Removed rpms
============

 - libavif13
 - libopenssl1_1-32bit
 - librav1e0

Added rpms
==========

 - bluez-obexd
 - libgsttranscoder-1_0-0
 - openssh-server-config-rootlogin

Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 115.8.0 ESR
+  * Fixed: Various security fixes and other quality improvements.
+- Mozilla Firefox ESR 115.8
+  MFSA 2024-UNKNOWN (bsc#1220048)
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1843752)
+    Out-of-bounds memory read in networking channels
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1877879)
+    Alert dialog could have been spoofed on another site
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1832627)
+    Fullscreen Notification could have been hidden by select
+    element
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1833814)
+    Custom cursor could obscure the permission dialog
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1860065)
+    Mouse cursor re-positioned unexpectedly could have led to
+    unintended permission grants
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1864385)
+    Multipart HTTP Responses would accept the Set-Cookie header
+    in response parts
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1874502)
+    Incorrect code generation on 32-bit ARM devices
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1855686, bmo#1867982, bmo#1871498,
+    bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
+    bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
+    bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
+    Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
+    and Thunderbird 115.8
+
+- Recommend libfido2-udev on codestreams that exist, in order to try
+  to get security keys (e.g. Yubikeys) work out of the box. (bsc#1184272)
+
-  Placeholder changelog-entry (bsc#1218955)
+  * Fixed: Various security fixes and other quality improvements.
+- Mozilla Firefox ESR 115.7
+  MFSA 2024-02 (bsc#1218955)
+  * CVE-2024-0741 (bmo#1864587)
+    Out of bounds write in ANGLE
+  * CVE-2024-0742 (bmo#1867152)
+    Failure to update user input timestamp
+  * CVE-2024-0746 (bmo#1660223)
+    Crash when listing printers on Linux
+  * CVE-2024-0747 (bmo#1764343)
+    Bypass of Content Security Policy when directive unsafe-
+    inline was set
+  * CVE-2024-0749 (bmo#1813463)
+    Phishing site popup could show local origin in address bar
+  * CVE-2024-0750 (bmo#1863083)
+    Potential permissions request bypass via clickjacking
+  * CVE-2024-0751 (bmo#1865689)
+    Privilege escalation through devtools
+  * CVE-2024-0753 (bmo#1870262)
+    HSTS policy on subdomain could bypass policy of upper domain
+  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
+    Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
+    and Thunderbird 115.7
autofs
+- Use %patch -P N instead of deprecated %patchN.
+
+- update to 5.1.9 (bsc#1219508)
+  * fix kernel mount status notification.
+  * fix fedfs build flags.
+  * fix set open file limit.
+  * improve descriptor open error reporting.
+  * fix root offset error handling.
+  * fix fix root offset error handling.
+  * fix nonstrict fail handling of last offset mount.
+  * dont fail on duplicate offset entry tree add.
+  * fix loop under run in cache_get_offset_parent().
+  * bailout on rpc systemerror.
+  * fix nfsv4 only mounts should not use rpcbind.
+  * simplify cache_add() a little.
+  * fix use after free in tree_mapent_delete_offset_tree().
+  * fix memory leak in xdr_exports().
+  * avoid calling pthread_getspecific() with NULL key_thread_attempt_id.
+  * fix sysconf(3) return handling.
+  * remove nonstrict parameter from tree_mapent_umount_offsets().
+  * fix handling of incorrect return from umount_ent().
+  * dont use initgroups() at spawn.
+  * fix bashism in configure.
+  * musl: fix missing include in hash.h.
+  * musl: define fallback dummy NSS config path
+  * musl: avoid internal stat.h definitions.
+  * musl: add missing include to hash.h for _WORDSIZE.
+  * musl: add missing include to log.h for pid_t.
+  * musl: define _SWORD_TYPE.
+  * add autofs_strerror_r() helper for musl.
+  * update configure.
+  * handle innetgr() not present in musl.
+  * fix missing unlock in sasl_do_kinit_ext_cc().
+  * fix a couple of null cache locking problems.
+  * restore gcc flags after autoconf Kerberos 5 check.
+  * prepare for OpenLDAP SASL binding.
+  * let OpenLDAP handle SASL binding.
+  * configure: LDAP function checks ignore implicit declarations.
+  * improve debug logging of LDAP binds.
+  * improve debug logging of SASL binds.
+  * internal SASL logging only in debug log mode.
+  * more comprehensive verbose logging for LDAP maps.
+  * fix invalid tsv access.
+  * support SCRAM for SASL binding.
+  * ldap_sasl_interactive_bind() needs credentials for auto-detection.
+  * fix autofs regression due to positive_timeout.
+  * fix parse module instance mutex naming.
+  * serialise lookup module open and reinit.
+  * coverity fix for invalid access.
+  * fix hosts map deadlock on restart.
+  * fix deadlock with hosts map reload.
+  * fix memory leak in update_hosts_mounts().
+  * fix minus only option handling in concat_options().
+  * fix incorrect path for is_mounted() in try_remount().
+  * fix additional tsv invalid access.
+  * fix use_ignore_mount_option description.
+  * include addtional log info for mounts.
+  * fail on empty replicated host name.
+  * improve handling of ENOENT in sss setautomntent().
+  * don't immediately call function when waiting.
+  * define LDAP_DEPRECATED during LDAP configure check.
+  * fix return status of mount_autofs().
+  * don't close lookup at umount.
+  * fix deadlock in lookups.
+  * dont delay expire.
+  * make amd mapent search function name clear.
+  * rename statemachine() to signal_handler().
+  * make signal handling consistent.
+  * eliminate last remaining state_pipe usage.
+  * add function master_find_mapent_by_devid().
+  * use device id to locate autofs_point when setting log priotity.
+  * add command pipe handling functions.
+  * switch to application wide command pipe.
+  * get rid of unused field submnt_count.
+  * fix mount tree startup reconnect.
+  * fix unterminated read in handle_cmd_pipe_fifo_message().
+  * fix memory leak in sasl_do_kinit()
+  * fix fix mount tree startup reconnect.
+  * fix amd selector function matching.
+  * get rid entry thid field.
+  * continue expire immediately after submount check.
+  * eliminate realpath from mount of submount.
+  * eliminate root param from autofs mount and umount.
+  * remove redundant fstat from do_mount_direct().
+  * get rid of strlen call in handle_packet_missing_direct().
+  * remove redundant stat call in lookup_ghost().
+  * set mapent dev and ino before adding to index.
+  * change to use printf functions in amd parser.
+  * dont call umount_subtree_mounts() on parent at umount.
+  * dont take parent source lock at mount shutdown.
+  * fix possible use after free in handle_mounts_exit().
+  * make submount cleanup the same as top level mounts.
+  * add soucre parameter to module functions.
+  * add ioctlfd open helper.
+  * make open files limit configurable.
+  * use correct reference for IN6 macro call.
+  * dont probe interface that cant send packet.
+  * fix some sss error return cases.
+  * fix incorrect matching of cached wildcard key.
+  * fix expire retry looping.
+  * allow -null map in indirect maps.
+  * fix multi-mount check.
+  * fix let OpenLDAP handle SASL binding.
+  * always recreate credential cache.
+  * fix ldap_parse_page_control() check.
+  * fix typo in create_cmd_pipe_fifo().
+  * add null check in master_kill().
+  * be more careful with cmd pipe at exit.
+  * rename configure.in to configure.ac.
+  * update autoconf macros.
+  * update autoconf release.
+  * update autofs release.
+- drop autofs-5-1-3-fix-unset-tsd-group-name-handling.patch, upstream
+  as ab8ca82 ("autofs-5.1.3 - fix unset tsd group name handling")
+- drop autofs-Test-TCP-request-correctly-in-nfs_get_info.patch,
+  superseded by 80845bb ("autofs-5.1.8 - fix nfsv4 only mounts should
+  not use rpcbind")
+- rebase autofs-5.1.1-dbus-udisks-monitor.patch atop 37fda2c
+  ("autofs-5.1.8 - add soucre parameter to module functions")
+
+- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
+  Fix off-by-one error in recursive map handling. (bsc#1209653)
+
+- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
+  Fix problem with quote handling
+  (bsc#1181715)
+
+- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
+  Fix locking problem that causes deadlock when sss used.
+  (bsc#1196485)
+
+- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
+  Suppress portmap calls when port explicitly given
+  (bsc#1195697)
+
+
+- Update pidfile path to /run from /var/run (bsc#1185155)
+
-- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
-  Fix off-by-one error in recursive map handling. (bsc#1209653)
-
-- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
-  Fix problem with quote handling
-  (bsc#1181715)
-
-- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
-  Fix locking problem that causes deadlock when sss used.
-  (bsc#1196485)
-
-- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
-  Suppress portmap calls when port explicitly given
-  (bsc#1195697)
-
-- Update pidfile path to /run from /var/run (bsc#1185155)
-
bluez
+- Add necessary Supplements (gnome-bluetooth, blueman, bluedevil5)
+  to bluez-obexd, so that file transfer features of the applications
+  can be used by default (bsc#1209153).
+- Update the description of bluez-obexd.
+
+- add fix-link-key-address-type.patch - thanks to
+  pallaswept for identifying the right patch for the pairing
+  regression
+
+- update to 5.71:
+  * Fix issue with not registering CSIS service.
+  * Fix issue with registering pairing callbacks.
+  * Fix issue with corruption during discovery filter parsing.
+- drop CVE-2023-45866.patch,
+  Fix-.device_probe-failing-if-SDP-record-is-not.patch: upstream
+- update bluez-disable-broken-tests.diff: disable failing vcp test
+
duktape
+- Ship libduktape206-32bit: needed by libproxy since version 0.5.
+
gcc7
+- Add gcc7-pr88345-min-func-alignment.diff to add support for
+  -fmin-function-alignment.  [bsc#1214934]
+
+- Use %{_target_cpu} to determine host and build.
+
gdm
+- Drop gdm-disable-wayland-on-mgag200-chipsets.patch: fixed
+  upstream since version 43.0.
+
glibc
+- Add libnsl1 to baselibs.conf (bsc#1219640)
+
glibc:i686
+- Add libnsl1 to baselibs.conf (bsc#1219640)
+
gnome-shell
+- Add gjs Requires, because ScreenSaver DBus daemon is a gjs
+  script. (bsc#1219359)
+
grub2
+- Fix grub.xen memdisk script doesn't look for /boot/grub/grub.cfg
+  (bsc#1219248) (bsc#1181762)
+  * grub2-xen-pv-firmware.cfg
+  * 0001-disk-Optimize-disk-iteration-by-moving-memdisk-to-th.patch
+
ipset
+- Update to release 7.21
+  * Save mode was broken; this was repaired.
+
+- Update to release 7.20
+  * Bash completion utility updated
+
+- Update to release 7.19
+  * Add json output to list command
+
+- Update to release 7.17
+  * No userspace changes (kernel modules are not generated
+    here for openSUSE, see kernel-default instead)
+
+- Update to release 7.16
+  * Add bitmask support to hash:netnet, hash:ipport, hash:ip
+  * Add support for new bitmask parameter
+
kernel-default
+- Refresh
+  patches.suse/dm_blk_ioctl-implement-path-failover-for-SG_IO.patch. (bsc#1216776, bsc#1220277)
+- commit 92057e0
+
+- supported.conf: Mark adin driver as supported (jsc#PED-4736 bsc#1220218)
+- commit ea21e8c
+
+- mm: move vma locking out of vma_prepare and dup_anon_vma
+  (bsc#1219558).
+- Refresh patches.suse/mm-mmap-fix-vma_merge-case-7.patch.
+- commit ce51ec9
+
+- mmap: fix error paths with dup_anon_vma() (bsc#1219558).
+- Refresh patches.suse/mm-mmap-fix-vma_merge-case-7.patch.
+- commit 04c8742
+
+- selftests/iommu: fix the config fragment (git-fixes).
+- platform/x86: thinkpad_acpi: Only update profile if successfully
+  converted (git-fixes).
+- platform/x86: intel-vbtn: Stop calling "VBDL" from
+  notify_handler (git-fixes).
+- platform/x86: touchscreen_dmi: Allow partial (prefix) matches
+  for ACPI names (git-fixes).
+- net: phy: realtek: Fix rtl8211f_config_init() for
+  RTL8211F(D)(I)-VD-CG PHY (git-fixes).
+- selftests: bonding: set active slave to primary eth1
+  specifically (git-fixes).
+- crypto: virtio/akcipher - Fix stack overflow on memcpy
+  (git-fixes).
+- can: netlink: Fix TDCO calculation using the old data bittiming
+  (git-fixes).
+- can: j1939: Fix UAF in j1939_sk_match_filter during
+  setsockopt(SO_J1939_FILTER) (git-fixes).
+- wifi: iwlwifi: mvm: fix a crash when we run out of stations
+  (git-fixes).
+- wifi: iwlwifi: uninitialized variable in
+  iwl_acpi_get_ppag_table() (git-fixes).
+- wifi: iwlwifi: Fix some error codes (git-fixes).
+- wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
+  (git-fixes).
+- spi-mxs: Fix chipselect glitch (git-fixes).
+- spi: ppc4xx: Drop write-only variable (git-fixes).
+- HID: wacom: generic: Avoid reporting a serial of '0' to
+  userspace (git-fixes).
+- HID: wacom: Do not register input devices until after
+  hid_hw_start (git-fixes).
+- commit aa892f5
+
+- mm, mmap: fix vma_merge() case 7 with vma_ops->close
+  (bsc#1217313).
+- commit 3278f37
+
+- Refresh
+  patches.suse/dm_blk_ioctl-implement-path-failover-for-SG_IO.patch.
+- commit 5d036a3
+
+- Rename and refresh
+  patches.suse/cpufreq-ondemand-Set-default-up_threshold-to-30-on-multi-core-systems.patch.
+- commit c52e450
+
+- netfilter: nft_set_rbtree: skip end interval element from gc
+  (bsc#1220144 CVE-2024-26581).
+- commit 66ac4ca
+
+- netfilter: nf_tables: nft_set_rbtree: fix spurious insertion
+  failure (git-fixes).
+- commit 1616b86
+
+- netfilter: nft_set_rbtree: skip sync GC for new elements in
+  this transaction (git-fixes).
+- commit fe02f5f
+
+- net: micrel: Fix PTP frame parsing for lan8814 (git-fixes).
+- commit fdde0d3
+
+- tun: add missing rx stats accounting in tun_xdp_act (git-fixes).
+- commit 54ceabf
+
+- tun: fix missing dropped counter in tun_xdp_act (git-fixes).
+- commit 81acbf0
+
+- Update patches.suse/powerpc-pseries-fix-accuracy-of-stolen-time.patch
+  (bsc#1215199 bsc#1220129 ltc#205683).
+- commit 3a6e250
+
+- nvme-fabrics: typo in nvmf_parse_key() (bsc#1219670).
+- commit aaaca39
+
+- scsi: ibmvfc: Open-code reset loop for target reset
+  (bsc#1220106).
+- commit d127e55
+
+- scsi: ibmvfc: Limit max hw queues by num_online_cpus()
+  (bsc#1220106).
+- commit 3ef410b
+
+- sched/membarrier: reduce the ability to hammer on sys_membarrier
+  (git-fixes).
+- commit 55d8e46
+
+- RDMA/srpt: fix function pointer cast warnings (git-fixes)
+- commit ddb0ea4
+
+- RDMA/qedr: Fix qedr_create_user_qp error flow (git-fixes)
+- commit f6e1202
+
+- RDMA/srpt: Support specifying the srpt_service_guid parameter (git-fixes)
+- commit 118994c
+
+- IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (git-fixes)
+- commit 86d2329
+
+- RDMA/irdma: Add AE for too many RNRS (git-fixes)
+- commit 39a8fd9
+
+- RDMA/irdma: Set the CQ read threshold for GEN 1 (git-fixes)
+- commit d6a78b2
+
+- RDMA/irdma: Validate max_send_wr and max_recv_wr (git-fixes)
+- commit 4ad24ee
+
+- RDMA/irdma: Fix KASAN issue with tasklet (git-fixes)
+- commit 3d431c6
+
+- IB/mlx5: Don't expose debugfs entries for RRoCE general parameters if not supported (git-fixes)
+- commit 5cf010f
+
+- RDMA/bnxt_re: Add a missing check in bnxt_qplib_query_srq (git-fixes)
+- commit e1fcbb3
+
+- RDMA/bnxt_re: Return error for SRQ resize (git-fixes)
+- commit 154ab68
+
+- RDMA/bnxt_re: Fix unconditional fence for newer adapters (git-fixes)
+- commit f16dc69
+
+- RDMA/bnxt_re: Remove a redundant check inside bnxt_re_vf_res_config (git-fixes)
+- commit ec51b18
+
+- RDMA/bnxt_re: Avoid creating fence MR for newer adapters (git-fixes)
+- commit 1e41e8f
+
+- IB/hfi1: Fix a memleak in init_credit_return (git-fixes)
+- commit 6060765
+
+- mm,page_owner: Update Documentation regarding page_owner_stacks
+  (jsc-PED#7423).
+- commit 84eb808
+
+- series.conf: temporarily disable upstream patch
+  patches.suse/md-bitmap-don-t-use-index-for-pages-backing-the-bitm-d703.patch
+  (bsc#1219261)
+- commit 57020cb
+
+- btrfs: don't clear qgroup reserved bit in release_folio
+  (bsc#1216196).
+- commit 3546ef4
+
+- btrfs: free qgroup pertrans reserve on transaction abort
+  (bsc#1216196).
+- commit 48e3e79
+
+- btrfs: fix qgroup_free_reserved_data int overflow (bsc#1216196).
+- commit 56f38ab
+
+- btrfs: free qgroup reserve when ORDERED_IOERR is set
+  (bsc#1216196).
+- commit c0918a8
+
+- net: openvswitch: limit the number of recursions from action
+  sets (bsc#1219835 CVE-2024-1151).
+- commit af45645
+
+- lib/stackdepot: add depot_fetch_stack helper (jsc-PED#7423).
+- commit 1be3e14
+
+- powerpc/pseries/iommu: DLPAR add doesn't completely initialize
+  pci_controller (bsc#1215199).
+- commit 5fb603b
+
+- igc: Remove temporary workaround (git-fixes).
+- commit eb132b5
+
+- igb: Fix string truncation warnings in igb_set_fw_version
+  (git-fixes).
+- commit 605f8bb
+
+- net: ravb: Count packets instead of descriptors in GbEth RX path
+  (git-fixes).
+- commit 2d0b099
+
+- pppoe: Fix memory leak in pppoe_sendmsg() (git-fixes).
+- commit 65a997a
+
+- ice: Add check for lport extraction to LAG init (git-fixes).
+- commit 5cd2e68
+
+- bnad: fix work_queue type mismatch (git-fixes).
+- commit 1a2a9a7
+
+- i40e: take into account XDP Tx queues when stopping rings
+  (git-fixes).
+- commit f377fcb
+
+- i40e: avoid double calling i40e_pf_rxq_wait() (git-fixes).
+- commit 925c60c
+
+- i40e: Fix wrong mask used during DCB config (git-fixes).
+- commit 498f506
+
+- i40e: Fix waiting for queues of all VSIs to be disabled
+  (git-fixes).
+- commit 4a4e88c
+
+- octeontx2-af: Remove the PF_FUNC validation for NPC transmit
+  rules (git-fixes).
+- commit 02c2bca
+
+- ionic: minimal work with 0 budget (git-fixes).
+- commit c0e1f7f
+
+- i40e: Do not allow untrusted VF to remove administratively
+  set MAC (git-fixes).
+- commit 530701b
+
+- lan966x: Fix crash when adding interface under a lag
+  (git-fixes).
+- commit 4cc5718
+
+- bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY (git-fixes).
+- commit 905320f
+
+- net/mlx5: DPLL, Fix possible use after free after delayed work
+  timer triggers (git-fixes).
+- commit 8d225a2
+
+- timers: Tag (hr)timer softirq as hotplug safe (git-fixes).
+- commit 37f54ca
+
+- blacklist.conf: false positive, fixed feature not backported
+- commit 6569781
+
+- Documentation: arm64: Correct SME ZA macros name (git-fixes).
+- commit 2f32046
+
+- docs: arm64: Move arm64 documentation under Documentation/arch/
+  (git-fixes).
+- Refresh
+  patches.suse/arm64-errata-Add-Cortex-A520-speculative-unprivilege.patch.
+- Refresh
+  patches.suse/arm64-errata-Mitigate-Ampere1-erratum-AC03_CPU_.patch.
+- Refresh
+  patches.suse/iommu-arm-smmu-v3-Document-MMU-700-erratum-281.patch.
+- Refresh
+  patches.suse/iommu-arm-smmu-v3-Document-nesting-related-err.patch.
+- Refresh
+  patches.suse/iommu-arm-smmu-v3-Work-around-MMU-600-erratum-.patch.
+- commit dbd8870
+
+- Delete
+  patches.suse/workqueue-Override-implicit-ordered-attribute-in-wor.patch.
+- blacklist.conf: the patch caused a regression and has been reverted
+  upstream (bsc#1219509)
+- commit 24b5f0d
+
+- Drop bcm5974 input patch causing a regression (bsc#1220030)
+- commit 63d5a46
+
+- lib/stackdepot: add refcount for records (jsc-PED#7423).
+- commit 150e517
+
+- net: qualcomm: rmnet: fix global oob in rmnet_policy
+  (git-fixes).
+- commit 890ecf9
+
+- Refresh
+  patches.suse/powerpc-pseries-papr-sysparm-use-u8-arrays-for-paylo.patch.
+- commit ee4a898
+
+- powerpc/64: Set task pt_regs->link to the LR value on scv entry
+  (bsc#1194869).
+- powerpc: add crtsavres.o to always-y instead of extra-y
+  (bsc#1194869).
+- powerpc/watchpoints: Annotate atomic context in more places
+  (bsc#1194869).
+- powerpc/watchpoint: Disable pagefaults when getting user
+  instruction (bsc#1194869).
+- powerpc/watchpoints: Disable preemption in thread_change_pc()
+  (bsc#1194869).
+- powerpc/pseries: Rework lppaca_shared_proc() to avoid
+  DEBUG_PREEMPT (bsc#1194869).
+- powerpc: Don't include lppaca.h in paca.h (bsc#1194869).
+- powerpc/powernv: Fix fortify source warnings in opal-prd.c
+  (bsc#1194869).
+- commit 72b942a
+
+- blacklist: Add more files for unsupported powerpc architectures
+- commit 47ca633
+
+- blacklist.conf: fix for config we don't have
+- commit 6278860
+
+- powerpc/kasan: Limit KASAN thread size increase to 32KB
+  (bsc#1215199).
+- commit a664cb1
+
+- leds: Change led_trigger_blink[_oneshot]() delay parameters
+  to pass-by-value (git-fixes).
+- commit a5e7aeb
+
+- usb: ucsi_acpi: Quirk to ack a connector change ack cmd
+  (git-fixes).
+- commit 3843488
+
+- nvme-keyring: restrict match length for version '1' identifiers
+  (bsc#1219670).
+- commit 131550a
+
+- Refresh sorted patches.
+- commit 6f4c0b8
+
+- block: sed-opal: handle empty atoms when parsing response
+  (jsc#PED-3545 git-fixes bsc#1220089 ltc#205305).
+- commit c7fe618
+
+- net: ravb: Wait for operating mode to be applied (git-fixes).
+- commit 40520b1
+
+- powerpc/pseries: fix accuracy of stolen time (bsc#1215199).
+- powerpc/64s: Increase default stack size to 32KB (bsc#1215199).
+- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
+  (bsc#1215199).
+- powerpc/lib: Validate size for vector operations (bsc#1215199).
+- commit b3e0008
+
+- powerpc/iommu: Fix the missing iommu_group_put() during platform
+  domain attach (jsc#PED-7779 jsc#PED-7780 git-fixes).
+- commit 06cae39
+
+- mm,page_owner: Filter out stacks by a threshold (jsc-PED#7423).
+- commit 4b9a1a9
+
+- net: bcmgenet: Fix FCS generation for fragmented skbuffs (git-fixes).
+- commit 15da81c
+
+- mm,page_owner: Display all stacks and their count
+  (jsc-PED#7423).
+- commit 582b35c
+
+- mm,page_owner: Implement the tracking of the stacks count
+  (jsc-PED#7423).
+- commit 9af4176
+
+- mm,page_owner: Maintain own list of stack_records structs
+  (jsc-PED#7423).
+- commit 332036c
+
+- lib/stackdepot: Move stack_record struct definition into the
+  header (jsc-PED#7423).
+- commit 19fef81
+
+- lib/stackdepot: Fix first entry having a 0-handle
+  (jsc-PED#7423).
+- commit 3666049
+
+- kallsyms: ignore ARMv4 thunks along with others (git-fixes).
+- modpost: trim leading spaces when processing source files list
+  (git-fixes).
+- kbuild: Fix changing ELF file type for output of gen_btf for
+  big endian (git-fixes).
+- irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update (git-fixes).
+- irqchip/irq-brcmstb-l2: Add write memory barrier before exit
+  (git-fixes).
+- i2c: i801: Fix block process call transactions (git-fixes).
+- i2c: qcom-geni: Correct I2C TRE sequence (git-fixes).
+- commit 65eebf2
+
+- nvme-fabrics: fix I/O connect error handling (git-fixes).
+- commit b81dbf7
+
+- xfs: reset XFS_ATTR_INCOMPLETE filter on node removal
+  (git-fixes).
+- commit 387ed3b
+
+- xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real
+  (git-fixes).
+- commit 73bc52b
+
+- xfs: don't leak recovered attri intent items (git-fixes).
+- commit 3311908
+
+- xfs: dquot recovery does not validate the recovered dquot
+  (git-fixes).
+- commit 11dd393
+
+- xfs: clean up dqblk extraction (git-fixes).
+- commit 2a55daa
+
+- xfs: inode recovery does not validate the recovered inode
+  (git-fixes).
+- commit eb71955
+
+- xfs: handle nimaps=0 from xfs_bmapi_write in
+  xfs_alloc_file_space (git-fixes).
+- commit a21b8a6
+
+- xfs: introduce protection for drop nlink (git-fixes).
+- commit c20e066
+
+- xfs: rt stubs should return negative errnos when rt disabled
+  (git-fixes).
+- commit 3d89caf
+
+- xfs: prevent rt growfs when quota is enabled (git-fixes).
+- commit fff2e4b
+
+- xfs: hoist freeing of rt data fork extent mappings (git-fixes).
+- commit 44ca58e
+
+- xfs: bump max fsgeom struct version (git-fixes).
+- commit 7d7701a
+
+- driver core: fw_devlink: Improve detection of overlapping cycles
+  (git-fixes).
+- driver core: Fix device_link_flag_is_sync_state_only()
+  (git-fixes).
+- iio: adc: ad4130: only set GPIO_CTRL if pin is unused
+  (git-fixes).
+- iio: adc: ad4130: zero-initialize clock init data (git-fixes).
+- iio: accel: bma400: Fix a compilation problem (git-fixes).
+- iio: commom: st_sensors: ensure proper DMA alignment
+  (git-fixes).
+- staging: iio: ad5933: fix type mismatch regression (git-fixes).
+- iio: adc: ad_sigma_delta: ensure proper DMA alignment
+  (git-fixes).
+- iio: imu: adis: ensure proper DMA alignment (git-fixes).
+- iio: imu: bno055: serdev requires REGMAP (git-fixes).
+- iio: magnetometer: rm3100: add boundary check for the value
+  read from RM3100_REG_TMRC (git-fixes).
+- iio: pressure: bmp280: Add missing bmp085 to SPI id table
+  (git-fixes).
+- iio: core: fix memleak in iio_device_register_sysfs (git-fixes).
+- thunderbolt: Fix setting the CNS bit in ROUTER_CS_5 (git-fixes).
+- media: ir_toy: fix a memleak in irtoy_tx (git-fixes).
+- media: Revert "media: rkisp1: Drop IRQF_SHARED" (git-fixes).
+- commit 7fba7be
+
+- ASoC: amd: yc: Fix non-functional mic on Lenovo 82UU
+  (git-fixes).
+- ALSA: hda/realtek: cs35l41: Add internal speaker support for
+  ASUS UM3402 with missing DSD (git-fixes).
+- ALSA: hda: cs35l41: Support ASUS Zenbook UM3402YAR (git-fixes).
+- ALSA: hda: cs35l41: Support additional ASUS Zenbook UX3402VA
+  (git-fixes).
+- ALSA: hda: Increase default bdl_pos_adj for Apollo Lake
+  (git-fixes).
+- ALSA: hda: Replace numeric device IDs with constant values
+  (git-fixes).
+- ALSA: hda: generic: Remove obsolete call to ledtrig_audio_get
+  (git-fixes).
+- ALSA: hda: Properly setup HDMI stream (git-fixes).
+- commit 65b7327
+
+- ALSA: hda: Add Lenovo Legion 7i gen7 sound quirk (git-fixes).
+- commit 2ab077c
+
+- ALSA: hda/realtek: fix mute/micmute LED For HP mt645
+  (git-fixes).
+- ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8
+  (git-fixes).
+- ALSA: hda/realtek: add IDs for Dell dual spk platform
+  (git-fixes).
+- ALSA: hda/conexant: Add quirk for SWS JS201D (git-fixes).
+- commit 96b23dc
+
+- ALSA: usb-audio: More relaxed check of MIDI jack names
+  (git-fixes).
+- ASoC: SOF: IPC3: fix message bounds on ipc ops (git-fixes).
+- ASoC: q6dsp: fix event handler prototype (git-fixes).
+- ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
+  (git-fixes).
+- ASoC: SOF: ipc3-topology: Fix pipeline tear down logic
+  (git-fixes).
+- ASoC: cs35l56: Fix deadlock in ASP1 mixer register
+  initialization (git-fixes).
+- ASoC: tas2781: add module parameter to tascodec_init()
+  (git-fixes).
+- ASoC: cs35l56: fix reversed if statement in
+  cs35l56_dspwait_asp1tx_put() (git-fixes).
+- ALSA: hda/realtek: cs35l41: Fix order and duplicates in quirks
+  table (git-fixes).
+- ALSA: hda/realtek: cs35l41: Fix device ID / model name
+  (git-fixes).
+- ALSA: hda/cs35l56: select intended config FW_CS_DSP (git-fixes).
+- wifi: brcmfmac: Adjust n_channels usage for __counted_by
+  (git-fixes).
+- USB: serial: option: add Fibocom FM101-GL variant (git-fixes).
+- USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
+  (git-fixes).
+- USB: serial: cp210x: add ID for IMST iM871A-USB (git-fixes).
+- usb: dwc3: pci: add support for the Intel Arrow Lake-H
+  (git-fixes).
+- xhci: handle isoc Babble and Buffer Overrun events properly
+  (git-fixes).
+- xhci: process isoc TD properly when there was a transaction
+  error mid TD (git-fixes).
+- usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK (git-fixes).
+- Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU
+  (git-fixes).
+- selftests/net: change shebang to bash to support "source"
+  (git-fixes).
+- selftests/net: convert pmtu.sh to run it in unique namespace
+  (git-fixes).
+- selftests/net: convert unicast_extensions.sh to run it in
+  unique namespace (git-fixes).
+- commit 1f8c296
+
+- scsi: smartpqi: Bump driver version to 2.1.26-030 (bsc#1219987).
+- scsi: smartpqi: Fix logical volume rescan race condition
+  (bsc#1219987).
+- scsi: smartpqi: Add new controller PCI IDs (bsc#1219987).
+- commit 343b48a
+
+- scsi: mpt3sas: Reload SBR without rebooting HBA (bsc#1219551).
+- scsi: mpt3sas: Suppress a warning in debug kernel (bsc#1219551).
+- scsi: mpt3sas: Replace dynamic allocations with local variables
+  (bsc#1219551).
+- scsi: mpt3sas: Replace a dynamic allocation with a local
+  variable (bsc#1219551).
+- scsi: mpt3sas: Fix typo of "TRIGGER" (bsc#1219551).
+- scsi: mpt3sas: Fix an outdated comment (bsc#1219551).
+- scsi: mpt3sas: Remove the iounit_pg8 member of the per-adapter
+  struct (bsc#1219551).
+- scsi: mpt3sas: Use struct_size() for struct size calculations
+  (bsc#1219551).
+- scsi: mpt3sas: Make MPI26_CONFIG_PAGE_PIOUNIT_1::PhyData a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_SASIOUNIT_1::PhyData a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_SASIOUNIT_0::PhyData a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_RAID_VOL_0::PhysDisk a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_IO_UNIT_8::Sensor a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Use flexible arrays when obviously possible
+  (bsc#1219551).
+- commit 472a48e
+
+- nvme: enable retries for authentication commands (bsc#1186716).
+- nvme: change __nvme_submit_sync_cmd() calling conventions
+  (bsc#1186716).
+- nvme-auth: open-code single-use macros (bsc#1186716).
+- nvme: use ctrl state accessor (bsc#1186716).
+- commit f8cc1d3
+
+- Delete patches.suse/scsi-lpfc-limit-irq-vectors-to-online-cpus-if-kdump-kernel.patch.
+  Should be addressed by the previously merged upstream solution (bsc#1218180 ltc#204476).
+- commit ebf5676
+
+- powerpc/smp: Remap boot CPU onto core 0 if >= nr_cpu_ids
+  (bsc#1218180 ltc#204476).
+- powerpc/smp: Factor out assign_threads() (bsc#1218180
+  ltc#204476).
+- powerpc/smp: Lookup avail once per device tree node (bsc#1218180
+  ltc#204476).
+- powerpc/smp: Increase nr_cpu_ids to include the boot CPU
+  (bsc#1218180 ltc#204476).
+- powerpc/smp: Adjust nr_cpu_ids to cover all threads of a core
+  (bsc#1218180 ltc#204476).
+- commit 4c4f84a
+
+- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
+- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
+- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
+- x86/entry_32: Add VERW just before userspace transition (git-fixes).
+- x86/entry_64: Add VERW just before userspace transition (git-fixes).
+- x86/bugs: Add asm helpers for executing VERW (git-fixes).
+- commit 6f2943c
+
+- net: ethernet: mtk_wed: fix possible NULL pointer dereference
+  in mtk_wed_wo_queue_tx_clean() (git-fixes).
+- commit f6c1c6f
+
+- net: ks8851: Fix TX stall caused by TX buffer overrun
+  (git-fixes).
+- commit 309032b
+
+- net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511
+  and above (git-fixes).
+- commit f51244f
+
+- net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511
+  and above (git-fixes).
+- commit 0cdf0a3
+
+- net: atlantic: fix double free in ring reinit logic (git-fixes).
+- commit 7354340
+
+- net: stmmac: Handle disabled MDIO busses from devicetree
+  (git-fixes).
+- commit be25be7
+
+- dpaa2-switch: do not ask for MDB, VLAN and FDB replay
+  (git-fixes).
+- commit c6e8879
+
+- dpaa2-switch: fix size of the dma_unmap (git-fixes).
+- commit 23ea26f
+
+- stmmac: dwmac-loongson: drop useless check for compatible
+  fallback (git-fixes).
+- commit 02807a5
+
+- stmmac: dwmac-loongson: Make sure MDIO is initialized before
+  use (git-fixes).
+- commit c27d9ce
+
+- net: fec: correct queue selection (git-fixes).
+- commit 7f02173
+
+- qca_spi: Fix reset behavior (git-fixes).
+- commit f971346
+
+- qca_debug: Fix ethtool -G iface tx behavior (git-fixes).
+- commit 87b783f
+
+- qca_debug: Prevent crash on TX ring changes (git-fixes).
+- commit a319e0e
+
+- clocksource: Replace all non-returning strlcpy with strscpy
+  (bsc#1219953).
+- commit b844ff1
+
+- x86/smpboot: Avoid pointless delay calibration if TSC is
+  synchronized (bsc#1219953).
+- commit 7dfe12b
+
+- rcutorture: Add fqs_holdoff check before fqs_task is created
+  (bsc#1219953).
+- commit d6f81ac
+
+- locktorture: Increase Hamming distance between call_rcu_chain
+  and rcu_call_chains (bsc#1219953).
+- commit 82380d1
+
+- asm-generic: qspinlock: fix queued_spin_value_unlocked()
+  implementation (bsc#1219953).
+- commit a3ab6e9
+
+- locktorture: Check the correct variable for allocation failure
+  (bsc#1219953).
+- commit 5884e2f
+
+- rcutorture: Traverse possible cpu to set maxcpu in
+  rcu_nocb_toggle() (bsc#1219953).
+- commit ac1c709
+
+- rcutorture: Replace schedule_timeout*() 1-jiffy waits with HZ/20
+  (bsc#1219953).
+- commit de5b047
+
+- locktorture: Rename readers_bind/writers_bind to
+  bind_readers/bind_writers (bsc#1219953).
+- commit 1dc09ec
+
+- doc: Catch-up update for locktorture module parameters
+  (bsc#1219953).
+- commit 19c054c
+
+- locktorture: Add call_rcu_chains module parameter (bsc#1219953).
+- commit 9348bbf
+
+- locktorture: Add new module parameters to
+  lock_torture_print_module_parms() (bsc#1219953).
+- commit 59c9dd5
+
+- torture: Print out torture module parameters (bsc#1219953).
+- commit f0a2f52
+
+- locktorture: Add acq_writer_lim to complain about long
+  acquistion times (bsc#1219953).
+- commit 495f129
+
+- locktorture: Consolidate "if" statements in
+  lock_torture_writer() (bsc#1219953).
+- commit 19cd3cf
+
+- locktorture: Alphabetize torture_param() entries (bsc#1219953).
+- commit 4d45162
+
+- locktorture: Add readers_bind and writers_bind module parameters
+  (bsc#1219953).
+- commit d4bab3f
+
+- rcutorture: Fix stuttering races and other issues (bsc#1219953).
+- commit 14a2209
+
+- torture: Move rcutorture_sched_setaffinity() out of rcutorture
+  (bsc#1219953).
+- commit ec64c16
+
+- torture: Make torture_hrtimeout_ns() take an hrtimer mode
+  parameter (bsc#1219953).
+- commit 7155d42
+
+- torture: Share torture_random_state with torture_shuffle_tasks()
+  (bsc#1219953).
+- commit abf8744
+
+- locking/lockdep: Fix string sizing bug that triggers a
+  format-truncation compiler-warning (bsc#1219953).
+- commit 23d08c5
+
+- locking/debug: Fix debugfs API return value checks to use
+  IS_ERR() (bsc#1219953).
+- commit 048609a
+
+- locking/ww_mutex/test: Make sure we bail out instead of livelock
+  (bsc#1219953).
+- commit 4038509
+
+- locking/ww_mutex/test: Fix potential workqueue corruption
+  (bsc#1219953).
+- commit def0333
+
+- locking/ww_mutex/test: Use prng instead of rng to avoid hangs
+  at bootup (bsc#1219953).
+- commit aacf9cc
+
+- asm-generic: ticket-lock: Optimize arch_spin_value_unlocked()
+  (bsc#1219953).
+- commit b967504
+
+- futex: Use a folio instead of a page (bsc#1219953).
+- commit a11123c
+
+- locking/seqlock: Do the lockdep annotation before locking in
+  do_write_seqcount_begin_nested() (bsc#1219953).
+- commit d372072
+
+- rcutorture: Stop right-shifting torture_random() return values
+  (bsc#1219953).
+- commit a88dc75
+
+- torture: Stop right-shifting torture_random() return values
+  (bsc#1219953).
+- commit 9c51efc
+
+- torture: Move stutter_wait() timeouts to hrtimers (bsc#1219953).
+- commit 8bcefe1
+
+- torture: Move torture_shuffle() timeouts to hrtimers
+  (bsc#1219953).
+- commit 24edc78
+
+- torture: Move torture_onoff() timeouts to hrtimers
+  (bsc#1219953).
+- commit c16d2c1
+
+- torture: Make torture_hrtimeout_*() use TASK_IDLE (bsc#1219953).
+- commit 15e523b
+
+- torture: Add lock_torture writer_fifo module parameter
+  (bsc#1219953).
+- commit 86a51c8
+
+- torture: Add a kthread-creation callback to
+  _torture_create_kthread() (bsc#1219953).
+- commit a568efe
+
+- torture: Support randomized shuffling for proxy exec testing
+  (bsc#1219953).
+- commit dfb6658
+
+- rcutorture: Dump grace-period state upon rtort_pipe_count
+  incidents (bsc#1219953).
+- commit 39c3645
+
+- powerpc/kcsan: Properly instrument arch_spin_unlock()
+  (bsc#1219953).
+- commit 49ef44f
+
+- locktorture: Add long_hold to adjust lock-hold delays
+  (bsc#1219953).
+- commit 21a09d3
+
+- intel_idle: add Sierra Forest SoC support (jsc#PED-5816).
+- commit d8dfa47
+
+- intel_idle: add Grand Ridge SoC support (jsc#PED-5816).
+- commit be47fec
+
+- powerpc/pseries/papr-sysparm: use u8 arrays for payloads
+  (jsc#PED-4486 git-fixes).
+- commit 8b94284
+
+- PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value
+  (git-fixes).
+- commit a77e06b
+
+- PCI: dwc: Drop host prefix from struct dw_pcie_host_ops members
+  (git-fixes).
+- commit 4a87954
+
+- PCI: dwc: endpoint: Introduce .pre_init() and .deinit()
+  (git-fixes).
+- commit 75c1ddc
+
+- PCI: dwc: Add host_post_init() callback (git-fixes).
+- commit 5c6ab40
+
+- PCI: dwc: Implement generic suspend/resume functionality
+  (git-fixes).
+- commit 42b5947
+
+- dmaengine: dw-edma: Rename dw_edma_core_ops structure to
+  dw_edma_plat_ops (git-fixes).
+- commit a3742cf
+
+- blacklist.conf: obsoleted
+- commit c534e08
+
+- PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()
+  (git-fixes).
+- commit 686e708
+
+- PCI: dwc: Use FIELD_GET/PREP() (git-fixes).
+- commit 34f9411
+
+- PCI/ASPM: Fix deadlock when enabling ASPM (git-fixes).
+- commit aa4d6dc
+
+- PCI: qcom: Clean up ASPM comment (git-fixes).
+- commit a57ad60
+
+- PCI: qcom: Fix potential deadlock when enabling ASPM
+  (git-fixes).
+- commit adc25b6
+
+- PCI: qcom: Enable ASPM for platforms supporting 1.9.0 ops
+  (git-fixes).
+- commit c63fc13
+
+- PCI: qcom: Use PCIE_SPEED2MBS_ENC() macro for encoding link
+  speed (git-fixes).
+- commit a80c081
+
+- PCI: qcom: Do not advertise hotplug capability for IP v2.1.0
+  (git-fixes).
+- commit 756f736
+
+- PCI: qcom: Do not advertise hotplug capability for IP v1.0.0
+  (git-fixes).
+- commit 00fef1b
+
+- PCI: qcom: Use post init sequence of IP v2.3.2 for v2.4.0
+  (git-fixes).
+- commit 2132a8c
+
+- PCI: qcom: Do not advertise hotplug capability for IP v2.3.2
+  (git-fixes).
+- commit 1e670bc
+
+- PCI: qcom: Do not advertise hotplug capability for IPs v2.3.3
+  and v2.9.0 (git-fixes).
+- commit 2b2b866
+
+- PCI: qcom: Do not advertise hotplug capability for IPs v2.7.0
+  and v1.9.0 (git-fixes).
+- commit c7b4716
+
+- blacklist.conf: false positive
+- commit 88b8f1d
+
+- x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
+  (git-fixes).
+- commit 5367630
+
+- pm: Introduce DEFINE_NOIRQ_DEV_PM_OPS() helper (git-fixes).
+- commit 3f9a915
+
+- platform: mellanox: Cosmetic changes (git-fixes).
+- commit 201fef6
+
+- blacklist.conf: false positive
+- commit 569fb89
+
+- blacklist.conf: stupid cleanup
+- commit 7489b61
+
+- platform/mellanox: mlxbf-bootctl: add NET dependency into
+  Kconfig (git-fixes).
+- commit c7f1631
+
+- platform/chrome: cros_ec_lpc: Remove EC panic shutdown timeout
+  (git-fixes).
+- commit d61129c
+
+- maple_tree: do not preallocate nodes for slot stores
+  (bsc#1219404).
+- commit 2307e38
+
+- mm: always lock new vma before inserting into vma tree
+  (bsc#1219558).
+- commit 4dd5f88
+
+- mm: lock vma explicitly before doing vm_flags_reset and
+  vm_flags_reset_once (bsc#1219558).
+- commit 3ebd604
+
+- mm: replace mmap with vma write lock assertions when operating
+  on a vma (bsc#1219558).
+- commit 50e3b4d
+
+- mm: for !CONFIG_PER_VMA_LOCK equate write lock assertion for
+  vma and mmap (bsc#1219558).
+- commit b999b29
+
+- mmap: fix vma_iterator in error path of vma_merge()
+  (bsc#1219558).
+- commit af3b8c0
+
+- mm: fix vm_brk_flags() to not bail out while holding lock
+  (bsc#1219558).
+- commit 817bef2
+
+- mm/mmap: change vma iteration order in do_vmi_align_munmap()
+  (bsc#1219558).
+- commit 8f876cd
+
+- mm: set up vma iterator for vma_iter_prealloc() calls
+  (bsc#1219558).
+- commit 2d402b6
+
+- mm: use vma_iter_clear_gfp() in nommu (bsc#1219558).
+- commit 666385f
+
+- mm: remove re-walk from mmap_region() (bsc#1219558).
+- commit 85c7321
+
+- mm: remove prev check from do_vmi_align_munmap() (bsc#1219558).
+- commit d77a7e1
+
+- mm: change do_vmi_align_munmap() tracking of VMAs to remove
+  (bsc#1219558).
+- commit 595be09
+
+- mm/mmap: clean up validate_mm() calls (bsc#1219558).
+- Refresh patches.suse/mm-re-introduce-vm_flags-to-do_mmap.patch.
+- commit 5726712
+
+- mm/mmap: move vma operations to mm_struct out of the critical
+  section of file mapping lock (bsc#1219558).
+- commit 4a16ce1
+
+- maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states
+  (bsc#1219558).
+- maple_tree: add mas_is_active() to detect in-tree walks
+  (bsc#1219558).
+- maple_tree: shrink struct maple_tree (bsc#1219558).
+- maple_tree: clean up mas_wr_append() (bsc#1219558).
+- maple_tree: reduce resets during store setup (bsc#1219558).
+- maple_tree: refine mas_preallocate() node calculations
+  (bsc#1219558).
+- maple_tree: move mas_wr_end_piv() below mas_wr_extend_null()
+  (bsc#1219558).
+- maple_tree: adjust node allocation on mas_rebalance()
+  (bsc#1219558).
+- maple_tree: re-introduce entry to mas_preallocate() arguments
+  (bsc#1219558).
+- commit 911aa39
+
+- maple_tree: introduce __mas_set_range() (bsc#1219558).
+- maple_tree: add benchmarking for mas_prev() (bsc#1219558).
+- maple_tree: add benchmarking for mas_for_each (bsc#1219558).
+- maple_tree: Be more strict about locking (bsc#1219558).
+- mm/mmap: change detached vma locking scheme (bsc#1219558).
+- maple_tree: relax lockdep checks for on-stack trees
+  (bsc#1219558).
+- maple_tree: mtree_insert: fix typo in kernel-doc description
+  of GFP flags (bsc#1219558).
+- maple_tree: mtree_insert*: fix typo in kernel-doc description
+  (bsc#1219558).
+- maple_tree: drop mas_first_entry() (bsc#1219558).
+- maple_tree: replace mas_logical_pivot() with mas_safe_pivot()
+  (bsc#1219558).
+- commit a3884af
+
+- maple_tree: update mt_validate() (bsc#1219558).
+- maple_tree: make mas_validate_limits() check root node and
+  node limit (bsc#1219558).
+- maple_tree: fix mas_validate_child_slot() to check last missed
+  slot (bsc#1219558).
+- maple_tree: make mas_validate_gaps() to check metadata
+  (bsc#1219558).
+- maple_tree: don't use MAPLE_ARANGE64_META_MAX to indicate no
+  gap (bsc#1219558).
+- maple_tree: add a fast path case in mas_wr_slot_store()
+  (bsc#1219558).
+- maple_tree: optimize mas_wr_append(), also improve duplicating
+  VMAs (bsc#1219558).
+- maple_tree: add test for mas_wr_modify() fast path
+  (bsc#1219558).
+- maple_tree: fix a few documentation issues (bsc#1219558).
+- commit ed58165
+
+- vm: fix move_vma() memory accounting being off (bsc#1219404).
+- commit 8061f6c
+
+- mm: Update do_vmi_align_munmap() return semantics (bsc#1219404).
+- Refresh patches.suse/mm-re-introduce-vm_flags-to-do_mmap.patch.
+- commit 7580cf9
+
+- mm: don't do validate_mm() unnecessarily and without mmap
+  locking (bsc#1219404).
+- mm: validate the mm before dropping the mmap lock (bsc#1219404).
+- mm: Always downgrade mmap_lock if requested (bsc#1219404).
+- userfaultfd: fix regression in userfaultfd_unmap_prep()
+  (bsc#1219404).
+- mm/mmap: separate writenotify and dirty tracking logic
+  (bsc#1219404).
+- commit b6ee33d
+
+- maple_tree: add comments and some minor cleanups to
+  mas_wr_append() (bsc#1219404).
+- Refresh
+  patches.suse/maple_tree-disable-mas_wr_append-when-other-re.patch.
+- commit 8ab650e
+
+- maple_tree: relocate the declaration of mas_empty_area_rev()
+  (bsc#1219404).
+- maple_tree: simplify and clean up mas_wr_node_store()
+  (bsc#1219404).
+- maple_tree: rework mas_wr_slot_store() to be cleaner and more
+  efficient (bsc#1219404).
+- maple_tree: add mas_wr_new_end() to calculate new_end accurately
+  (bsc#1219404).
+- maple_tree: make the code symmetrical in mas_wr_extend_null()
+  (bsc#1219404).
+- maple_tree: simplify mas_is_span_wr() (bsc#1219404).
+- maple_tree: drop mas_{rev_}alloc() and mas_fill_gap()
+  (bsc#1219404).
+- maple_tree: rework mtree_alloc_{range,rrange}() (bsc#1219404).
+- commit d2740e9
+
+- maple_tree: update testing code for mas_{next,prev,walk}
+  (bsc#1219404).
+- Refresh
+  patches.suse/maple_tree-fix-32-bit-mas_next-testing.patch.
+- commit befb467
+
+- mm: avoid rewalk in mmap_region (bsc#1219404).
+- mm: add vma_iter_{next,prev}_range() to vma iterator
+  (bsc#1219404).
+- maple_tree: clear up index and last setting in single entry tree
+  (bsc#1219404).
+- maple_tree: add mas_prev_range() and mas_find_range_rev
+  interface (bsc#1219404).
+- maple_tree: introduce mas_prev_slot() interface (bsc#1219404).
+- maple_tree: relocate mas_rewalk() and mas_rewalk_if_dead()
+  (bsc#1219404).
+- maple_tree: add mas_next_range() and mas_find_range() interfaces
+  (bsc#1219404).
+- maple_tree: introduce mas_next_slot() interface (bsc#1219404).
+- maple_tree: change RCU checks to WARN_ON() instead of BUG_ON()
+  (bsc#1219404).
+- commit ac1cd44
+
+- maple_tree: make test code work without debug enabled
+  (bsc#1219404).
+- Refresh
+  patches.suse/maple_tree-add-GFP_KERNEL-to-allocations-in-mas_expe.patch.
+- commit c5591fa
+
+- maple_tree: fix testing mas_empty_area() (bsc#1219404).
+- maple_tree: revise limit checks in mas_empty_area{_rev}()
+  (bsc#1219404).
+- maple_tree: try harder to keep active node with mas_prev()
+  (bsc#1219404).
+- maple_tree: try harder to keep active node after mas_next()
+  (bsc#1219404).
+- mm/mmap: change do_vmi_align_munmap() for maple tree iterator
+  changes (bsc#1219404).
+- maple_tree: mas_start() reset depth on dead node (bsc#1219404).
+- maple_tree: remove unnecessary check from mas_destroy()
+  (bsc#1219404).
+- mm: update vma_iter_store() to use MAS_WARN_ON() (bsc#1219404).
+- mm: update validate_mm() to use vma iterator (bsc#1219404).
+- commit b5f7997
+
+- maple_tree: return error on mte_pivots() out of range
+  (bsc#1219404).
+- maple_tree: use MAS_BUG_ON() prior to calling mas_meta_gap()
+  (bsc#1219404).
+- maple_tree: use MAS_WR_BUG_ON() in mas_store_prealloc()
+  (bsc#1219404).
+- maple_tree: use MAS_BUG_ON() in mas_set_height() (bsc#1219404).
+- maple_tree: convert debug code to use MT_WARN_ON() and
+  MAS_WARN_ON() (bsc#1219404).
+- maple_tree: convert BUG_ON() to MT_BUG_ON() (bsc#1219404).
+- maple_tree: clean up mas_dfs_postorder() (bsc#1219404).
+- maple_tree: avoid unnecessary ascending (bsc#1219404).
+- maple_tree: fix static analyser cppcheck issue (bsc#1219404).
+- commit e7b5e3b
+
+- maple_tree: update mas_preallocate() testing (bsc#1219404).
+- commit 49b074b
+
+- livepatch: Add sample livepatch module (bsc#1218644).
+- commit 87a7c27
+
+- kbuild/modpost: integrate klp-convert (bsc#1218644).
+- commit 1f6875e
+
+- livepatch: Add klp-convert tool (bsc#1218644).
+- commit dd2884f
+
+- livepatch: Create and include UAPI headers (bsc#1218644).
+- commit d3771a8
+
+- dm: dm_blk_ioctl: implement path failover for SG_IO (bsc#1183045, bsc#1216776).
+- commit 41f0e96
+
libvirt
+- Add SLE virtiofsd path to apparmor profiles
+  bsc#1219772
+
+- Fix return value when libnetcontrol fails to initialize
+  boo#1219986
+
mdadm
+- Update mdadm-4.3 to latest status (jsc#PED-7542)
+  - Remove hardcoded checkpoint interval checking
+    0001-Remove-hardcoded-checkpoint-interval-checking.patch
+  - monitor: refactor checkpoint update
+    0002-monitor-refactor-checkpoint-update.patch
+  - Super-intel: Fix first checkpoint restart
+    0003-Super-intel-Fix-first-checkpoint-restart.patch
+  - Grow: Move update_tail assign to Grow_reshape()
+    0004-Grow-Move-update_tail-assign-to-Grow_reshape.patch
+  - Add understanding output section in man
+    0005-Add-understanding-output-section-in-man.patch
+
+- Upgrade to mdadm-4.3 (jsc#PED-7542). Besides the previously
+  backported patches, mdadm-4.3 has the following extra changes since
+  the last update, up to commit 582945c2d3bb:
+  - Fix null pointer for incremental in mdadm.
+  - Super1: fix truncation check for journal device.
+  - Fix some cases eyesore formatting.
+  - Bump minimum kernel version to 2.6.32.
+  - Remove the config files in mdcheck_start|continue service.
+  - Define DEV_MD_DIR, DEV_NUM_PREF, is_devname_ignore(),
+    ident_set_devname().
+  - Enable RAID for SATA under VMD.
+  - Imsm: Fix possible segfault in check_no_platform()
+  - Imsm refactor on imsm_get_free_size(), merge_extents().
+  - Imsm: return free space after volume for expand.
+  - Imsm: fix free space calculations.
+  - Add secure gethostname() wrapper.
+  - mdadm: Stop mdcheck_continue timer when mdcheck_start service can
+    finish check.
+  - Fix memory leak in files Assemble.c, Kill.c, Manage.c, mdadm.c.
+  - Fix unsafe string functions.
+  - platform-intel: limit guid length.
+  - Imsm: Add reading vmd register for finding imsm capability.
+  - Add compiler defenses flags.
+  - Assemble: fix redundant memory free.
+  - More regression test cases added into tests.
+  - Mdadm: set ident.devname if applicable.
+  - Mdadm: refactor ident->name handling.
+  - Mdadm: Follow POSIX Portable Character Set.
+  - Incremental: remove obsoleted calls to udisks.
+  - Fix race of "mdadm --add" and "mdadm --incremental".
+  - mdadm/ddf: Abort when raid disk is smaller in getinfo_super_ddf.
+  - mdadm/super1: Add MD_FEATURE_RAID0_LAYOUT if kernel>=5.4.
+  - Fix assembling RAID volume by using incremental.
+  - Mdmonitor: Improve udev event handling.
+  - Udev: Move udev_block() and udev_unblock() into udev.c.
+  - Manage: adjust checking subarray state in update_subarray.
+  - Super1: remove support for name= in config.
+  - Mdadm: fix update=resync regression.
+- Rebase to keep consistent behavior for current code base.
+  - 1004-call-mdadm_env.sh-from-usr-libexec-mdadm.patch
+- The following patches are moved from package because they are all
+  included in mdadm-4.3,
+  - 0001-Unify-error-message.patch
+  - 0002-mdadm-Fix-double-free.patch
+  - 0003-Grow_reshape-Add-r0-grow-size-error-message-and-upda.patch
+  - 0004-udev-adapt-rules-to-systemd-v247.patch
+  - 0005-Replace-error-prone-signal-with-sigaction.patch
+  - 0006-mdadm-Respect-config-file-location-in-man.patch
+  - 0007-mdadm-Update-ReadMe.patch
+  - 0008-mdadm-Update-config-man-regarding-default-files-and-.patch
+  - 0009-mdadm-Update-config-manual.patch
+  - 0010-Create-Build-use-default_layout.patch
+  - 0011-mdadm-add-map_num_s.patch
+  - 0012-mdmon-Stop-parsing-duplicate-options.patch
+  - 0013-Grow-block-n-on-external-volumes.patch
+  - 0014-Incremental-Fix-possible-memory-and-resource-leaks.patch
+  - 0015-Mdmonitor-Fix-segfault.patch
+  - 0016-Mdmonitor-Improve-logging-method.patch
+  - 0017-Fix-possible-NULL-ptr-dereferences-and-memory-leaks.patch
+  - 0018-imsm-Remove-possibility-for-get_imsm_dev-to-return-N.patch
+  - 0019-Revert-mdadm-fix-coredump-of-mdadm-monitor-r.patch
+  - 0020-util-replace-ioctl-use-with-function.patch
+  - 0021-mdadm-super1-restore-commit-45a87c2f31335-to-fix-clu.patch
+  - 0022-imsm-introduce-get_disk_slot_in_dev.patch
+  - 0023-imsm-use-same-slot-across-container.patch
+  - 0024-imsm-block-changing-slots-during-creation.patch
+  - 0025-mdadm-block-update-ppl-for-non-raid456-levels.patch
+  - 0026-mdadm-Fix-array-size-mismatch-after-grow.patch
+  - 0027-mdadm-Remove-dead-code-in-imsm_fix_size_mismatch.patch
+  - 0028-Monitor-use-devname-as-char-array-instead-of-pointer.patch
+  - 0029-Monitor-use-snprintf-to-fill-device-name.patch
+  - 0030-Makefile-Don-t-build-static-build-with-everything-an.patch
+  - 0031-DDF-Cleanup-validate_geometry_ddf_container.patch
+  - 0032-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch
+  - 0033-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch
+  - 0034-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch
+  - 0035-mdadm-Fix-mdadm-r-remove-option-regression.patch
+  - 0036-mdadm-Fix-optional-write-behind-parameter.patch
+  - 0037-mdadm-Replace-obsolete-usleep-with-nanosleep.patch
+  - 0038-mdadm-remove-symlink-option.patch
+  - 0039-mdadm-move-data_offset-to-struct-shape.patch
+  - 0040-mdadm-Don-t-open-md-device-for-CREATE-and-ASSEMBLE.patch
+  - 0041-Grow-Split-Grow_reshape-into-helper-function.patch
+  - 0042-Assemble-check-if-device-is-container-before-schedul.patch
+  - 0043-super1-report-truncated-device.patch
+  - 0044-mdadm-Correct-typos-punctuation-and-grammar-in-man.patch
+  - 0046-Monitor-Fix-statelist-memory-leaks.patch
+  - 0047-mdadm-added-support-for-Intel-Alderlake-RST-on-VMD-p.patch
+  - 0048-mdadm-Add-Documentation-entries-to-systemd-services.patch
+  - 0049-ReadMe-fix-command-line-help.patch
+  - 0050-mdadm-replace-container-level-checking-with-inline.patch
+  - 0051-Mdmonitor-Omit-non-md-devices.patch
+  - 0052-mdmon-fix-segfault.patch
+  - 0053-util-remove-obsolete-code-from-get_md_name.patch
+  - 0054-mdmon-don-t-test-both-all-and-container_name.patch
+  - 0055-mdmon-change-systemd-unit-file-to-use-foreground.patch
+  - 0056-mdmon-Remove-need-for-KillMode-none.patch
+  - 0057-mdmon-Improve-switchroot-interactions.patch
+  - 0058-mdopen-always-try-create_named_array.patch
+  - 0059-Improvements-for-IMSM_NO_PLATFORM-testing.patch
+  - 0060-Grow-fix-possible-memory-leak.patch
+  - 0061-Grow-fix-can-t-change-bitmap-type-from-none-to-clustered.patch
+  - 0062-Manage-Block-unsafe-member-failing.patch
+  - 0063-Mdmonitor-Split-alert-into-separate-functions.patch
+  - 0064-Monitor-block-if-monitor-modes-are-combined.patch
+  - 0065-Update-mdadm-Monitor-manual.patch
+  - 0066-mdadm-create-ident_init.patch
+  - 0067-mdadm-Add-option-validation-for-update-subarray.patch
+  - 0068-Fix-update-subarray-on-active-volume.patch
+  - 0069-Add-code-specific-update-options-to-enum.patch
+  - 0070-super-ddf-Remove-update_super_ddf.patch
+  - 0071-super0-refactor-the-code-for-enum.patch
+  - 0072-super1-refactor-the-code-for-enum.patch
+  - 0073-super-intel-refactor-the-code-for-enum.patch
+  - 0074-Change-update-to-enum-in-update_super-and-update_sub.patch
+  - 0075-Manage-Incremental-code-refactor-string-to-enum.patch
+  - 0076-Change-char-to-enum-in-context-update-refactor-code.patch
+  - 0077-mdadm-udev-Don-t-handle-change-event-on-raw-devices.patch
+  - 0078-Manage-do-not-check-array-state-when-drive-is-remove.patch
+  - 0079-incremental-manage-do-not-verify-if-remove-is-safe.patch
+  - 0080-super-intel-make-freesize-not-required-for-chunk-siz.patch
+  - 0081-manage-move-comment-with-function-description.patch
+  - 0082-Fix-NULL-dereference-in-super_by_fd.patch
+  - 0083-Mdmonitor-Make-alert_info-global.patch
+  - 0084-Mdmonitor-Pass-events-to-alert-using-enums-instead-o.patch
+  - 0085-Mdmonitor-Add-helper-functions.patch
+  - 0086-Add-helpers-to-determine-whether-directories-or-file.patch
+  - 0087-Mdmonitor-Refactor-write_autorebuild_pid.patch
+  - 0088-Mdmonitor-Refactor-check_one_sharer-for-better-error.patch
+  - 0089-util.c-reorder-code-lines-in-parse_layout_faulty.patch
+  - 0090-util.c-fix-memleak-in-parse_layout_faulty.patch
+  - 0091-Detail.c-fix-memleak-in-Detail.patch
+  - 0092-isuper-intel.c-fix-double-free-in-load_imsm_mpb.patch
+  - 0093-super-intel.c-fix-memleak-in-find_disk_attached_hba.patch
+  - 0094-super-ddf.c-fix-memleak-in-get_vd_num_of_subarray.patch
+  - 0095-Create-goto-abort_locked-instead-of-return-1-in-erro.patch
+  - 0096-Create-remove-safe_mode_delay-local-variable.patch
+  - 0097-Create-Factor-out-add_disks-helpers.patch
+  - 0098-mdadm-Introduce-pr_info.patch
+  - 0099-mdadm-Add-write-zeros-option-for-Create.patch
+  - 0100-manpage-Add-write-zeroes-option-to-manpage.patch
+  - 0101-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch
+  - 0102-Use-existence-of-etc-initrd-release-to-detect-initrd.patch
+  - 0103-Create-Fix-checking-for-container-in-update_metadata.patch
+
mdevctl
+- Add /usr/lib/mdevctl/scripts.d/{callouts,notifiers} directories
+
netcfg
+- Add krb-prop entry, fix for bsc#1211886.
+
nftables
+- port python-single-spec logic from Factory package to allow shipment of
+  python311 modules as well (bsc#1219253).
+
openssh
-- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
-  This limits the use of shell metacharacters in host- and
-  user names.
-
-- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
-  This mitigates a prefix truncation attack that could be used to
-  undermine channel security.
-
-- Enhanced SELinux functionality. Added
-  * openssh-7.8p1-role-mls.patch
-    Proper handling of MLS systems and basis for other SELinux
-    improvements
-  * openssh-6.6p1-privsep-selinux.patch
-    Properly set contexts during privilege separation
-  * openssh-6.6p1-keycat.patch
-    Add ssh-keycat command to allow retrieval of authorized_keys
-    on MLS setups with polyinstantiation
-  * openssh-6.6.1p1-selinux-contexts.patch
-    Additional changes to set the proper context during privilege
-    separation
-  * openssh-7.6p1-cleanup-selinux.patch
-    Various changes and putting the pieces together
-  For now we don't ship the ssh-keycat command, but we need the patch
-  for the other SELinux infrastructure
-  This change fixes issues like bsc#1214788, where the ssh daemon
-  needs to act on behalf of a user and needs a proper context for this
-
-- Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if
-  requested to load a PKCS#11 provider that isn't a PKCS#11
-  provider (bsc#1213504,CVE-2023-38408)
+- Merge updates from openSUSE. Existing patches were rebased.
+- Remove openssh-7.6p1-audit_race_condition.patch: Merged with
+  audit patch.
+- Remove openssh-CVE-2021-28041-agent-double-free.patch: Fixed
+  upstream.
+- Remove openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch:
+  Fixed upstream.
+- Remove openssh-CVE-2023-38408-PKCS11-execution.patch: Fixed
+  upstream.
+- Add cb4ed12f.patch from upstream, allowing newer versions of
+  zlib to be used.
+- Add logind_set_tty.patch by Thorsten Kukuk. This informs
+  systemd-logind of the login TTY and prevents having to parse utmp,
+  which is deprecated by glibc.
+
+- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+  = Security
+  * Fix CVE-2023-38408 - a condition where specific libraries loaded via
+    ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
+    code execution via a forwarded agent socket if the following
+    conditions are met:
+  * Exploitation requires the presence of specific libraries on
+    the victim system.
+  * Remote exploitation requires that the agent was forwarded
+    to an attacker-controlled system.
+    Exploitation can also be prevented by starting ssh-agent(1) with an
+    empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
+    an allowlist that contains only specific provider libraries.
+    This vulnerability was discovered and demonstrated to be exploitable
+    by the Qualys Security Advisory team.
+    In addition to removing the main precondition for exploitation,
+    this release removes the ability for remote ssh-agent(1) clients
+    to load PKCS#11 modules by default (see below).
+  = Potentially-incompatible changes
+  * ssh-agent(8): the agent will now refuse requests to load PKCS#11
+    modules issued by remote clients by default. A flag has been added
+    to restore the previous behaviour "-Oallow-remote-pkcs11".
+    Note that ssh-agent(8) depends on the SSH client to identify
+    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
+    this, but forwarding access to an agent socket using other tools
+    may circumvent this restriction.
+- Update to openssh 9.3p1:
+  = Security
+  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+    per-hop destination constraints (ssh-add -h ...) added in
+    OpenSSH 8.9, a logic error prevented the constraints from being
+    communicated to the agent. This resulted in the keys being added
+    without constraints. The common cases of non-smartcard keys and
+    keys without destination constraints are unaffected. This
+    problem was reported by Luci Stanescu.
+  * ssh(1): Portable OpenSSH provides an implementation of the
+    getrrsetbyname(3) function if the standard library does not
+    provide it, for use by the VerifyHostKeyDNS feature. A
+    specifically crafted DNS response could cause this function to
+    perform an out-of-bounds read of adjacent stack data, but this
+    condition does not appear to be exploitable beyond denial-of-
+    service to the ssh(1) client.
+    The getrrsetbyname(3) replacement is only included if the
+    system's standard library lacks this function and portable
+    OpenSSH was not compiled with the ldns library (--with-ldns).
+    getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+    fetch SSHFP records. This problem was found by the Coverity
+    static analyzer.
+  = New features
+  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+    when outputting SSHFP fingerprints to allow algorithm
+    selection. bz3493
+  * sshd(8): add a `sshd -G` option that parses and prints the
+    effective configuration without attempting to load private keys
+    and perform other checks. This allows usage of the option
+    before keys have been generated and for configuration
+    evaluation and verification by unprivileged users.
+  = Bugfixes
+  * scp(1), sftp(1): fix progressmeter corruption on wide displays;
+    bz3534
+  * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+    usability of private keys as some systems are starting to
+    disable RSA/SHA1 in libcrypto.
+  * sftp-server(8): fix a memory leak. GHPR363
+  * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
+    compatibility code and simplify what's left.
+  * Fix a number of low-impact Coverity static analysis findings.
+    These include several reported via bz2687
+  * ssh_config(5), sshd_config(5): mention that some options are
+    not first-match-wins.
+  * Rework logging for the regression tests. Regression tests will
+    now capture separate logs for each ssh and sshd invocation in
+    a test.
+  * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+    says it should; bz3532.
+  * ssh(1): ensure that there is a terminating newline when adding
+    a new entry to known_hosts; bz3529
+  = Portability
+  * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+    mmap(2), madvise(2) and futex(2) flags, removing some
+    concerning kernel attack surface.
+  * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+    bz3537
+- Update to openssh 9.2p1:
+  = Security
+  * sshd(8): fix a pre-authentication double-free memory fault
+    introduced in OpenSSH 9.1. This is not believed to be
+    exploitable, and it occurs in the unprivileged pre-auth process
+    that is subject to chroot(2) and is further sandboxed on most
+    major platforms.
+  * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+    option would ignore its first argument unless it was one of the
+    special keywords "any" or "none", causing the permission list
+    to fail open if only one permission was specified. bz3515
+  * ssh(1): if the CanonicalizeHostname and
+    CanonicalizePermittedCNAMEs options were enabled, and the
+    system/libc resolver did not check that names in DNS responses
+    were valid, then use of these options could allow an attacker
+    with control of DNS to include invalid characters (possibly
+    including wildcards) in names added to known_hosts files when
+    they were updated. These names would still have to match the
+    CanonicalizePermittedCNAMEs allow-list, so practical
+    exploitation appears unlikely.
+  = Potentially-incompatible changes
+  * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
+    that controls whether the client-side ~C escape sequence that
+    provides a command-line is available. Among other things, the
+    ~C command-line could be used to add additional port-forwards
+    at runtime.
+    This option defaults to "no", disabling the ~C command-line
+    that was previously enabled by default. Turning off the
+    command-line allows platforms that support sandboxing of the
+    ssh(1) client (currently only OpenBSD) to use a stricter
+    default sandbox policy.
+  = New features
+  * sshd(8): add support for channel inactivity timeouts via a new
+    sshd_config(5) ChannelTimeout directive. This allows channels
+    that have not seen traffic in a configurable interval to be
+    automatically closed. Different timeouts may be applied to
+    session, X11, agent and TCP forwarding channels.
+  * sshd(8): add a sshd_config UnusedConnectionTimeout option to
+    terminate client connections that have no open channels for a
+    length of time. This complements the ChannelTimeout option
+    above.
+  * sshd(8): add a -V (version) option to sshd like the ssh client
+    has.
+  * ssh(1): add a "Host" line to the output of ssh -G showing the
+    original hostname argument. bz3343
+  * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
+    allow control over some SFTP protocol parameters: the copy
+    buffer length and the number of in-flight requests, both of
+    which are used during upload/download. Previously these could
+    be controlled in sftp(1) only. This makes them available in
+    both SFTP protocol clients using the same option character
+    sequence.
+  * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
+    e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed,
+    then it will be expanded to all possible addresses in the range
+    including the all-0s and all-1s addresses. bz#976
+  * ssh(1): support dynamic remote port forwarding in escape
+    command-line's -R processing. bz#3499
+  = Bugfixes
+  * ssh(1): when restoring non-blocking mode to stdio fds, restore
+    exactly the flags that ssh started with and don't just clobber
+    them with zero, as this could also remove the append flag from
+    the set. bz3523
+  * ssh(1): avoid printf("%s", NULL) if using
+    UserKnownHostsFile=none and a hostkey in one of the system
+    known hosts file changes.
+  * scp(1): switch scp from using pipes to a socket-pair for
+    communication with its ssh sub-processes, matching how sftp(1)
+    operates.
+  * sshd(8): clear signal mask early in main(); sshd may have been
+    started with one or more signals masked (sigprocmask(2) is not
+    cleared on fork/exec) and this could interfere with various
+    things, e.g. the login grace timer. Execution environments that
+    fail to clear the signal mask before running sshd are clearly
+    broken, but apparently they do exist.
+  * ssh(1): warn if no host keys for hostbased auth can be loaded.
+  * sshd(8): Add server debugging for hostbased auth that is queued
+    and sent to the client after successful authentication, but
+    also logged to assist in diagnosis of HostbasedAuthentication
+    problems. bz3507
+  * ssh(1): document use of the IdentityFile option as being usable
+    to list public keys as well as private keys. GHPR352
+  * sshd(8): check for and disallow MaxStartups values less than or
+    equal to zero during config parsing, rather than failing later
+    at runtime.  bz3489
+  * ssh-keygen(1): fix parsing of hex cert expiry times specified
+    on the command-line when acting as a CA.
+  * scp(1): when scp(1) is using the SFTP protocol for transport
+    (the default), better match scp/rcp's handling of globs that
+    don't match the globbed characters but do match literally (e.g.
+    trying to transfer a file named "foo.[1]"). Previously scp(1)
+    in SFTP mode would not match these pathnames but legacy scp/rcp
+    mode would. bz3488
+  * ssh-agent(1): document the "-O no-restrict-websafe"
+    command-line option.
+  * ssh(1): honour user's umask(2) if it is more restrictive then
+    the ssh default (022).
+  = Portability
+  * sshd(8): allow writev(2) in the Linux seccomp sandbox. This
+    seems to be used by recent glibcs at least in some
+    configurations during error conditions. bz3512.
+  * sshd(8): simply handling of SSH_CONNECTION PAM env var,
+    removing global variable and checking the return value from
+    pam_putenv. bz3508
+  * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
+    mistakenly enabled during the OpenSSH 9.1 release cycle.
+  * misc: update autotools and regenerate the config files using
+    the latest autotools
+  * all: use -fzero-call-used-regs=used on clang 15 instead of
+  - fzero-call-used-reg=all, as some versions of clang 15 have
+    miscompile code when it was enabled. bz3475
+  * sshd(8): defer PRNG seeding until after the initial
+    closefrom(2) call. PRNG seeding will initialize OpenSSL, and
+    some engine providers (e.g. Intel's QAT) will open descriptors
+    for their own use that closefrom(2) could clobber. bz3483
+  * misc: in the poll(2)/ppoll(2) compatibility code, avoid
+    assuming the layout of fd_set.
+  * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
+    FreeBSD kernels. Some versions do not support using id 0 to
+    refer to the current PID for procctl, so try again with
+    getpid() explicitly before failing.
+  * configure.ac: fix -Wstrict-prototypes in configure test code.
+    Clang 16 now warns on this and legacy prototypes will be
+    removed in C23. GHPR355
+  * configure.ac: fix setres*id checks to work with clang-16. glibc
+    has the prototypes for setresuid behind _GNU_SOURCE, and
+    clang 16 will error out on implicit function definitions.
+    bz3497
+- Update to openssh 9.1p1:
+  = Security
+  * ssh-keyscan(1): fix a one-byte overflow in SSH- banner
+    processing.
+    Reported by Qualys
+  * ssh-keygen(1): double free() in error path of file hashing step
+    in signing/verify code; GHPR333
+  * ssh-keysign(8): double-free in error path introduced in
+    openssh-8.9
+  = Potentially-incompatible changes
+  * The portable OpenSSH project now signs commits and release tags
+    using git's recent SSH signature support. The list of developer
+    signing keys is included in the repository as
+    .git_allowed_signers and is cross-signed using the PGP key that
+    is still used to sign release artifacts:
+    https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
+  * ssh(1), sshd(8): SetEnv directives in ssh_config and
+    sshd_config are now first-match-wins to match other directives.
+    Previously if an environment variable was multiply specified
+    the last set value would have been used. bz3438
+  * ssh-keygen(8): ssh-keygen -A (generate all default host key
+    types) will no longer generate DSA keys, as these are insecure
+    and have not been used by default for some years.
+  = New features
+  * ssh(1), sshd(8): add a RequiredRSASize directive to set a
+    minimum RSA key length. Keys below this length will be ignored
+    for user authentication and for host authentication in sshd(8).
+    ssh(1) will terminate a connection if the server offers an RSA
+    key that falls below this limit, as the SSH protocol does not
+    include the ability to retry a failed key exchange.
+  * sftp-server(8): add a "users-groups-by-id@openssh.com"
+    extension request that allows the client to obtain user/group
+    names that correspond to a set of uids/gids.
+  * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
+    extension (when available) to fill in user/group names for
+    directory listings.
+  * sftp-server(8): support the "home-directory" extension request
+    defined in draft-ietf-secsh-filexfer-extensions-00. This
+    overlaps a bit with the existing "expand-path@openssh.com", but
+    some other clients support it.
+  * ssh-keygen(1), sshd(8): allow certificate validity intervals,
+    sshsig verification times and authorized_keys expiry-time
+    options to accept dates in the UTC time zone in addition to the
+    default of interpreting them in the system time zone. YYYYMMDD
+    and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
+    suffixed with a 'Z' character.
+    Also allow certificate validity intervals to be specified in
+    raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890.
+    This is intended for use by regress tests and other tools that
+    call ssh-keygen as part of a CA workflow. bz3468
+  * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
+    "/usr/libexec/sftp-server -el debug3"
+  * ssh-keygen(1): allow the existing -U (use agent) flag to work
+    with "-Y sign" operations, where it will be interpreted to
+    require that the private keys is hosted in an agent; bz3429
+  = Bugfixes
+  * ssh-keygen(1): implement the "verify-required" certificate
+    option.
+    This was already documented when support for user-verified FIDO
+    keys was added, but the ssh-keygen(1) code was missing.
+  * ssh-agent(1): hook up the restrict_websafe command-line flag;
+    previously the flag was accepted but never actually used.
+  * sftp(1): improve filename tab completions: never try to
+    complete names to non-existent commands, and better match the
+    completion type (local or remote filename) against the argument
+    position being completed.
+  * ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
+    handling, especially relating to keys that request
+    user-verification. These should reduce the number of
+    unnecessary PIN prompts for keys that support intrinsic user
+    verification. GHPR302, GHPR329
+  * ssh-keygen(1): when enrolling a FIDO resident key, check if a
+    credential with matching application and user ID strings
+    already exists and, if so, prompt the user for confirmation
+    before overwriting the credential. GHPR329
+  * sshd(8): improve logging of errors when opening authorized_keys
+    files. bz2042
+  * ssh(1): avoid multiplexing operations that could cause SIGPIPE
+    from causing the client to exit early. bz3454
+  * ssh_config(5), sshd_config(5): clarify that the RekeyLimit
+    directive applies to both transmitted and received data.
+    GHPR328
+  * ssh-keygen(1): avoid double fclose() in error path.
+  * sshd(8): log an error if pipe() fails while accepting a
+    connection. bz3447
+  * ssh(1), ssh-keygen(1): fix possible NULL deref when built
+    without FIDO support. bz3443
+  * ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
+    GHPR294.
+  * sshd(8): ensure that authentication passwords are cleared from
+    memory in error paths. GHPR286
+  * ssh(1), ssh-agent(1): avoid possibility of notifier code
+    executing kill(-1). GHPR286
+  * ssh_config(5): note that the ProxyJump directive also accepts
+    the same tokens as ProxyCommand. GHPR305.
+  * scp(1): do not not ftruncate(3) files early when in sftp mode.
+    The previous behaviour of unconditionally truncating the
+    destination file would cause "scp ~/foo localhost:foo" and the
+    reverse "scp localhost:foo ~/foo" to delete all the contents of
+    their destination. bz3431
+  * ssh-keygen(1): improve error message when 'ssh-keygen -Y sign'
+    is unable to load a private key; bz3429
+  * sftp(1), scp(1): when performing operations that glob(3) a
+    remote path, ensure that the implicit working directory used to
+    construct that path escapes glob(3) characters. This prevents
+    glob characters from being processed in places they shouldn't,
+    e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
+    treat the path "/tmp/a*" literally and not attempt to expand
+    it.
+  * ssh(1), sshd(8): be stricter in which characters will be
+    accepted in specifying a mask length; allow only 0-9. GHPR278
+  * ssh-keygen(1): avoid printing hash algorithm twice when dumping
+    a KRL
+  * ssh(1), sshd(8): continue running local I/O for open channels
+    during SSH transport rekeying. This should make ~-escapes work
+    in the client (e.g. to exit) if the connection happened to have
+    stalled during a rekey event.
+  * ssh(1), sshd(8): avoid potential poll() spin during rekeying
+  * Further hardening for sshbuf internals: disallow "reparenting"
+    a hierarchical sshbuf and zero the entire buffer if
+    reallocation fails. GHPR287
+  = Portability
+  * ssh(1), ssh-keygen(1), sshd(8): automatically enable the
+    built-in FIDO security key support if libfido2 is found and
+    usable, unless --without-security-key-builtin was requested.
+  * ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
+    FIDO device usable on Cygwin. The windows://hello FIDO device
+    will be automatically used by default on this platform unless
+    requested otherwise, or when probing resident FIDO credentials
+    (an operation not currently supported by WinHello).
+  * Portable OpenSSH: remove workarounds for obsolete and
+    unsupported versions of OpenSSL libcrypto. In particular, this
+    release removes fallback support for OpenSSL that lacks AES-CTR
+    or AES-GCM. Those AES cipher modes were added to OpenSSL prior
+    to the minimum version currently supported by OpenSSH, so this
+    is not expected to impact any currently supported
+    configurations.
+  * sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current
+    Linux/glibc
+  * All: resync and clean up internal CSPRNG code.
+  * scp(1), sftp(1), sftp-server(8): avoid linking these programs
+    with unnecessary libraries. They are no longer linked against
+    libz and libcrypto. This may be of benefit to space constrained
+    systems using any of those components in isolation.
+  * sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
+    architectures.
+  * configure: remove special casing of crypt(). configure will no
+    longer search for crypt() in libcrypto, as it was removed from
+    there years ago. configure will now only search libc and
+    libcrypt.
+  * configure: refuse to use OpenSSL 3.0.4 due to potential RCE in
+    its RSA implementation (CVE-2022-2274) on x86_64.
+  * All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322
+  * ssh(1), ssh-keygen(1), sshd(8): fix a number of missing
+    includes required by the XMSS code on some platforms.
+  * sshd(8): cache timezone data in capsicum sandbox.
+- Update to openssh 9.0p1:
+  = Potentially-incompatible changes
+  * This release switches scp(1) from using the legacy scp/rcp
+    protocol to using the SFTP protocol by default.
+    Legacy scp/rcp performs wildcard expansion of remote filenames
+    (e.g. "scp host:* .") through the remote shell. This has the
+    side effect of requiring double quoting of shell
+    meta-characters in file names included on scp(1) command-lines,
+    otherwise they could be interpreted as shell commands on the
+    remote side.
+    This creates one area of potential incompatibility: scp(1) when
+    using the SFTP protocol no longer requires this finicky and
+    brittle quoting, and attempts to use it may cause transfers to
+    fail. We consider the removal of the need for double-quoting
+    shell characters in file names to be a benefit and do not
+    intend to introduce bug-compatibility for legacy scp/rcp in
+    scp(1) when using the SFTP protocol.
+    Another area of potential incompatibility relates to the use of
+    remote paths relative to other user's home directories, for
+    example - "scp host:~user/file /tmp". The SFTP protocol has no
+    native way to expand a ~user path. However, sftp-server(8) in
+    OpenSSH 8.7 and later support a protocol extension
+    "expand-path@openssh.com" to support this.
+    In case of incompatibility, the scp(1) client may be instructed
+    to use the legacy scp/rcp using the -O flag.
+  = New features
+  * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519
+    key exchange method by default
+    ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is
+    believed to resist attacks enabled by future quantum computers
+    and is paired with the X25519 ECDH key exchange (the previous
+    default) as a backstop against any weaknesses in NTRU Prime
+    that may be discovered in the future. The combination ensures
+    that the hybrid exchange offers at least as good security as
+    the status quo.
+    We are making this change now (i.e. ahead of cryptographically-
+    relevant quantum computers) to prevent "capture now, decrypt
+    later" attacks where an adversary who can record and store SSH
+    session ciphertext would be able to decrypt it once a
+    sufficiently advanced quantum computer is available.
+  * sftp-server(8): support the "copy-data" extension to allow
+    server-side copying of files/data, following the design in
+    draft-ietf-secsh-filexfer-extensions-00. bz2948
+  * sftp(1): add a "cp" command to allow the sftp client to perform
+    server-side file copies.
+  = Bugfixes
+  * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's
+    output fd closes without data in the channel buffer. bz3405 and
+    bz3411
+  * sshd(8): pack pollfd array in server listen/accept loop. Could
+    cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
+  * ssh-keygen(1): avoid NULL deref via the find-principals and
+    check-novalidate operations. bz3409 and GHPR307 respectively.
+  * scp(1): fix a memory leak in argument processing. bz3404
+  * sshd(8): don't try to resolve ListenAddress directives in the
+    sshd re-exec path. They are unused after re-exec and parsing
+    errors (possible for example if the host's network
+    configuration changed) could prevent connections from being
+    accepted.
+  * sshd(8): when refusing a public key authentication request from
+    a client for using an unapproved or unsupported signature
+    algorithm include the algorithm name in the log message to make
+    debugging easier.
+  = Portability
+  * sshd(8): refactor platform-specific locked account check,
+    fixing an incorrect free() on platforms with both libiaf and
+    shadow passwords (probably only Unixware) GHPR284,
+  * ssh(1), sshd(8): Fix possible integer underflow in
+    scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
+  * sshd(8): provide killpg implementation (mostly for Tandem
+    NonStop) GHPR301.
+  * Check for missing ftruncate prototype. GHPR301
+  * sshd(8): default to not using sandbox when cross compiling. On
+    most systems poll(2) does not work when the number of FDs is
+    reduced with setrlimit, so assume it doesn't when cross
+    compiling and we can't run the test.  bz#3398.
+  * sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix
+    sandbox violations on some (at least i386 and armhf) 32bit
+    Linux platforms. bz#3396.
+  * Improve detection of -fzero-call-used-regs=all support in
+    configure script.
+- Add patch that explicitly adds -lz in Makefile.in to some
+  binaries which need it:
+  * fix-missing-lz.patch
+- Rebase patches:
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.7p1-pam_check_locks.patch
+  * openssh-7.7p1-seccomp_ipc_flock.patch
+  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+  * openssh-7.7p1-systemd-notify.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.1p1-ed25519-use-openssl-rng.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+  * openssh-whitelist-syscalls.patch
+  * wtmpdb.patch
+- Fix setting libexec dir in the LDAP patch.
+- Fix build in Leap 15.x which doesn't use %{_distconfdir}
+
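Review bot: in the 9.2p1 Portability list, the line "- fzero-call-used-reg=all, as some versions of clang 15 have" is the continuation of the bullet "all: use -fzero-call-used-regs=used on clang 15 instead of", but the wrap left the option's leading hyphen at the start of the line, so it now reads as a separate top-level changelog item. Rewrap the bullet so the option stays attached to the preceding text and its hyphen is not taken for an entry marker.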
+- Add _multibuild to define 2nd spec file as additional flavor.
+  Eliminates the need for source package links in OBS.
+
+- wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144]
+
+- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit
+- Add new sshd.pamd including postlogin-* config files
+
+- Remove BuildRequires for libtirpc, we don't use it
+
+- Remove pam_lastlog from sshd PAM config. sshd is doing the same,
+  too, which leads to e.g. duplicate entries in wtmp [bsc#1208243]
+
+- Adapt OpenSSH to build with OpenSSL 3, use new KDF API (bsc#1205042)
+  Add openssh-openssl-3.patch
+
+- limit to openssl < 3.0 as this version is not compatible (bsc#1205042)
+  next version update will fix it
+
+- Update openssh-8.1p1-audit.patch: Merge fix for race condition
+  (bsc#1115550, bsc#1174162).
+- Add openssh-do-not-send-empty-message.patch, which prevents
+  superfluous newlines with empty MOTD files (bsc#1192439).
+
+- Use %_pam_vendordir
+
+- openssh-8.4p1-ssh_config_d.patch: admin overrides should take
+  priority (listed first) over package defaults
+
+- read ssh and sshd config file also from /usr/etc
+- add openssh-server-config-rootlogin subpackage that enabled PermitRootLogin
+
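Review bot: the entry "add openssh-server-config-rootlogin subpackage that enabled PermitRootLogin" does not say which value the subpackage sets or which configuration file it installs. Name both (for example whether it sets yes or prohibit-password), so that an administrator reading the changelog can tell what installing the package changes about root access over SSH. The tense should also be "enables".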
+- Version update to 8.9p1:
+  = Security
+  * sshd(8): fix an integer overflow in the user authentication path
+    that, in conjunction with other logic errors, could have yielded
+    unauthenticated access under difficult to exploit conditions.
+    This situation is not exploitable because of independent checks in
+    the privilege separation monitor. Privilege separation has been
+    enabled by default in since openssh-3.2.2 (released in 2002) and
+    has been mandatory since openssh-7.5 (released in 2017). Moreover,
+    portable OpenSSH has used toolchain features available in most
+    modern compilers to abort on signed integer overflow since
+    openssh-6.5 (released in 2014).
+    Thanks to Malcolm Stagg for finding and reporting this bug.
+  = Potentially-incompatible changes
+  * sshd(8), portable OpenSSH only: this release removes in-built
+    support for MD5-hashed passwords. If you require these on your
+    system then we recommend linking against libxcrypt or similar.
+  * This release modifies the FIDO security key middleware interface
+    and increments SSH_SK_VERSION_MAJOR.
+  = New features
+  * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
+    restricting forwarding and use of keys added to ssh-agent(1)
+    A detailed description of the feature is available at
+    https://www.openssh.com/agent-restrict.html and the protocol
+    extensions are documented in the PROTOCOL and PROTOCOL.agent
+    files in the source release.
+  * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
+    ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
+    default KEXAlgorithms list (after the ECDH methods but before the
+    prime-group DH ones). The next release of OpenSSH is likely to
+    make this key exchange the default method.
+  * ssh-keygen(1): when downloading resident keys from a FIDO token,
+    pass back the user ID that was used when the key was created and
+    append it to the filename the key is written to (if it is not the
+    default). Avoids keys being clobbered if the user created multiple
+    resident keys with the same application string but different user
+    IDs.
+  * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
+    on tokens that provide user verification (UV) on the device itself,
+    including biometric keys, avoiding unnecessary PIN prompts.
+  * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
+    perform matching of principals names against an allowed signers
+    file. To be used towards a TOFU model for SSH signatures in git.
+  * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
+    to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
+    authentication time.
+  * ssh-keygen(1): allow selection of hash at sshsig signing time
+    (either sha512 (default) or sha256).
+  * ssh(1), sshd(8): read network data directly to the packet input
+    buffer instead of indirectly via a small stack buffer. Provides a
+    modest performance improvement.
+  * ssh(1), sshd(8): read data directly to the channel input buffer,
+    providing a similar modest performance improvement.
+  * ssh(1): extend the PubkeyAuthentication configuration directive to
+    accept yes|no|unbound|host-bound to allow control over one of the
+    protocol extensions used to implement agent-restricted keys.
+  = Bugfixes
+  * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
+    PubkeyAuthOptions can be used in a Match block. PR277.
+  * sshd(8): fix possible string truncation when constructing paths to
+    .rhosts/.shosts files with very long user home directory names.
+  * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
+    exchange hashes
+  * ssh(1): don't put the TTY into raw mode when SessionType=none,
+    avoids ^C being unable to kill such a session. bz3360
+  * scp(1): fix some corner-case bugs in SFTP-mode handling of
+    ~-prefixed paths.
+  * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
+    select RSA keys when only RSA/SHA2 signature algorithms are
+    configured (this is the default case). Previously RSA keys were
+    not being considered in the default case.
+  * ssh-keysign(1): make ssh-keysign use the requested signature
+    algorithm and not the default for the key type. Part of unbreaking
+    hostbased auth for RSA/SHA2 keys.
+  * ssh(1): stricter UpdateHostkey signature verification logic on
+    the client- side. Require RSA/SHA2 signatures for RSA hostkeys
+    except when RSA/SHA1 was explicitly negotiated during initial
+    KEX; bz3375
+  * ssh(1), sshd(8): fix signature algorithm selection logic for
+    UpdateHostkeys on the server side. The previous code tried to
+    prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
+    cases. This will use RSA/SHA2 signatures for RSA keys if the
+    client proposed these algorithms in initial KEX. bz3375
+  * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
+    This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
+    and sftp-server(8), as well as the sshd(8) listen loop and all
+    other FD read/writability checks. On platforms with missing or
+    broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
+    available.
+  * ssh-keygen(1): the "-Y find-principals" command was verifying key
+    validity when using ca certs but not with simple key lifetimes
+    within the allowed signers file.
+  * ssh-keygen(1): make sshsig verify-time argument parsing optional
+  * sshd(8): fix truncation in rhosts/shosts path construction.
+  * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
+    keys (we already did this for RSA keys). Avoids fatal errors for
+    PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
+    "cryptoauthlib"; bz#3364
+  * ssh(1), ssh-agent(1): improve the testing of credentials against
+    inserted FIDO: ask the token whether a particular key belongs to
+    it in cases where the token supports on-token user-verification
+    (e.g. biometrics) rather than just assuming that it will accept it.
+    Will reduce spurious "Confirm user presence" notifications for key
+    handles that relate to FIDO keys that are not currently inserted in at
+    least some cases. bz3366
+  * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
+    allow for the preceding two ECN bits. bz#3373
+  * ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
+    option.
+  * ssh-keygen(1): fix a NULL deref when using the find-principals
+    function, when matching an allowed_signers line that contains a
+    namespace restriction, but no restriction specified on the
+    command-line
+  * ssh-agent(1): fix memleak in process_extension(); oss-fuzz
+    issue #42719
+  * ssh(1): suppress "Connection to xxx closed" messages when LogLevel
+    is set to "error" or above. bz3378
+  * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
+    compressed packet data. bz3372
+  * scp(1): when recursively transferring files in SFTP mode, create the
+    destination directory if it doesn't already exist to match scp(1) in
+    legacy RCP mode behaviour.
+  * scp(1): many improvements in error message consistency between scp(1)
+    in SFTP mode vs legacy RCP mode.
+  * sshd(8): fix potential race in SIGTERM handling PR289
+  * ssh(1), ssh(8): since DSA keys are deprecated, move them to the
+    end of the default list of public keys so that they will be tried
+    last. PR295
+  * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
+    wildcard principals in allowed_signers files
+  = Portability
+  * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
+    implementation does not work in a chroot when the kernel does not
+    have close_range(2). It tries to read from /proc/self/fd and when
+    that fails dies with an assertion of sorts. Instead, call
+    close_range(2) directly from our compat code and fall back if
+    that fails.  bz#3349,
+  * OS X poll(2) is broken; use compat replacement. For character-
+    special devices like /dev/null, Darwin's poll(2) returns POLLNVAL
+    when polled with POLLIN. Apparently this is Apple bug 3710161 -
+    not public but a websearch will find other OSS projects
+    rediscovering it periodically since it was first identified in
+    2005.
+  * Correct handling of exceptfds/POLLPRI in our select(2)-based
+    poll(2)/ppoll(2) compat implementation.
+  * Cygwin: correct checking of mbstowcs() return value.
+  * Add a basic SECURITY.md that refers people to the openssh.com
+    website.
+  * Enable additional compiler warnings and toolchain hardening flags,
+    including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
+  - fzero-call-used-regs and -ftrivial-auto-var-init.
+  * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version
+    is not reliable.
+- Rebased patches:
+  * openssh-7.7p1-ldap.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+
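Review bot: in the 8.9p1 Portability list, "- fzero-call-used-regs and -ftrivial-auto-var-init." is the tail of the "Enable additional compiler warnings and toolchain hardening flags" bullet, and the wrap has split the hyphen from -fzero-call-used-regs so the line parses as its own changelog item. Keep the flag intact on the previous line, so that the hardening flags listed for this release can be read and searched as written.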
+- Version update to 8.8p1:
+  = Security
+  * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
+    supplemental groups when executing an AuthorizedKeysCommand or
+    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
+    AuthorizedPrincipalsCommandUser directive has been set to run the
+    command as a different user. Instead these commands would inherit
+    the groups that sshd(8) was started with.
+    Depending on system configuration, inherited groups may allow
+    AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
+    gain unintended privilege.
+    Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
+    enabled by default in sshd_config(5).
+  = Potentially-incompatible changes
+  * This release disables RSA signatures using the SHA-1 hash algorithm
+    by default. This change has been made as the SHA-1 hash algorithm is
+    cryptographically broken, and it is possible to create chosen-prefix
+    hash collisions for <USD$50K.
+    For most users, this change should be invisible and there is
+    no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
+    RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
+    will automatically use the stronger algorithm where possible.
+    Incompatibility is more likely when connecting to older SSH
+    implementations that have not been upgraded or have not closely tracked
+    improvements in the SSH protocol. For these cases, it may be necessary
+    to selectively re-enable RSA/SHA1 to allow connection and/or user
+    authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
+    options.
+  = New features
+  * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
+    directive to accept a "none" argument to specify the default
+    behaviour.
+  = Bugfixes
+  * scp(1): when using the SFTP protocol, continue transferring files
+    after a transfer error occurs, better matching original scp/rcp
+    behaviour.
+  * ssh(1): fixed a number of memory leaks in multiplexing,
+  * ssh-keygen(1): avoid crash when using the -Y find-principals
+    command.
+  * A number of documentation and manual improvements, including
+    bz#3340, PR139, PR215, PR241, PR257
+- Additional changes from 8.7p1 release:
+  = Potentially-incompatible changes
+  * scp(1): this release changes the behaviour of remote to remote
+    copies (e.g. "scp host-a:/path host-b:") to transfer through the
+    local host by default. This was previously available via the -3
+    flag. This mode avoids the need to expose credentials on the
+    origin hop, avoids triplicate interpretation of filenames by the
+    shell (by the local system, the copy origin and the destination)
+    and, in conjunction with the SFTP support for scp(1) mentioned
+    below, allows use of all authentication methods to the remote
+    hosts (previously, only non-interactive methods could be used).
+    A -R flag has been added to select the old behaviour.
+  * ssh(1)/sshd(8): both the client and server are now using a
+    stricter configuration file parser. The new parser uses more
+    shell-like rules for quotes, space and escape characters. It is
+    also more strict in rejecting configurations that include options
+    lacking arguments. Previously some options (e.g. DenyUsers) could
+    appear on a line with no subsequent arguments. This release will
+    reject such configurations. The new parser will also reject
+    configurations with unterminated quotes and multiple '='
+    characters after the option name.
+  * ssh(1): when using SSHFP DNS records for host key verification,
+    ssh(1) will verify all matching records instead of just those
+    with the specific signature type requested. This may cause host
+    key verification problems if stale SSHFP records of a different
+    or legacy signature type exist alongside other records for a
+    particular host. bz#3322
+  * ssh-keygen(1): when generating a FIDO key and specifying an
+    explicit attestation challenge (using -Ochallenge), the challenge
+    will now be hashed by the builtin security key middleware. This
+    removes the (undocumented) requirement that challenges be exactly
+    32 bytes in length and matches the expectations of libfido2.
+  * sshd(8): environment="..." directives in authorized_keys files are
+    now first-match-wins and limited to 1024 discrete environment
+    variable names.
+  = New features
+  * scp(1): experimental support for transfers using the SFTP protocol
+    as a replacement for the venerable SCP/RCP protocol that it has
+    traditionally used. SFTP offers more predictable filename handling
+    and does not require expansion of glob(3) patterns via the shell
+    on the remote side.
+  * sftp-server(8): add a protocol extension to support expansion of
+    ~/ and ~user/ prefixed paths. This was added to support these
+    paths when used by scp(1) while in SFTP mode.
+  * ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to
+    the ssh(1) -f flag. GHPR231
+  * ssh(1): add a StdinNull directive to ssh_config(5) that allows the
+    config file to do the same thing as -n does on the ssh(1) command-
+    line. GHPR231
+  * ssh(1): add a SessionType directive to ssh_config, allowing the
+    configuration file to offer equivalent control to the -N (no
+    session) and -s (subsystem) command-line flags. GHPR231
+  * ssh-keygen(1): allowed signers files used by ssh-keygen(1)
+    signatures now support listing key validity intervals alongside
+    they key, and ssh-keygen(1) can optionally check during signature
+    verification whether a specified time falls inside this interval.
+    This feature is intended for use by git to support signing and
+    verifying objects using ssh keys.
+  * ssh-keygen(8): support printing of the full public key in a sshsig
+    signature via a -Oprint-pubkey flag.
+  = Bugfixes
+  * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in
+    the client and server mainloops. Previously the re-key timeout
+    could expire but re-keying would not start until a packet was sent
+    or received, causing a spin in select() if the connection was
+    quiescent.
+  * ssh-keygen(1): avoid Y2038 problem in printing certificate
+    validity lifetimes. Dates past 2^31-1 seconds since epoch were
+    displayed incorrectly on some platforms. bz#3329
+  * scp(1): allow spaces to appear in usernames for local to remote
+    and scp -3 remote to remote copies. bz#1164
+  * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
+    in favour of KbdInteractiveAuthentication. The former is what was in
+    SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
+    treated as somewhat but not entirely equivalent. We retain the old
+    name as a deprecated alias so configuration files continue to work
+    as well as a reference in the man page for people looking for it.
+    bz#3303
+  * ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name
+    when extracting a key from a PKCS#11 certificate. bz#3327
+  * ssh(1): restore blocking status on stdio fds before close. ssh(1)
+    needs file descriptors in non-blocking mode to operate but it was
+    not restoring the original state on exit. This could cause
+    problems with fds shared with other programs via the shell,
+    bz#3280 and GHPR246
+  * ssh(1)/sshd(8): switch both client and server mainloops from
+    select(3) to pselect(3). Avoids race conditions where a signal
+    may arrive immediately before select(3) and not be processed until
+    an event fires. bz#2158
+  * ssh(1): sessions started with ControlPersist were incorrectly
+    executing a shell when the -N (no shell) option was specified.
+    bz#3290
+  * ssh(1): check if IPQoS or TunnelDevice are already set before
+    overriding. Prevents values in config files from overriding values
+    supplied on the command line. bz#3319
+  * ssh(1): fix debug message when finding a private key to match a
+    certificate being attempted for user authentication. Previously it
+    would print the certificate's path, whereas it was supposed to be
+    showing the private key's path. GHPR247
+  * sshd(8): match host certificates against host public keys, not
+    private keys. Allows use of certificates with private keys held in
+    a ssh-agent.  bz#3524
+  * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which
+    allows RSA/SHA2 signatures for public key authentication but fails
+    to advertise this correctly via SSH2_MSG_EXT_INFO. This causes
+    clients of these server to incorrectly match
+    PubkeyAcceptedAlgorithmse and potentially refuse to offer valid
+    keys. bz#3213
+  * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the
+    limits@openssh.com extension but fails when the client tries to
+    invoke it. bz#3318
+  * ssh(1): allow ssh_config SetEnv to override $TERM, which is
+    otherwise handled specially by the protocol. Useful in ~/.ssh/config
+    to set TERM to something generic (e.g. "xterm" instead of
+    "xterm-256color") for destinations that lack terminfo entries.
+  * sftp-server(8): the limits@openssh.com extension was incorrectly
+    marked as an operation that writes to the filesystem, which made it
+    unavailable in sftp-server read-only mode. bz#3318
+  * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when
+    the update removed more host keys than remain present.
+  * Many manual page fixes.
+- Additional changes from 8.6p1 release:
+  = Security
+  * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
+    option was enabled with a set of patterns that activated logging
+    in code that runs in the low-privilege sandboxed sshd process, the
+    log messages were constructed in such a way that printf(3) format
+    strings could effectively be specified the low-privilege code.
+  = New features
+  * sftp-server(8): add a new limits@openssh.com protocol extension
+    that allows a client to discover various server limits, including
+    maximum packet size and maximum read/write length.
+  * sftp(1): use the new limits@openssh.com extension (when available)
+    to select better transfer lengths in the client.
+  * sshd(8): Add ModuliFile keyword to sshd_config to specify the
+    location of the "moduli" file containing the groups for DH-GEX.
+  * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to
+    enable printing of the elapsed time in seconds of each test.
+  = Bugfixes
+  * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in
+    manual pages with the current default. GHPR174
+  * ssh(1): ensure that pkcs11_del_provider() is called before exit.
+    GHPR234
+  * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple
+    backslashes were not being dequoted correctly and quoted space in
+    the middle of a string was being incorrectly split. GHPR223
+  * ssh(1): return non-zero exit status when killed by signal; bz#3281
+  * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum
+    packet size. Also handle zero-length reads that are not explicitly
+    banned by the spec.
+- Additional changes from 8.5p1 release:
+  = Security
+  * ssh-agent(1): fixed a double-free memory corruption that was
+    introduced in OpenSSH 8.2 . We treat all such memory faults as
+    potentially exploitable. This bug could be reached by an attacker
+    with access to the agent socket.
+  = Potentially-incompatible changes
+  * ssh(1), sshd(8): this release changes the first-preference signature
+    algorithm from ECDSA to ED25519.
+  * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
+    for interactive use prior to TCP connect. The connection phase of
+    the SSH session is time-sensitive and often explicitly interactive.
+    The ultimate interactive/bulk TOS/DSCP will be set after
+    authentication completes.
+  * ssh(1), sshd(8): remove the pre-standardization cipher
+    rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
+    it was standardized in RFC4253 (2006), has been deprecated and
+    disabled by default since OpenSSH 7.2 (2016) and was only briefly
+    documented in ssh.1 in 2001.
+  * ssh(1), sshd(8): update/replace the experimental post-quantum
+    hybrid key exchange method based on Streamlined NTRU Prime coupled
+    with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org
+    method is replaced with sntrup761x25519-sha512@openssh.com.
+  * ssh(1): disable CheckHostIP by default. It provides insignificant
+    benefits while making key rotation significantly more difficult,
+    especially for hosts behind IP-based load-balancers.
+  = New features
+  * ssh(1): this release enables UpdateHostkeys by default subject to
+    some conservative preconditions:
+  - The key was matched in the UserKnownHostsFile (and not in the
+    GlobalKnownHostsFile).
+  - The same key does not exist under another name.
+  - A certificate host key is not in use.
+  - known_hosts contains no matching wildcard hostname pattern.
+  - VerifyHostKeyDNS is not enabled.
+  - The default UserKnownHostsFile is in use.
+  * ssh(1), sshd(8): add a new LogVerbose configuration directive for
+    that allows forcing maximum debug logging by file/function/line
+    pattern-lists.
+  * ssh(1): when prompting the user to accept a new hostkey, display
+    any other host names/addresses already associated with the key.
+  * ssh(1): allow UserKnownHostsFile=none to indicate that no
+    known_hosts file should be used to identify host keys.
+  * ssh(1): add a ssh_config KnownHostsCommand option that allows the
+    client to obtain known_hosts data from a command in addition to
+    the usual files.
+  * ssh(1): add a ssh_config PermitRemoteOpen option that allows the
+    client to restrict the destination when RemoteForward is used
+    with SOCKS.
+  * ssh(1): for FIDO keys, if a signature operation fails with a
+    "incorrect PIN" reason and no PIN was initially requested from the
+    user, then request a PIN and retry the operation. This supports
+    some biometric devices that fall back to requiring PIN when reading
+    of the biometric failed, and devices that require PINs for all
+    hosted credentials.
+  * sshd(8): implement client address-based rate-limiting via new
+    sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
+    directives that provide more fine-grained control on a per-origin
+    address basis than the global MaxStartups limit.
+  = Bugfixes
+  * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
+  make it easier to determine which connection they are associated
+  with in cases like scp -3, ProxyJump, etc. bz#3224
+  * sshd(8): fix sshd_config SetEnv directives located inside Match
+    blocks. GHPR201
+  * ssh(1): when requesting a FIDO token touch on stderr, inform the
+    user once the touch has been recorded.
+  * ssh(1): prevent integer overflow when ridiculously large
+    ConnectTimeout values are specified, capping the effective value
+    (for most platforms) at 24 days. bz#3229
+  * ssh(1): consider the ECDSA key subtype when ordering host key
+    algorithms in the client.
+  * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
+    PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
+    that it control allowed key algorithms, when this option actually
+    specifies the signature algorithms that are accepted. The previous
+    name remains available as an alias. bz#3253
+  * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
+    HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
+  * sftp-server(8): add missing lsetstat@openssh.com documentation
+    and advertisement in the server's SSH2_FXP_VERSION hello packet.
+  * ssh(1), sshd(8): more strictly enforce KEX state-machine by
+    banning packet types once they are received. Fixes memleak caused
+    by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
+  * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
+    platforms instead of being limited by LONG_MAX. bz#3206
+  * Minor man page fixes (capitalization, commas, etc.) bz#3223
+  * sftp(1): when doing an sftp recursive upload or download of a
+    read-only directory, ensure that the directory is created with
+    write and execute permissions in the interim so that the transfer
+    can actually complete, then set the directory permission as the
+    final step. bz#3222
+  * ssh-keygen(1): document the -Z, check the validity of its argument
+    earlier and provide a better error message if it's not correct.
+    bz#2879
+  * ssh(1): ignore comments at the end of config lines in ssh_config,
+    similar to what we already do for sshd_config. bz#2320
+  * sshd_config(5): mention that DisableForwarding is valid in a
+    sshd_config Match block. bz3239
+  * sftp(1): fix incorrect sorting of "ls -ltr" under some
+    circumstances. bz3248.
+  * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
+    timeout values. bz#3250
+  * ssh(1): make hostbased authentication send the signature algorithm
+    in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
+    This make HostbasedAcceptedAlgorithms do what it is supposed to -
+    filter on signature algorithm and not key type.
+- Rebased patches:
+  * openssh-7.7p1-IPv6_X_forwarding.patch
+  * openssh-7.7p1-X11_trusted_forwarding.patch
+  * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
+  * openssh-7.7p1-cavstest-ctr.patch
+  * openssh-7.7p1-cavstest-kdf.patch
+  * openssh-7.7p1-disable_openssl_abi_check.patch
+  * openssh-7.7p1-eal3.patch
+  * openssh-7.7p1-enable_PAM_by_default.patch
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-host_ident.patch
+  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.7p1-no_fork-no_pid_file.patch
+  * openssh-7.7p1-pam_check_locks.patch
+  * openssh-7.7p1-pts_names_formatting.patch
+  * openssh-7.7p1-remove_xauth_cookies_on_exit.patch
+  * openssh-7.7p1-seccomp_ipc_flock.patch
+  * openssh-7.7p1-seccomp_stat.patch
+  * openssh-7.7p1-send_locale.patch
+  * openssh-7.7p1-sftp_force_permissions.patch
+  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+  * openssh-7.7p1-systemd-notify.patch
+  * openssh-7.9p1-keygen-preserve-perms.patch
+  * openssh-7.9p1-revert-new-qos-defaults.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.1p1-seccomp-clock_gettime64.patch
+  * openssh-8.1p1-seccomp-clock_nanosleep.patch
+  * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
+  * openssh-8.1p1-use-openssl-kdf.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-fips-ensure-approved-moduli.patch
+  * openssh-link-with-sk.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+  * openssh-whitelist-syscalls.patch
+- Removed openssh-fix-ssh-copy-id.patch (fixed upstream).
+- openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
+
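Review bot: the "Rebased patches" list carries openssh-reenable-dh-group14-sha1-default.patch forward without comment, although the 8.8p1 notes in this same entry justify disabling RSA/SHA-1 signatures by default on the grounds that SHA-1 is cryptographically broken. Going by its name, the patch keeps a SHA-1 based key exchange in the defaults, so the entry should say why that is still needed downstream and reference the bug that tracks it. The openssh.keyring line would also be easier to audit if it recorded the fingerprint of the new release key next to the download URL.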
+- sshd-gen-keys-start:
+  - only source sysconfig file if it exists.
+  - create /etc/ssh if it does not exists.
+  Required for image based installation/updates.
+
+- The linux kernel has close_range(2) syscall which current glibc
+  uses to implement closefrom(3) which will be then used by openssh.
+  whitelist the new system call so closefrom does not fail or
+  fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch)
+
+- Don't move user-modified ssh_config and sshd_config files to
+  .rpmsave on upgrade.
+
+- Use pam_motd to unify motd message output [bsc#1185897]
+  (openssh-8.4p1-pam_motd.patch)
+
+- Change vendor configuration dir from /usr/share/ssh/ to
+  /usr/etc/ssh/.
+- Remove upgrade enablement hack. This has been fixed in
+  systemd-rpm-macros (bsc#1180083).
+
+- Add support for vendor provided configuration files in
+  /usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
+- Move configuration files from /etc/ssh/ to /usr/share/ssh/
+
+- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
+  as root via password by default (is also upstream default). Comment
+  indicates that this was a temporary meassure that we now had for
+  five years, time to get rid of it (bsc#1173067)
+
+- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing
+  failure to accept connections on 32-bit platforms with
+  glibc 2.33+.
+
+- Add support for /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d
+  (openssh-8.4p1-ssh_config_d.patch)
+
openssh-askpass-gnome
+- Update to openssh 9.3p2
+  * No changes for askpass, see main package changelog for
+    details
+
+- openssh-askpass-gnome: require only openssh-clients, not the full
+  openssh (including -server), to avoid pulling in excessive
+  dependencies when installing git on Gnome (boo#1211446)
+
+- Update to openssh 9.3p1
+  * No changes for askpass, see main package changelog for
+    details
+
+- Version upgrade to 8.8p1
+  * No changes for askpass, see main package changelog for
+    details
+
pam-config
+- Fix pam_gnome_keyring module for AUTH.
+  [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767]
+
patterns-base
+- Backport changes from SLE15-SP6
+  * Enhanced base system: recommend openssh-server-config-rootlogin (bsc#1220594):
+    openssh in SLE15 has always allowed password root logins by default.
+    New openssh packaging split the configuration in a separate package.
+    Ensure it gets recommended in order to keep a consistent behaviour
+    with older Service Packs.
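Review bot: the justification "openssh in SLE15 has always allowed password root logins by default" does not mention that the openssh entry in this changelog drops openssh-7.7p1-allow_root_password_login.patch precisely to prevent password login as root by default (bsc#1173067). Recommending openssh-server-config-rootlogin from the base pattern brings that behaviour back on default installs, so the entry should state that explicitly, since the package is only recommended and can be left out by administrators who want the upstream default. The same wording is repeated in the patterns-server entry.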
+
patterns-server
+- kvm and xen: recommend openssh-server-config-rootlogin (bsc#1220594)
+  * openssh in SLE15 has always allowed password root logins by default.
+    New openssh packaging split the configuration in a separate package.
+    Ensure it gets recommended in order to keep a consistent behaviour
+    with older Service Packs.
+
protobuf-c
+- update to 1.5.0:
+  * Use CMAKE_CURRENT_BINARY_DIR instead of CMAKE_BINARY_DIR
+  * remove deprecated functionality
+  * Avoid "unused variable" compiler warning
+  * Update autotools
+  * Support for new Google protobuf 22.x, 23.x releases
+  * Remove protobuf 2.x support
+
pulseaudio
+- Do not BuildRequire pkgconfig(webrtc-audio-processing-1) on big
+  endian architectures (s390, s390x, ppc64) as the dependency is
+  not available:
+  * WebRTC echo canceller will be disabled there
+
+- Add cherry-picks to fix UCM crashes
+  * pulseaudio-replace-port-device-UCM-context-assertion-with-an-error.patch
+  * pulseaudio-check-UCM-verb-before-working-with-device-status.patch
+
qemu
+- Backports and bugfixes:
+  * [openSUSE]: Increase default phys bits to 42, if host supports that
+    (bsc#1205978, bsc#1219977)
+  * vfio/pci: Clear MSI-X IRQ index always (bsc#1220275)
+
+- Just "prettify" the spec files a little:
+  * [openSUSE][RPM] Cosmetic fixes to spec files (copyright, sorting, etc)
+
+- Patchqueue shrinking and  bugfixing (actually, more of a temporary
+  workaround, until a proper solution is found upstream):
+  * [openSUSE] roms/seabios: revert some upstream commits that
+    break a lot of use-cases
+  * [openSUSE] roms/seabios: Drop an old (and no longer necessary)
+    downstream patch (bsc#1219977)
+
+Update to latest stable version (8.2.1)
+- Downstream changes:
+  * [openSUSE][RPM]: Install the VGA module "more often" (bsc#1219164)
+  * [openSUSE][RPM] Fix handling of qemu-kvm legacy package for RISCV
+  * [openSUSE][RPM] factor common definitions between qemu and qemu-linux-user spec files
+- Upstream backports:
+  * target/arm: Fix incorrect aa64_tidcp1 feature check
+  * target/arm: Fix A64 scalar SQSHRN and SQRSHRN
+  * target/xtensa: fix OOB TLB entry access
+  * qtest: bump aspeed_smc-test timeout to 6 minutes
+  * monitor: only run coroutine commands in qemu_aio_context
+  * iotests: port 141 to Python for reliable QMP testing
+  * iotests: add filter_qmp_generated_node_ids()
+  * block/blklogwrites: Fix a bug when logging "write zeroes" operations.
+  * virtio-net: correctly copy vnet header when flushing TX (bsc#1218484, CVE-2023-6693)
+  * tcg/arm: Fix SIGILL in tcg_out_qemu_st_direct
+  * linux-user/riscv: Adjust vdso signal frame cfa offsets
+  * linux-user: Fixed cpu restore with pc 0 on SIGBUS
+  * block/io: clear BDRV_BLOCK_RECURSE flag after recursing in bdrv_co_block_status
+  * coroutine-ucontext: Save fake stack for pooled coroutine
+  * tcg/s390x: Fix encoding of VRIc, VRSa, VRSc insns
+  * accel/tcg: Revert mapping of PCREL translation block to multiple virtual addresses
+  * acpi/tests/avocado/bits: wait for 200 seconds for SHUTDOWN event from bits VM
+  * s390x/pci: drive ISM reset from subsystem reset
+  * s390x/pci: refresh fh before disabling aif
+  * s390x/pci: avoid double enable/disable of aif
+  * hw/scsi/esp-pci: set DMA_STAT_BCMBLT when BLAST command issued
+  * hw/scsi/esp-pci: synchronise setting of DMA_STAT_DONE with ESP completion interrupt
+  * hw/scsi/esp-pci: generate PCI interrupt from separate ESP and PCI sources
+  * hw/scsi/esp-pci: use correct address register for PCI DMA transfers
+  * migration/rdma: define htonll/ntohll only if not predefined
+  * hw/pflash: implement update buffer for block writes
+  * hw/pflash: use ldn_{be,le}_p and stn_{be,le}_p
+  * hw/pflash: refactor pflash_data_write()
+  * backends/cryptodev: Do not ignore throttle/backends Errors
+  * target/i386: pcrel: store low bits of physical address in data[0]
+  * target/i386: fix incorrect EIP in PC-relative translation blocks
+  * target/i386: Do not re-compute new pc with CF_PCREL
+  * load_elf: fix iterator's type for elf file processing
+  * target/hppa: Update SeaBIOS-hppa to version 15
+  * target/hppa: Fix IOR and ISR on error in probe
+  * target/hppa: Fix IOR and ISR on unaligned access trap
+  * target/hppa: Export function hppa_set_ior_and_isr()
+  * target/hppa: Avoid accessing %gr0 when raising exception
+  * hw/hppa: Move software power button address back into PDC
+  * target/hppa: Fix PDC address translation on PA2.0 with PSW.W=0
+  * hw/pci-host/astro: Add missing astro & elroy registers for NetBSD
+  * hw/hppa/machine: Disable default devices with --nodefaults option
+  * hw/hppa/machine: Allow up to 3840 MB total memory
+  * readthodocs: fully specify a build environment
+  * .gitlab-ci.d/buildtest.yml: Work around htags bug when environment is large
+  * target/s390x: Fix LAE setting a wrong access register
+  * tests/qtest/virtio-ccw: Fix device presence checking
+  * tests/acpi: disallow tests/data/acpi/virt/SSDT.memhp changes
+  * tests/acpi: update expected data files
+  * edk2: update binaries to git snapshot
+  * edk2: update build config, set PcdUninstallMemAttrProtocol = TRUE.
+  * edk2: update to git snapshot
+  * tests/acpi: allow tests/data/acpi/virt/SSDT.memhp changes
+  * util: fix build with musl libc on ppc64le
+  * tcg/ppc: Use new registers for LQ destination
+  * hw/intc/arm_gicv3_cpuif: handle LPIs in in the list registers
+  * hw/vfio: fix iteration over global VFIODevice list
+  * vfio/container: Replace basename with g_path_get_basename
+  * edu: fix DMA range upper bound check
+  * hw/net: cadence_gem: Fix MDIO_OP_xxx values
+  * audio/audio.c: remove trailing newline in error_setg
+  * chardev/char.c: fix "abstract device type" error message
+  * target/riscv: Fix mcycle/minstret increment behavior
+  * hw/net/can/sja1000: fix bug for single acceptance filter and standard frame
+  * target/i386: the sgx_epc_get_section stub is reachable
+  * configure: use a native non-cross compiler for linux-user
+  * include/ui/rect.h: fix qemu_rect_init() mis-assignment
+  * target/riscv/kvm: do not use non-portable strerrorname_np()
+  * iotests: Basic tests for internal snapshots
+  * vl: Improve error message for conflicting -incoming and -loadvm
+  * block: Fix crash when loading snapshot on inactive node
+- Fixes:
+  * bsc#1218484 (CVE-2023-6693)
+
rdma-core
+- Add kernel-boot-do-not-load-module-unsupported-on-s390.patch
+  to prevent autoload of module not supported on s390. (bsc#1219805)
+
rpm
+- backport lua support for rpm.execute to ease migrating [bnc#1216752]
+  * new patch: luaexecute.diff
+
samba
+- Update to 4.19.5
+  * Windows 2016 fails to restore previous version of a file from
+    a shadow_copy2 snapshot; (bso#13688).
+  * Symlinks on AIX are broken in 4.19 (and a few version before
+    that); (bso#15549).
+  * Fake directory create times has no effect; (bso#12421).
+  * ctime mixed up with mtime by smbd; (bso#15550).
+  * samba-gpupdate --rsop fails if machine is not in a site;
+    (bso#15548).
+  * gpupdate: The root cert import when NDES is not available is
+    broken; (bso#15557).
+  * samba-gpupdate should print a useful message if cepces-submit
+    can't be found; (bso#15552).
+  * samba-gpupdate logging doesn't work; (bso#15558).
+  * smbpasswd reset permissions only if not 0600; (bso#15555).
+
systemd-rpm-macros
+- Bump version to 15
+
+- Order packages that requires systemd after systemd-sysvcompat when this part
+  of the transaction (bsc#1217964)
+  systemd-sysvcompat has been introduced recently and contains the compatibility
+  scripts used to support SysV init scripts. Make sure that the packages ordered
+  after systemd are also ordered after systemd-sysvcompat so theirs rpm
+  scriptlets can still rely on the compat scripts.
+  On distributions where systemd-sysvcompat doesn't exist, the new ordering
+  constraint should be a nop.
+
tigervnc
+- buildrequire xorg-x11-server-source/-sdk >= 21.1.11 and trigger
+  rebuild with newer xorg-x11-server-source package (bsc#1219311,
+  bsc#1219205)
+
virtiofsd
+- Spec: Adjust libvirt/virtiofsd interop config file to handle differences in
+  the definition of libexecdir macro on SLE and Tumbleweed (bsc#1219772)
+
-- Update to upstream version v1.7.2 (jsc#4980)
+- Update to upstream version v1.7.2 (jsc#PED-4980)
xfsprogs
+- update to 6.6.0
+  - xfs_scrub: add missing license and copyright information
+  - xfs_db: report the device associated with each io cursor
+  - libxfs: Fix UAF in a requeued EFI
+  - xfs_io: Add new option, to exercise log2_data_unit_size in kernel fscrypt_policy_v2
+  - xfs_db: Add upport to read from external log device
+  - metadump: New metadump format
+  - xfs_quota: fix missing mount point warning
+
yast2
+- removed "journalctl --dmesg" from save_y2los
+- 4.6.7
+
+- replaced "journalctl --dmesg" with "journalctl -b"
+- 4.6.6
+
+- Allow host/domain names starting with an underscore (bsc#1219920)
+- 4.6.5
+
yast2-packager
+- Display a better product summary for the SLE_HPC => SLES upgrade
+  (jsc#PED-7841)
+- 4.6.8
+
zchunk
+- Add OpenSSL 3.x support: [jsc#PED-6570, bsc#1217722]
+  * Rework hash code to support openSSL 3.x EVP API [8be0795f]
+  * Update tests to handle zstd 1.5.4 [7b84aabb]
+  * Add upstream patches:
+  - zchunk-OpenSSL-3-EVP-API.patch
+  - zchunk-OpenSSL-3-tests.patch
+