Removed rpms
============

 - p11-kit-nss-trust

Added rpms
==========

 - mozilla-nss-certs

Package Source Changes
======================

MozillaThunderbird
+- Mozilla Thunderbird 91.8
+  * changed: Google accounts using password authentication will
+    be migrated to OAuth2. See KB Article.
+  * fixed: OpenPGP ECC keys created by Thunderbird could not be
+    imported into GnuPG
+  * fixed: Exporting multiple public PGP keys from Thunderbird
+    was not possible
+  * fixed: Replying to a newsgroup message erroneously displayed
+    a "No-reply" popup warning
+  * fixed: Opening `mid:` URLs on macOS failed
+  * fixed: Address books stored in older formats were loaded as
+    SQLite files, causing a crash
+  * fixed: Replicated LDAP directories were lost after switching
+    Thunderbird to "Offline"`mode
+  * fixed: Importing webcals from the commandline failed if the
+    URI ended with an `.ics` file extension
+  * fixed: Various security fixes
+  MFSA 2022-15 (bsc#1197903)
+  * CVE-2022-1097 (bmo#1745667)
+    Use-after-free in NSSToken objects
+  * CVE-2022-28281 (bmo#1755621)
+    Out of bounds write due to unexpected WebAuthN Extensions
+  * CVE-2022-1197 (bmo#1754985)
+    OpenPGP revocation information was ignored
+  * CVE-2022-1196 (bmo#1750679)
+    Use-after-free after VR Process destruction
+  * CVE-2022-28282 (bmo#1751609)
+    Use-after-free in DocumentL10n::TranslateDocument
+  * CVE-2022-28285 (bmo#1756957)
+    Incorrect AliasSet used in JIT Codegen
+  * CVE-2022-28286 (bmo#1735265)
+    iframe contents could be rendered outside the border
+  * CVE-2022-24713 (bmo#1758509)
+    Denial of Service via complex regular expressions
+  * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508,
+    bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)
+    Memory safety bugs fixed in Thunderbird 91.8
+
+- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer,
+  faster buildhosts, as the others struggle to build TB.
+
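Review bot: the LDAP item in the 91.8 entry reads `"Offline"`mode`, where a stray backtick has replaced the space after "Offline"; it should read "Offline" mode. The first item also ends with "See KB Article." without a title or link, so the OAuth2 migration of Google accounts cannot be followed up from this changelog; add the reference.
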
branding-openSUSE
+- Skip *.tr files in /etc/bootsplash/themes/openSUSE/bootloader
+
dnsmasq
+- bsc#1197872, CVE-2022-0934, dnsmasq-CVE-2022-0934.patch:
+  Heap use after free in dhcp6_no_relay
+
hwdata
+- Update to version 0.357 (bsc#1196332):
+  + Updated pci, usb and vendor ids.
+
+- Update to version 0.356:
+  + Updated pci, usb and vendor ids.
+
hwinfo
+- merge gh#openSUSE/hwinfo#112
+- fix bug in determining serial console device name (bsc#1198043)
+- 21.81
+
+- merge gh#openSUSE/hwinfo#109
+- fix logic around cdrom detection
+- 21.80
+
+- merge gh#openSUSE/hwinfo#108
+- Donot close the open tray after read_cdrom_info.
+- Donot close the open tray after read.
+- 21.79
+
+- merge gh#openSUSE/hwinfo#106
+- Always read numerical 32bit serial number from EDID header.
+  Override this with ASCII serial number from display descriptor,
+  if available.
+- Display numerical 32bit serial number for monitors without serial
+  number display descriptor
+- 21.78
+
+- merge gh#openSUSE/hwinfo#105
+- Use license file from gnu.org
+- Fix spelling
+- Add missing final newline
+- Trim excess whitespace
+- Simple maintenance improvements
+- 21.77
+
+- merge gh#openSUSE/hwinfo#104
+- Fix timezone issue in SOURCE_DATE_EPOCH code
+- 21.76
+
+- merge gh#openSUSE/hwinfo#100
+- recognize loongarch64 architecture
+- 21.75
+
+- merge gh#openSUSE/hwinfo#98
+- update pci and usb ids
+- 21.74
+
+- merge gh#openSUSE/hwinfo#95
+- don't rely on select() updating its timeout arg (bsc#1184339)
+- 21.73
+
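Review bot: the 21.79 entry carries two nearly identical items, "Donot close the open tray after read_cdrom_info." and "Donot close the open tray after read."; "Donot" should be "Do not", and if both lines describe the same change, keep only the one that names read_cdrom_info.
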
kernel-default
+- intel_idle: add core C6 optimization for SPR (bsc#1198602).
+- commit d6fb753
+
+- intel_idle: add 'preferred_cstates' module argument
+  (bsc#1198602).
+- commit 0bc7d2b
+
+- intel_idle: add SPR support (bsc#1198602).
+- commit 2bc31de
+
+- Move upstreamed patches into sorted section
+- commit e93d073
+
+- SCSI: iscsi: fix iscsi_endpoint changes (bsc#1197685).
+- SCSI: iscsi: fix iscsi_cls_conn changes (bsc#1197685).
+- scsi: qedi: Fix failed disconnect handling (bsc#1197685).
+- scsi: iscsi: Fix NOP handling during conn recovery
+  (bsc#1197685).
+- scsi: iscsi: Fix unbound endpoint error handling (bsc#1197685).
+- scsi: iscsi: Fix conn cleanup and stop race during iscsid
+  restart (bsc#1197685).
+- scsi: iscsi: Fix endpoint reuse regression (bsc#1197685).
+- scsi: iscsi: Release endpoint ID when its freed (bsc#1197685).
+- scsi: iscsi: Fix offload conn cleanup when iscsid restarts
+  (bsc#1197685).
+- scsi: iscsi: Move iscsi_ep_disconnect() (bsc#1197685).
+- commit d5cdaca
+
+- Sorted using series_sort.py
+  Since sequence_patch required it.
+- commit 6bf7976
+
+- PCI: hv: Remove unused hv_set_msi_entry_from_desc()
+  (bsc#1198228).
+- commit b61cd71
+
+- x86/platform/uv: Log gap hole end size (bsc#1198417).
+- commit 8618bf4
+
+- x86/platform/uv: Update TSC sync state for UV5 (bsc#1198417).
+- commit 3d0fd26
+
+- x86/platform/uv: Update NMI Handler for UV5 (bsc#1198417).
+- commit 76ba15c
+
+- powerpc/numa: Handle partially initialized numa nodes
+  (bsc#1197658).
+- commit 061e1c6
+
+- SUNRPC: Ensure we flush any closed sockets before
+  xs_xprt_free() (bsc#1198330 CVE-2022-28893).
+- commit d2a1b78
+
+- Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb()
+  (bsc#1198228).
+- Drivers: hv: balloon: Disable balloon and hot-add accordingly
+  (bsc#1198228).
+- Drivers: hv: balloon: Support status report for larger page
+  sizes (bsc#1198228).
+- Drivers: hv: vmbus: Prevent load re-ordering when reading ring
+  buffer (bsc#1198228).
+- PCI: hv: Propagate coherence from VMbus device to PCI device
+  (bsc#1198228).
+- Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus
+  device (bsc#1198228).
+- Drivers: hv: vmbus: Fix initialization of device object in
+  vmbus_device_register() (git-fixes).
+- Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by
+  default in isolated guests (bsc#1183682).
+- PCI: hv: Avoid the retarget interrupt hypercall in irq_unmask()
+  on ARM64 (bsc#1198228).
+- x86/hyperv: Output host build info as normal Windows version
+  number (git-fixes).
+- commit 0c3a755
+
+- additional reference for arm64 erratum 1418040 (bsc#1198228).
+- commit 7a1dfd5
+
+- supported.conf: move kmem and dax_hmem to support list
+  Moved kmem and dax_hmem to support list. (bsc#1195953)
+- commit fdf232f
+
+- btrfs: fix lzo_decompress_bio() kmap leakage (bsc#1193852).
+- Revert "btrfs: compression: drop kmap/kunmap from lzo"
+  (bsc#1193852).
+- Revert "btrfs: compression: drop kmap/kunmap from zlib"
+  (bsc#1193852).
+- Revert "btrfs: compression: drop kmap/kunmap from zstd"
+  (bsc#1193852).
+- Revert "btrfs: compression: drop kmap/kunmap from generic
+  helpers" (bsc#1193852).
+- commit c24af5b
+
kexec-tools
+- kexec-tools-print-error-if-kexec_file_load-fails.patch: print
+  error if kexec_file_load fails (bsc#1197176).
+
libgcrypt
+- FIPS: extend the service indicator [bsc#1190700]
+  * introduced a pk indicator function
+  * adapted the approved and non approved ciphersuites
+  * Add libgcrypt_indicators_changes.patch
+  * Add libgcrypt-indicate-shake.patch
+
libglvnd
+- provide/obsolete Mesa-libGLESv1_CM1 and Mesa-libGLESv2-2 packages
+  (bsc#1196576)
+
libtirpc
+- add option to enforce connection via protocol version 2 first
+  (bsc#1196647)
+  add 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
+
libxml2
+- Security fix: [bsc#1196490, CVE-2022-23308]
+  * Use-after-free of ID and IDREF attributes.
+- Add libxml2-CVE-2022-23308.patch
+
mozilla-nss
+- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
+  makes the PBKDF known answer test compliant with NIST SP800-132.
+
+- Mozilla NSS 3.68.3 (bsc#1197903)
+  This release improves the stability of NSS when used in a multi-threaded
+  environment. In particular, it fixes memory safety violations that
+  can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
+  We presume that with enough effort these memory safety violations are exploitable.
+  * Remove token member from NSSSlot struct (bmo#1756271).
+  * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
+    (bmo#1755555).
+  * Check return value of PK11Slot_GetNSSToken (bmo#1370866).
+
net-snmp
+- Decouple snmp-mibs from net-snmp version to allow major version
+  upgrade (bsc#1196955).
+
open-iscsi
+- Updated to latest upstream, including bug fixes and cleanups.
+  Changes included:
+  * add handling name/value pairs for firmware login (bsc#1196113),
+    including man page update for same
+  * Fix bug where some package parts were installed using
+    DESTDIR twice
+  * general build cleanup (in prep for removing DB files from
+    /etc/iscsi some day soon)
+  Also, now delivering a "package config" file for libopeniscsiusr.
+
openjpeg2
+- Add security fixes:
+  openjpeg2-CVE-2018-5727.patch (CVE-2018-5727, bsc#1076314),
+  openjpeg2-CVE-2018-5785.patch (CVE-2018-5785, bsc#1076967),
+  openjpeg2-CVE-2018-6616.patch (CVE-2018-6616, bsc#1079845),
+  openjpeg2-CVE-2018-14423.patch (CVE-2018-14423, bsc#1102016),
+  openjpeg2-CVE-2018-16375.patch (CVE-2018-16375, bsc#1106882),
+  openjpeg2-CVE-2018-16376.patch (CVE-2018-16376, bsc#1106881),
+  openjpeg2-CVE-2018-20845.patch (CVE-2018-20845, bsc#1140130),
+  openjpeg2-CVE-2020-6851.patch (CVE-2020-6851, bsc#1160782),
+  openjpeg2-CVE-2020-8112.patch (CVE-2020-8112, bsc#1162090),
+  openjpeg2-CVE-2020-15389.patch (CVE-2020-15389, bsc#1173578),
+  openjpeg2-CVE-2020-27823.patch (CVE-2020-27823, bsc#1180457),
+  openjpeg2-CVE-2021-29338.patch (CVE-2021-29338, bsc#1184774),
+  openjpeg2-CVE-2022-1122.patch (CVE-2022-1122, bsc#1197738).
+
-- add libopenjp2.pc (demand introduced by ImageMagick 6.8.8-5)
-
patterns-base
+- Backports fips pattern from SLE15 SP4
+  * Since patterns_base has huge different compared to SLE ones,
+    backport fips pattern from SLE then fips pattern is not missing
+
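Review bot: the sub-item under "Backports fips pattern from SLE15 SP4" is hard to parse ("has huge different compared to SLE ones", "then fips pattern is not missing") and spells the package patterns_base although the heading is patterns-base. Something like "patterns-base differs considerably from the SLE package, so backport the fips pattern from SLE to make it available" would say the same thing; unlike most entries in this list, it also has no bug or feature reference.
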
s390-tools
+- Updated the cputype script to include the model number of IBM's
+  recently announced z16 processor.
+
+- Added the following patches for bsc#1198285:
+  s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
+  s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
+  The certificate verification of check_hostkeydoc is too strict and
+  doesn't match the checking performed by genprotimg.
+- Added the following patch for bsc#1198284:
+  s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
+  When re-enciphering the identity key and/or wrapping key of the
+  zkey KMIP plugin via 'zkey kms reencipher', the operation
+  completes without an error, but the secure keys are left
+  un-reenciphered.
+
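Review bot: the bsc#1198285 entry gives a rationale only for the check_hostkeydoc change (verification "too strict" and not matching genprotimg), while the first patch, by its file name, removes DigiCert root CA pinning from genprotimg and gets no explanation. Since both patches loosen certificate checks on the host key document, the changelog should state what the chain is verified against after the change, so that a reader can tell whether the trust anchor was widened or only moved.
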
systemd
+- Import commit 2bc0b2c447319a9156e7c5a18fe971f946554a6b
+  6256b14446 test: adapt install_pam() for openSUSE
+  3ea5b7e295 test: add test checking tmpfiles conf file precedence
+  e63e641ee8 test tmpfiles: add a test for 'w+'
+  b531758614 tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
+  ea98492c53 cryptsetup: fall back to traditional unlocking if any TPM2 operation fails
+- Move coredumpctl completion files into systemd-coredump sub-package.
+
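Review bot: of the imported commits, only b531758614 carries a bug reference (bsc#1198090), while ea98492c53 "cryptsetup: fall back to traditional unlocking if any TPM2 operation fails" changes how volumes are unlocked when TPM2 fails and has none. Add the tracking reference for that commit and say what "traditional unlocking" refers to, since administrators relying on TPM2-bound unlocking need to know which path is taken on failure.
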
webkit2gtk3:gtk3-soup2
-- Update to version 2.34.6:
+- Update to version 2.36.0 (boo#1198290):
+  + Add new accessibility implementation using ATSPI DBus
+    interfaces instead of ATK.
+  + Add support for requestVideoFrameCallback.
+  + Change hardware-acceleration-policy setting default value to
+    always.
+  + Add support for media session.
+  + Add new API to set HTTP response information to custom uri
+    schemes.
+  + Make user interactive threads (event handler, scrolling, …)
+    real time in linux.
+  + Security fixes: CVE-2022-22624, CVE-2022-22628, CVE-2022-22629.
+- Rebase no-forced-sse.patch.
+- Drop fix-warnings.patch and webkit2gtk3-link-fix.patch: fixed upstream.
+- Add webkit2gtk3-old-ruby.patch: fix a build failure.
+
+- Update to version 2.34.6 (boo#1196133):
+  + Security fixes: CVE-2022-22620.
-    CVE-2022-22594.
+    CVE-2022-22594, CVE-2022-22637.
wicked
+- version 0.6.69
+- redfish: decode smbios and setup host interface
+  Add initial support to decode the SMBIOS Management Controller Host
+  Interface (Type 42) structure and expose it as wicked `firmware:redfish`
+  configuration to setup a Host Network Interface (to the BMC) using the
+  `Redfish over IP` protocol allowing access to the Redfish Service (via
+  redfish-localhost in /etc/hosts) used to manage the computer system.
+  Tech Preview (jsc#SLE-17762).
+- buffer: fix size_t length downcast to uint, add guards to init functions
+- wireless: fix to not expect colons in 64byte long wpa-psk hex hash string
+- xml-schema: reference counting fix to not crash at exit on schema errors
+- compat-suse: match sysctl.d /etc vs. /run read order with systemd-sysctl,
+  remove obsolete (sle11/sysconfig) lines about ifup-sysctl from ifsysctl.5.
+- compat-suse: fix reading of sysctl addr_gen_mode to wrong variable
+- auto6: fix to apply DNS from RA rdnss after ifdown/ifup (bsc#1181429)
+- removed obsolete patch included in the master sources (bsc#1194392)
+  [- 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
+