Removed rpms
============
- libopenh264-6
- mozilla-openh264
Added rpms
==========
Package Source Changes
======================
Mesa
+- revert previous change, since it resulted in Xorg and Mesa no
+ longer being able to load "i965" driver at all! This affects many
+ if not almost all Intel GPU users. I can't tell why this happens,
+ but I'm afraid we need to act immediately (boo#1202850); reopened
+ boo#1200965 for now ...
+
+- change default driver from 'iris' back to 'i965' for Intel
+ Gen8-11 hardware; that way we also use the same driver used by X
+ and Mesa (boo#1200965); related bugs: boo#1197045, boo#1197046
+
Mesa-drivers
+- revert previous change, since it resulted in Xorg and Mesa no
+ longer being able to load "i965" driver at all! This affects many
+ if not almost all Intel GPU users. I can't tell why this happens,
+ but I'm afraid we need to act immediately (boo#1202850); reopened
+ boo#1200965 for now ...
+
+- change default driver from 'iris' back to 'i965' for Intel
+ Gen8-11 hardware; that way we also use the same driver used by X
+ and Mesa (boo#1200965); related bugs: boo#1197045, boo#1197046
+
audit-secondary
+- Update audit-secondary.spec: create symbolic link from
+ /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519).
+
btrfsprogs
+- Upstream behavior of btrfs compression=none (JSC#PED-1711)
+ * btrfs-progs_props_dont_translate_value_of_compression_none.patch
+
dracut
+- Update to version 055+suse.294.gc5bc4bb5:
+ Missing network-manager module fixes (bsc#1201975):
+ * fix(network-manager): avoid calling unavailable dracut-logger functions
+ * fix(network-manager): skip non-directories in /sys/class/net
+ * fix(network-manager): disable tty output if the console is not usable
+ * fix(network-manager): show output on console only with rd.debug enabled
+ * fix(network-manager): write DHCP filename option to dhcpopts file
+ * fix(network-manager): ensure safe content of /tmp/dhclient."$ifname".dhcpopts
+ * fix(network-manager): include nm-daemon-helper binary
+ * fix(network-manager): don't pull in systemd-udev-settle
+ * fix(network-manager): support teaming under NM+systemd
+ * fix(network-manager): pull in network.target in nm-initrd.service
+
+- Update to version 055+suse.283.ge98ece25:
+ * fix(network-manager): check for nm-initrd-generator in both /usr/{libexec,lib} (bsc#1201975)
+ * fix(network-legacy): add auto timeout to wicked DHCP test (bsc#1198709)
+
emacs-apel
+- Add emacs-apel-fix-build-error.patch: fix emacs-apel build error
+ on SLE-15-SP4 (bsc#1197714).
+
-- Add suse-start-apel.el.
-
gnutls
+- Security fix: [bsc#1202020, CVE-2022-2509]
+ * Fixed double free during verification of pkcs7 signatures
+ * Add gnutls-CVE-2022-2509.patch
+
+- FIPS:
+ * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979]
+ - gnutls_fips140_run_self_tests now properly releases fips_context
+
+- FIPS:
+ * Add gnutls_ECDSA_signing.patch [bsc#1190698]
+ - Check minimum keylength for symmetric key generation
+ - Only allows ECDSA signature with valid set of hashes
+ (SHA2 and SHA3)
+ * Add gnutls-FIPS-force-self-test.patch [bsc#1198979]
+ - Provides interface for running library self tests on-demand
+ - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598
+
libnettle
+- update to 3.8.1:
+ * Avoid non-posix m4 argument references in the chacha
+ implementation for arm64, powerpc64 and s390x. Reported by
+ Christian Weisgerber, fix contributed by Mamone Tarsha.
+ * Use explicit .machine pseudo-ops where needed in s390x
+ assembly files. Bug report by Andreas K. Huettel, fix
+ contributed by Mamone Tarsha.
+
+- update to 3.8:
+ This release includes a couple of new features, and many
+ performance improvements. It adds assembly code for two more
+ architectures: ARM64 and S390x.
+ The new version is intended to be fully source and binary
+ compatible with Nettle-3.6. The shared library names are
+ libnettle.so.8.5 and libhogweed.so.6.5, with sonames
+ libnettle.so.8 and libhogweed.so.6.
+ New features:
+ * AES keywrap (RFC 3394), contributed by Nicolas Mora.
+ * SM3 hash function, contributed by Tianjia Zhang.
+ * New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
+ cbc_aes256_encrypt.
+ On processors where AES is fast enough, e.g., x86_64 with
+ aesni instructions, the overhead of using Nettle's general
+ cbc_encrypt can be significant. The new functions can be
+ implemented in assembly, to do multiple blocks with reduced
+ per-block overhead.
+ Note that there's no corresponding new decrypt functions,
+ since the general cbc_decrypt doesn't suffer from the same
+ performance problem.
+ Bug fixes:
+ * Fix fat builds for x86_64 windows, these appear to never
+ have worked.
+ Optimizations:
+ * New ARM64 implementation of AES, GCM, Chacha, SHA1 and
+ SHA256, for processors supporting crypto extensions. Great
+ speedups, and fat builds are supported. Contributed by
+ Mamone Tarsha.
+ * New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
+ SHA256, SHA512 and SHA3. Great speedups, and fat builds are
+ supported. Contributed by Mamone Tarsha.
+ * New PPC64 assembly for ecc modulo/redc operations,
+ contributed by Amitay Isaacs, Martin Schwenke and Alastair
+ D´Silva.
+ * The x86_64 AES implementation using aesni instructions has
+ been reorganized with one separate function per key size,
+ each interleaving the processing of two blocks at a time
+ (when the caller processes multiple blocks with each call).
+ This gives a modest performance improvement on some
+ processors.
+ * Rewritten and faster x86_64 poly1305 assembly.
+- drop libnettle-s390x-CPACF-SHA-AES-support.patch (included in 3.8)
+
+- Make shared libraries executable
+
mozilla-nss
+- update to NSS 3.79.1 (bsc#1202645)
+ * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
+ * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
+ * bmo#1759794 - protect SFTKSlot needLogin with slotLock.
+ * bmo#1760998 - avoid data race on primary password change.
+ * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
+
+- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
+ rest of the DSA ciphers, keeping signature verification only
+ (bsc#1201298).
+- Update nss-fips-constructor-self-tests.patch to fix compiler
+ warning.
+
openldap2
+- bsc#1198341 - Prevent memory reuse which may lead to instability
+ * 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
+
perl-HTTP-Daemon
+- Fix request smuggling in HTTP::Daemon
+ (CVE-2022-31081, bsc#1201157)
+ * CVE-2022-31081.patch
+ * CVE-2022-31081-2.patch
+ * CVE-2022-31081-Add-new-test-for-Content-Length-issues.patch
+
procps
+- Add the patches
+ * procps-3.3.17-library-bsc1181475.patch
+ * procps-3.3.17-top-bsc1181475.patch
+ which are backports of current newlib tree to solve bug bsc#1181475
+ * 'free' command reports misleading "used" value
+
systemd
+- Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one
+ pointing to /usr/lib/systemd/ (bsc#1201795)
+
+- Update 1009-Drop-or-soften-some-of-the-deprecation-warnings.patch (jsc#PED-944)
+ To decrease log level of messages about use of KillMode=none from warning to
+ debug. SAP still uses this deprecated option and the warnings emitted by PID1
+ confuse both SAP customers and support.
+
+- Import commit 7b70d88264a588fdba36c6e7655d1feea2b0e0a0 (merge of v249.12)
+ For a complete list of changes, visit:
+ https://github.com/openSUSE/systemd/compare/4949659dd6ce81845e13034504fe06b85a02f08b...7b70d88264a588fdba36c6e7655d1feea2b0e0a0
+
+- Import commit 4949659dd6ce81845e13034504fe06b85a02f08b
+ 0f096f16ba tmpfiles: check the directory we were supposed to create, not its parent
+ 82c3793e43 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call
+ 2191a9ae95 logind: don't delay login for root even if systemd-user-sessions.service is not activated yet (bsc#1195059)
+
systemd-presets-common-SUSE
+- enable ignition-delete-config by default (bsc#1199524)
+
+- Modify branding-preset-states to fix systemd-presets-common-SUSE
+ not enabling new user systemd service preset configuration just
+ as it handles system service presets. By passing an (optional)
+ second parameter "user", the save/apply-changes commands now
+ work with user services instead of system ones (boo#1200485)
+
+- Add the wireplumber user service preset to enable it by default
+ in SLE15-SP4 where it replaced pipewire-media-session, but keep
+ pipewire-media-session preset so we don't have to branch the
+ systemd-presets-common-SUSE package for SP4 (boo#1200485)
+
timezone
+- Update to reflect new Chile DST change, bsc#1202310
+ * bsc1202310.patch
+
transactional-update
+- Version 4.0.1
+ - create_dirs_from_rpmdb: Just warn if no default SELinux context found
+ [gh#openSUSE/transactional-update#88], [bsc#1188215]
+ - create_dirs_from_rpmdb: Don't update the rpmdb cookie on failure
+ [gh#openSUSE/transactional-update#88]
+ - Handle directories owned by multiple packages
+ [gh#openSUSE/transactional-update#90], [bsc#1188215]
+
util-linux
+- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
+ util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
+- libmount: When moving a mount point, update all sub mount entries
+ in utab (bsc#1198731,
+ util-linux-libmount-moving-mount-point-sub-mounts.patch,
+ util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
+
util-linux-systemd
+- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
+ util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
+- libmount: When moving a mount point, update all sub mount entries
+ in utab (bsc#1198731,
+ util-linux-libmount-moving-mount-point-sub-mounts.patch,
+ util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
+
yast2
+- On transactional systems, inform the user that packages are
+ required to be installed manually (related to bsc#1199840)
+- 4.5.11
+
yast2-security
+- Do not crash when reading active LSM modules returns nil
+ (related to jsc#SLE-22069)
+- 4.5.1
+
yast2-tune
+- Added runtime dependency on hwinfo (bsc#1202651)
+- 4.5.1
+
yast2-users
+- AY: Fix writing ssh keys for user without specified home
+ (bsc#1201185)
+- 4.5.2
+
zlib
+- Fix heap-based buffer over-read or buffer overflow in inflate via
+ large gzip header extra field (bsc#1202175, CVE-2022-37434,
+ CVE-2022-37434-extra-header-1.patch,
+ CVE-2022-37434-extra-header-2.patch).
+