcountbt - xfs_db: display the realtime refcount btree contents - man: document userspace API changes due to rt reflink - mkfs: create the realtime rmap inode - xfs_logprint: report realtime RUIs - xfs_repair: reserve per-AG space while rebuilding rt metadata - xfs_repair: rebuild the bmap btree for realtime files - xfs_repair: check for global free space concerns with default btree slack levels - xfs_repair: rebuild the realtime rmap btree - xfs_repair: always check realtime file mappings against incore info - xfs_repair: check existing realtime rmapbt entries against observed rmaps - xfs_repair: find and mark the rtrmapbt inodes - xfs_repair: refactor realtime inode check - xfs_repair: create a new set of incore rmap information for rt groups - xfs_repair: use realtime rmap btree data to check block types - xfs_repair: flag suspect long-format btree blocks - xfs_repair: tidy up rmap_diffkeys - xfs_spaceman: report health status of the realtime rmap btree - xfs_db: add an rgresv command - xfs_db: make fsmap query the realtime reverse mapping tree - xfs_db: copy the realtime rmap btree - xfs_db: support the realtime rmapbt - xfs_db: display the realtime rmap btree contents - xfs_db: don't abort when bmapping on a 
non-extents/bmbt fork - xfs_db: compute average btree height - man: document userspace API changes due to rt rmap - xfs_scrub: try harder to fill the bulkstat array with bulkstat() - xfs_scrub: ignore freed inodes when single-stepping during phase 3 - xfs_scrub: hoist the phase3 bulkstat single stepping code - xfs_scrub: don't blow away new inodes in bulkstat_single_step - xfs_scrub: return early from bulkstat_for_inumbers if no bulkstat data - xfs_scrub: don't complain if bulkstat fails - xfs_scrub: don't - xfs_scrub: don't double-scan inodes during phase 3 - xfs_scrub: actually iterate all the bulkstat records - xfs_scrub: selectively re-run bulkstat after re-running inumbers - xfs_scrub: remove flags argument from scrub_scan_all_inodes - xfs_scrub: call bulkstat directly if we're only scanning user files - xfs_scrub: don't report data loss in unlinked inodes twice - man: document new XFS_BULK_IREQ_METADIR flag to bulkstat - xfs_db: obfuscate rt superblock label when metadumping - mkfs,xfs_repair: don't pass a daddr as the flags argument - drop mkfs-fix-filesize-function-compilation-error-on-32-b.patch - now part of the release (merged in v6.14.0) ------------------------------------------------------------------ ------------------ 2025-6-10 - Jun 10 2025 ------------------- ------------------------------------------------------------------ ++++ branding-SLE: - Merge all files from distributions-logos-SLE into distributions-logos-branding-SLE. ++++ python-kiwi: - Fixed rootfs size calculation with spare part In case a spare_part setup is combined with the root_clone feature, the size calculation for the rootfs did not take the cloning into account and lead to the wrong value. In addition when requesting the spare part to be last and no size information was given, the partition was not created at all. 
This commit fixes both defects and Fixes #2831 ++++ iputils: - Security fix [bsc#1243772, CVE-2025-48964] * Fix integer overflow in ping statistics via zero timestamp * Add iputils-CVE-2025-48964_01.patch * Add iputils-CVE-2025-48964_02.patch * Add iputils-CVE-2025-48964_03.patch * Add iputils-CVE-2025-48964_regression.patch ++++ kernel-default: - net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909 bsc#1243467). - vxlan: vnifilter: Fix unlocked deletion of default FDB entry (CVE-2025-37921 bsc#1243480). - commit 1e0ef1b - ucsi_debugfs_entry: restore u32 respectively s32 for int (git-fixes). - commit 94a62e7 - tracing: Verify event formats that have "%*p.." (CVE-2025-37938 bsc#1243544). - tracing: Have process_string() also allow arrays (git-fixes). - tracing: Check "%s" dereference via the field and not the TP_printk format (git-fixes). - tracing: Add "%s" check in test_event_printk() (git-fixes). - tracing: Add missing helper functions in event pointer dereference check (git-fixes). - tracing: Fix test_event_printk() to process entire print argument (git-fixes). - tracing: Add __print_dynamic_array() helper (git-fixes). - commit 4da5a05 - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - commit f07681a - usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink() (git-fixes). - commit 31571ee - module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827) - commit ca96390 - ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations (CVE-2025-37910 bsc#1243468) - commit c0e3266 - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - commit 7c95ae0 - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). 
- commit 43c5814 - xen/x86: fix initial memory balloon target (git-fixes). - commit af7a319 - kABI: kabi fix after vsock/virtio: fix `rx_bytes` accounting (git-fixes). - commit d25e930 - vsock/virtio: fix `rx_bytes` accounting for stream sockets (git-fixes). - commit 86c965e - Delete patches.suse/Restore-kABI-for-NVidia-vGPU-driver.patch. - commit 56249f7 - gfs2: Don't start unnecessary transactions during log flush (bsc#1243993). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dlm: mask sk_shutdown value (bsc#1228854). - commit 691de31 - bpf: Search and add kfuncs in struct_ops prologue and epilogue (git-fixes). - selftests/bpf: Fix stdout race condition in traffic monitor (git-fixes). - selftests/bpf: Fix freplace_link segfault in tailcalls prog test (git-fixes). - selftests: bpf: test batch lookup on array of maps with holes (git-fixes). - bpf: skip non exist keys in generic_map_lookup_batch (git-fixes). - commit 63fb01b - selftests/bpf: Add distilled BTF test about marking BTF_IS_EMBEDDED (git-fixes). - libbpf: Fix incorrect traversal end type ID when marking BTF_IS_EMBEDDED (git-fixes). - libbpf: Fix return zero when elf_begin failed (git-fixes). - selftests/bpf: Fix btf leak on new btf alloc failure in btf_distill test (git-fixes). - libbpf: Fix segfault due to libelf functions not setting errno (git-fixes). - libbpf: Prevent compiler warnings/errors (git-fixes). - resolve_btfids: Fix compiler warnings (git-fixes). - commit f3a284f ++++ kernel-firmware-iwlwifi: - Update to version 20250609 (git commit 0d92efb540f4): * Revert "iwlwifi: add Bz/gl FW for core96-76 release" ++++ util-linux-systemd: - Fix libmount --no-canonicalize regression (boo#1244251, gh#util-linux/util-linux#3479, libmount-fix-no-canonicalize-regression.patch). ++++ gcc15: - Remove all %gcc_icecream mode cross-compilers and the corresponding icecream backend subpackages. 
Instead use glibc-bootstrap only configs for cross-x86_64-gcc (ipxe,ovmf,qemu), cross-ppc64-gcc (qemu) and cross-arm-gcc (ovmf). ++++ util-linux: - Fix libmount --no-canonicalize regression (boo#1244251, gh#util-linux/util-linux#3479, libmount-fix-no-canonicalize-regression.patch). ++++ python-requests: - update to 2.32.4: * CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file * Numerous documentation improvements * Added support for pypy 3.11 for Linux and macOS. * Dropped support for pypy 3.9 following its end of support. - drop CVE-2024-47081.patch (merged upstream) ------------------------------------------------------------------ ------------------ 2025-6-9 - Jun 9 2025 ------------------- ------------------------------------------------------------------ ++++ kernel-default: - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1244280). - commit d830b32 - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ("bs-upload-kernel: Pass limit_packages also on multibuild") - commit f4c6047 - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - commit e4c2851 - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1244278). - commit fb0286b - uprobes/x86: Harden uretprobe syscall trampoline check (CVE-2025-22046 bsc#1241434). 
- commit 5cc86ac - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build") - commit 27588c9 - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build") Fixes: 747f601d4156 ("bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)") - commit 8ef486c - ftrace: Avoid potential division by zero in function_stat_show() (CVE-2025-21898 bsc#1240610). - commit 13235ba - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value (git-fixes). - commit 2343c8f - sort series.conf - commit 7c822ea - tracing: Fix bad hist from corrupting named_triggers list (CVE-2025-21899 bsc#1240577). - commit b162509 - ring-buffer: Validate the persistent meta data subbuf array (CVE-2025-21777 bsc#1238764). - commit b030dbe - x86/usercopy: Fix kernel-doc func param name in clean_cache_range()'s description (git-fixes). - commit 2e19a8b - x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 (git-fixes). - commit 895937c - x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches (git-fixes). - commit a46ec06 - x86/microcode/AMD: Add some forgotten models to the SHA check (git-fixes). - commit 5ed1d64 - x86/microcode/AMD: Load only SHA256-checksummed patches (git-fixes). - commit c395380 - x86/alternative: Remove unused header #defines (git-fixes). - commit 0ced93a - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - commit 1051216 - x86/microcode/AMD: Add get_patch_level() (git-fixes). - commit 08a178d - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - commit 563faf8 - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). 
- commit 409c545 - x86/microcode/AMD: Remove unused save_microcode_in_initrd_amd() declarations (git-fixes). - commit 5d4cce2 - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - commit dc8a454 - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - commit 3dd0b23 - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - commit 31a173d - Sort series.conf - commit 4948d54 - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - commit 913f1ca - selftests/bpf: Add selftest for may_goto (bsc#1241460 CVE-2025-22087). - selftests/bpf: Introduce __load_if_JITed annotation for tests (bsc#1241460 CVE-2025-22087). - bpf: Fix array bounds error with may_goto (bsc#1241460 CVE-2025-22087). - commit 4c36585 - selftests/bpf: Check for timeout in perf_link test (git-fixes). - commit 73ccf26 ++++ libgcrypt: - Security fix [bsc#1221107, CVE-2024-2236] * Add --enable-marvin-workaround to spec to enable workaround * Fix timing based side-channel in RSA implementation ( Marvin attack ) * Add libgcrypt-CVE-2024-2236.patch ++++ python313-core: - Update to 3.13.4: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. 
- gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio create_task() family of methods and how it calls a custom task factory in a backwards incompatible way. 
Since some 3rd party libraries have already made changes to work around the issue that might break if we simply reverted the changes, we’re instead changing things to be backwards compatible with 3.13.2 while still supporting those workarounds for 3.13.3. In particular, the special-casing of name and context is back (until 3.14) and consequently eager tasks may still find that their name hasn’t been set before they execute their first yielding await. - gh-71253: Raise ValueError in open() if opener returns a negative file-descriptor in the Python implementation of io to match the C implementation. - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser. - gh-133489: random.getrandbits() can now generate more than 2**31 bits. random.randbytes() can now generate more than 256 MiB. - gh-133290: Fix attribute caching issue when setting ctypes._Pointer._type_ in the undocumented and deprecated ctypes.SetPointerType() function and the undocumented set_type() method. - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11. - gh-133089: Use original timeout value for subprocess.TimeoutExpired when the func subprocess.run() is called with a timeout instead of sometimes a confusing partial remaining time out value used internally on the final wait(). - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-132995: Bump the version of pip bundled in ensurepip to version 25.1.1 - gh-132017: Fix error when pyrepl is suspended, then resumed and terminated. - gh-132673: Fix a crash when using _align_ = 0 and _fields_ = [] in a ctypes.Structure. - gh-132527: Include the valid typecode ‘w’ in the error message when an invalid typecode is passed to array.array.
- gh-132439: Fix PyREPL on Windows: characters entered via AltGr are swallowed. Patch by Chris Eibl. - gh-132429: Fix support of Bluetooth sockets on NetBSD and DragonFly BSD. - gh-132106: QueueListener.start now raises a RuntimeError if the listener is already started. - gh-132417: Fix a NULL pointer dereference when a C function called using ctypes with restype py_object returns NULL. - gh-132385: Fix instance error suggestions trigger potential exceptions in object.__getattr__() in traceback. - gh-132308: A traceback.TracebackException now correctly renders the __context__ and __cause__ attributes from falsey Exception, and the exceptions attribute from falsey ExceptionGroup. - gh-132250: Fixed the SystemError in cProfile when locating the actual C function of a method raises an exception. - gh-132063: Prevent exceptions that evaluate as falsey (namely, when their __bool__ method returns False or their __len__ method returns 0) from being ignored by concurrent.futures.ProcessPoolExecutor and concurrent.futures.ThreadPoolExecutor. - gh-119605: Respect follow_wrapped for __init__() and __new__() methods when getting the class signature for a class with inspect.signature(). Preserve class signature after wrapping with warnings.deprecated(). Patch by Xuehai Pan. - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion. - gh-131434: Improve error reporting for incorrect format in time.strptime(). - gh-131127: Systems using LibreSSL now successfully build. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - gh-130941: Fix configparser.ConfigParser parsing empty interpolation with allow_no_value set to True. - gh-129098: Fix REPL traceback reporting when using compile() with an inexisting file. Patch by Bénédikt Tran. - gh-130631: http.cookiejar.join_header_words() is now more similar to the original Perl version. 
It now quotes the same set of characters and always quotes values that end with "\n". - gh-129719: Fix missing socket.CAN_RAW_ERR_FILTER constant in the socket module on Linux systems. It was missing since Python 3.11. - gh-124096: Turn on virtual terminal mode and enable bracketed paste in REPL on Windows console. (If the terminal does not support bracketed paste, enabling it does nothing.) - gh-122559: Remove __reduce__() and __reduce_ex__() methods that always raise TypeError in the C implementation of io.FileIO, io.BufferedReader, io.BufferedWriter and io.BufferedRandom and replace them with default __getstate__() methods that raise TypeError. This restores fine details of behavior of Python 3.11 and older versions. - gh-122179: hashlib.file_digest() now raises BlockingIOError when no data is available during non-blocking I/O. Before, it added spurious null bytes to the digest. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the