Removed rpms
============


Added rpms
==========

 - wicked-nbft

Package Source Changes
======================

ImageMagick
+  fix CVE-2022-44267 [bsc#1207982], denial of service when parsing a PNG image
+  fix CVE-2022-44268 [bsc#1207983], arbitrary file disclosure when parsing a PNG image
+  + ImageMagick-CVE-2022-44267,44268.patch
+
+- security update
+- added patches
apr-util
+- security fix CVE-2022-25147, bsc#1207866: buffer overflow
+  possible with specially crafted input
+  + added patch apr-util-CVE-2022-25147.patch
+
bind
+- Update to release 9.16.37
+  Security Fixes:
+  * An UPDATE message flood could cause named to exhaust all
+    available memory. This flaw was addressed by adding a new
+    update-quota option that controls the maximum number of
+    outstanding DNS UPDATE messages that named can hold in a queue
+    at any given time (default: 100). (CVE-2022-3094)
+  * named could crash with an assertion failure when an RRSIG query
+    was received and stale-answer-client-timeout was set to a
+    non-zero value. This has been fixed. (CVE-2022-3736)
+  * named running as a resolver with the
+    stale-answer-client-timeout option set to any value greater
+    than 0 could crash with an assertion failure, when the
+    recursive-clients soft quota was reached. This has been fixed.
+    (CVE-2022-3924)
+  New Features:
+  * The new update-quota option can be used to control the number
+    of simultaneous DNS UPDATE messages that can be processed to
+    update an authoritative zone on a primary server, or forwarded
+    to the primary server by a secondary server. The default is
+    100. A new statistics counter has also been added to record
+    events when this quota is exceeded, and the version numbers for
+    the XML and JSON statistics schemas have been updated.
+  Feature Changes:
+  * The Differentiated Services Code Point (DSCP) feature in BIND
+    has been deprecated. Configuring DSCP values in named.conf now
+    causes a warning to be logged. Note that this feature has only
+    been partly operational since the new Network Manager was
+    introduced in BIND 9.16.0.
+  * The catalog zone implementation has been optimized to work with
+    hundreds of thousands of member zones.
+  Bug Fixes:
+  * In certain query resolution scenarios (e.g. when following
+    CNAME records), named configured to answer from stale cache
+    could return a SERVFAIL response despite a usable, non-stale
+    answer being present in the cache. This has been fixed.
+  [bsc#1207471, bsc#1207473, bsc#1207475, jsc#SLE-24600]
+
+- Update to release 9.16.36
+  Feature Changes:
+  * The auto-dnssec option has been deprecated and will be removed
+    in a future BIND 9.19.x release. Please migrate to
+    dnssec-policy.
+  Bug Fixes:
+  * When a catalog zone was removed from the configuration, in some
+    cases a dangling pointer could cause the named process to
+    crash.
+  * When a zone was deleted from a server, a key management object
+    related to that zone was inadvertently kept in memory and only
+    released upon shutdown. This could lead to constantly
+    increasing memory use on servers with a high rate of changes
+    affecting the set of zones being served.
+  * In certain cases, named waited for the resolution of
+    outstanding recursive queries to finish before shutting down.
+  * The zone <name>/<class>: final reference detached log message
+    was moved from the INFO log level to the DEBUG(1) log level to
+    prevent the named-checkzone tool from superfluously logging
+    this message in non-debug mode.
+  [jsc#SLE-24600]
+
curl
+- Security Fix: [bsc#1207992, CVE-2023-23916]
+  * HTTP multi-header compression denial of service
+  * Add curl-CVE-2023-23916.patch
+
+- Security Fixes:
+  * HSTS ignored on multiple requests [bsc#1207990, CVE-2023-23914]
+  * HSTS amnesia with --parallel [bsc#1207991, CVE-2023-23915]
+  * Add curl-CVE-2023-23914-23915.patch
+
f2fs-tools
+- Replace transitional %usrmerged macro with regular version check (boo#1206798)
+
graphite2
+- fixed license string [bsc#1207676]:
+  LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later
+
-- Remove harfbuzz dep. Breaks another buildcycle.
-  This effectively means we are not running tests. No functional
-  changes otherwise.
-
-- Remove texlive dep to remove dep circle.
-
-- Use rpath so the tests work.
-
-- Enable the tests. They work on 13.1 but fail on Factory...
-
-- Version bump to 1.2.4:
-  * Various bugfixes
-  * Expanded testsuite
-- Remove graphite2-arm.patch - applied upstream
-- Add patches from debian:
-  * soname.diff
-  * no-specific-nunit-version.diff
-- Run^Wdocument tests and generate documentation
-
-- Use cmake macros for nice and tidy setup.
-
-- Add baselibs.conf and provide libgraphite2-3-32bit, which is at
-  this moment required by harfbuzz.
-
-- graphite2-arm.patch :Fix build in arm and possible other platforms, we should
-  notuse -nodefaultlibs as a linker flag and let the system
-  do its job automatically.
-- freetype-devel should be freetype2-devel
-
-- license update: LGPL-2.1+ or GPL-2.0+ or MPL-1.1
-  See License file (most source code notices concur)
-
-- Whitespace trying to figure out why spec file is interpreted as
-  binary.
-
-- Fix desc not to mention libexttextcat.
-
-- Initial commit version 1.2.0.
-
kernel-default
+- aquantia: Do not purge addresses when setting the number of
+  rings (jsc#PED-1530).
+- commit 39a03b2
+
+- net: atlantic: macsec: clear encryption keys from the stack
+  (jsc#PED-1530).
+- commit 643f719
+
+- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530).
+- commit 4a9a64f
+
+- net: atlantic: fix potential memory leak in aq_ndev_close()
+  (jsc#PED-1530).
+- commit 719db2f
+
+- net: atlantic: remove aq_nic_deinit() when resume
+  (jsc#PED-1530).
+- commit ff2f581
+
+- net: atlantic: remove deep parameter on suspend/resume functions
+  (jsc#PED-1530).
+- commit 9e96b4d
+
+- net: atlantic:fix repeated words in comments (jsc#PED-1530).
+- commit d6d4ffb
+
+- net: atlantic: verify hw_head_ lies within TX buffer ring
+  (jsc#PED-1530).
+- commit 7059ede
+
+- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530).
+- commit e719b81
+
+- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530).
+- commit b04c254
+
+- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530).
+- commit 0263576
+
+- Update
+  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
+  (bsc#1207361 bsc#1207036 CVE-2023-23454).
+- commit 521fdca
+
+- Update
+  patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
+  (bsc#1207361 bc#1207125 CVE-2023-23455).
+- commit c8b6243
+
+- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511
+  CVE-2023-0468).
+- io_uring: make poll refs more robust (bsc#1207511
+  CVE-2023-0468).
+- io_uring: cmpxchg for poll arm refs release (bsc#1207511
+  CVE-2023-0468).
+- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
+- io_uring: update res mask in io_poll_check_events (bsc#1207511
+  CVE-2023-0468).
+- commit 4fe9bfe
+
+- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and
+  wakeups (bsc#1207100).
+- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100).
+- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100).
+- commit 9e5a117
+
+- fbdev: Fix invalid page access after closing deferred I/O
+  devices (bsc#1207284).
+- commit 6a8d940
+
+- ipmi:ssif: Add 60ms time internal between write retries
+  (bsc#1206459).
+- ipmi:ssif: Increase the message retry time (bsc#1206459).
+- commit 14626c0
+
less
+- Apply "cve-2022-46663.patch" to fix a vulnerability in less that
+  could be exploited for denial-of-service attacks or even remote
+  code execution by printing specially crafted escape sequences to
+  the terminal. [CVE-2022-46663, bsc#1207815]
+
mozilla-nss
+- update to NSS 3.79.4 (bsc#1208138)
+  * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
+    (CVE-2023-0767)
+
tiff
+  * CVE-2022-48281 [bsc#1207413]
+    + tiff-CVE-2022-48281.patch
+
+- security update:
yast2-bootloader
+- make secure boot for ppc64 consistent with how secure boot works
+  on other architectures (bsc#1206295)
+- 4.5.8
+
yast2-iscsi-client
+- Expose all core functionality from IscsiClientLib, with options
+  to suppress usage of pop-ups (related t gh#yast/d-installer#402).
+
+- Finish client: copy the content of both /etc/iscsi and
+  /var/lib/iscsi (bsc#1207374).
+- Finish client: never enable both the iscsid socket and the
+  service (partial fix for bsc#1207839).
+- 4.5.7
+
yast2-network
+- Fix calling method read on nil crash in bootloader caused by
+  not restoring SCR chroot in save_network client when running
+  in autoyast (bsc#1207968)
+- 4.5.16
+
yast2-packager
+- Prevent crash if nil dependencies instead of [] (bsc#1208068)
+- 4.5.14
+