Removed rpms
============

 - corepack20
 - gnutls-guile
 - google-noto-fonts-doc
 - libclc
 - libgdal-drivers
 - libgdal33
 - libgit2-1_3
 - libgit2-1_3-32bit
 - libgnutls30-hmac
 - libgnutls30-hmac-32bit
 - libgnutlsxx28
 - libibmtss1
 - libpoppler126
 - libpoppler126-32bit
 - libqgpgme7
 - libqgpgme7-32bit
 - libsemanage1
 - libsemanage1-32bit
 - libsepol1
 - libsepol1-32bit
 - libvdpau_virtio_gpu
 - libvdpau_virtio_gpu-32bit
 - mpich-ofi_4_0_2-gnu-hpc
 - mpich-ofi_4_0_2-gnu-hpc-devel
 - mpich-ofi_4_0_2-gnu-hpc-devel-static
 - mpich-ofi_4_0_2-gnu-hpc-macros-devel
 - mpich_4_0_2-gnu-hpc
 - mpich_4_0_2-gnu-hpc-devel
 - mpich_4_0_2-gnu-hpc-devel-static
 - mpich_4_0_2-gnu-hpc-macros-devel
 - nodejs20
 - nodejs20-devel
 - nodejs20-docs
 - noto-mono-fonts
 - noto-sans-cjk-fonts
 - noto-sans-display-fonts
 - noto-sans-jp-black-fonts
 - noto-sans-jp-bold-fonts
 - noto-sans-jp-demilight-fonts
 - noto-sans-jp-fonts
 - noto-sans-jp-fonts-full
 - noto-sans-jp-light-fonts
 - noto-sans-jp-medium-fonts
 - noto-sans-jp-mono-fonts
 - noto-sans-jp-regular-fonts
 - noto-sans-jp-thin-fonts
 - noto-sans-kr-black-fonts
 - noto-sans-kr-bold-fonts
 - noto-sans-kr-demilight-fonts
 - noto-sans-kr-fonts
 - noto-sans-kr-fonts-full
 - noto-sans-kr-light-fonts
 - noto-sans-kr-medium-fonts
 - noto-sans-kr-mono-fonts
 - noto-sans-kr-regular-fonts
 - noto-sans-kr-thin-fonts
 - noto-sans-sc-black-fonts
 - noto-sans-sc-bold-fonts
 - noto-sans-sc-demilight-fonts
 - noto-sans-sc-fonts
 - noto-sans-sc-fonts-full
 - noto-sans-sc-light-fonts
 - noto-sans-sc-medium-fonts
 - noto-sans-sc-mono-fonts
 - noto-sans-sc-regular-fonts
 - noto-sans-sc-thin-fonts
 - noto-sans-syriaceastern-fonts
 - noto-sans-syriacestrangela-fonts
 - noto-sans-syriacwestern-fonts
 - noto-sans-tc-black-fonts
 - noto-sans-tc-bold-fonts
 - noto-sans-tc-demilight-fonts
 - noto-sans-tc-fonts
 - noto-sans-tc-fonts-full
 - noto-sans-tc-light-fonts
 - noto-sans-tc-medium-fonts
 - noto-sans-tc-mono-fonts
 - noto-sans-tc-regular-fonts
 - noto-sans-tc-thin-fonts
 - noto-sans-tibetan-fonts
 - noto-serif-jp-black-fonts
 - noto-serif-jp-bold-fonts
 - noto-serif-jp-extralight-fonts
 - noto-serif-jp-fonts
 - noto-serif-jp-fonts-full
 - noto-serif-jp-light-fonts
 - noto-serif-jp-medium-fonts
 - noto-serif-jp-regular-fonts
 - noto-serif-jp-semibold-fonts
 - noto-serif-kr-black-fonts
 - noto-serif-kr-bold-fonts
 - noto-serif-kr-extralight-fonts
 - noto-serif-kr-fonts
 - noto-serif-kr-fonts-full
 - noto-serif-kr-light-fonts
 - noto-serif-kr-medium-fonts
 - noto-serif-kr-regular-fonts
 - noto-serif-kr-semibold-fonts
 - noto-serif-sc-black-fonts
 - noto-serif-sc-bold-fonts
 - noto-serif-sc-extralight-fonts
 - noto-serif-sc-fonts
 - noto-serif-sc-fonts-full
 - noto-serif-sc-light-fonts
 - noto-serif-sc-medium-fonts
 - noto-serif-sc-regular-fonts
 - noto-serif-sc-semibold-fonts
 - noto-serif-tc-black-fonts
 - noto-serif-tc-bold-fonts
 - noto-serif-tc-extralight-fonts
 - noto-serif-tc-fonts
 - noto-serif-tc-fonts-full
 - noto-serif-tc-light-fonts
 - noto-serif-tc-medium-fonts
 - noto-serif-tc-regular-fonts
 - noto-serif-tc-semibold-fonts
 - npm20
 - php7-libphutil
 - php7-lzf
 - php7-maxminddb
 - php7-memcached
 - php7-phalcon
 - php7-phpunit8
 - php7-smbclient
 - php7-uuid
 - python3-apsw
 - python3-pytest-console-scripts
 - rime-schema-jyutping
 - sssd-common
 - sssd-common-32bit
 - warewulf4-ipxe

Added rpms
==========

 - emptyepsilon
 - gpg2-tpm
 - guile-gnutls
 - libgdal32
 - libgit2-1_7
 - libgit2-tools
 - libgnutlsxx30
 - libibmtss2
 - libicu73_2-32bit
 - libicu73_2-devel-32bit
 - liblsof0
 - libpoppler132
 - libpoppler132-32bit
 - libqgpgme15
 - libqgpgme15-32bit
 - libqgpgmeqt6-15
 - libqgpgmeqt6-devel
 - libraw23
 - libraw23-32bit
 - libsemanage-conf
 - libsemanage2
 - libsemanage2-32bit
 - libsepol2
 - libsepol2-32bit
 - lsof-devel
 - mpich-ofi_4_1_2-gnu-hpc
 - mpich-ofi_4_1_2-gnu-hpc-devel
 - mpich-ofi_4_1_2-gnu-hpc-devel-static
 - mpich-ofi_4_1_2-gnu-hpc-macros-devel
 - mpich_4_1_2-gnu-hpc
 - mpich_4_1_2-gnu-hpc-devel
 - mpich_4_1_2-gnu-hpc-devel-static
 - mpich_4_1_2-gnu-hpc-macros-devel
 - pacemaker-schemas
 - python3-pacemaker
 - python311-apsw
 - python311-pytest-console-scripts
 - python311-ruff
 - python311-selinux
 - ugrep-bash-completion
 - ugrep-fish-completion
 - ugrep-zsh-completion
 - whois-bash-completion

Package Source Changes
======================

389-ds
+- bsc#1217581 - Replica ID cannot be specified for consumer and hub roles
+- Update to version 2.2.8~git51.3688d68:
+  * Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)
+  * Issue 5984 - Crash when paged result search are abandoned (#5985)
+  * Issue 5971 - CLI - Fix password prompt for repl status (#5972)
+  * Issue 5956 - After an upgrade the server won't start - nsslapd-connta…  …blesize (#5963)
+  * Issue 3555 - UI - Fix audit issue with npm - babel/traverse (#5959)
+  * Issue 5966 - CLI - Custom schema object is removed on a failed edit (#5967)
+  * Issue 5956 - After an upgrade the server won't start - nsslapd-conntablesize (#5957)
+  * issue 5924 - ASAN server build crash when looping opening/closing connections (#5926)
+  * Issue 5848 - Fix condition and add a CI test (#5916)
+  * Issue 5909 - Multi listener hang with 20k connections (#5917)
+  * Issue 5853 - Revert MSRV check (#5908)
+  * Issue 5722 - improve testcase (#5904)
+  * Bug Description:
+  * Issue 5858 - WebUI monitoring test fails to run
+
MozillaFirefox
+- Firefox Extended Support Release 115.6.0 ESR
+  Placeholder changelog-entry (bsc#1217974)
+
-  Placeholder changelog-entry (bsc#1217230)
+  * Fixed: Various security fixes and other quality improvements.
+  MFSA 2023-50 (bsc#1217230)
+  * CVE-2023-6204 (bmo#1841050)
+    Out-of-bound memory access in WebGL2 blitFramebuffer
+  * CVE-2023-6205 (bmo#1854076)
+    Use-after-free in MessagePort::Entangled
+  * CVE-2023-6206 (bmo#1857430)
+    Clickjacking permission prompts using the fullscreen
+    transition
+  * CVE-2023-6207 (bmo#1861344)
+    Use-after-free in ReadableByteStreamQueueEntry::Buffer
+  * CVE-2023-6208 (bmo#1855345)
+    Using Selection API would copy contents into X11 primary
+    selection.
+  * CVE-2023-6209 (bmo#1858570)
+    Incorrect parsing of relative URLs starting with "///"
+  * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252,
+    bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943,
+    bmo#1862782)
+    Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
+    and Thunderbird 115.5
avahi
+- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
+  avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
+
booth
+- Update to version 1.1+git0.09b0074:
+  * build: Prepare version 1.1 release
+  * build: Make distcheck work for non-root user
+  * build: Include icons in release tarballs
+  * build: Add release.mk
+  * build: Add gitlog-to-changelog
+  * tests: Fix Python 3.12 warning
+  * attr: Fix glib hash_table != NULL assert
+  * attr: Fix memory leak for list and get operation
+  * main: Fix exit code on grant/revoke command error
+  * spec: Migrate to SPDX license
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_booth-arbitrator.service.patch
+
+- Update to version 1.0+20221117.9d4029a:
+  * man: Add generated html files into gitignore
+  * man: remove literal paragraph format from boothd.8
+  * man: Remove italic bold formatting
+  * man: Do not format __defaults__
+  * man: Indent peers counters
+  * man: Move debug description to better place
+  * test: Add test for unknown/unexpected keyword
+  * config: Include protocol in error message
+  * config: Include keyword in error message
+  * unit file: Remove Alias directive
+
brickd
+- New Version 2.4.5
+  - Add Raspberry Pi 5 support for HAT (Zero) Brick
+  - Fix rare crash in initial USB device scan
+
+- Fix build error with conflicting strcasestr definition
+
+- Fixed brickd-rpmlintrc source reference in spec file
+  removed upstream patch a679ca31b8dbd412e5f379b624200e3a96dda0ce.patch
+
+- New Version 2.4.4
+  - Add menu entry to clear Live Log in Windows Log Viewer
+  - Abort delayed USB stall recovery if device was removed in the meantime
+  - Add rate limit for Bricklet error messages
+  - Increase libusb requirement from 1.0.6 to 1.0.20
+  - Allow to disable mesh gateway
+  - Update bundled libusb to 1.0.26.11755 on Windows (Windows Vista or newer
+    required) and macOS
+
+- add a679ca31b8dbd412e5f379b624200e3a96dda0ce.patch for RISCV support
+- spec-cleaner
+
brise
+- Update brise.spec:
+  * Add Conflicts condition to insure brise could update successfully
+    from brise binary rpm, for SUSE:SLE-SP6 update.
+  * Replace rime-schema-all dependence to real package name to
+    avoid 2 level of virtual packages when it installed.
+
+- update brise 20230603+git.5fdd2d6
+  * replace io/ioutil usage
+  * deprecate rime-jyutping with rime-cantonese
+  * add rime-custom
+
+- update brise 20230528+git.cece251
+  * rime-plum-go supports github's "main" default branch
+  * brise data is updated to 20230528
+
budgie-extras
+- Budgie Extras 1.7.1 "Tinker Tailor..."
+  * CVE-2023-49347: budgie-wpreviews: use of fixed paths in /tmp
+    (bsc#1213341)
+  * CVE-2023-49344: windowshufflerdaemon: uses various fixed /tmp
+    file paths (bsc#1213342)
+  * CVE-2023-49345: budgie-takeabreak: fixed /tmp path use in
+    /tmp/nextbreak_<user> (bsc#1216281)
+  * CVE-2023-49346: budgie-weathershow: use of fixed path in
+    /tmp/<username>_weatherdata (bsc#1216282)
+  * CVE-2023-49342: budgie-clockworks: uses fixed temporary files
+    in /tmp/<user>_clockworks (bsc#1217595)
+  * CVE-2023-49343: budgie-dropby: use of fixed paths in
+    /tmp/<user>_call_dropby and /tmp/<user>_dropby_icon_copy
+    (bsc#1217597)
+
checkpolicy
+- Update to version 3.5
+  * error out if required permission would exceed limit
+  * Improve error message for type bounds
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * warn on bogus IP address or netmask in nodecon statement
+  * allow wildcard permissions in constraints
+  * mention class name on invalid permission
+
+- Update to version 3.3
+  * When reading a binary policy by checkpolicy, do not automatically change the version
+    to the max policy version supported by libsepol or, if specified, the value given
+    using the "-c" flag.
+  * Updated documentation
+  * Prints the reason why opening a source policy file failed
+
+- Update to version 3.2
+  * Fix a memleak and an integer overflow
+
clamav-database
+- database refresh on 2023-12-25 (bsc#1084929)
+
+- database refresh on 2023-12-18 (bsc#1084929)
+
+- database refresh on 2023-12-11 (bsc#1084929)
+
cloud-regionsrv-client
+- Update to version 10.1.5 (bsc#1217583)
+  + Fix fallback path when IPv6 network path is not usable
+  + Enable an IPv6 fallback path in IMDS access if it cannot be accessed
+    over IPv4
+  + Enable IMDS access over IPv6
+
+- Update to version 10.1.4 (bsc#1217451)
+  + Fetch cert for new update server during failover
+
containerd
+- Update to containerd v1.7.8. Upstream release notes:
+  <https://github.com/containerd/containerd/releases/tag/v1.7.8> bsc#1200528
+- Rebase patches:
+  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
+
cosign
+- updated to 2.2.1 (jsc#SLE-23879)
+  This release comes with a fix for
+  CVE-2023-46737 / bsc#1216933 described in this [Github Security
+  Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
+  Enhancements:
+  * feat: Support basic auth and bearer auth login to registry (#3310)
+  * add support for ignoring certificates with pkcs11 (#3334)
+  * Support ReplaceOp in Signatures (#3315)
+  * feat: added ability to get image digest back via triangulate (#3255)
+  * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
+  * feat: add support attaching a Rekor bundle to a container (#3246)
+  * feat: add support outputting rekor response on signing (#3248)
+  * feat: improve dockerfile verify subcommand (#3264)
+  * Add guard flag for experimental OCI 1.1 verify. (#3272)
+  * Deprecate SBOM attachments (#3256)
+  * feat: dedent line in cosign copy doc (#3244)
+  * feat: add platform flag to cosign copy command (#3234)
+  * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
+  * attest: pass OCI remote opts to att resolver. (#3225)
+  Bug Fixes:
+  * Merge pull request from GHSA-vfp6-jrw2-99g9
+  * fix: allow cosign download sbom when image is absent (#3245)
+  * ci: add a OCI registry test for referrers support (#3253)
+  * Fix ReplaceSignatures (#3292)
+  * Stop using deprecated in_toto.ProvenanceStatement (#3243)
+  * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
+  * fix: update error in `SignedEntity` to be more descriptive (#3233)
+  * Fail timestamp verification if no root is provided (#3224)
+  Documentation:
+  * Add some docs about verifying in an air-gapped environment (#3321)
+  * Update CONTRIBUTING.md (#3268)
+  * docs: improves the Contribution guidelines (#3257)
+  * Remove security policy (#3230)
+  Others:
+  * Set go to min 1.21 and update dependencies  (#3327)
+  * Update contact for code of conduct (#3266)
+  * Update .ko.yaml (#3240)
+
+- updated to 2.2.0 (jsc#SLE-23879)
+  - Enhancements
+  * switch to uploading DSSE types to rekor instead of intoto (#3113)
+  * add 'cosign sign' command-line parameters for mTLS (#3052)
+  * improve error messages around bundle != payload hash (#3146)
+  * make VerifyImageAttestation function public (#3156)
+  * Switch to cryptoutils function for SANS (#3185)
+  * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
+  - Bug Fixes
+  * Fix nondeterminsitic timestamps (#3121)
+  - Documentation
+  * doc: Add example of sign-blob with key in env var (#3152)
+  * add deprecation notice for cosign-releases GCS bucket (#3148)
+  * update doc links (#3186)
+
+- updated to 2.1.1 (jsc#SLE-23879)
+  - Bug Fixes
+  - wait for the workers become available again to continue the execution (#3084)
+  - fix help text when in a container (#3082)
+- updated to 2.1.0 (jsc#SLE-23879)
+  - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
+  - Enhancements
+  - Verify sigs and attestations in parallel (#3066)
+  - Deep inspect attestations when filtering download (#3031)
+  - refactor bundle validation code, add support for DSSE rekor type (#3016)
+  - Allow overriding remote options (#3049)
+  - feat: adds no cert found on sig exit code (#3038)
+  - Make predicate a required flag in attest commands (#3033)
+  - Added support for attaching Time stamp authority Response in attach command (#3001)
+  - Add sign --sign-container-identity CLI (#2984)
+  - Feature: Allow cosign to sign digests before they are uploaded. (#2959)
+  - accepts attachment-tag-prefix for cosign copy (#3014)
+  - Feature: adds '--allow-insecure-registry' for cosign load (#3000)
+  - download attestation: support --platform flag (#2980)
+  - Cleanup: Add Digest to the SignedEntity interface. (#2960)
+  - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
+  - verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)
+  - Bug Fixes
+  - Fix pkg/cosign/errors (#3050)
+  - Fix: update doc to refer to github-actions oidc provider (#3040)
+  - Fix: prefer GitHub OIDC provider if enabled (#3044)
+  - Fix --sig-only in cosign copy (#3074)
+  - Documentation
+  - Fix links to sigstore/docs in markdown files (#3064)
+
+- update to 2.0.2 (jsc#SLE-23879)
+  Enhancements
+  - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
+  - feat: Make cosign copy faster (#2901)
+  - remove sget (#2885)
+  - Require a payload to be provided with a signature (#2785)
+  Bug Fixes
+  - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
+  - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
+  Documentation
+  - Remove experimental warning from Fulcio flags (#2923)
+  - add missing oidc provider (#2922)
+  - Add zot as a supported registry (#2920)
+  - deprecates kms_support docs (#2900)
+  - chore(docs) deprecate note for usage docs (#2906)
+  - adds note of deprecation for examples.md docs (#2899)
+
cppcheck
+- add CVE-2023-39070.patch (CVE-2023-39070, bsc#1215233)
+
crmsh
+- Update to version 4.6.0+20231206.a903b854:
+  * To polish and improve crm report along with PED-5774 (jsc#PED-5774)
+  * Fix: bootstrap: fix the owner and permission of file authorized_keys (bsc#1217279)
+  * Fix: prun: should not call user_pair_for_ssh() when target host is localhost (bsc#1217094)
+  * Fix: utils: Add 'sudo' only when there is a sudoer(bsc#1215549)
+
csp-billing-adapter
+- Update to version 0.8.0:
+  * Clear billing status with an empty dictionary
+
+- Update to version 0.7.0:
+  * Add get version hook spec
+
csp-billing-adapter-local
-- Update to version 0.2.1:
-  * Bump version: 0.2.0 → 0.2.1
-  * Add changelog
-  * Use date_fmt variable with underscore
-  * Set date format from core adapter
-  * Bump version: 0.1.1 → 0.2.0
-  * Import format from core adapter
-  * Bump version: 0.1.0 → 0.1.1
-  * Clearer import
+- Update to version 0.4.1:
+  * Edit the build requirement for core adapter module
-- Update to 0.2.1
-  + Use the same formatter for log file as core adapter
-  + Add timestamp with the same format as core adapter
-  + Add reporting time
+- Update to version 0.4.0:
+  * Drop logs for cache and csp-config functions
+
+- Update to version 0.3.0:
+  * Add get version hook implementation
+
+- Update to version 0.2.1
+  * Add timestamp with the same format as core adapter
+- Update to version 0.2.0
+  * Use the same formatter for log file as core adapter
+- Update to version 0.1.1
+  * Add reporting time to usage data
+  * Refactor tests
csp-billing-adapter-microsoft
+- Update to version 0.2.1:
+  * Get credentials for VM
+
+- Update to version 0.2.0:
+  * Add get version hook implementation
+
+
+- Update to version 0.1.0~git2.e424147:
-  * Update changelog for v0.1.1
+  * Bump version: 0.0.1 → 0.1.0
+  * Update changelog for v0.1.0
-- Update to version 0.1.0
-  + Implement plugin metadata functions and unit tests
-
curl
+- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
+  * Add curl-libssh_Implement_SFTP_packet_size_limit.patch
+
deepin-compressor
+- Add fix-Zip-Path-Traversal.patch
+  * Fix Zip Path Traversal (boo#1218428 and CVE-2023-50255)
+
distribution
+- update to 2.8.3 (bsc#1216491):
+  * Pass `BUILDTAGS` argument to `go build`
+  * Enable Go build tags
+  * `reference`: replace deprecated function `SplitHostname`
+  * Dont parse errors as JSON unless Content-Type is set to JSON
+  * update to go 1.20.8
+  * Set `Content-Type` header in registry client `ReadFrom`
+  * deprecate reference package, migrate to
+    github.com/distribution/reference
+  * `digestset`: deprecate package in favor of `go-
+    digest/digestset`
+  * Do not close HTTP request body in HTTP handler
+  * Add v2.8.3 release notes
+
entr
+- update to 5.5:
+  * Report correct error if open(3) fails
+
+- Update to version 5.4
+  * 'make test' runs a quick smoketest, 'make check' runs regressions
+  * Set IN_CLOEXEC only for inotify_init, kqueue uses similar setting by default
+  * Unconditionally try to set soft file limit to 2^16 on MacOS
+  * Use non-reentrant calls sparingly in signal handlers
+  * configure: use TARGET_OS to override the output of uname(1)
+- added only basic smoke test
+
+- Update to version 5.3
+  * Symlink changes detected on Linux by setting
+    'ENTR_INOTIFY_SYMLINK'.
+  * Use /dev/null rather then closed pipe for stdin in -r mode.
+  * Utilize {O,FD}_CLOEXEC flag for unintentional leaks of
+    descriptors to executed utilities.
+  * Remove C unit tests.
+  * Only respond to attribute/inode changes on Linux.
+- Drop tests. The new tests do not run within a chroot.
+
+- Update to version 5.2
+  * Update copy of strlcpy(3) for Linux
+  * Detect file deletion from directories on Linux
+  * Print the signal that terminated a child when using '-s'
+  * Return 128+signal that terminated a child when using '-z'
+  * Ensure terminal settings are reset when '-z' is set
+
+- Update to version 5.1
+  * Detect files moved to or from directories on Linux.
+  * Allow detection of directory entries beginning with '.' by
+    specifying '-d' twice.
+  * Only reset terminal settings in exit handler if settings were
+    changed.
+
+- Update to version 5.0
+  * Eliminate memory management warnings on Linux.
+  * EV_TRACE prints file mode and file name.
+- Update to version 4.8
+  * EV_TRACE also prints file/notify descriptor limit.
+  * Set 2^16 watches if inotify limits cannot be read.
+  * Raise an error and suggest '-n' if terminal attributes cannot
+    be read.
+
+- Update to version 4.8
+  * Set a maximum of 2^19 watches to guard against absurd file
+    open limits on MacOS.
+  * Use control sequences to clear the display and specify '-c'
+    twice to erase the scrollback buffer.
+
+- update to 4.7:
+  * Use system file descriptor limits when max_user_watches is not accessible
+  * Return the exit status of the child process when the '-z' option is used
+  * Handle SIGHUP so child process are terminated when a terminal is closed
+  * More accurately return shell exit code using '-s' option
+
+- Update to version 4.6
+  * Always call waitpid(2) to avoid dead processes
+  * Duplicate STDIN file descriptor before closing; for the '-r'
+    option
+
+- Update to version 4.5
+  * New '-z' "one-shot" option self-terminates after the utility
+    exits
+  * Termination by 'q' or 'SIGINT' results in an exit status of 0
+- Add source verification
+
+- Update to version 4.4
+  * Use a single inotify queue on Linux, limited by
+    /proc/sys/fs/inotify/max_user_watches
+  * Set the environment variable `ENTR_INOTIFY_WORKAROUND` to
+    enable a compatibility mode for platforms with deformed
+    inotify support
+
+- Update to version 4.3
+  * No functional changes
+
+- Update to version 4.2
+  * New '-a' option enables response to events that occur while the
+    utility is running
+  * Correctly report error when a file cannot be reopened
+- Includes change from 4.1
+  * New '-n' non-interactive option disables keyboard input
+  * EV_TRACE environment variable enables file system event
+    tracing.
+  * Track changes to the inode number as a workaround for missing
+    delete events on the Linux kernel
+
freerdp
+- Add freerdp-CVE-2023-39350-to-2023-40589.patch
+  + Multiple CVE fixes
+  * bsc#1214856, CVE-2023-39350
+  * bsc#1214857, CVE-2023-39351
+  * bsc#1214858, CVE-2023-39352
+  * bsc#1214859, CVE-2023-39353
+  * bsc#1214860, CVE-2023-39354
+  * bsc#1214862, CVE-2023-39356
+  * bsc#1214863, CVE-2023-40181
+  * bsc#1214864, CVE-2023-40186
+  * bsc#1214866, CVE-2023-40188
+  * bsc#1214867, CVE-2023-40567
+  * bsc#1214868, CVE-2023-40569
+  * bsc#1214869, CVE-2023-40574
+  * bsc#1214870, CVE-2023-40575
+  * bsc#1214871, CVE-2023-40576
+  * bsc#1214872, CVE-2023-40589
+
gdal
-- Add Conflicts entry between drivers package and old library version
-
-- Seperate drivers.ini from the library package
-
-- update to bugfix release version 3.7.1
-  * see https://github.com/OSGeo/gdal/blob/v3.7.1/NEWS.md
-- update to feature release version 3.7.0
-  + see https://github.com/OSGeo/gdal/blob/v3.7.0/NEWS.md
-- packaging:
-  * add new buildrequire pkgconfig(libarchive)
-    for new /vsi7z/ and /vsirar/ virtual file systems
-  * handle new delivered files
-    data/gfs.xsd: XML schema for .gfs files (#6655)
-    data/gml_registry.xsd: new file with XML schema of
-    gml_registry.xml (#6716)
-    data/ogrinfo_output.json.schema: validate ogrinfo -json output
-    data/gdalinfo_output.schema.json: validate gdalinfo -json
-    output (fixes #6850)
-    data/grib2_table_4_2_0_21.csv
-    data/grib2_table_4_2_2_6.csv
-    bin/sozip
-  * spec-cleaner
-  * remove limitation for python < 3.11 as Factory has 3.11.4
-
ghostscript
+- CVE-2023-46751.patch is derived for Ghostscript-9.52 from
+  https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
+  (there is no "device initialization redesign" in Ghostscript-9.52)
+  that fixes CVE-2023-46751
+  "dangling pointer in gdev_prn_open_printer_seekable()"
+  see https://bugs.ghostscript.com/show_bug.cgi?id=707264
+  (bsc#1217871)
+
gimp
+- Add gimp-CVE-2023-44442.patch: fix gimp file parsing heap-based
+  buffer overflow (boo#1217161 CVE-2023-44442)
+- Add gimp-CVE-2023-44443-44444.patch: fix gimp file parsing Integer
+  overflow remote code execution vulnerability (boo#1217162
+  CVE-2023-44443) fix gimp file parsing Off-By-One remote code
+  execution vulnerability(boo#1217163 CVE-2023-44444)
+- Add gimp-CVE-2023-44441.patch: fix gimp DDS file parsing heap-based
+  buffer overflow remote code execution vulnerability (boo#1217160
+  CVE-2023-44441)
+
glibc
+- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
+  (bsc#1217445, BZ #31113)
+
+- Remove systemd from shadow and gshadow lookups (bsc#1217220)
+
glibc:i686
+- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
+  (bsc#1217445, BZ #31113)
+
+- Remove systemd from shadow and gshadow lookups (bsc#1217220)
+
glibc:utils
+- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
+  (bsc#1217445, BZ #31113)
+
+- Remove systemd from shadow and gshadow lookups (bsc#1217220)
+
gnome-screenshot
+- Add b60dad3c2536c17bd201f74ad8e40eb74385ed9f.patch: Fix build
+  with meson 0.60 and newer.
+- Replace pkgconfig(appstream-glib) with appstream-glib and
+  desktop-file-utils BuildRequires, and add a check section and run
+  meson_test macro, validate metainfo and desktop file during build
+  via upstream provided automated tests.
+
gnuhealth-client
+- version 4.2.1
+  * Various Tryton-patches applied, see Changelog for details
+
+- Remove %python3_install prefix and root options, that's included in
+  the macro by default.
+
gnutls
-- FIPS: PBKDF2 additional requirements [bsc#1209001]
-  * Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N)
-  * Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1)
-  * Set the minimum iterations count to 1000 (SP 800-132 sec 5.2)
-  * Set the minimum passlen of 20 characters (SP SP800-132 sec 5)
-  * Add regression tests for the new PBKDF2 requirements.
-  * Add gnutls-FIPS-pbkdf2-additional-requirements.patch
-
-- libgnutls: Increase the limit of TLS PSK usernames from 128 to
-  65535 characters. [bsc#1208237, jsc#PED-1562]
-  * Upstream: https://gitlab.com/gnutls/gnutls/commit/f032324a
-  * Add gnutls-increase-TLS-PSK-username-limit.patch
-
-- FIPS: Fix pct_test() return code in case of error [bsc#1207183]
-  * Rebase with the upstream version: gnutls-FIPS-PCT-DH.patch
+- Fix missing GNUTLS_NO_EXTENSIONS compatibility.
+  * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634
+  * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch
+
+- tests: Fix the SRP test that fails with SIGPIPE signal return due
+  to a socket being closed before using it.
+  * Add gnutls-srp-test-SIGPIPE.patch
+
+- Update to version 3.8.1:
+  * libgnutls: ClientHello extensions are randomized by default
+    To make fingerprinting harder, TLS extensions in ClientHello
+    messages are shuffled. As this behavior may cause compatibility
+    issue with legacy applications that do not accept the last
+    extension without payload, the behavior can be reverted with the
+    %NO_SHUFFLE_EXTENSIONS priority keyword.
+  * libgnutls: Add support for RFC 9258 external PSK importer.
+    This enables to deploy the same PSK across multiple TLS versions
+    (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
+    needs to set up a callback that formats the PSK identity using
+    gnutls_psk_format_imported_identity().
+  * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
+    %GNUTLS_NO_DEFAULT_EXTENSIONS.
+  * libgnutls: Add additional PBKDF limit checks in FIPS mode as
+    defined in SP 800-132. Minimum salt length is 128 bits and
+    minimum iterations bound is 1000 for PBKDF in FIPS mode.
+  * libgnutls: Add a mechanism to control whether to enforce extended
+    master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
+    session hash (extended master secret, EMS) in TLS 1.2. To enforce
+    this, a new priority keyword %FORCE_SESSION_HASH is added and if
+    it is set and EMS is not set, the peer aborts the connection. This
+    behavior is the default in FIPS mode, though it can be overridden
+    through the configuration file with the "tls-session-hash" option.
+    In either case non-EMS PRF is reported as a non-approved operation
+    through the FIPS service indicator.
+  * New option --attime to specify current time.
+    To make testing with different timestamp to the system easier, the
+    tools doing certificate verification now provide a new option
+  - -attime, which takes an arbitrary time.
+  * API and ABI modifications:
+    gnutls_psk_client_credentials_function3: New typedef
+    gnutls_psk_server_credentials_function3: New typedef
+    gnutls_psk_set_server_credentials_function3: New function
+    gnutls_psk_set_client_credentials_function3: New function
+    gnutls_psk_format_imported_identity: New function
+    GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
+  * Rebase patches:
+  - gnutls-FIPS-140-3-references.patch
+  - gnutls-FIPS-jitterentropy.patch
+  * Remove patches merged/fixed upstream:
+  - gnutls-FIPS-PCT-DH.patch
+  - gnutls-FIPS-PCT-ECDH.patch
+
+- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
+  Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+  gmp libraries. These calculated HMACs change for every build of
+  each of these packages, we only have to verify that for gnutls.
+  * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
+- Disable GNULIB's year2038 also for 32-bit arm - boo#1211394
+
+- Temporarily disable GNULIB's year2038 support for 64bit time_t
+  by using the --disable-year2038 flag. This omits support for
+  timestamps past the year 2038:
+  * Fixes the public API on 32-bit architectures avoiding to
+    change the size of time_t as it cannot be changed without
+    breaking the ABI compatibility.
+  * Upstream issue: https://gitlab.com/gnutls/gnutls/-/issues/1466
+
+- Update to 3.8.0: [bsc#1205763, bsc#1209627]
+  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
+    exchange. Reported by Hubert Kario (#1050). Fix developed by
+    Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
+    [CVE-2023-0361]
+  * libgnutls: C++ library is now header only. All definitions
+    from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
+    C++ interface have two options:
+    1. include gnutlsxx.h in their application and link against
+    the C library. (default)
+    2. include gnutlsxx.h in their application, compile with
+    GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
+    against the C++ library.
+  * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
+    priority modifier have been added to allow disabling of the
+    status_request TLS extension in the client side.
+  * libgnutls: TLS heartbeat is disabled by default.
+    The heartbeat extension in TLS (RFC 6520) is not widely used
+    given other implementations dropped support for it. To enable
+    back support for it, supply --enable-heartbeat-support to
+    configure script.
+  * libgnutls: SRP authentication is now disabled by default.
+    It is disabled because the SRP authentication in TLS is not
+    up to date with the latest TLS standards and its ciphersuites
+    are based on the CBC mode and SHA-1. To enable it back, supply
+  - -enable-srp-authentication option to configure script.
+  * libgnutls: All code has been indented using "indent -ppi1 -linux".
+    CI/CD has been adjusted to catch regressions. This is implemented
+    through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
+    commit-check. You may run devel/indent-gnutls to fix any
+    indentation issues if you make code modifications.
+  * guile: Guile-bindings removed. They have been extracted into a
+    separate project to reduce complexity and to simplify maintenance,
+    see <https://gitlab.com/gnutls/guile/>.
+  * minitasn1: Upgraded to libtasn1 version 4.19.
+  * API and ABI modifications:
+    GNUTLS_NO_STATUS_REQUEST: New flag
+    GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
+    GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member
+  * Merge gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
+    and gnutls-FIPS-jitterentropy-threadsafe.patch into the main
+    patch gnutls-FIPS-jitterentropy.patch
+  * Rebase gnutls-FIPS-140-3-references.patch
+  * Rebase patches with upstream version:
+  - gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+  * Remove patches merged/fixed upstream:
+  - gnutls-FIPS-disable-failing-tests.patch
+  - gnutls-verify-library-HMAC.patch
+  - gnutls_ECDSA_signing.patch
+  - gnutls-Make-XTS-key-check-failure-not-fatal.patch
+  - gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
+  * Update keyring with https://gnutls.org/gnutls-release-keyring.gpg
-- Security Fix: [bsc#1208143, CVE-2023-0361]
-  * Bleichenbacher oracle in TLS RSA key exchange
-  * Add gnutls-CVE-2023-0361.patch
+- Update to 3.7.9: [bsc#1208143, CVE-2023-0361]
+  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
+    exchange. [GNUTLS-SA-2020-07-14, CVSS: medium][CVE-2023-0361]
+  * Rebase gnutls-FIPS-140-3-references.patch
-- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299]
-  * Fixes a SIGILL termination at the verzoupper instruction when
-    trying to run GnuTLS on a Linux kernel with the noxsave command
-    line parameter set. Relevant mostly for virutal systems.
-  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282
-  * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch
+- switch to pkgconfig(zlib) so that alternative providers can be
+  used
+
+- Verify only the libgnutls library HMAC [bsc#1199881]
+  * Do not use the brp-50-generate-fips-hmac script as this
+    is now calculated with the internal fipshmac tool.
+  * Add gnutls-verify-library-HMAC.patch
+
+- Temporarily revert the jitterentropy patches in s390 and s390x
+  architectures until a fix is provided [bsc#1204937]
+- Disable flaky test that fails in s390x architecture:
+  * Add gnutls-disable-flaky-test-dtls-resume.patch
+
+- Consolidate the FIPS hmac files [bsc#1203245]
+  * Use the gnutls fipshmac tool instead of the brp-check-suse
+    and rename it to reflect on the library version.
+  * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
+- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
+  positive for the FIPS hmac calculation.
+
+- Update to 3.7.8:
+  * libgnutls: In FIPS140 mode, RSA signature verification is an
+    approved operation if the key has modulus with known sizes
+    (1024, 1280, 1536, and 1792 bits), in addition to any modulus
+    sizes larger than 2048 bits, according to SP800-131A rev2.
+  * libgnutls: gnutls_session_channel_binding performs additional
+    checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
+    RFC9622 4.2, the "tls-exporter" channel binding is only usable
+    when the handshake is bound to a unique master secret (i.e.,
+    either TLS 1.3 or extended master secret extension is
+    negotiated). Otherwise the function now returns error.
+  * libgnutls: usage of the following functions, which are designed
+    to loosen restrictions imposed by allowlisting mode of
+    configuration, has been additionally restricted. Invoking
+    them is now only allowed if system-wide TLS priority string
+    has not been initialized yet:
+  - gnutls_digest_set_secure
+  - gnutls_sign_set_secure
+  - gnutls_sign_set_secure_for_certs
+  - gnutls_protocol_set_enabled
+  * Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
+  - -with-guile-extension-dir configure option to properly
+    handle the guile extension directory.
+  * Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
+  * Update gnutls.keyring
+  * Add a build depencency on gtk-doc required by autoreconf
-- FIPS: Zeroize the calculated hmac and new_hmac in the
-  check_binary_integrity() function. [bsc#1191021]
-  * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch
+- FIPS: Run the CFB8 cipher selftest without offset [bsc#1203245]
+  * CFB8 list of ciphers: GNUTLS_CIPHER_AES_{128,192,256}_CFB8
+  * Add gnutls-FIPS-Run-CFB8-without-offset.patch
+
+- provide a libgnutls30-hmac-32bit to avoid uninstallable wine
+  when pattern-base-fips is installed [boo#1203353]
-- Security fix: [bsc#1202020, CVE-2022-2509]
-  * Fixed double free during verification of pkcs7 signatures
-  * Add gnutls-CVE-2022-2509.patch
-
-- FIPS:
-  * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979]
-  - gnutls_fips140_run_self_tests now properly releases fips_context
+- Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
+  * libgnutls: Fixed double free during verification of pkcs7
+    signatures. CVE-2022-2509
+  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
+    less than or equal to 255 times hash digest size, to comply with
+    RFC 5869 2.3.
+  * libgnutls: Length limit for TLS PSK usernames has been increased
+    from 128 to 65535 characters
+  * libgnutls: AES-GCM encryption function now limits plaintext
+    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+  * libgnutls: New block cipher functions have been added to
+    transparently handle padding. gnutls_cipher_encrypt3 and
+    gnutls_cipher_decrypt3 can be used in combination of
+    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
+    padding if the length of the original plaintext is not a multiple
+    of the block size.
+  * libgnutls: New function for manual FIPS self-testing.
+  * API and ABI modifications:
+  - gnutls_fips140_run_self_tests: New function
+  - gnutls_cipher_encrypt3: New function
+  - gnutls_cipher_decrypt3: New function
+  - gnutls_cipher_padding_flags_t: New enum
+  * guile: Guile 1.8 is no longer supported
+  * guile: Session record port treats premature termination as EOF Previously,
+    a 'gnutls-error' exception with the 'error/premature-termination' value
+    would be thrown while reading from a session record port when the
+    underlying session was terminated prematurely. This was inconvenient
+    since users of the port may not be prepared to handle such an exception.
+    Reading from the session record port now returns the end-of-file object
+    instead of throwing an exception, just like it would for a proper
+    session termination.
+  * guile: Session record ports can have a 'close' procedure. The
+    'session-record-port' procedure now takes an optional second parameter,
+    and a new 'set-session-record-port-close!' procedure is provided to
+    specify a 'close' procedure for a session record port. This 'close'
+    procedure lets users specify cleanup operations for when the port is
+    closed, such as closing the file descriptor or port that backs the
+    underlying session.
+  * Rebase patches:
+  - gnutls-3.6.6-set_guile_site_dir.patch
+  - gnutls-FIPS-TLS_KDF_selftest.patch
+  - gnutls-FIPS-disable-failing-tests.patch
+  * Remove patch merged upstream:
+  - gnutls-FIPS-PBKDF2-KAT-requirements.patch
+  - https://gitlab.com/gnutls/gnutls/merge_requests/1561
-  * Add gnutls-FIPS-force-self-test.patch [bsc#1198979]
-  - Provides interface for running library self tests on-demand
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598
-
-- FIPS: Make sure zeroization is performed in all API functions
-  * Add gnutls-zeroization-API-functions.patch [bsc#1191021]
-  * Upsream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573
-
-- FIPS: Add missing requirements for the SLI [bsc#1190698]
-  * Remove 3DES from FIPS approved algorithms:
-  - gnutls-Remove-3DES-from-FIPS-approved-algos.patch
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570
-  * DRBG service (gnutls_rnd) should be considered approved:
-  - gnutls-Add-missing-FIPS-service-indicator-transitions.patch
-  - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch
-  - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569
-
-- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907]
-  * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch
-  * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311
+
+- Update to version 3.7.6:
+  * libgnutls: Fixed invalid write when gnutls_realloc_zero() is
+    called with new_size < old_size. This bug caused heap
+    corruption when gnutls_realloc_zero() has been set as gmp
+    reallocfunc.
+  * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
+    upstream.
+
+- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
+  corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
+  boo#1199929).
+
+- update to 3.7.5:
+  * add options disable session ticket usage in TLS 1.2 because
+    it does not provide forward secrecy
+  * For TLS 1.3 where session tickets do provide forward secrecy,
+    the PFS priority string now only disables session tickets in
+    TLS 1.2.
+  * Future backward incompatibility: in the next major release of
+    GnuTLS those flag and modifier are planned to be removed
+  * gnutls-cli, gnutls-serv: Channel binding for printing
+    information has been changed from tls-unique to tls-exporter
+    as tls-unique is not supported in TLS 1.3.
+  * Certificate sanity checks has been enhanced to make gnutls
+    more RFC 5280 compliant:
+  * Removed 3DES from FIPS approved algorithms
+  * Optimized support for AES-SIV-CMAC algorithms
+  * libgnutls: HKDF and AES-GCM algorithms are now approved in
+    FIPS-140 mode when used in TLS
+
+- disable kcapi usage for now, as kernel-obs-build not adjusted
+  to contain the algorithms. bsc#1189283
-  * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561
+- Update to 3.7.4:
+  * libgnutls: Added support for certificate compression as defined
+    in RFC8879.
+  * certtool: Added option --compress-cert that allows user to
+    specify compression  methods for certificate compression.
+  * libgnutls: GnuTLS can now be compiled with --enable-strict-x509
+    configure option to enforce stricter certificate sanity checks
+    that are compliant with RFC5280.
+  * libgnutls: Removed IA5String type from DirectoryString within
+    issuer and subject name to make DirectoryString RFC5280 compliant.
+  * libgnutls: Added function to retrieve the name of current
+    ciphersuite from session.
+  * Bump libgnutlsxx soname due to ABI break
+  * API and ABI modifications:
+  - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
+  - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
+  - gnutls_compress_certificate_get_selected_method: Added
+  - gnutls_compress_certificate_set_methods: Added
+  * Update gnutls.keyring
+
+- build with lto
+- build with -Wl,-z,now -Wl,-z,relro
+- build without -fanalyzer, which cuts build time in ~ half
+
-  - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287]
-
-- Account for the libnettle soname bump [jsc#SLE-19765]
+- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287]
+- Add DANE guards
-- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139]
-  - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch
-  - Rebased patches:
-  * disable-psk-file-test.patch
-  * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-  * gnutls-fips_mode_enabled.patch
-  - Remove patches merged upstream:
-  * gnutls-CVE-2020-11501.patch
-  * gnutls-CVE-2020-13777.patch
-  * gnutls-CVE-2020-24659.patch
-  * gnutls-CVE-2021-20231.patch
-  * gnutls-CVE-2021-20232.patch
-  * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-  * gnutls-fips_XTS_key_check.patch
-  * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-  * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-  * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-  * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-  * 0001-Add-Full-Public-Key-Check-for-DH.patch
-  * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-  * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-  * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-  * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-  * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-  * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-  * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-  * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-  * 0001-dh-check-validity-of-Z-before-export.patch
-  * 0002-ecdh-check-validity-of-P-before-export.patch
-  * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-  * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-  * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-  * 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-  * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
-  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-  * gnutls-3.6.7-fix-FTBFS-2024.patch
-  * gnutls-3.6.7-reproducible-date.patch
+- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch
+  since its already working.
-- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579)
-- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218)
+- Rework the crypto-policies dependencies in libraries [bsc#1186385]
+
+- Compute the FIPS hmac file without re-defining the
+  __os_install_post macro, use the brp-50-generate-fips-hmac
+  script instead. [bsc#1184555]
-- Security fix: [bsc#1183456, CVE-2021-20232]
-  * A use after free issue in client_send_params
-    in lib/ext/pre_shared_key.c may lead to memory
-    corruption and other potential consequences.
-- Add gnutls-CVE-2021-20232.patch
-
-- Security fix: [bsc#1183457, CVE-2021-20231]
-  * A use after free issue in client sending key_share extension
-    may lead to memory corruption and other consequences.
-- Add gnutls-CVE-2021-20231.patch
+- Require the main package in devel and lib packages as the default
+  priorities are now set via crypto-policies. [bsc#1183082]
-    verification
+  verification
+- Add version guards for the crypto-policies package
-- Avoid spurious audit messages about incompatible signature algorithms
-  (bsc#1172695)
-  * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
+- Require the crypto-policies package [bsc#1180051]
-- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
-  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-- FIPS: Add TLS KDF selftest (bsc#1176671)
-  * add gnutls-FIPS-TLS_KDF_selftest.patch
-
-- Escape rpm command %%expand when used in comment.
+- Use the centralized crypto policy profile (jsc#SLE-15832)
-
-- Fix heap buffer overflow in handshake with no_renegotiation alert sent
-  * CVE-2020-24659 (bsc#1176181)
-- add gnutls-CVE-2020-24659.patch
-
-- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
-- add patches
-  * 0001-Add-Full-Public-Key-Check-for-DH.patch
-  * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-  * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-  * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-  * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-  * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-  * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-  * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-  * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-  * 0001-dh-check-validity-of-Z-before-export.patch
-  * 0002-ecdh-check-validity-of-P-before-export.patch
-  * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-  * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-  * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
+- Escape rpm command %%expand when used in comment.
-- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction)
-  The TLS server would not bind the session ticket encryption key with a
-  value supplied by the application until the initial key rotation, allowing
-  attacker to bypass authentication in TLS 1.3 and recover previous
-  conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
-  * add patches:
-    + gnutls-CVE-2020-13777.patch
-- Fixed handling of certificate chain with cross-signed intermediate
-  CA certificates (#1008). (bsc#1172461)
-  * add patches:
-    +  0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-    +  0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-    +  0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-    +  0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-
-- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
-  * add gnutls-3.6.7-fips-rsa-4096.patch
-
-- Don't check for /etc/system-fips which we don't have (bsc#1169992)
-  * add gnutls-fips_mode_enabled.patch
-
-- Backport AES XTS support (bsc#1168835)
-  * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-  * add gnutls-fips_XTS_key_check.patch
-
-  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support)
+  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
+  support)
-- Fix zero random value in DTLS client hello
-  (CVE-2020-11501, bsc#1168345)
-  * add gnutls-CVE-2020-11501.patch
-
-  * update baselibs.conf
-
-- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue
-  * No longer truncate output IV if input is shorter than block size.
-  * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-
-- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test
-  * Added Diffie Hellman public key verification test.
-  * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
-- Explicitly require libnettle 3.4.1 (bsc#1134856)
-  * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order
-    to fix CVE-2018-16868, the new implementation makes use of a new
-    rsa_sec_decrypt() function introduced in libnettle 3.4.1
-  * libnettle was recently updated to the 3.4.1 version but we need
-    to add explicit dependency on it to prevent missing symbol errors
-    with the older versions
-
-- Restored autoreconf in build.
-- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-  since the version requirements of required libraries are once again
-  automatically determined.
-- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a
-  better patch name for handling the '--with-guile-site-dir=' problem in
-  3.6.7.
-
-- Disabled dane support since dane is not shipped with SLE-15
+- Disabled dane support in SLE since dane is not shipped there
-  option '--with-guile-site-dir=' was removed from the configure script in 3.6.7.
-  * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
+  option '--with-guile-site-dir=' was removed from the configure script.
+  * * Added gnutls-3.6.6-set_guile_site_dir.patch
-- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification
-  and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868)
-- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3
+- Update to 3.6.6
-  * Removed patches:
-    0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
-    0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
-    0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
-    0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
-  * Added Patches:
-  * * disable failing psk-file test (race condition):
-    disable-psk-file-test.patch
-  * * Patch configure script to accept specific versions of autotools and guile
-    that are present in SUSE-SLE15. (A bug prevents configure from accepting
-    a range of compatible versions. Upstream's solution is to hardwire for
-    the most current versions.)
-    gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-  * Modified:
-  * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-- Security update
-  Improve mitigations against Lucky 13 class of attacks
-  * "Just in Time" PRIME + PROBE cache-based side channel attack
-    can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
-  * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of
-    wrong constant (CVE-2018-10845, bsc#1105459)
-  * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not
-    enough dummy function calls (CVE-2018-10844, bsc#1105437)
-  * add patches:
-    0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
-    0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
-    0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
-    0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
-
google-guest-agent
+- Update to version 20231031.01 (bsc#1216547, bsc#1216751)
+  * Add prefix to scheduler logs (#325)
+- from version 20231030.00
+  * Test configuration files are loaded in the documented
+    order. Fix initial integration test. (#324)
+  * Enable mTLS by default (#323)
+- from version 20231026.00
+  * Rotate MDS root certificate (#322)
+- from version 20231020.00
+  * Update response struct, add tests (#315)
+  * Don't try to schedule mTLS job twice (#317)
+- from version 20231019.00
+  * snapshot: Add context cancellation handling (#318)
+
+- Bump the golang compiler version to 1.21 (bsc#1216546)
+
+- Update to version 20231016.00
+  * instance setup: trust/rely on metadata package's retry (#316)
+- from version 20231013.01
+  * Update known cert dirs for updaters (#314)
+- from version 20231011.00
+  * Verify cert refresher is enabled before running (#312)
+- from version 20231009.00
+  * Add support for the SSH key options (#296)
+- from version 20231006.01
+  * Events interface improvement (#290)
+- from version 20231006.00
+  * Refactor script runner to use common metadata package (#311)
+  * Schedule MTLS job before notifying systemd (#310)
+  * Refactor authorized keys to use metadata package (#300)
+- from version 20231005.00
+  * docs update: add configuration and event manager's docs. (#309)
+- from version 20231004.01
+  * Fix license header (#301)
+  * packaging(deb): add epoch to oslogin dep declaration (#308)
+- from version 20231004.00
+  * packaging(deb): ignore suffix of version (#306)
+  * packaging: force epoch and ignore suffix of version (#305)
+- from version 20231003.01
+  * oslogin: declare explicitly dependency (#304)
+  * oslogin: remove Unstable.pamless_auth_stack feature flag (#303)
+- from version 20231003.00
+  * oslogin: resort ssh configuration keys (#299)
+- from version 20230925.00
+  * oslogin: introduce a feature flag to cert auth (#298)
+- from version 20230923.00
+  * gitignore: unify ignore in the root dir (#297)
+- from version 20230921.01
+  * managers: we accidentally disabled addressMgr, bring it back (#295)
+  * cfg: fix typos (#294)
+  * cfg: config typos (#293)
+  * cfg: introduce a configuration management package (#288)
+- from version 20230921.00
+  * mtls: bring it back (#292)
+- from version 20230920.01
+  * Fix permissions on file created by SaferWriteFile() (#291)
+- from version 20230920.00
+  * sshca: re-enable the event watcher & handler (#289)
+- from version 20230919.01
+  * oslogin: add PAMless Authorization Stack configuration (#285)
+- from version 20230919.00
+  * Preparing it for review (#287)
+  * sshca: make sure to restore SELinux context of the pipe (#286)
+  * remove deprecated usage, fix warnings (#282)
+  * Update system store (#278)
+  * Update workload certificate endpoints, use metadata package (#275)
+  * metadata: use url package to form metadata URLs (#284)
+- from version 20230913.00
+  * release prep: disable ssh trusted ca module (#281)
+- from version 20230912.00
+  * New Guest Agent Release (#280)
+- from version 20230909.00
+  * Revert "service: remove the use of the service library (#273)" (#276)
+  * service: remove the use of the service library (#273)
+- from version 20230906.01
+  * Store keys to machine keyset (#272)
+- from version 20230905.00
+  * restorecon: first try to determine if it's installed (#271)
+  * run: change all commands to use CommandContext (#268)
+  * Notify systemd after scheduling required jobs (#270)
+  * Store certs in ProgramData instead of Program Files (#269)
+  * metadata watcher: remove local retry & implement unit tests (#267)
+  * run: split command running utilities into its own package (#265)
+
+- Update to version 20230828.00
+  * snapshot: Use main context rather than create its own (#266)
+- from version 20230825.01
+  * Verify if cert was successfully added to certpool (#264)
+- from version 20230825.00
+  * Find previous cert for cleanup using one stored on disk (#263)
+- from version 20230823.00
+  * Revert "sshtrustedca: configure selinux context
+    for sshtrustedca pipe (#256)" (#262)
+  * Update credentials directory on Linux (#260)
+- from version 20230821.00
+  * Update owners (#261)
+- from version 20230819.00
+  * Revert "guest-agent: prepare for public release (#258)" (#259)
+- from version 20230817.00
+  * guest-agent: prepare for public release (#258)
+- from version 20230816.01
+  * Enable telemetry collection by default (#253)
+- from version 20230816.00
+  * Add pkcs12 license and update retry logic (#257)
+  * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256)
+  * Store windows certs in certstore (#255)
+  * events: Multiplex event watchers (#250)
+  * Scheduler fixes (#254)
+  * Update license files (#251)
+  * Run telemetry every 24 hours, record pretty name on linux (#248)
+
+- Update to version 20230811.00
+  * sshca: move the event handler to its own package (#247)
+- from version 20230809.02
+  * Move scheduler package to google_guest_agent (#249)
+- from version 20230809.01
+  * Add scheduler utility to run jobs at interval (#244)
+- from version 20230809.00
+  * sshca: transform the format from json to openssh (#246)
+- from version 20230803.00
+  * Add support for reading UEFI variables on windows (#243)
+- from version 20230801.03
+  * sshtrustedca watcher: fix concurrency error (#242)
+- from version 20230801.02
+  * metadata: add a delta between http client timeout and hang (#241)
+- from version 20230801.00
+  * metadata: properly set request config (#240)
+  * main: bring back the mds client initialization (#239)
+  * metadata: don't try to use metadata before agentInit() is done (#238)
+  * Add (disabled) telemetry logic to GuestAgent (#219)
+  * metadata event handler: updates and bug fixes (#235)
+  * Verify client credentials are signed by root CA before writing on disk (#236)
+  * metadata: properly handle context cancelation (#234)
+  * metadata: fix context cancelation error check (#233)
+  * metadata: remove the sleep around metadata in instance setup (#232)
+  * metadata: implement backoff strategy (#231)
+  * Decrypt and store client credentials on disk (#230)
+  * Upgrade Go version 1.20 (#228)
+  * Fetch guest credentials and add MDS response proto (#226)
+  * metadata: pass main context to WriteGuestAttributes() (#227)
+  * Support for reading & writing Root CA cert from UEFI variable (#225)
+  * ssh_trusted_ca: enable the feature (#224)
+  * sshTrustedCA: add pipe event handler (#222)
+  * events: start using events layer (#223)
+- from version 20230726.00
+  * events: introducing a events handling subsystem (#221)
+- from version 20230725.00
+  * metadata: add metadata client interface (#220)
+- from version 20230711.00
+  * metadata: moving to its own package (#218)
+- from version 20230707.00
+  * snapshot: fix request handling error (#217)
+- Bump Go API version to 1.20
+
google-guest-oslogin
+- Update to version 20231101.00 (bsc#1216548, bsc#1216750)
+  * Fix HTTP calls retry logic (#117)
+
+- Update to version 20231004
+  * packaging: Make the dependency explicit (#120)
+
+- update to 20230926.00:
+  * fix suse build
+  * selinux: fix selinux build (#114)
+  * test: align CXX Flags
+  * sshca: Make the implementation more C++ like
+  * sshca: Add a SysLog wrapper
+  * oslogin_utils: introduce AuthorizeUser() API
+  * sshca: move it out of pam dir
+  * pam: start disabling the use of oslogin_sshca
+  * sshca: consider sshca API to assume a cert only
+  * authorized principals: introduce the new command
+  * authorize keys: update to use new APIs
+  * pam modules: remove pam_*_admin and update pam_*_login
+  * cache_refresh: should be catching by reference.
+
+- Update to version 20230823.00
+  * selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
+- from version 20230822.00
+  * sshca: Add tests with fingerprint and multiple extensions (#111)
+- from version 20230821.01
+  * sshca: Support method token and handle multi line (#109)
+- from version 20230821.00
+  * Update owners (#110)
+
+- Update to version 20230808.00
+  * byoid: extract and apply the ca fingerprint to policy call (#106)
+
+- Update to version 20230502.00
+  * Improve the URL in 2fa prompt (#104)
+- from version 20230406.02
+  * Check open files (#101)
+- from version 20230406.01
+  * Initialize variables (#100)
+  * Fix formatting (#102)
+- from version 20230406.00
+  * PAM cleanup: remove duplicates (#97)
+- from version 20230405.00
+  * NSS cleanup (#98)
+- from version 20230403.01
+  * Cleanup Makefiles (#95)
+- from version 20230403.00
+  * Add anandadalton to the owners list (#96)
+
+- Update to version 20230217.00
+  * Update OWNERS (#91)
+- from version 20230202.00
+  * Update owners file (#89)
+
google-noto-sans-cjk-fonts
+- use synthetic version 20201202.2.2004, as maintenance updates cannot
+  do version downgrades.
+
+feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts
+- The Noto Coloremoji fonts have already been renamed by now
+- The other Noto fonts will be renamed once upstream finishes migrating them to the new website
+  * https://github.com/notofonts/notofonts.github.io
+  fix: move zh_MO obsoletes and provides to Hong Kong TC fonts
+- Macau is physically and culturally closer to Hong Kong than Taiwan
+  fix: summary and description for Hong Kong TC fonts
+
+- Move google-noto-serif-cjk-fonts into its own repository again
+
+- Update version to 2.004
+- Follow upstream versioning: use version numbers instead of dates
+
+- Fix the source URL to be properly downloadable
+
+- Update version to 2.002(20201202)
+  * The copyright year was changed from “2014–2019” to “2014–2020.”
+  * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83.
+    Extension G encodings were added for U+30729, U+30EDD, U+30EDE,
+    and U+3106C and the previous GSUB rules were removed.
+  * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87
+  * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A
+  * Mapped HK U+5C13 尓 to JP glyph
+  * Fixed U+21B9 as reported in Issue #260
+  * Changed Korean mapping for U+51A4 as reported in Issue #202
+  * The weights for Kanbun glyphs U+3191–U+319F have been adjusted
+    as mentioned in the table at the beginning of Issue #205.
+  * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276
+- Fix descriptions for *-full packages
+
+- Update version to 2.001(20190410)
+  * A second flavor of Traditional Chinese, for Hong Kong and supporting the
+    HKSCS-2016 standard, was add- ed, which increased the total number of font
+    resources by 16, from 72 to 88.
+  * 155 new mappings have been added to the CMap resources. 66 are from BMP code
+    points, 22 are from Plane 1 code points, and the remaining 67 are from
+    Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from
+    Extension B, two are from Extension C, three are from Extension E, and the
+    remaining five are from Extension F.
+  * As a result of removing approximately 1,750 glyphs in order to make room for
+    approximately 1,750 new glyphs, the CID assignments of the glyphs
+    necessarily—and drastically—changed. The CID assignments of exactly 200
+    glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232,
+    47262–47272, 47281–47286, and 65484.
+  * The Traditional Chinese form of the Radical #162 čžś component was improved.
+  * The URO is complete up through U+9FEF (Unicode Version 11.0).
+  * The glyphs for some of the kana were tweaked.
+  * The glyphs and support for bopomofo, along with their tone marks, were
+    improved. This involved adding the 'GDEF' (Glyph Definition) table, the
+    'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion
+    Forms) GSUB feature.
+  * The language and script declarations in the 'locl' and 'vert' GSUB features
+    were improved.
+  * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency
+  hangul syllables have been incorporated into the Unicode-base glyph synopsis
+  PDFs, and are bookmarked under the “Korean” book- mark.
+  * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359),
+    are included. This character has been reserved for the two-ideograph square
+    ligature that represents the name of Japan’s forthcoming new era which
+    starts on 2019-05-01, and will be the only character added in Unicode
+    Version 12.1.
+  * Like Source Han Serif, the CIDFont and CMap resources do not include XUID
+    arrays.
+  * Like Source Han Serif, there are no mappings for the range U+0000 through
+    U+001F.
+  * Like Source Han Serif, the code points that correspond to Halfwidth Jamo
+    variants map to glyphs that cor- respond to code points in the Hangul
+    Compatibility Jamo block. In other words, the glyphs for half-width jamo
+    have been removed.
+  * Like Source Han Serif, the 'name' table does not includes any Macintosh
+    (PlatformID=1) strings.
+  * Like Source Han Serif, the Regular weight is now style-linked to the Bold
+    weight. This means that the Bold weight may not appear in the font menu,
+    particularly when using applications that support style-linking as a way to
+    make text bold.
+  * Like Source Han Serif, the 'vert' GPOS feature is included.
+  * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not
+    included in the Korean fonts and font instances.
+- Split HongKong Fonts for NotoSans.
+
google-noto-serif-cjk-fonts
+- use 20201202.2.002 to still have linear increase in versions
+
+feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts
+- The Noto Coloremoji fonts have already been renamed by now
+- The other Noto fonts will be renamed once upstream finishes migrating them to the new website
+  * https://github.com/notofonts/notofonts.github.io
+  fix: move zh_MO obsoletes and provides to Hong Kong TC fonts
+- Macau is physically and culturally closer to Hong Kong than Taiwan
+
+- Move google-noto-serif-cjk-fonts into its own repository again
+
+- Update version to 2.001
+- Follow upstream versioning: use version numbers instead of dates
+
+- Fix the source URL to be properly downloadable
+
+- Update version to 2.002(20201202)
+  * The copyright year was changed from “2014–2019” to “2014–2020.”
+  * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83.
+    Extension G encodings were added for U+30729, U+30EDD, U+30EDE,
+    and U+3106C and the previous GSUB rules were removed.
+  * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87
+  * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A
+  * Mapped HK U+5C13 尓 to JP glyph
+  * Fixed U+21B9 as reported in Issue #260
+  * Changed Korean mapping for U+51A4 as reported in Issue #202
+  * The weights for Kanbun glyphs U+3191–U+319F have been adjusted
+    as mentioned in the table at the beginning of Issue #205.
+  * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276
+
+- Update version to 2.001(20190410)
+  * A second flavor of Traditional Chinese, for Hong Kong and supporting the
+    HKSCS-2016 standard, was add- ed, which increased the total number of font
+    resources by 16, from 72 to 88.
+  * 155 new mappings have been added to the CMap resources. 66 are from BMP code
+    points, 22 are from Plane 1 code points, and the remaining 67 are from
+    Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from
+    Extension B, two are from Extension C, three are from Extension E, and the
+    remaining five are from Extension F.
+  * As a result of removing approximately 1,750 glyphs in order to make room for
+    approximately 1,750 new glyphs, the CID assignments of the glyphs
+    necessarily—and drastically—changed. The CID assignments of exactly 200
+    glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232,
+    47262–47272, 47281–47286, and 65484.
+  * The Traditional Chinese form of the Radical #162 čžś component was improved.
+  * The URO is complete up through U+9FEF (Unicode Version 11.0).
+  * The glyphs for some of the kana were tweaked.
+  * The glyphs and support for bopomofo, along with their tone marks, were
+    improved. This involved adding the 'GDEF' (Glyph Definition) table, the
+    'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion
+    Forms) GSUB feature.
+  * The language and script declarations in the 'locl' and 'vert' GSUB features
+    were improved.
+  * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency
+  hangul syllables have been incorporated into the Unicode-base glyph synopsis
+  PDFs, and are bookmarked under the “Korean” book- mark.
+  * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359),
+    are included. This character has been reserved for the two-ideograph square
+    ligature that represents the name of Japan’s forthcoming new era which
+    starts on 2019-05-01, and will be the only character added in Unicode
+    Version 12.1.
+  * Like Source Han Serif, the CIDFont and CMap resources do not include XUID
+    arrays.
+  * Like Source Han Serif, there are no mappings for the range U+0000 through
+    U+001F.
+  * Like Source Han Serif, the code points that correspond to Halfwidth Jamo
+    variants map to glyphs that cor- respond to code points in the Hangul
+    Compatibility Jamo block. In other words, the glyphs for half-width jamo
+    have been removed.
+  * Like Source Han Serif, the 'name' table does not includes any Macintosh
+    (PlatformID=1) strings.
+  * Like Source Han Serif, the Regular weight is now style-linked to the Bold
+    weight. This means that the Bold weight may not appear in the font menu,
+    particularly when using applications that support style-linking as a way to
+    make text bold.
+  * Like Source Han Serif, the 'vert' GPOS feature is included.
+  * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not
+    included in the Korean fonts and font instances.
+- Split HongKong Fonts for NotoSans.
+
gpg2
-- Security fix [CVE-2022-34903, bsc#1201225]
-  - Vulnerable to status injection
-  - Added patch gnupg-CVE-2022-34903.patch
-
-- gnupg-detect_FIPS_mode.patch: use AES as default cipher instead
-  of 3DES if we are in FIPS mode. (bsc#1196125)
-
-- Update gpg2 for SLE15-SP3 [jsc#SLE-17559, bsc#1182572]
-- Remove patches fixed upstream:
-  * gnupg-gpg-agent-ssh-agent.patch
-  * gnupg-2.2.22-fix-segv-import-keys.patch
-  * gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch
-  * gnupg-CRL-fetching-via-https.patch
-  * gnupg-CVE-2018-1000858.patch
-  * gnupg-CVE-2018-12020.patch
-  * gnupg-CVE-2019-13050_0_of_5.patch
-  * gnupg-CVE-2019-13050_1_of_5.patch
-  * gnupg-CVE-2019-13050_2_of_5.patch
-  * gnupg-CVE-2019-13050_3_of_5.patch
-  * gnupg-CVE-2019-13050_4_of_5.patch
-  * gnupg-CVE-2019-13050_5_of_5.patch
-  * gnupg-CVE-2019-14855.patch
-- Update gpg2.keyring
+- Fix the build in SLE and Leap by adding an exclude in the files
+  section for the dirmngr's systemd user units. [jsc#PED-7093]
+
+- Do not pull revision info from GIT when autoconf is run. This
+  removes the -unknown suffix after the version number.
+  * Add gnupg-nobetasuffix.patch [bsc#1216334]
+
+- Fix Emacs EasyPG behavior when parsing output:
+  * gpg: Report BEGIN_* status before examining the input.
+  * Upstream task: https://dev.gnupg.org/T6481
+  * Add gnupg-Report-BEGIN_-status-before-examining-the-input.patch
+
+- Install the internal executables in the /usr/libexec dir instead
+  of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth
+  gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase,
+  gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon.
+
+- Provide the systemd-user files since they have been removed
+  upstream since version 2.4.1. [bsc#1201564]
+  * Add gpg2-systemd-user.tar.xz
+
+- Install the systemd user units in the _userunitdir [bsc#1201564]
+  * Note that, there is no activation by default.
+  * Rework excludes in the spec's files section.
+
+- Revert back to use the IBM TPM Software stack.
+
+- Update to 2.4.3:
+  * gpg: Set default expiration date to 3 years. [T2701]
+  * gpg: Add --list-filter properties "key_expires" and
+    "key_expires_d". [T6529]
+  * gpg: Emit status line and proper diagnostics for write errors. [T6528]
+  * gpg: Make progress work for large files on Windows. [T6534]
+  * gpg: New option --no-compress as alias for -z0.
+  * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
+  * gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
+  * gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
+  * gpgtar: New option --no-compress.
+  * dirmngr: Extend the AD_QUERY command. [rG207c99567c]
+  * dirmngr: Disable the HTTP redirect rewriting. [T6477]
+  * dirmngr: New option --compatibility-flags. [rGbf04b07327]
+  * dirmngr: New option --ignore-crl-extensions. [T6545]
+  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
+    commands. [rG2c7f7a5a27]
+  * wkd: Make --add-revocs the default in gpg-wks-client. New option
+  - -no-add-revocs. [rG10c937ee68]
+  * scd: Make signing work for Nexus cards. [rGb83d86b988]
+  * scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce]
+
+- Update to 2.4.2:
+  * gpg: Print a warning if no more encryption subkeys are left over
+    after changing the expiration date.  [rGef2c3d50fa]
+  * gpg: Fix searching for the ADSK key when adding an ADSK.  [T6504]
+  * gpgsm: Speed up key listings on Windows.  [rG08ff55bd44]
+  * gpgsm: Reduce the number of "failed to open policy file"
+    diagnostics.  [rG68613a6a9d]
+  * agent: Make updating of private key files more robust and track
+    display S/N.  [T6135]
+  * keyboxd: Avoid longish delays on Windows when listing keys.
+    [rG6944aefa3c]
+  * gpgtar: Emit extra status lines to help GPGME.  [T6497]
+  * w32: Avoid using the VirtualStore.  [T6403]
+  * Rebase gnupg-add_legacy_FIPS_mode_option.patch
+
+- Update to 2.4.1:
+  * If the ~/.gnupg directory does not exist, the keyboxd is now
+    automagically enabled. [rGd9e7488b17]
+  * gpg: New option --add-desig-revoker. [rG3d094e2bcf]
+  * gpg: New option --assert-signer. [rGc9e95b8dee]
+  * gpg: New command --quick-add-adsk and other ADSK features.
+    [T6395, https://gnupg.org/blog/20230321-adsk.html]
+  * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]"
+    instead of the user-id in key signature listings. [rG103acfe9ca]
+  * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367]
+  * gpg: Detect already compressed data also when using a pipe. Also
+    detect JPEG and PNG file formats. [T6332]
+  * gpg: New subcommand "openpgp" for --card-edit. [T6462]
+  * gpgsm: Verification of detached signatures does now strip trailing
+    zeroes from the input if --assume-binary is used. [rG2a13f7f9dc]
+  * gpgsm: Non-armored detached signature are now created without
+    using indefinite form length octets. This improves compatibility
+    with some PDF signature verification software. [rG8996b0b655]
+  * gpgtar: Emit progress status lines in create mode. [T6363]
+  * dirmngr: The LDAP modifyTimestamp is now returned by some
+    keyserver commands. [rG56d309133f]
+  * ssh: Allow specification of the order keys are presented to ssh.
+    See the man page entry for --enable-ssh-support. [T5996, T6212]
+  * gpg: Make list-options "show-sig-subpackets" work again.
+    Fixes regression in 2.4.0. [rG5a223303d7]
+  * gpg: Fix the keytocard command for Yubikeys. [T6378]
+  * gpg: Do not continue an export after a cancel for the primary key. [T6093]
+  * gpg: Replace the --override-compliance-check hack by a real fix. [T5655]
+  * gpgtar: Fix decryption with input taken from stdin. [T6355]
+  * Rebase patches:
+  - gnupg-revert-rfc4880bis.patch
+  - gnupg-add_legacy_FIPS_mode_option.patch
+  * Remove patch fixed upstream:
+  - gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
+
+- Temporarily revert back to the pre-2.4 default for key generation.
+  The new rfc4880bis has been set as the default in 2.4 version and
+  might create incompatible keys. Note that, rfc4880bis can still
+  be used with the option flag --rfc4880bis as in previous versions.
+  * More info in the gnupg-devel ML:
+    https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
+  * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
+  * Add gnupg-revert-rfc4880bis.patch
+
+- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
+  * Add gnupg-allow-large-rsa.patch
+
+- Fix the regression test suite fails with the IBM TPM Software
+  stack. Builds fine using the Intel TPM; use the swtpm and
+  tpm2-0-tss-devel packages instead of ibmswtpm2 and ibmtss-devel.
+
+- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313
+  * The original patch has been modified to expand the changes
+    also to the tests/gpgme/Makefile.in file.
+  * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
+
+- Updated to require libgpg-error-devel >= 1.46
+- Rebased patches:
+  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+  * gnupg-add_legacy_FIPS_mode_option.patch
+- GnuPG 2.4.0:
+  * common: Fix translations in --help for gpgrt < 1.47.
+  * gpg: Do not continue the export after a cancel for the primary key.
+  * gpg: Replace use of PRIu64 in log_debug.
+  * Update NEWS for 2.4.0.
+  * tests: Fix make check with GPGME.
+  * agent: Allow arguments to "scd serialno" in restricted mode.
+  * scd:p15: Skip deleted records.
+  * build: Remove Windows CE support.
+  * wkd: Do not send/install/mirror expired user ids.
+  * gpgsm: Print the revocation time also with --verify.
+  * gpgsm: Fix "problem re-searching certificate" case.
+  * gpgsm: Print revocation date and reason in cert listings.
+  * gpgsm: Silence the "non-critical certificate policy not allowed".
+  * gpgsm: Always use the chain model if the root-CA requests this.
+  * gpg: New export option "mode1003".
+  * gpg: Remove a mostly duplicated function.
+  * tests: Simplify fake-pinentry to use the option only.
+  * tests: Fix fake-pinentry for Windows.
+  * tests: Fix make check-all.
+  * agent: Fix import of protected v5 keys.
+  * gpgsm: Change default algo to AES-256.
+  * tests: Put a workaround for semihosted environment.
+  * tests: More fix for semihosted environment.
+  * tests: Support semihosted environment.
+  * tests: Fix tests under cms.
+  * tests,w32: Fix for semihosted environment.
+  * w32: Fix for tests on semihosted environment.
+  * w32: Fix gnupg_unsetenv.
+  * wkd: New option --add-revocs and some fixes.
+  * wkd: Make use of --debug extprog.
+  * gpg: New export-filter export-revocs.
+  * gpg: Fix double-free in gpg --card-edit.
+  * gpg: Make --require-compliance work with out --status-fd.
+  * gpg: New option --list-filter.
+  * dirmngr: Silence ocsp debug output.
+  * tests: Fix to support --enable-all-tests and variants.
+  * tests:w32: Fix for non-dot file name for Windows.
+  * tests:gpgscm:w32: Fix for GetTempPath.
+  * tests: Keep .log files in objdir.
+  * tests: Use 233 for invalid value of FD.
+  * w32: Fix gnupg_tmpfile for possible failure.
+  * scd: Redact --debug cardio output of a VERIFY APDU.
+  * common: Remove Windows CE support in common.
+  * gpgsm: Fix colon outout of ECC encryption certificates.
+  * scd:nks: Fix ECC signing if key not given by keygrip.
+  * dirmngr: Fix verification of ECDSA signed CRLs.
+  * agent: Allow trustlist on Windows in Unicode homedirs.
+  * gpg: Fix verification of cleartext signatures with overlong lines.
+  * gpg: Move w32_system function.
+  * gpg: New option --quick-update-pref.
+  * gpg: New list-options show-pref and show-pref-verbose.
+  * tests: Add tests to check that OCB is only used for capable keys.
+  * gpg: Make --list-packets work w/o --no-armor for plain OCB packets.
+  * tests: Add symmetric decryption tests.
+  * tests: Add tr:assert-same function.
+  * agent: Avoid blanks in the ssh key's comment.
+  * build: Update m4 files.
+  * gpg: Merge --rfc4880bis features into --gnupg.
+  * gpg: Allow only OCB for AEAD encryption.
+  * gpg: New option --compatibility-flags.
+  * gpgsm: Also announce AES256-CBC in signatures.
+  * gpg: Fix trusted introducer for user-ids with only the mbox.
+  * gpg: Import stray revocation certificates.
+  * agent: Automatically convert to extended key format by KEYATTR.
+  * card: New commands "gpg" and "gpgsm".
+  * card: Also show fingerprints of known X.509 certificates.
+  * scd:nks: Support non-ESIGN signing with the Signature Card v2.
+  * gpgsm: Allow ECC encryption keys with just keyAgreement specified.
+  * gpgsm: Use macro constants for cert_usage_p.
+  * build: Update gpg-error.m4.
+  * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument.
+  * gpg: Move NETLIBS after GPG_ERROR_LIBS.
+  * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future.
+  * common,w32: Fix struct stat on Windows.
+  * agent,w32: Support Win32-OpenSSH emulation by gpg-agent.
+  * common: Don't use FD2INT for POSIX-only code.
+  * dirmngr: Fix build with no LDAP support.
+
+- GnuPG 2.3.8:
+  * gpg: Do not consider unknown public keys as non-compliant while
+    decrypting.
+  * gpg: Avoid to emit a compliance mode line if Libgcrypt is
+    non-compliant.
+  * gpg: Improve --edit-key setpref command to ease c+p.
+  * gpg: Emit an ERROR status if --quick-set-primary-uid fails and
+    allow to pass the user ID by hash.
+  * gpg: Actually show symmetric+pubkey encrypted data as de-vs
+    compliant.  Add extra compliance checks for symkey_enc packets.
+  * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
+    preference.
+  * gpgsm: Fix reporting of bad passphrase error during PKCS#11
+    import.
+  * agent: Fix a regression in "READKEY --format=ssh".
+  * agent: New option --need-attr for KEYINFO.
+  * agent: New attribute "Remote-list" for use by KEYINFO.
+  * scd: Fix problem with Yubikey 5.4 firmware.
+  * dirmngr: Fix CRL Distribution Point fallback to other schemes.
+  * dirmngr: New LDAP server flag "areconly" (A-record-only).
+  * dirmngr: Fix upload of multiple keys for an LDAP server specified
+    using the colon format.
+  * dirmngr: Use LDAP schema v2 when a Base DN is specified.
+  * dirmngr: Avoid caching expired certificates.
+  * wkd: Fix path traversal attack in gpg-wks-server. Add the mail
+    address to the pending request data.
+  * wkd: New command --mirror for gpg-wks-client.
+  * gpg-auth: New tool for authentication.
+  * New common.conf option no-autostart.
+  * Silence warnings from AllowSetForegroundWindow unless
+    GNUPG_EXEC_DEBUG_FLAGS is used.
+  * Rebase gnupg-detect_FIPS_mode.patch
+  * Remove patch upstream:
+  - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+
+- Fix YubiKey 5 Nano support (boo#1202201), add
+  gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+
+- GnuPG 2.3.7:
+  * CVE-2022-34903: garbled status messages could trick gpgme and
+    other parsers to accept faked status lines [boo#1201225]
+  * A number of bug fixes to the gpg command line interface
+  * gpgsm gained a number of new options and got some rework on
+    the PKCS#12 parser to support DFN issues keys
+  * The gpg agent got some added options and UI tweaks
+  * smart card support got a number of bug fixes, and improved
+    support for Technology Nexus cards and Yubikey
+  * The Telesec ESIGN application is now supported
+
+- added tpm support, added a new subpackage gpg2-tpm
+
+- GnuPG 2.3.6:
+  * Up to five times faster verification of detached signatures,
+    doubled detached signing speed, threefold decryption speedup
+    for large files, nearly double the AES256.OCB encryption speed
+  * Add support for GeNUA cards
+  * Added and improved options for crypto options, and all-around
+    bug fixes
+
+- GnuPG 2.3.4:
+  * gpg: New option --min-rsa-length
+  * gpg: New option --forbid-gen-key
+  * gpg: New option --override-compliance-check
+  * gpgconf: New command --show-configs
+  * agent,dirmngr,keyboxd: New option --steal-socket
+  * gpg: Fix printing of binary notations
+  * gpg: Remove stale ultimately trusted keys from the trustdb
+  * gpg: Fix indentation of --print-mds and --print-md sha512
+  * gpg: Emit gpg 2.2 compatible Ed25519 signature
+  * gpgsm: Detect circular chains in --list-chain
+  * dirmngr: Make reading resolv.conf more robust
+  * dirmngr: Ask keyservers to provide the key fingerprints
+  * gpgconf: Allow changing gpg's deprecated keyserver option
+  * gpg-wks-server: Fix created file permissions
+  * scd: Support longer data for ssh-agent authentication with
+    openpgp cards
+  * scd: Modify DEVINFO behavior to support looping forever
+  * Silence warning about the rootdir under Unices w/o a mounted
+    /proc file system
+  * Fix possible build problems about missing include files
+
+- GnuPG 2.3.3:
+  * agent: Fix segv in GET_PASSPHRASE (regression)
+  * dirmngr: Fix Let's Encrypt certificate chain validation
+  * gpg: Change default and maximum AEAD chunk size to 4 MiB
+  * gpg: Print a warning when importing a bad cv25519 secret key
+  * gpg: Fix --list-packets for undecryptable AEAD packets
+  * gpg: Verify backsigs for v5 keys correctly
+  * keyboxd: Fix checksum computation for no UBID entry on disk
+  * keyboxd: Fix "invalid object" error with cv448 keys
+  * dirmngr: New option --ignore-cert
+  * agent: Fix calibrate_get_time use of clock_gettime
+  * Support a gpgconf.ctl file under Unix and use this for the
+    regression tests
+
+- GnuPG 2.3.2:
+  * gpg: Allow fingerprint based lookup with --locate-external-key.
+  * gpg: Allow decryption w/o public key but with correct card inserted.
+  * gpg: Auto import keys specified with --trusted-keys.
+  * gpg: Do not use import-clean for LDAP keyserver imports.
+  * gpg: Fix mailbox based search via AKL keyserver method.
+  * gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
+  * gpg: Use a more descriptive prompt for symmetric decryption.
+  * gpg: Improve speed of secret key listing.
+  * gpg: Support keygrip search with traditional keyring.
+  * gpg: Let --fetch-key return an exit code on failure.
+  * gpg: Emit the NO_SECKEY status again for decryption.
+  * gpgsm: Support decryption of password based encryption (pwri).
+  * gpgsm: Support AES-GCM decryption.
+  * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint.
+  * gpgsm: Fix finding of issuer in use-keyboxd mode.
+  * gpgsm: New option --ldapserver as an alias for --keyserver.
+  * agent: Use SHA-256 for SSH fingerprint by default.
+  * agent: Fix calling handle_pincache_put.
+  * agent: Fix importing protected secret key.
+  * agent: Fix a regression in agent_get_shadow_info_type.
+  * agent: Add translatable text for Caps Lock hint.
+  * agent: New option --pinentry-formatted-passphrase.
+  * agent: Add checkpin inquiry for pinentry.
+  * agent: New option --check-sym-passphrase-pattern.
+  * agent: Use the sysconfdir for a pattern file.
+  * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
+  * dirmngr: LDAP search by a mailbox now ignores revoked keys.
+  * dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
+  * dirmngr: Allow for non-URL specified ldap keyservers.
+  * dirmngr: New option --ldapserver.
+  * dirmngr: Fix regression in KS_GET for mail address pattern.
+  * card: New option --shadow for the list command.
+  * tests: Make sure the built keyboxd is used.
+  * scd: Fix computing shared secrets for 512 bit curves.
+  * scd: Fix unblock PIN by a Reset Code with KDF.
+  * scd: Fix PC/SC removed card problem.
+  * scd: Recover the partial match for PORTSTR for PC/SC.
+  * scd: Make sure to release the PC/SC context.
+  * scd: Fix zero-byte handling in ECC.
+  * scd: Fix serial number detection for Yubikey 5.
+  * scd: Add basic support for AET JCOP cards.
+  * scd: Detect external interference when --pcsc-shared is in use.
+  * scd: Fix access to the list of cards.
+  * gpgconf: Do not list a disabled tpm2d.
+  * gpgconf: Make runtime changes with different homedir work.
+  * keyboxd: Fix searching for exact mail adddress.
+  * keyboxd: Fix searching with multiple patterns.
+  * tools: Extend gpg-check-pattern.
+  * wkd: Fix client issue with leading or trailing spaces in user-ids.
+  * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
+  * Change the default keyserver to keyserver.ubuntu.com. This is a
+    temporary change due to the shutdown of the SKS keyserver pools.
+
+- GnuPG 2.3.1:
+  * The new configuration file common.conf is now used to enable
+    the use of the key database daemon with "use-keyboxd". Using
+    this option in gpg.conf and gpgsm.conf is supported for a
+    transitional period. See doc/example/common.conf for more.
+  * gpg: Force version 5 key creation for ed448 and cv448 algorithms.
+  * gpg: By default do not use the self-sigs-only option when
+    importing from an LDAP keyserver.
+  * gpg: Lookup a missing public key of the active card via LDAP.
+  * gpgsm: New command --show-certs.
+  * scd: Fix CCID driver for SCM SPR332/SPR532.
+  * scd: Further improvements for PKCS#15 cards.
+  * New configure option --with-tss to allow the selection of the
+    TSS library.
+- Rebase patches:
+  * gnupg-add_legacy_FIPS_mode_option.patch
+  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+  * gnupg-dont-fail-with-seahorse-agent.patch
+  * gnupg-set_umask_before_open_outfile.patch
+
+- GnuPG 2.3.0:
+  * A new experimental key database daemon is provided.  To enable
+    it put "use-keyboxd" into gpg.conf and gpgsm.conf.  Keys are stored
+    in a SQLite database and make key lookup much faster.
+  * New tool gpg-card as a flexible frontend for all types of
+    supported smartcards.
+  * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
+    gpg-connect-agent.
+  * The gpg-wks-client tool is now installed under bin; a wrapper for
+    its old location at libexec is also installed.
+  * tpm2d: New daemon to physically bind keys to the local machine.
+  * gpg: Switch to ed25519/cv25519 as default public key algorithms.
+  * gpg: Verification results now depend on the --sender option and
+    the signer's UID subpacket.
+  * gpg: Do not use any 64-bit block size cipher algorithm for
+    encryption.  Use AES as last resort cipher preference instead of
+    3DES.  This can be reverted using --allow-old-cipher-algos.
+  * gpg: Support AEAD encryption mode using OCB or EAX.
+  * gpg: Support v5 keys and signatures.
+  * gpg: Support curve X448 (ed448, cv448).
+  * gpg: Allow use of group names in key listings.
+  * gpg: New option --full-timestrings to print date and time.
+  * gpg: New option --force-sign-key.
+  * gpg: New option --no-auto-trust-new-key.
+  * gpg: The legacy key discovery method PKA is no longer supported.
+    The command --print-pka-records and the PKA related import and
+    export options have been removed.
+  * gpg: Support export of Ed448 Secure Shell keys.
+  * gpgsm: Add basic ECC support.
+  * gpgsm: Support creation of EdDSA certificates.  [#4888]
+  * agent: Allow the use of "Label:" in a key file to customize the
+    pinentry prompt.
+  * agent: Support ssh-agent extensions for environment variables.
+    With a patched version of OpenSSH this avoids the need for the
+    "updatestartuptty" kludge.
+  * scd: Improve support for multiple card readers and tokens.
+  * scd: Support PIV cards.
+  * scd: Support for Rohde&Schwarz Cybersecurity cards.
+  * scd: Support Telesec Signature Cards v2.0
+  * scd: Support multiple application on certain smartcard.
+  * scd: New option --application-priority.
+  * scd: New option --pcsc-shared; see man page for important notes.
+  * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
+  * The symcryptrun tool, a wrapper for the now obsolete external
+    Chiasmus tool, has been removed.
+  * Full Unicode support for the command line.
+- dropped legacy commands: gpg-zip
+
+- Remove the "files-are-digests" option from the openSUSE package.
+  This feature was not upstream and only used in the OBS signing
+  daemon. The recommended upstream feature for separating the data
+  to be signed from the private keys is gpg agent forwarding,
+  available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
-- Fix segv importing certain keys (e.g. ed25519). [bsc#1176034]
-- Add gnupg-2.2.22-fix-segv-import-keys.patch
-
-- Fix warning: agent returned different signature type ssh-rsa
-  * The gpg-agent's ssh-agent does not handle flags in signing
-    requests properly [bsc#1161268, bsc#1172308]
-  * Add gnupg-gpg-agent-ssh-agent.patch
-
-- Security fix: [bsc#1157900, CVE-2019-14855, jsc#SLE-16534]
-  * Web of Trust forgeries using collisions in SHA-1 signatures
-  * Ignore all SHA-1 signatures in 3rd party key signatures.
-  * Forbid the creation of SHA-1 third-party key signatures.
-  * Add option --allow-weak-key-signatures
-- Add gnupg-CVE-2019-14855.patch
-
-- Remove self-buildrequire [bsc#1152755]
-
-- Security fix: [bsc#1141093, CVE-2019-13050]
-  * Denial of service attacks via big keys
-  * Added patches:
-  - gnupg-CVE-2019-13050_0_of_5.patch
-  - gnupg-CVE-2019-13050_1_of_5.patch
-  - gnupg-CVE-2019-13050_2_of_5.patch
-  - gnupg-CVE-2019-13050_3_of_5.patch
-  - gnupg-CVE-2019-13050_4_of_5.patch
-  - gnupg-CVE-2019-13050_5_of_5.patch
-
-- Allow coredumps in X11 desktop sessions (bsc#1124847)
-  gpg-agent unconditionally disables coredumps, which is not
-  supposed to happen in the code path that does just exec(argv[])
-  * Added gnupg-gpg-agent-ulimit.patch
-
+- Allow coredumps in X11 desktop sessions (bsc#1124847)
+  gpg-agent unconditionally disables coredumps, which is not
+  supposed to happen in the code path that does just exec(argv[])
+  gnupg-gpg-agent-ulimit.patch
+
-- Security fix: [bsc#1120346, CVE-2018-1000858]
-  * Cross Site Request Forgery (CSRF) vulnerability in dirmngr that
-    can result in Attacker controlled CSRF.
-  * Added patches:
-  - gnupg-CRL-fetching-via-https.patch
-  - gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch
-  - gnupg-CVE-2018-1000858.patch
-
-- Added gnupg-CVE-2018-12020.patch: Sanitize the diagnostic output of the
-  original file name in verbose mode (bsc#1096745, CVE-2018-12020).
-
gpgme
-- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114]
-  * Remove gpgme-test-json.patch fixed upstream
+- Update to 1.23.0:
+  * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559]
+  * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705]
+  * New key capability flags has_*. [T6748]
+  * gpgme-tool: Support use of Windows HANDLE. [T6634]
+  * qt: Support refreshing keys via WKD. [T6672]
+  * qt: Handle cancel in changeexpiryjob. [T6754]
+  * Remove patches fixed upstream:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Use GCC 12 for building the Qt6 library on Leap 15. The
+  default compiler is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Use GCC 12 for building the Qt6 library. The default compiler
+  is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Fix builds with qt and qt6 [T6673]:
+  * qt,tests: Fix build in source directory. Include Qt binding
+    sources before C++ binding sources and C sources. This fixes
+    the problem that the debug.h in the C sources was found before
+    the one in the Qt bindings.
+  * build: Suggest out-of-source build. Suggest to run configure
+    from a build subdirectory.
+  * Add patches:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Update to 1.22.0:
+  * Prevent wrong plaintext when verifying clearsigned signature.
+  * Return bad data error instead of general error on unexpected data.
+  * Take care of offline mode for all operations of gpgsm engine.
+  * Prepare the use of the forthcoming libassuan version 3.
+  * New configure option --with-libtool-modification.
+  * cpp: Expose gpgme_decrypt_result_t.is_mime.
+  * qt: Clean up after failure or cancel of sign/encrypt archive operation.
+  * qt: Add setInputEncoding to QGpgMe::EncryptJob.
+  * qt: Make toLogString helper public.
+  * Interface changes relative to the 1.21.0 release:
+  - qt: EncryptJob::setInputEncoding           NEW.
+  - qt: DecryptionResult::isMime               NEW.
+  - qt: toLogString                            NEW.
+
+- Run testsuite in qemu build
+
+- Update to 1.21.0
+  * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign
+    to allow writing the output directly to a file. [T6530]
+  * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the
+    input data directly from files. [T6530]
+  * For key signing and uid revoking allow an empty user id. [rMfbc3963d62]
+  * Pass an input-size-hint also to the gpgsm engine. [T6534]
+  * qt: Allow writing the created archives directly to a file. [T6530]
+  * qt: Allow reading the signed/encrypted archive to decrypt
+    or verify directly from a file. [T6530]
+  * qt: Qt Jobs working with QIODeviceDataProvider now properly
+    handle input-size hints and progress for files larger.
+    2^32 bytes in 32 bit builds. [T6534]
+  * cpp: Error::isCanceled now also returns true for error code
+    GPG_ERR_FULLY_CANCELED. [T6510]
+  * python: Fix wrong use of write. [T6501]
+  * Interface changes relative to the 1.20.0 release:
+  - cpp: Data::setFlag                            NEW.
+  - cpp: Data::setSizeHint                        NEW.
+  - qt: Job::startIt                              NEW.
+  - qt: DecryptVerifyArchiveJob::setInputFile     NEW.
+  - qt: DecryptVerifyArchiveJob::inputFile        NEW.
+  - qt: EncryptArchiveJob::setRecipients          NEW.
+  - qt: EncryptArchiveJob::recipients             NEW.
+  - qt: EncryptArchiveJob::setInputPaths          NEW.
+  - qt: EncryptArchiveJob::inputPaths             NEW.
+  - qt: EncryptArchiveJob::setOutputFile          NEW.
+  - qt: EncryptArchiveJob::outputFile             NEW.
+  - qt: EncryptArchiveJob::setEncryptionFlags     NEW.
+  - qt: EncryptArchiveJob::encryptionFlags        NEW.
+  - qt: SignArchiveJob::setSigners                NEW.
+  - qt: SignArchiveJob::signers                   NEW.
+  - qt: SignArchiveJob::setInputPaths             NEW.
+  - qt: SignArchiveJob::inputPaths                NEW.
+  - qt: SignArchiveJob::setOutputFile             NEW.
+  - qt: SignArchiveJob::outputFile                NEW.
+  - qt: SignEncryptArchiveJob::setSigners         NEW.
+  - qt: SignEncryptArchiveJob::signers            NEW.
+  - qt: SignEncryptArchiveJob::setRecipients      NEW.
+  - qt: SignEncryptArchiveJob::recipients         NEW.
+  - qt: SignEncryptArchiveJob::setInputPaths      NEW.
+  - qt: SignEncryptArchiveJob::inputPaths         NEW.
+  - qt: SignEncryptArchiveJob::setOutputFile      NEW.
+  - qt: SignEncryptArchiveJob::outputFile         NEW.
+  - qt: SignEncryptArchiveJob::setEncryptionFlags NEW.
+  - qt: SignEncryptArchiveJob::encryptionFlags    NEW.
+
+- Update to 1.20.0:
+  * On Windows, the gettext functions provided by gpgrt are switched
+    into utf8 mode, so that all localized texts returned by GpgME or
+    gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960]
+  * Key::canSign now returns false for OpenPGP keys without signing
+    (sub)key. [T6456]
+  * The new macOS Homebrew location is now by default supported. [T6440]
+  * Fix regression in 1.19.0.
+  * Fix invocation of gpgtar on Windows.
+  * Interface changes relative to the 1.19.0 release:
+  - gpgme_subkey_t              EXTENDED: New field 'can_renc'.
+  - gpgme_subkey_t              EXTENDED: New field 'can_timestamp'.
+  - gpgme_subkey_t              EXTENDED: New field 'is_group_owned'.
+  - cpp: Subkey::canRenc        NEW.
+  - cpp: Subkey::canTimestamp   NEW.
+  - cpp: Subkey::isGroupOwned   NEW.
+  - cpp: Key::canReallySign     DEPRECATED.
+  * Release-info: https://dev.gnupg.org/T6463
+
+- Add a Qt6 flavor to build Qt6 bindings
+- Use %ldconfig_scriptlets
+
+- Update to 1.19.0:
+  * New context flag "no-auto-check-trustdb". [T6261]
+  * Optionally, build QGpgME for Qt 6
+  * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342]
+  * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and
+    gpgme_op_sign* to allow creating an encrypted and/or signed
+    archive. [T6342]
+  * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*,
+    and gpgme_op_verify* to allow extracting an encrypted and/or
+    signed archive. [T6342]
+  * cpp: Handle error when trying to sign expired keys. [T6155]
+  * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and
+    WantAddress. [T6359]
+  * cpp, qt: Fix building with C++11.  [T6141]
+  * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit
+    systems  when adding an existing subkey to another key. [T6137]
+  * cpp: Allow setting the curve to use when generating ECC keys
+    for smart cards. [T4429]
+  * qt: Extend ListAllKeysJob to allow disabling the automatic
+    trust database check when listing all keys. [T6261]
+  * qt: Allow deferred start of import jobs. [T6323]
+  * qt: Support creating and extracting signed and encrypted
+    archives. [T6342]
+  * Rebase gpgme-suse-nobetasuffix.patch
+  * Remove patches upstream:
+  - gpgme-D546-python310.patch
+  - gpgme-1.18.0-T6137-qt_test.patch
+  - python311.patch
+
+- drop python2 subpackage handling. we do not support python 2.x
+  anymore, and if we would it would happen via singlespec
+
+- Update upstream keyring: https://gnupg.org/signature_key.asc
+
+- add python311.patch to build language bindings for python 3.11
+
+- Add gpgme-suse-nobetasuffix.patch
+  * remove "-unknown" suffix from version string
+  * boo#1205197
+
+- gpgme 1.18.0
+  * New keylist mode to force refresh via external methods
+  * The keylist operations now create an import result to report the
+    result of the locate keylist modes
+  * core: Return BAD_PASSPHRASE error code on symmetric decryption
+    failure
+  * cpp, qt: Do not export internal symbols anymore
+  * cpp, qt: Support revocation of own OpenPGP keys
+  * qt: The file name of (signed and) encrypted data can now be set
+  * cpp, qt: Support setting the primary user ID
+  * python: Fix segv(NULL) when inspecting contect after exeception
+- includes changes from version 1.17.1:
+  * qt: Fix a bug in the ABI compatibility of 1.17.0
+- includes changes from 1.17.0:
+  * New context flag "key-origin"
+  * New context flag "import-filter"
+  * New export mode to export secret subkeys
+  * Detect errors during the export of secret keys
+  * New function gpgme_op_receive_keys to import keys from a keyserver
+    without first running a key listing
+  * Detect bad passphrase error in certificate import
+  * Allow setting --key-origin when importing keys
+  * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr",
+    "pinentry", and "socketdir" in gpgme_get_dirinfo
+  * Under Unix use poll(2) instead of select(2), when available.
+  * Fix results returned by gpgme_data_* functions
+  * Support closefrom also for glibc
+    (drop upstream gpgme-use-glibc-closefrom.patch
+  * cpp,qt: Add support for export of secret keys and secret subkeys.
+  * cpp,qt: Support for adding existing subkeys to other keys
+  * qt: Extend ChangeExpiryJob to change expiration of primary key
+    and of subkeys at the same time
+  * qt: Support WKD lookup without implicit import
+  * qt: Allow specifying an import filter when importing keys
+  * qt: Allow retrieving the default value of a config entry
+- drop patches included upstream
+  * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+  * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
+- add patches to fix tests:
+  * gpgme-1.18.0-T6137-qt_test.patch
+
+- Add patches to support building bindings packages for
+  Python 3.10
+  * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545
+  * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546
-- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801]
-  * tests/json: Bravo key does not have secret key material
-  * tests/json: Do not check for keygrip of pubkeys
-  * core: Make sure the keygrip is available in WITH_SECRET mode
-- Add gpgme-test-json.patch
-
gpgme:qt
-- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114]
-  * Remove gpgme-test-json.patch fixed upstream
+- Update to 1.23.0:
+  * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559]
+  * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705]
+  * New key capability flags has_*. [T6748]
+  * gpgme-tool: Support use of Windows HANDLE. [T6634]
+  * qt: Support refreshing keys via WKD. [T6672]
+  * qt: Handle cancel in changeexpiryjob. [T6754]
+  * Remove patches fixed upstream:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Use GCC 12 for building the Qt6 library on Leap 15. The
+  default compiler is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Use GCC 12 for building the Qt6 library. The default compiler
+  is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Fix builds with qt and qt6 [T6673]:
+  * qt,tests: Fix build in source directory. Include Qt binding
+    sources before C++ binding sources and C sources. This fixes
+    the problem that the debug.h in the C sources was found before
+    the one in the Qt bindings.
+  * build: Suggest out-of-source build. Suggest to run configure
+    from a build subdirectory.
+  * Add patches:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Update to 1.22.0:
+  * Prevent wrong plaintext when verifying clearsigned signature.
+  * Return bad data error instead of general error on unexpected data.
+  * Take care of offline mode for all operations of gpgsm engine.
+  * Prepare the use of the forthcoming libassuan version 3.
+  * New configure option --with-libtool-modification.
+  * cpp: Expose gpgme_decrypt_result_t.is_mime.
+  * qt: Clean up after failure or cancel of sign/encrypt archive operation.
+  * qt: Add setInputEncoding to QGpgMe::EncryptJob.
+  * qt: Make toLogString helper public.
+  * Interface changes relative to the 1.21.0 release:
+  - qt: EncryptJob::setInputEncoding           NEW.
+  - qt: DecryptionResult::isMime               NEW.
+  - qt: toLogString                            NEW.
+
+- Run testsuite in qemu build
+
+- Update to 1.21.0
+  * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign
+    to allow writing the output directly to a file. [T6530]
+  * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the
+    input data directly from files. [T6530]
+  * For key signing and uid revoking allow an empty user id. [rMfbc3963d62]
+  * Pass an input-size-hint also to the gpgsm engine. [T6534]
+  * qt: Allow writing the created archives directly to a file. [T6530]
+  * qt: Allow reading the signed/encrypted archive to decrypt
+    or verify directly from a file. [T6530]
+  * qt: Qt Jobs working with QIODeviceDataProvider now properly
+    handle input-size hints and progress for files larger.
+    2^32 bytes in 32 bit builds. [T6534]
+  * cpp: Error::isCanceled now also returns true for error code
+    GPG_ERR_FULLY_CANCELED. [T6510]
+  * python: Fix wrong use of write. [T6501]
+  * Interface changes relative to the 1.20.0 release:
+  - cpp: Data::setFlag                            NEW.
+  - cpp: Data::setSizeHint                        NEW.
+  - qt: Job::startIt                              NEW.
+  - qt: DecryptVerifyArchiveJob::setInputFile     NEW.
+  - qt: DecryptVerifyArchiveJob::inputFile        NEW.
+  - qt: EncryptArchiveJob::setRecipients          NEW.
+  - qt: EncryptArchiveJob::recipients             NEW.
+  - qt: EncryptArchiveJob::setInputPaths          NEW.
+  - qt: EncryptArchiveJob::inputPaths             NEW.
+  - qt: EncryptArchiveJob::setOutputFile          NEW.
+  - qt: EncryptArchiveJob::outputFile             NEW.
+  - qt: EncryptArchiveJob::setEncryptionFlags     NEW.
+  - qt: EncryptArchiveJob::encryptionFlags        NEW.
+  - qt: SignArchiveJob::setSigners                NEW.
+  - qt: SignArchiveJob::signers                   NEW.
+  - qt: SignArchiveJob::setInputPaths             NEW.
+  - qt: SignArchiveJob::inputPaths                NEW.
+  - qt: SignArchiveJob::setOutputFile             NEW.
+  - qt: SignArchiveJob::outputFile                NEW.
+  - qt: SignEncryptArchiveJob::setSigners         NEW.
+  - qt: SignEncryptArchiveJob::signers            NEW.
+  - qt: SignEncryptArchiveJob::setRecipients      NEW.
+  - qt: SignEncryptArchiveJob::recipients         NEW.
+  - qt: SignEncryptArchiveJob::setInputPaths      NEW.
+  - qt: SignEncryptArchiveJob::inputPaths         NEW.
+  - qt: SignEncryptArchiveJob::setOutputFile      NEW.
+  - qt: SignEncryptArchiveJob::outputFile         NEW.
+  - qt: SignEncryptArchiveJob::setEncryptionFlags NEW.
+  - qt: SignEncryptArchiveJob::encryptionFlags    NEW.
+
+- Update to 1.20.0:
+  * On Windows, the gettext functions provided by gpgrt are switched
+    into utf8 mode, so that all localized texts returned by GpgME or
+    gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960]
+  * Key::canSign now returns false for OpenPGP keys without signing
+    (sub)key. [T6456]
+  * The new macOS Homebrew location is now by default supported. [T6440]
+  * Fix regression in 1.19.0.
+  * Fix invocation of gpgtar on Windows.
+  * Interface changes relative to the 1.19.0 release:
+  - gpgme_subkey_t              EXTENDED: New field 'can_renc'.
+  - gpgme_subkey_t              EXTENDED: New field 'can_timestamp'.
+  - gpgme_subkey_t              EXTENDED: New field 'is_group_owned'.
+  - cpp: Subkey::canRenc        NEW.
+  - cpp: Subkey::canTimestamp   NEW.
+  - cpp: Subkey::isGroupOwned   NEW.
+  - cpp: Key::canReallySign     DEPRECATED.
+  * Release-info: https://dev.gnupg.org/T6463
+
+- Add a Qt6 flavor to build Qt6 bindings
+- Use %ldconfig_scriptlets
+
+- Update to 1.19.0:
+  * New context flag "no-auto-check-trustdb". [T6261]
+  * Optionally, build QGpgME for Qt 6
+  * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342]
+  * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and
+    gpgme_op_sign* to allow creating an encrypted and/or signed
+    archive. [T6342]
+  * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*,
+    and gpgme_op_verify* to allow extracting an encrypted and/or
+    signed archive. [T6342]
+  * cpp: Handle error when trying to sign expired keys. [T6155]
+  * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and
+    WantAddress. [T6359]
+  * cpp, qt: Fix building with C++11.  [T6141]
+  * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit
+    systems  when adding an existing subkey to another key. [T6137]
+  * cpp: Allow setting the curve to use when generating ECC keys
+    for smart cards. [T4429]
+  * qt: Extend ListAllKeysJob to allow disabling the automatic
+    trust database check when listing all keys. [T6261]
+  * qt: Allow deferred start of import jobs. [T6323]
+  * qt: Support creating and extracting signed and encrypted
+    archives. [T6342]
+  * Rebase gpgme-suse-nobetasuffix.patch
+  * Remove patches upstream:
+  - gpgme-D546-python310.patch
+  - gpgme-1.18.0-T6137-qt_test.patch
+  - python311.patch
+
+- drop python2 subpackage handling. we do not support python 2.x
+  anymore, and if we would it would happen via singlespec
+
+- Update upstream keyring: https://gnupg.org/signature_key.asc
+
+- add python311.patch to build language bindings for python 3.11
+
+- Add gpgme-suse-nobetasuffix.patch
+  * remove "-unknown" suffix from version string
+  * boo#1205197
+
+- gpgme 1.18.0
+  * New keylist mode to force refresh via external methods
+  * The keylist operations now create an import result to report the
+    result of the locate keylist modes
+  * core: Return BAD_PASSPHRASE error code on symmetric decryption
+    failure
+  * cpp, qt: Do not export internal symbols anymore
+  * cpp, qt: Support revocation of own OpenPGP keys
+  * qt: The file name of (signed and) encrypted data can now be set
+  * cpp, qt: Support setting the primary user ID
+  * python: Fix segv(NULL) when inspecting contect after exeception
+- includes changes from version 1.17.1:
+  * qt: Fix a bug in the ABI compatibility of 1.17.0
+- includes changes from 1.17.0:
+  * New context flag "key-origin"
+  * New context flag "import-filter"
+  * New export mode to export secret subkeys
+  * Detect errors during the export of secret keys
+  * New function gpgme_op_receive_keys to import keys from a keyserver
+    without first running a key listing
+  * Detect bad passphrase error in certificate import
+  * Allow setting --key-origin when importing keys
+  * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr",
+    "pinentry", and "socketdir" in gpgme_get_dirinfo
+  * Under Unix use poll(2) instead of select(2), when available.
+  * Fix results returned by gpgme_data_* functions
+  * Support closefrom also for glibc
+    (drop upstream gpgme-use-glibc-closefrom.patch
+  * cpp,qt: Add support for export of secret keys and secret subkeys.
+  * cpp,qt: Support for adding existing subkeys to other keys
+  * qt: Extend ChangeExpiryJob to change expiration of primary key
+    and of subkeys at the same time
+  * qt: Support WKD lookup without implicit import
+  * qt: Allow specifying an import filter when importing keys
+  * qt: Allow retrieving the default value of a config entry
+- drop patches included upstream
+  * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+  * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
+- add patches to fix tests:
+  * gpgme-1.18.0-T6137-qt_test.patch
+
+- Add patches to support building bindings packages for
+  Python 3.10
+  * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545
+  * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546
-- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801]
-  * tests/json: Bravo key does not have secret key material
-  * tests/json: Do not check for keygrip of pubkeys
-  * core: Make sure the keygrip is available in WITH_SECRET mode
-- Add gpgme-test-json.patch
-
grub2
+- Fix reproducible build for grub.xen (bsc#1217619)
+  * 0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch
+  * 0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch
+
+- Fix unattended boot with TPM2 allows downgrading kernel and rootfs, also
+  enhancing the overall security posture (bsc#1216680)
+  * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
+  * 0002-Restrict-file-access-on-cryptodisk-print.patch
+  * 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
+  * 0004-Key-revocation-on-out-of-bound-file-access.patch
+
gstreamer-plugins-bad
+- Add gstreamer-plugins-bad-CVE-2023-44429.patch:
+  Backporting 1db83d3f from upstream, Clip tile rows and cols to 64
+  as describe in AV1 specification.
+  (CVE-2023-44429 bsc#1217211)
+
-  from upstream to fix a heap overwrite in PGS subtitle
-  overlay decoder which might trigger a crash or remote code
-  execution (CVE-2023-37329 bsc#1213126).
+  Backport 7ed446dc,0dabf0eb from upstream to fix a heap overwrite
+  in PGS subtitle overlay decoder which might trigger a crash or
+  remote code execution (CVE-2023-37329 bsc#1213126).
-- Add patch to support building with srt 1.3.4 in SLE
-  * fix-build-with-srt-1.3.4.patch
+- Add fix-build-with-srt-1.3.4.patch:
+  To support building with srt 1.3.4 in SLE.
+- Update to version 1.16.3 (bsc#1181255 CVE-2021-3185):
+  - amcvideodec: fix sync meta copying not taking a reference
+  - audiobuffersplit: Perform discont tracking on running time
+  - audiobuffersplit: Specify in the template caps that only interleaved audio is supported
+  - audiobuffersplit: Unset DISCONT flag if not discontinuous
+  - autoconvert: Fix lock-less exchange or free condition
+  - autoconvert: fix compiler warnings with g_atomic on recent GLib versions
+  - avfvideosrc: element requests camera permissions even with capture-screen property is true
+  - codecparsers: h264parser: guard against ref_pic_markings overflow
+  - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated
+  - dtls/connection: fix EOF handling with openssl 1.1.1e
+  - fdkaacdec: add support for mpegversion=2
+  - hls: Check nettle version to ensure AES128 support
+  - ipcpipeline: Rework compiler checks
+  - interlace: Increment phase_index before checking if we're at the end of the phase
+  - lv2: Make it build with -fno-common
+  - h264parser: Do not allocate too large size of memory for registered user data SEI
+  - ladspa: fix unbounded integer properties
+  - modplug: avoid division by zero
+  - msdkdec: Fix GstMsdkContext leak
+  - msdkenc: fix leaks on windows
+  - musepackdec: Don't fail all queries if no sample rate is known yet
+  - openslessink: Allow openslessink to handle 48kHz streams.
+  - opencv: allow compilation against 4.2.x
+  - proxysink: event_function needs to handle the event when it is disconnecetd from proxysrc
+  - vulkan: Drop use of VK_RESULT_BEGIN_RANGE
+  - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset
+  - wasapi: Fix possible deadlock while downwards state change
+  - waylandsink: Clear window when pipeline is stopped
+  - webrtc: Support non-trickle ICE candidates in the SDP
+  - webrtc: Unmap all non-binary buffers received via the datachannel
+  - meson: build with neon 0.31
+- Drop upstream fixed patch: gstreamer-h264parser-fix-overflow.patch
+
+- Drop gstreamer-plugins-bad-patch-source.sh
+- Drop pre_checkin.sh
haproxy
-- Update HA packages for 15 SP6 (jsc#PED-6161)
+- Update to version 2.8.4+git0.a4ebf9d3b:
+  * [RELEASE] Released version 2.8.4
+  * BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends
+  * BUG/MINOR: stconn/applet: Report send activity only if there was output data
+  * BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer
+  * BUG/MINOR: stconn: Fix streamer detection for HTX streams
+  * MINOR: channel: Add functions to get info on buffers and deal with HTX streams
+  * MINOR: htx: Use a macro for overhead induced by HTX
+  * BUG/MEDIUM: stconn: Update fsb date on partial sends
+  * BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
+  * BUG/MEDIUM: mworker: set the master variable earlier
+  * BUG/MEDIUM: applet: Report a send activity everytime data were sent
+  * BUG/MEDIUM: stconn: Report a send activity everytime data were sent
+  * REGTESTS: http: Improve script testing abortonclose option
+  * BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
+  * MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads
+  * MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
+  * BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
+  * BUG/MEDIUM: connection: report connection errors even when no mux is installed
+  * DOC: quic: Wrong syntax for "quic-cc-algo" keyword.
+  * BUG/MINOR: sink: don't learn srv port from srv addr
+  * BUG/MEDIUM: applet: Remove appctx from buffer wait list on release
+  * DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
+  * BUG/MINOR: quic: fix retry token check inconsistency
+  * DOC: management: -q is quiet all the time
+  * BUG/MEDIUM: stconn: Don't update stream expiration date if already expired
+  * BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures
+  * BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
+  * BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree
+  * BUG/MINOR: quic: idle timer task requeued in the past
+  * BUG/MEDIUM: pool: fix releasable pool calculation when overloaded
+  * BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period
+  * BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
+  * BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
+  * BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure
+  * BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure
+  * CLEANUP: htx: Properly indent htx_reserve_max_data() function
+  * BUG/MINOR: stconn: Sanitize report for read activity
+  * BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()
+  * BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot epxire
+  * BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
+  * BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
+  * BUG/MINOR: stktable: missing free in parse_stick_table()
+  * BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
+  * BUG/MEDIUM: ssl: segfault when cipher is NULL
+  * BUG/MINOR: mux-quic: fix early close if unset client timeout
+  * BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
+  * MEDIUM: quic: count quic_conn for global sslconns
+  * MEDIUM: quic: count quic_conn instance for maxconn
+  * MINOR: frontend: implement a dedicated actconn increment function
+  * BUG/MINOR: ssl: use a thread-safe sslconns increment
+  * BUG/MINOR: quic: do not consider idle timeout on CLOSING state
+  * BUG/MEDIUM: server: "proto" not working for dynamic servers
+  * MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
+  * DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
+  * MINOR: lua: Add flags to configure logging behaviour
+  * BUG/MINOR: ssl: load correctly @system-ca when ca-base is define
+  * DOC: internal: filters: fix reference to entities.pdf
+  * BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
+  * BUG/MINOR: mux-h2: commit the current stream ID even on reject
+  * BUG/MEDIUM: peers: Fix synchro for huge number of tables
+  * BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task
+  * BUG/MINOR: trace: fix trace parser error reporting
+  * BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again
+  * BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
+  * BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
+  * BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request
+  * BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash
+  * BUG/MINOR: mux-quic: fix free on qcs-new fail alloc
+  * BUG/MINOR: h3: strengthen host/authority header parsing
+  * BUG/MINOR: mux-quic: support initial 0 max-stream-data
+  * BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream
+  * BUG/MINOR: quic: reject packet with no frame
+  * BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos
+  * BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
+  * BUG/MINOR: hq-interop: simplify parser requirement
+  * BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
+  * BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
+  * BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
+  * BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
+  * MINOR: hlua: Test the hlua struct first when the lua socket is connecting
+  * MINOR: hlua: Save the lua socket's server in its context
+  * MINOR: hlua: Save the lua socket's timeout in its context
+  * MINOR: hlua: Don't preform operations on a not connected socket
+  * MINOR: hlua: Set context's appctx when the lua socket is created
+  * BUG/MEDIUM: http-ana: Try to handle response before handling server abort
+  * BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed
+  * BUG/MEDIUM: actions: always apply a longest match on prefix lookup
+  * BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
+  * BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
+  * MINOR: pattern: fix pat_{parse,match}_ip() function comments
+  * BUG/MINOR: server: add missing free for server->rdr_pfx
+  * BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
+  * BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
+  * BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
+  * BUG/MINOR: promex: fix backend_agg_check_status
+  * BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
+  * BUG/MINOR: hlua/init: coroutine may not resume itself
+  * BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
+  * CI: musl: drop shopt in workflow invocation
+  * CI: musl: highlight section if there are coredumps
+  * Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
+  * BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
+  * MINOR: hlua: add hlua_stream_ctx_prepare helper function
+  * BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
+  * BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
+  * BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
+  * BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help
+  * MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
+  * MINOR: quic+openssl_compat: Do not start without "limited-quic"
+  * MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
+  * BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
+  * DOC: quic: Add "limited-quic" new tuning setting
+  * MINOR: quic: Add "limited-quic" new tuning setting
+  * MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
+  * MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
+  * MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
+  * MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
+  * MINOR: quic: Export some KDF functions (QUIC-TLS)
+  * MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
+  * MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
+  * MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
+  * MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT
+  * MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header
+  * MINOR: quic: QUIC openssl wrapper implementation
+  * BUG/MINOR: quic: Wrong cluster secret initialization
+  * BUG/MINOR: quic: Leak of frames to send.
+  * BUILD: bug: make BUG_ON() void to avoid a rare warning
+
+- Update to version 2.8.3+git0.86e043add:
+  * [RELEASE] Released version 2.8.3
+  * CI: Update to actions/checkout@v4
+  * MEDIUM: capabilities: enable support for Linux capabilities
+  * BUG/MINOR: hlua/action: incorrect message on E_YIELD error
+  * BUG/MINOR: ring/cli: Don't expect input data when showing events
+  * BUG/MINOR: applet: Always expect data when CLI is waiting for a new command
+  * NUG/MEDIUM: stconn: Always update stream's expiration date after I/O
+  * BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
+  * BUG/MEDIUM: applet: Report an error if applet request more room on aborted SC
+  * BUG/MEDIUM: stconn: Report read activity when a stream is attached to front SC
+  * BUG/MEDIUM: applet: Fix API for function to push new data in channels buffer
+  * BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var)
+  * BUG/MINOR: quic: Wrong RTT adjusments
+  * MINOR: httpclient: allow to configure the timeout.connect
+  * MINOR: httpclient: allow to configure the retries
+  * DOC: configuration: update examples for req.ver
+  * BUG/MINOR: stream: further protect stream_dump() against incomplete sessions
+  * BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer
+  * BUG/MAJOR: quic: Really ignore malformed ACK frames.
+  * BUG/MINOR: quic: Possible skipped RTT sampling
+  * BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown
+  * BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown
+  * BUG/MINOR: stconn: Don't report blocked sends during connection establishment
+  * BUG/MEDIUM: stconn: Update stream expiration date on blocked sends
+  * DEBUG: applet: Properly report opposite SC expiration dates in traces
+  * BUG/MINOR: checks: do not queue/wake a bounced check
+  * DOC: config: mention uid dependency on the tune.quic.socket-owner option
+  * BUG/MINOR: stream: protect stream_dump() against incomplete streams
+  * BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate
+  * BUILD: import: guard plock.h against multiple inclusion
+  * BUG/MINOR: ssl_sock: fix possible memory leak on OOM
+  * DOC: lua: fix core.register_action typo
+  * BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
+  * CI: fedora: fix "dnf" invocation syntax
+  * IMPORT: xxhash: update xxHash to version 0.8.2
+  * MINOR: atomic: make sure to always relax after a failed CAS
+  * MINOR: threads: inline the wait function for pthread_rwlock emulation
+  * IMPORT: plock: also support inlining the int code
+  * BUILD: Makefile: add the USE_QUIC option to make help
+  * DOC: jwt: Add explicit list of supported algorithms
+  * REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3)
+  * SCRIPTS: git-show-backports: automatic ref and base detection with -m
+  * DOC: typo: fix sc-set-gpt references
+  * BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection
+  * BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
+  * DEV: flags/show-sess-to-flags: properly decode fd.state
+  * BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
+  * BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing
+  * CI: get rid of travis-ci wrapper for Coverity scan
+  * CI: do not use "groupinstall" for Fedora Rawhide builds
+- drop 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch:
+  part of the version update
+
+- Apply upstream patch for the ppc64le issue:
+  Add patch:
+  0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch
+  Remove patch:
+  fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch
+
+- Build error on ppc64le: include/import/xxhash.h:4148:9: error: invalid parameter combination for AltiVec intrinsic __builtin_vec_ld
+  Add patch:
+  fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch
+
+
+- Update to version 2.8.1+git0.a90123aa8:
+  * [RELEASE] Released version 2.8.1
+
+- Refreshed patches to apply cleanly again:
+  haproxy-1.6.0-makefile_lib.patch
+  haproxy-1.6.0-sec-options.patch
+- Updated series file: removed outdated patches
+
+- Update to version 2.8.0+git0.fdd8154ed:
+  https://www.mail-archive.com/haproxy@formilux.org/msg43600.html
+
+- Update to version 2.7.8+git0.58c657f26:
+  * [RELEASE] Released version 2.7.8
+
+- Add handling for the new startup logs in /dev/shm in the apparmor
+  profile
+
+- Update to version 2.7.7+git0.feedf1414:
+  * [RELEASE] Released version 2.7.7
+
+- Update to version 2.7.6+git0.4dadaaafb:
+  * [RELEASE] Released version 2.7.6
+
+- Update to version 2.7.5+git0.8d230219e:
+  * [RELEASE] Released version 2.7.5
+
+- switch to autopatch to simplify patch handling
+
+- Update to version 2.7.4+git0.d28541d1f:
+  * [RELEASE] Released version 2.7.4
+
+- Update to version 2.7.3+git0.1065b1000: (boo#1208132 CVE-2023-25725)
+  * [RELEASE] Released version 2.7.3
+
+- Update to version 2.7.2+git0.7e295dd2c:
+  * [RELEASE] Released version 2.7.2
+
+- Update to version 2.7.1+git0.3e4af0ed7:
+  * [RELEASE] Released version 2.7.1
+
+- Update to version 2.7.0+git0.437fd289f:
+  https://www.haproxy.com/blog/announcing-haproxy-2-7/
+  https://www.mail-archive.com/haproxy@formilux.org/msg42914.html
+
+- reenable the pcre jit after the last change
+
+- Switch from unmaintained pcre 8.45 to pcre2 10
+
+- Update to version 2.6.6+git0.274d1a4df:
+
+- Update to version 2.6.5+git0.987a4e248:
+
+- Update to version 2.6.4+git0.2a2078cba:
+  * [RELEASE] Released version 2.6.4
+
+- Update to version 2.6.3+git0.76f187b36:
+  * [RELEASE] Released version 2.6.3
+
+- Update to version 2.6.2+git0.16a3646fd:
+  * [RELEASE] Released version 2.6.2
+- drop lua54.patch (upstream)
+
+- Update to version 2.6.1+git0.f6ca66d44:
+  * [RELEASE] Released version 2.6.1
+
+- Update to version 2.6.0+git0.a1efc048b:
+  https://www.mail-archive.com/haproxy@formilux.org/msg42371.html
+- refreshed patches
+  - haproxy-1.6.0-makefile_lib.patch
+  - haproxy-1.6.0-sec-options.patch
+  - haproxy-1.6.0_config_haproxy_user.patch
+  - lua54.patch
+
+- Update to version 2.5.7+git0.2ef551d02:
+  * [RELEASE] Released version 2.5.7
+
+- Update to version 2.5.6+git0.ba44b4312:
+
+- Update to version 2.5.5+git0.384c5c59a:
+
+- Update to version 2.5.4+git0.e55ab4208:
+  * [RELEASE] Released version 2.5.4
+
+- apparmor: profile now needs access to /sys/devices/system/node/
+
+- Update to version 2.5.3+git0.abf078b15:
+
+- Update to version 2.5.2+git0.042feec44: (CVE-2022-0711 boo#1196408)
+  * [RELEASE] Released version 2.5.2
+
+- Add now working CONFIG parameter to sysusers generator
+
+- Update to version 2.5.1+git0.86b093a51:
+  * [RELEASE] Released version 2.5.1
-- Rename patch to stay sync with Factory:
-  haproxy-2.4.22-sec-options.patch -> haproxy-1.6.0-sec-options.patch
-- Add patch to fix build on ppc64le:
-  fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch
-- Updated series file: removed outdated patches
-- Add handling for the new startup logs in /dev/shm in the apparmor
-  profile
-- apparmor: profile now needs access to /sys/devices/system/node/
-- switch to autopatch to simplify patch handling
-- reenable the pcre jit after the last change
-- Add now working CONFIG parameter to sysusers generator
-- ECO: Maint: Update haproxy to latest maintenance release for all SLE15 (jsc#PED-3821)
-- rebase and rename haproxy-1.6.0-sec-options.patch -> haproxy-2.4.22-sec-options.patch
-- remove patches covered by new release:
+- Update to version 2.5.0+git0.f2e0833f1:
+  https://www.mail-archive.com/haproxy@formilux.org/msg41508.html
+- refreshed patches to apply cleanly again
+  haproxy-1.6.0-sec-options.patch
+  haproxy-1.6.0_config_haproxy_user.patch
-  0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch
-  0001-BUG-MEDIUM-mux-h2-Refuse-interim-responses-with-end-.patch
-  0001-output-buffer-is-not-zero-initialized.path
-  2.0-2.5-BUG-CRITICAL-http-properly-reject-empty-http-header-.patch
-- Update to version 2.4.22+git0.f8e3218e2:
-  * [RELEASE] Released version 2.4.22
-  * BUG/CRITICAL: http: properly reject empty http header field names
-  * CI: github: don't warn on deprecated openssl functions on windows
-  * BUG/MEDIUM: stconn: Schedule a shutw on shutr if data must be sent first
-  * DOC: proxy-protocol: fix wrong byte in provided example
-  * DOC: config: 'http-send-name-header' option may be used in default section
-  * DOC: config: fix option spop-check proxy compatibility
-  * BUG/MEDIUM: cache: use the correct time reference when comparing dates
-  * BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
-  * BUG/MINOR: ssl/crt-list: warn when a line is malformated
-  * BUG/MEDIUM: ssl: wrong eviction from the session cache tree
-  * BUG/MINOR: fcgi-app: prevent 'use-fcgi-app' in default section
-  * [RELEASE] Released version 2.4.21
-  * BUG/MINOR: sink: free the forwarding task on exit
-  * BUILD: hpack: include global.h for the trash that is needed in debug mode
-  * BUG/MINOR: mux-h2: add missing traces on failed headers decoding
-  * BUG/MINOR: listener: close tiny race between resume_listener() and stopping
-  * DOC: config: fix "Address formats" chapter syntax
-  * BUG/MINOR: mux-fcgi: Correctly set pathinfo
-  * DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@"
-  * DOC: config: fix wrong section number for "protocol prefixes"
-  * BUG/MINOR: listeners: fix suspend/resume of inherited FDs
-  * BUG/MINOR: http-ana: make set-status also update txn->status
-  * BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
-  * BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body
-  * BUG/MINOR: promex: Don't forget to consume the request on error
-  * BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
-  * BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses
-  * CLEANUP: htx: fix a typo in an error message of http_str_to_htx
-  * BUG/MINOR: http: Memory leak of http redirect rules' format string
-  * REGTEST: fix the race conditions in hmac.vtc
-  * REGTEST: fix the race conditions in digest.vtc
-  * REGTEST: fix the race conditions in json_query.vtc
-  * BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
-  * BUG/MINOR: http-fetch: Only fill txn status during prefetch if not already set
-  * BUILD: makefile: sort the features list
-  * BUILD: makefile: build the features list dynamically
-  * BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
-  * BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
-  * BUG/MINOR: ssl: Fix memory leak of find_chain in ssl_sock_load_cert_chain
-  * LICENSE: wurfl: clarify the dummy library license.
-  * BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
-  * REGTESTS: startup: check maxconn computation
-  * REGTESTS: fix the race conditions in iff.vtc
-  * BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
-  * DOC: promex: Add missing backend metrics
-  * MINOR: promex: introduce haproxy_backend_agg_check_status
-  * BUG/MINOR: promex: create haproxy_backend_agg_server_status
-  * BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
-  * BUG/MINOR: ssl: Fix potential overflow
-  * BUG/MEDIUM: ssl: Verify error codes can exceed 63
-  * BUG/MINOR: resolvers: Don't wait periodic resolution on healthcheck failure
-  * BUILD: peers: peers-t.h depends on stick-table-t.h
-  * CI: github: change "ubuntu-latest" to "ubuntu-20.04"
-  * BUG/MEDIIM: stconn: Flush output data before forwarding close to write side
-  * BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action
-  * [RELEASE] Released version 2.4.20
-  * Revert "CI: determine actual OpenSSL version dynamically"
-  * Revert "CI: switch to the "latest" LibreSSL"
-  * SCRIPTS: announce-release: add a link to the data plane API
-  * DOC: config: clarify the -m dir and -m dom pattern matching methods
-  * DOC: config: clarify the fact that "retries" is not just for connections
-  * DOC: config: explain how default matching method for ACL works
-  * DOC: config: mention that a single monitor-uri rule is supported
-  * DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
-  * DOC: config: provide some configuration hints for "http-reuse"
-  * Revert "BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action"
-  * BUG/MINOR: mux-h1: Fix handling of 408-Request-Time-Out
-  * BUILD: http-htx: Silent build error about a possible NULL start-line
-  * BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action
-  * BUG/MINOR: log: fix parse_log_message rfc5424 size check
-  * BUG/MINOR: cfgparse-listen: fix ebpt_next_dup pointer dereference on proxy "from" inheritance
-  * BUILD: listener: fix build warning on global_listener_rwlock without threads
-  * BUG/MINOR: server/idle: at least use atomic stores when updating max_used_conns
-  * BUILD: peers: Remove unused variables
-  * BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
-  * BUG/MINOR: ssl: don't initialize the keylog callback when not required
-  * BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
-  * BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
-  * BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes
-  * BUG/MEDIUM: ring: fix creation of server in uninitialized ring
-  * DOC: config: fix alphabetical ordering of global section
-  * REG-TESTS: cache: Remove T-E header for 304-Not-Modified responses
-  * BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers
-  * BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once
-  * BUG/MINOR: mux-fcgi: Be sure to send empty STDING record in case of zero-copy
-  * BUG/MINOR: resolvers: Set port before IP address when processing SRV records
-  * BUG/MINOR: http-htx: Fix error handling during parsing http replies
-  * BUG/MEDIUM: wdt/clock: properly handle early task hangs
-  * CI: emit the compiler's version in the build reports
-  * CI: switch to the "latest" LibreSSL
-  * BUG/MINOR: ssl: ocsp structure not freed properly in case of error
-  * BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading issuer
-  * CI: add monthly gcc cross compile jobs
-  * BUG/MINOR: log: fixing bug in tcp syslog_io_handler Octet-Counting
-  * BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
-  * BUG/MAJOR: stick-table: don't process store-response rules for applets
-  * DOC: management: add forgotten "show startup-logs"
-  * BUG/MINOR: stick-table: Use server_id instead of std_t_sint in process_store_rules()
-  * CI: SSL: temporarily stick to LibreSSL=3.5.3
-  * CI: SSL: use proper version generating when "latest" semantic is used
-  * BUG/MINOR: sink: Set default connect/server timeout for implicit ring buffers
-  * BUG/MINOR: sink: Only use backend capability for the sink proxies
-  * BUG/MEDIUM: compression: handle rewrite errors when updating response headers
-  * BUG/MINOR: ring: Properly parse connect timeout
-  * BUG/MINOR: log: Preserve message facility when the log target is a ring buffer
-  * CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
-  * CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
-  * BUG/MINOR: server: make sure "show servers state" hides private bits
-  * BUG/MAJOR: stick-tables: do not try to index a server name for applets
-  * DOC: configuration: missing 'if' in tcp-request content example
-  * BUG/MINOR: backend: only enforce turn-around state when not redispatching
-  * BUG/MINOR: smtpchk: SMTP Service check should gracefully close SMTP transaction
-  * MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands
-  * BUG/MINOR: mux-h1: Account consumed output data on synchronous connection error
-  * BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
-  * BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
-  * BUILD: h1: silence an initiialized warning with gcc-4.7 and -Os
-  * BUG/MEDIUM: lua: handle stick table implicit arguments right.
-  * BUG/MEDIUM: lua: Don't crash in hlua_lua2arg_check on failure
-  * DOC: config: Fix pgsql-check documentation to make user param mandatory
-  * BUG/MINOR: checks: update pgsql regex on auth packet
-  * [RELEASE] Released version 2.4.19
-  * BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree
-  * REGTESTS: 4be_1srv_smtpchk_httpchk_layer47errors: Return valid SMTP replies
-  * BUG/MINOR: log: improper behavior when escaping log data
-  * SCRIPTS: announce-release: update some URLs to https
-  * BUILD: fd: fix a build warning on the DWCAS
-  * BUG/MEDIUM: captures: free() an error capture out of the proxy lock
-  * DOC: fix TOC in starter guide for subsection 3.3.8. Statistics
-  * REGTESTS: ssl/log: test the log-forward with SSL
-  * BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring.
-  * REGTESTS: log: test the log-forward feature
-  * REGTESTS: healthcheckmail: Relax matching on the healthcheck log message
-  * BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN'
-  * MINOR: listener: small API change
-  * BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
-  * CI: cirrus-ci: bump FreeBSD image to 13-1
-  * BUG/MINOR: signals/poller: ensure wakeup from signals
-  * BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
-  * BUG/MINOR: task: always reset a new tasklet's call date
-  * BUG/MINOR: h1: Support headers case adjustment for TCP proxies
-  * BUILD: makefile: enable crypt(3) for NetBSD
-  * BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support
-  * BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber
-  * BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber
-  * BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber
-  * BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools
-  * REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
-  * BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of input
-  * BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule)
-  * BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets
-  * BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
-  * BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
-  * BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
-  * BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
-  * DOC: configuration: do-resolve doesn't work with a port in the string
-  * REGTESTS: Fix prometheus script to perform HTTP health-checks
-  * BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect
-  * BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
-  * BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
-  * BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
-  * BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
-  * BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
-  * BUILD: http: silence an uninitialized warning affecting gcc-5
-  * BUG/MEDIUM: ring: fix too lax 'size' parser
-  * BUILD: debug: silence warning on gcc-5
-  * BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq()
-  * BUG/MEDIUM: poller: use fd_delete() to release the poller pipes
-  * BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h
-  * BUG/MINOR: sink: fix a race condition between the writer and the reader
-  * BUG/MINOR: ring/cli: fix a race condition between the writer and the reader
-  * BUG/MEDIUM: proxy: Perform a custom copy for default server settings
-  * REORG: server: Export srv_settings_cpy() function
-  * MINOR: server: Constify source server to copy its settings
-  * BUG/MEDIUM: dns: Properly initialize new DNS session
-  * BUG/MINOR: peers: Use right channel flag to consider the peer as connected
-  * BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
-  * MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
-  * BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions
-  * MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups
-  * MINOR: http-htx: Use new HTTP functions for the scheme based normalization
-  * BUG/MEDIUM: h1: Improve authority validation for CONNCET request
-  * MINOR: http: Add function to detect default port
-  * MINOR: http: Add function to get port part of a host
-  * BUG/MEDIUM: mworker: use default maxconn in wait mode
-  * [RELEASE] Released version 2.4.18
-  * BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
-  * BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
-  * BUILD: add detection for unsupported compiler models
-  * BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
-  * REGTESTS: Fix some scripts to be compatible with 2.4 and prior
-  * BUG/MINOR: tools: fix statistical_prng_range()'s output range
-  * BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
-  * BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX
-  * BUG/MEDIUM: tools: avoid calling dlsym() in static builds
-  * MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
-  * BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
-  * BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
-  * BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
-  * REGTEESTS: filters: Fix CONNECT request in random-forwarding script
-  * BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
-  * BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
-  * BUG/MINOR: peers: fix possible NULL dereferences at config parsing
-  * BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
-  * BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
-  * BUG/MINOR: peers/config: always fill the bind_conf's argument
-  * MINOR: fd: Add BUG_ON checks on fd_insert()
-  * CI: re-enable gcc asan builds
-  * BUILD: Makefile: Add Lua 5.4 autodetect
-  * BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
-  * MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
-  * BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
-  * BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
-  * BUG/MINOR: ssl: Do not look for key in extra files if already in pem
-  * MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
-  * BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
-  * BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
-  * BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
-  * BUG/MINOR: server: do not enable DNS resolution on disabled proxies
-  * BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
-  * REGTESTS: healthcheckmail: Relax health-check failure condition
-  * REGTESTS: healthcheckmail: Update the test to be functionnal again
-  * BUG/MINOR: checks: Properly handle email alerts in trace messages
-  * BUG/MINOR: trace: Test server existence for health-checks to get proxy
-  * BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
-  * BUILD: compiler: implement unreachable for older compilers too
-  * REGTESTS: restrict_req_hdr_names: Extend supported versions
-  * REGTESTS: http_abortonclose: Extend supported versions
-  * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
-  * BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
-  * REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
-  * REGTESTS: abortonclose: Add a barrier to not mix up log messages
-  * MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
-  * BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
-  * BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
-  * BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
-  * BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
-  * BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
-  * DOC: intro: adjust the numbering of paragrams to keep the output ordered
-  * DOC: peers: fix port number and addresses on new peers section format
-  * DOC: peers: clarify when entry expiration date is renewed.
-  * DOC: peers: indicate that some server settings are not usable
-  * SCRIPTS: make publish-release try to launch make-releases-json
-  * SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
-  * REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)
-  * BUG/MEDIUM: sample: Fix adjusting size in word converter
-  * BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
-  * BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
-  * BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
-  * BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
-  * BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str
-  * CI: determine actual OpenSSL version dynamically
-  * BUILD/MINOR: cpuset fix build for FreeBSD 13.1
-  * BUG/MINOR: peers: fix error reporting of "bind" lines
-  * BUG/MINOR: cfgparse: abort earlier in case of allocation error
-  * BUG/MINOR: check: Reinit the buffer wait list at the end of a check
-  * BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
-  * REGTESTS: abortonclose: Fix some race conditions
-  * BUG/MINOR: ssl: Fix crash when no private key is found in pem
-  * MINOR: tools: add get_exec_path implementation for solaris based systems.
-  * BUILD: fix build warning on solaris based systems with __maybe_unused.
-  * MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
-  * CI: determine actual LibreSSL version dynamically
-  * [RELEASE] Released version 2.4.17
-  * CLEANUP: mux-h1: Fix comments and error messages for global options
-  * BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
-  * BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
-  * BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
-  * DOC: install: update gcc version requirements
-  * BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
-  * BUILD: listener: shut report of possible null-deref in listener_accept()
-  * BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
-  * BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
-  * CI: dynamically determine actual version of h2spec
-  * DOC: fix typo "ant" for "and" in INSTALL
-  * BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
-  * BUG/MINOR: map/cli: protect the backref list during "show map" errors
-  * BUG/MEDIUM: cli: make "show cli sockets" really yield
-  * BUG/MEDIUM: resolvers: make "show resolvers" properly yield
-  * BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
-  * DOC: config: Update doc for PR/PH session states to warn about rewrite failures
-  * MINOR: mux-h2: report a trace event when failing to create a new stream
-  * BUG/MINOR: mux-h2: mark the stream as open before processing it not after
-  * BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
-  * BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
-  * BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
-  * SCRIPTS: announce-release: add URL of dev packages
-  * CI: github actions: update LibreSSL to 3.5.2
-  * [RELEASE] Released version 2.4.16
-  * BUILD: opentracing: Fix OT build due to misuse of var_clear()
-  * BUILD: proto_uxst: do not set unused flag
-  * BUILD: sockpair: do not set unused flag
-  * BUILD: fd: remove unused variable totlen in fd_write_frag_line()
-  * CLEANUP: acl: Remove unused variable when releasing an acl expression
-  * BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
-  * BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()
-  * BUILD: compiler: properly distinguish weak and global symbols
-  * REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
-  * MEDIUM: queue: use tasklet_instant_wakeup() to wake tasks
-  * MINOR: task: add a new task_instant_wakeup() function
-  * BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments
-  * DOC: remove my name from the config doc
-  * BUG/MAJOR: connection: Never remove connection from idle lists outside the lock
-  * BUG/MINOR: cache: Disable cache if applet creation fails
-  * SCRIPTS: announce-release: add shortened links to pending issues
-  * DOC: lua: update a few doc URLs
-  * SCRIPTS: announce-release: update the doc's URL
-  * BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
-  * BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added
-  * BUG/MEDIUM: stream: do not abort connection setup too early
-  * BUILD: compiler: use a more portable set of asm(".weak") statements
-  * BUILD: sched: workaround crazy and dangerous warning in Clang 14
-  * BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
-  * BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
-  * BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
-  * BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak
-  * BUG/MINOR: cache: do not display expired entries in "show cache"
-  * BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
-  * CI: cirrus: switch to FreeBSD-13.0
-  * CI: Update to actions/cache@v3
-  * CI: Update to actions/checkout@v3
-  * DEBUG: opentracing: show return values of all functions in the debug output
-  * CLEANUP: opentracing: added variable to store variable length
-  * CLEANUP: opentracing: added flt_ot_smp_init() function
-  * CLEANUP: opentracing: removed unused function flt_ot_var_get()
-  * CLEANUP: opentracing: removed unused function flt_ot_var_unset()
-  * DOC: opentracing: corrected comments in function descriptions
-  * EXAMPLES: opentracing: refined shell scripts for testing filter performance
-  * BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set()
-  * BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
-  * BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples
-  * BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached
-  * BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message
-  * BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet
-  * BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message
-  * BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests
-  * CI: github actions: update OpenSSL to 3.0.2
-  * BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
-  * BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads
-  * BUG/MINOR: samples: add missing context names for sample fetch functions
-  * DOC: reflect H2 timeout changes
-  * BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
-  * MEDIUM: mux-h2: slightly relax timeout management rules
-  * BUG/MEDIUM: stream-int: do not rely on the connection error once established
-  * BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing
-  * BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing
-  * BUG/MINOR: tools: url2sa reads too far when no port nor path
-  * DOC: config: Explictly add supported MQTT versions
-  * MEDIUM: mqtt: support mqtt_is_valid and mqtt_field_value converters for MQTTv3.1
-  * BUG/MEDIUM: trace: avoid race condition when retrieving session from conn->owner
-  * BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
-  * CI: github actions: switch to LibreSSL-3.5.1
-  * BUG/MINOR: server/ssl: free the SNI sample expression
-  * BUG/MINOR: tools: fix url2sa return value with IPv4
-  * [RELEASE] Released version 2.4.15
-  * BUILD: tree-wide: mark a few numeric constants as explicitly long long
-  * DOC: Fix usage/examples of deprecated ACLs
-  * BUG/MINOR: stream: make the call_rate only count the no-progress calls
-  * BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd()
-  * BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
-  * DEBUG: stream: Fix stream trace message to print response buffer state
-  * DEBUG: stream: Add the missing descriptions for stream trace events
-  * BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
-  * DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
-  * BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
-  * BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
-  * BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
-  * BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
-  * BUG/MINOR: cli: shows correct mode in "show sess"
-  * BUG/MINOR: add missing modes in proxy_mode_str()
-  * BUILD: pools: fix backport of no-memory-trimming on non-linux OS
-  * MINOR: pools: add a new global option "no-memory-trimming"
-  * BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed
-  * BUG/MINOR: pool: always align pool_heads to 64 bytes
-  * REGTESTS: fix the race conditions in secure_memcmp.vtc
-  * REGTESTS: fix the race conditions in normalize_uri.vtc
-  * BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks()
-  * CI: github actions: use cache for SSL libs
-  * CI: github actions: use cache for OpenTracing
-  * CI: github actions: add OpenTracing builds
-  * CI: github actions: add the output of $CC -dM -E-
-  * [RELEASE] Released version 2.4.14
-  * BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
-  * CI: github: enable pool debugging by default
-  * REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
-  * BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
-  * BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
-  * BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
-  * BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
-  * BUG/MINOR: tools: url2sa reads ipv4 too far
-  * BUG/MINOR: mailers: negotiate SMTP, not ESMTP
-  * CI: github actions: update OpenSSL to 3.0.1
-  * CI: github: switch to OpenSSL 3.0.0
-  * CI: github actions: relax OpenSSL-3.0.0 version comparision
-  * CI: github actions: -Wno-deprecated-declarations with OpenSSL 3.0.0
-  * CI: github actions: add OpenSSL-3.0.0 builds
-  * BUILD: adopt script/build-ssl.sh for OpenSSL-3.0.0beta2
-  * BUILD: fix compilation for OpenSSL-3.0.0-alpha17
-  * CI: ssl: keep the old method for ancient OpenSSL versions
-  * CI: ssl: do not needlessly build the OpenSSL docs
-  * CI: ssl: enable parallel builds for OpenSSL on Linux
-  * BUG/MAJOR: compiler: relax alignment constraints on certain structures
-  * BUG/MEDIUM: fd: always align fdtab[] to 64 bytes
-  * BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
-  * BUG/MINOR: sink: Use the right field in appctx context in release callback
-  * BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
-  * BUG/MEDIUM: mworker: close unused transferred FDs on load failure
-  * MINOR: sock: move the unused socket cleaning code into its own function
-  * [RELEASE] Released version 2.4.13
-  * BUG/MINOR: mux-h2: update the session's idle delay before creating the stream
-  * BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change
-  * REGTESTS: peers: leave a bit more time to peers to synchronize
-  * BUG/MAJOR: spoe: properly detach all agents when releasing the applet
-  * BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
-  * BUG/MEDIUM: listener: read-lock the listener during accept()
-  * MINOR: listener: replace the listener's spinlock with an rwlock
-  * BUG/MINOR: mworker: does not erase the pidfile upon reload
-  * BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
-  * DEBUG: pools: replace the link pointer with the caller's address on pool_free()
-  * DEBUG: pools: let's add reverse mapping from cache heads to thread and pool
-  * DEBUG: pools: add extra sanity checks when picking objects from a local cache
-  * BUG/MINOR: pools: always flush pools about to be destroyed
-  * BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
-  * DEBUG: pools: add new build option DEBUG_POOL_INTEGRITY
-  * BUILD: debug/cli: condition test of O_ASYNC to its existence
-  * DEBUG: cli: add a new "debug dev fd" expert command
-  * MEDIUM: h2/hpack: emit a Dynamic Table Size Update after settings change
-  * BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
-  * BUG/MEDIUM: mcli: do not try to parse empty buffers
-  * BUG/MEDIUM: cli: Never wait for more data on client shutdown
-  * BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
-  * MINOR: channel: add new function co_getdelim() to support multiple delimiters
-  * MEDIUM: cli: yield between each pipelined command
-  * BUG/MEDIUM: server: avoid changing healthcheck ctx with set server ssl
-  * BUILD/MINOR: fix solaris build with clang.
-  * BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
-  * BUG/MEDIUM: connection: properly leave stopping list on error
-  * [RELEASE] Released version 2.4.12
-  * BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data
-  * BUG/MEDIUM: mworker: don't use _getsocks in wait mode
-  * [RELEASE] Released version 2.4.11
-  * BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
-  * BUG/MINOR: cli: fix _getsocks with musl libc
-  * BUILD/MINOR: tools: solaris build fix on dladdr.
-  * BUILD/MINOR: cpuset FreeBSD 14 build fix.
-  * BUG/MEDIUM: ssl: free the ckch instance linked to a server
-  * BUG/MINOR: ssl: free the fields in srv->ssl_ctx
-  * MINOR: debug: add support for -dL to dump library names at boot
-  * MINOR: debug: add ability to dump loaded shared libraries
-  * MINOR: compat: detect support for dl_iterate_phdr()
-  * BUG/MINOR: mux-h1: Fix splicing for messages with unknown length
-  * BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message
-  * BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
-  * MINOR: proxy: add option idle-close-on-response
-  * REGTESTS: ssl: fix ssl_default_server.vtc
-  * BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
-  * DOC: fix misspelled keyword "resolve_retries" in resolvers
-  * BUILD: ssl: unbreak the build with newer libressl
-  * BUILD: cli: clear a maybe-unused  warning on some older compilers
-  * BUG/MINOR: pools: don't mark ourselves as harmless in DEBUG_UAF mode
-  * BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch
-  * [RELEASE] Released version 2.4.10
-  * BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose
-  * BUG/MINOR: backend: do not set sni on connection reuse
-  * MINOR: pools: work around possibly slow malloc_trim() during gc
-  * BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
-  * DOC: config: retry-on list is space-delimited
-  * DOC: config: Specify %Ta is only available in HTTP mode
-  * DOC: spoe: Clarify use of the event directive in spoe-message section
-  * BUG/MINOR: cli/server: Don't crash when a server is added with a custom id
-  * IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode
-  * BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types
-  * MINOR: cli: "show version" displays the current process version
-  * CI: Github Actions: temporarily disable BoringSSL builds
-  * BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH
-  * MINOR: mux-h1: Improve H1 traces by adding info about http parsers
-  * BUG/MAJOR: segfault using multiple log forward sections.
-  * BUG/MEDIUM: resolvers: Detach query item on response error
-  * BUG/MINOR: server: Don't rely on last default-server to init server SSL context
-  * BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
-  * BUILD/MINOR: server: fix compilation without SSL
-  * [RELEASE] Released version 2.4.9
-  * BUG/MINOR: cache: Fix loop on cache entries in "show cache"
-  * MINOR: promex: backend aggregated server check status
-  * MINOR: server: add ws keyword
-  * MEDIUM: server/backend: implement websocket protocol selection
-  * MINOR: connection: add alternative mux_ops param for conn_install_mux_be
-  * MINOR: connection: implement function to update ALPN
-  * MINOR: stream/mux: implement websocket stream flag
-  * BUG/MINOR: ssl: make SSL counters atomic
-  * MINOR: shctx: add a few BUG_ON() for consistency checks
-  * BUG/MINOR: shctx: do not look for available blocks when the first one is enough
-  * BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
-  * BUG/MEDIUM: cache/cli: make "show cache" thread-safe
-  * BUG/MEDIUM: mux-h2: always process a pending shut read
-  * BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
-  * CLEANUP: ssl: fix wrong #else commentary
-  * BUG/MINOR: ssl: free correctly the sni in the backend SSL cache
-  * BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
-  * BUILD: makefile: simplify detection of libatomic
-  * BUG/MEDIUM: mux-h1: Handle delayed silent shut in h1_process() to release H1C
-  * BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
-  * BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
-  * BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
-  * BUG/MINOR: mworker: doesn't launch the program postparser
-  * BUG/MEDIUM: conn-stream: Don't reset CS flags on close
-  * MINOR: mux-h1: Slightly Improve H1 traces
-  * DOC: lua: Be explicit with the Reply object limits
-  * Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back"
-  * BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
-  * DOC: config: Fix typo in ssl_fc_unique_id description
-  * BUG/MINOR: cache: properly ignore unparsable max-age in quotes
-  * BUG/MINOR: resolvers: throw log message if trash not large enough for query
-  * BUG/MINOR: resolvers: fix sent messages were counted twice
-  * BUG/MEDIUM: mux-h2: reject upgrade if no RFC8441 support
-  * MINOR: mux-h2: add trace on extended connect usage
-  * MINOR: mux-h2: perform a full cycle shutdown+drain on close
-  * MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
-
-- VUL-0: serious vulnerability in the HTTP/1 parser (bsc#1208132)
-  o Apply upstream patch:
-    2.0-2.5-BUG-CRITICAL-http-properly-reject-empty-http-header-.patch
-- The output buffer is not zero-initialized. If we don't clear reserved
-  bytes, fcgi requests sent to backend will leak sensitive data.
-  o Apply proposed patch:
-    0001-output-buffer-is-not-zero-initialized.path
-
-- VUL-0: CVE-2023-0056: haproxy: segfault DoS (bsc#1207181)
-  o Apply upstream patch:
-    0001-BUG-MEDIUM-mux-h2-Refuse-interim-responses-with-end-.patch
-
-- (bsc#1196408) VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
-  o Apply upstream patch:
-    0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch
haveged
+- Remove haveged-switch-root.service because it's implemented incorrectly and
+  neither upstream don't know how to fix it (#77). On the other hand, without
+  this service haveged will be started from scratch after switch root so it's
+  hopefully no big deal. Also remove patch for bsc#1203079 as it's considered
+  as a security threat because of creating fixed name file in world-writable
+  directory. [jsc#PED-6184, bsc#1206699]
+  * Remove
+  - haveged-switch-root.service
+  - haveged-switch-root.patch
+
hcode
+- fix build: strcasestr now comes with string.h
+
hplip
-- hppsfilter: booklet printing: change insecure fixed /tmp file paths
-  (bsc#1214399)
-  * add hppsfilter-booklet-printing-change-insecure-fixed-tm.patch
-
-- Update to hplip 3.23.8 (jsc#PED-5846)
+- Update to hplip 3.23.8
hwloc
+- Update to version 2.9.3:
+  * Handle Linux glibc allocation errors in binding routines (CVE-2022-47022).
+  * Fix hwloc-calc when searching objects on heterogeneous memory platforms,
+  * Fix hwloc_get_next_child() when there are some memory-side caches.
+  * Don't crash if the topology is empty because Linux cgroups are wrong.
+  * Improve some hwloc-bind warnings in case of command-line parsing errors.
+  * Many documentation improvements all over the place, including:
+    + hwloc_topology_restrict() and hwloc_topology_insert_group() may reorder
+    children, causing the logical indexes of objects to change.
+- update to 2.9.2:
+  * Don't forget L3i when defining filters for multiple levels of
+    caches with hwloc_topology_set_cache/icache_types_filter().
+  * Fix object total_memory after hwloc_topology_insert_group_object().
+  * Fix the (non-yet) exporting in synthetic description for
+    complex memory hierarchies with memory-side caches, etc.
+  * Fix some default size attributes when building synthetic
+    topologies.
+  * Fix size units in hwloc-annotate.
+  * Improve bitmap reallocation error management in many functions.
+  * Documentation improvements
+- update to 2.9.1:
+  * Fix a failed assertion in hwloc_topology_restrict() when some
+    NUMA nodes are removed because of
+    HWLOC_RESTRICT_FLAG_REMOVE_CPULESS but no PUs are.
+  * Mark HPE Cray Slingshot NICs with subtype "Slingshot".
+
hylafax+
+- Remove stray pseudo comment (from Bjørn Lie)
+
+- Add tiff.patch to unbreak build
+
ibmswtpm2
+- Update to version 164-2020-192.2
+  * Implement the RSA 5 primes optimization.
+  * Check command size for int32 overflow.
+  * Add support for OpenSSL 3.1.x
+  * Do not accept a NULL signKey in TPM2_CertifyX509
+  * Add Nuvoton to gcc makefile
+- New project URL - move to github
+- Drop usptreamed ibmswtpm2-OpenSSL-3.1.patch
+
+- Add support for OpenSSL 3.1.x
+  * Add ibmswtpm2-OpenSSL-3.1.patch
+
+- update to 1682:
+  * tpm: Fix cast in BnSetBit.
+  * tpm2: Fix size check in CryptSecretDecrypt
+  * tpm: Port Windows code for OpenSSL 3.0
+  * tpm: Update to openssl 3.0.2
+  * tpm: Add command and handle tracing
+  * tpm: Update for openssl 3.0.1
+  * tpm: Add ECC encrypt and decrypt commands
+  * Fix compilation on RISC-V
+  * PlatformSvc: return error on control socket failure
+  * main: set a return code if StartTcpServer fails
+  * tpm: Add all updates to TPM specification 164.
+- drop ibmswtpm2-fix-ppc32.patch (upstream)
+- makefile.patch: refresh
+
+- Fix ppc32 build.
+  + ibmswtpm2-fix-ppc32.patch
+
ibmtss
+- Update to 2.1.1:
+  * Add man page for tpmproxy.
+- Update to 2.1.0:
+  * Parse new IMA event log template data fields.
+  * Add option to verify IMA template data
+  * Correct minor regression test script typos.
+- Update to 2.0.0
+  * Expand TPMU_SENSITIVE_COMPOSITE to handle HW TPMs that return 5
+    RSA primes.  This is an ABI (not API) break.
+  * Add support for TPM2_ECC_Encrypt and TPM2_ECC_Decrypt
+  * Add more EFI event log handlers and event tracing.
+  * SW TPM test CA now uses SHA-256, not the deprecated SHA-1.
+  * Port tpmproxy for TPM 2.0 to Linux and Windows.
+  * Add many new EK root certificates.
+  * Remove OpenSSL functions deprecated in 3.x.
+  * Fix TSS bug when using encrypt and decrypt in a PWAP session.
+  * Add build flag to suppress SHA-1.
+- Remove patches fixed upstream:
+  * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+  * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+  * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+  * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+  * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+  * ibmtss-openssl3-deprecation.patch
+
+- Build with OpenSSL 3.0 deprecated functions until fixed upstream
+  in the next version update [bsc#1205042]
+  * ibmtss-openssl3-deprecation.patch
+- Add upstream patches to fix build with OpenSSL 3.0
+  * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+  * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+  * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+  * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+  * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+
ibsim
+- Update to 0.12
+  - Increase LFT size to 48K
+  - Support NDR when parsing enhance ibnetdiscover
+  - Enable IsLinkSpeedNDRSupported bit in PortInfo
+  - Assume QDR speed when port speed is 0
+
icu73_2
+- icu4c-73_c-ICU-22512-Fix-broken-TestHebrewCalendarInTemporalLeapYear.patch
+  Fix testsuite issue in hebrew calendar (bsc#1217479)
+
installation-images:openSUSE
+- merge gh#openSUSE/installation-images#676
+- include complete system-role-common-criteria package
+  (bsc#1217968)
+- 16.59.4
+
ipmitool
+- bsc#1216556 L3: ipmitool: Unsupported LAN Parameter
+    lookup error SLE15 SP4+
+  Fix regression introduced by 351dad24a26f56580ba6
+  lan: Add processing of get/set specific CCs:
+  https://github.com/ipmitool/ipmitool/pull/388
+  https://github.com/ipmitool/ipmitool/pull/389
+  Be aware: Even the pullrequest is open for a while, this patch is not
+  integrated in latest mainstream master branch.
+  A    lanp-Fix-error-response-from-Unsupported-Parameter-lookup.patch.txt
+
jackson-annotations
+- Update to 2.15.2
+  * no subsantial changes from 2.15.0
+  * 2.15.0 (23-Apr-2023)
+    + #211: Add 'JsonFormat.Feature's:
+    READ_UNKNOWN_ENUM_VALUES_AS_NULL,
+    READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE
+    + #214: Add NOTICE file with copyright information
+    + #221: Add
+    'JsonFormat.Feature.READ_DATE_TIMESTAMPS_AS_NANOSECONDS'
+  * 2.14.0 (05-Nov-2022)
+    + #204: Allow explicit 'JsonSubTypes' repeated names check
+
+- Update to 2.13.3
+  * no substantial changes, just version allignment to other
+    jackson packages
+
-    [#141]: Add `JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES`
-    [#159]: Add `JsonFormat.Shape.BINARY`
+    [#141]: Add 'JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES'
+    [#159]: Add 'JsonFormat.Shape.BINARY'
jackson-bom
+- Update to version 2.15.2
+  * 2.15.2 (30-May-2023)
+    + No changes since 2.15.1
+  * 2.15.1 (16-May-2023)
+    + #63: Update 'de.jjohannes:gradle-module-metadata-maven-plugin'
+    to 0.4.0
+    + Add override for 'version.plugin.moditect' to be '1.0.0.Final'
+    until upgraded in 'oss-parent'/51
+  * 2.15.0 (23-Apr-2023)
+    + #56: Change defaults for Felix OSGi Bundle plug-in to fix
+    timestamps for Reproducible Builds
+    + Add version for 'jackson-datatype-hibernate6'
+    + Add version for 'jackson-module-jsonSchema-jakarta'
+  * 2.14.0 (05-Nov-2022)
+    + #52: Gradle reports incorrect jackson-bom dependency version
+
+- Update to version 2.13.3
+  * 2.13.3 (14-May-2022)
+    + No changes since 2.13.2
+  * 2.13.2 (06-Mar-2022)
+    + #46: 'module-info.java' is in 'META-INF/versions/11' instead
+    of 'META-INF/versions/9'
+  * 2.13.1 (19-Dec-2021)
+    + No changes since 2.13.0
+
jackson-core
+- Update to 2.15.2
+  * 2.15.2 (30-May-2023)
+    + #1019: Allow override of 'StreamReadContraints' default with
+    'overrideDefaultStreamReadConstraints()'
+    + #1027: Extra module-info.class in 2.15.1
+    + #1028: Wrong checksums in 'module.json' (2.15.0, 2.15.1)
+    + #1032: 'LICENSE' missing from 2.15.1 jar
+  * 2.15.1 (16-May-2023))
+    + #999: Gradle metadata for 'jackson-core' '2.15.0' adds
+    dependency on 'ch.randelshofer:fastdoubleparser'
+    + #1003: Add FastDoubleParser section to 'NOTICE'
+    + #1014: Increase default max allowed String value length from
+    5 megs to 20 megs
+    + #1023: Problem with 'FilteringGeneratorDelegate' wrt
+    'TokenFilter.Inclusion.INCLUDE_NON_NULL'
+  * 2.15.0 (23-Apr-2023)
+    + #827: Add numeric value size limits via
+    'StreamReadConstraints' (fixes 'sonatype-2022-6438')
+    + #844: Add SLSA provenance via build script
+    + #851: Add 'StreamReadFeature.USE_FAST_BIG_DECIMAL_PARSER' to
+    enable faster 'BigDecimal', 'BigInteger' parsing
+    + #863: Add 'StreamReadConstraints' limit for longest textual
+    value to allow (default: 5M)
+    + #865: Optimize parsing 19 digit longs
+    + #898: Possible flaw in 'TokenFilterContext#skipParentChecks()'
+    + #902: Add 'Object JsonParser.getNumberValueDeferred()' method
+    to allow for deferred decoding in some cases
+    + #921: Add 'JsonFactory.Feature.CHARSET_DETECTION' to disable
+    charset detection
+    + #948: Use 'StreamConstraintsException' in name canonicalizers
+    + #962: Offer a way to directly set 'StreamReadConstraints' via
+    'JsonFactory' (not just Builder)
+    + #965: 2.15.0-rc1 missing Gradle module metadata marker in
+    pom.xml
+    + #968: Prevent inefficient internal conversion from
+    'BigDecimal' to 'BigInteger' wrt ultra-large scale
+    + #984: Add 'JsonGenerator.copyCurrentEventExact' as alternative
+    to 'copyCurrentEvent()'
+  * 2.14.3 (05-May-2023)
+    + #909: Revert schubfach changes in #854
+    + #912: Optional padding Base64Variant still throws exception on
+    missing padding character
+    + #967: Address performance issue with 'BigDecimalParser'
+    + #990: Backport removal of BigDecimal to BigInt conversion
+    (#987)
+    + #1004: FastDoubleParser license
+    + #1012: Got 'NegativeArraySizeException' when calling
+    'writeValueAsString()'
+  * 2.14.2 (28-Jan-2023)
+    + #854: Backport schubfach changes from v2.15#8
+    + #882: Allow TokenFIlter to skip last elements in arrays
+    + #886: Avoid instance creations in fast parser code
+    + #890: 'FilteringGeneratorDelegate' does not create new
+    'filterContext' if 'tokenFilter' is null
+  * 2.14.0 (05-Nov-2022)
+    + #478: Provide implementation of async JSON parser fed by
+    'ByteBufferFeeder'
+    + #577: Allow use of faster floating-point number parsing with
+    'StreamReadFeature.USE_FAST_DOUBLE_PARSER'
+    + #684: Add "JsonPointer#appendProperty" and
+    "JsonPointer#appendIndex"
+    + #715: Allow TokenFilters to keep empty arrays and objects
+    + #717: Hex capitalization for JsonWriter should be configurable
+    (add 'JsonWriteFeature.WRITE_HEX_UPPER_CASE')
+    + #733: Add 'StreamReadCapability.EXACT_FLOATS' to indicate
+    whether parser reports exact floating-point values or not
+    + #736: 'JsonPointer' quadratic memory use: OOME on deep inputs
+    + #745: Change minimum Java version to 8
+    + #749: Allow use of faster floating-point number serialization
+    ('StreamWriteFeature.USE_FAST_DOUBLE_WRITER')
+    + #751: Remove workaround for old issue with a particular double
+    + #753: Add 'NumberInput.parseFloat()'
+    + #757: Update ParserBase to support floats directly
+    + #759: JsonGenerator to provide current value to the context
+    before starting objects
+    + #762: Make 'JsonPointer' 'java.io.Serializable'
+    + #763: 'JsonFactory.createParser()' with 'File' may leak
+    'InputStream's
+    + #764: 'JsonFactory.createGenerator()' with 'File' may leak
+    'OutputStream's
+    + #773: Add option to accept non-standard trailing decimal point
+    ('JsonReadFeature.ALLOW_TRAILING_DECIMAL_POINT_FOR_NUMBERS')
+    + #774: Add a feature to allow leading plus sign
+    ('JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS')
+    + #788: 'JsonPointer.empty()' should NOT indicate match of a
+    property with key of ""
+    + #798: Avoid copy when parsing 'BigDecimal'
+    + #811: Add explicit bounds checks for 'JsonGenerator' methods
+    that take 'byte[]'/'char[]'/String-with-offsets input
+    + #812: Add explicit bounds checks for
+    'JsonFactory.createParser()' methods that take
+    'byte[]'/'char[]'-with-offsets input
+    + #814: Use 'BigDecimalParser' for BigInteger parsing very long
+    numbers
+    + #818: Calling 'JsonPointer.compile(...)' on very deeply nested
+    expression throws 'StackOverflowError'
+    + #828: Make 'BigInteger' parsing lazy
+    + #830: Make 'BigDecimal' parsing lazy
+    + #834: ReaderBaseJsonParser._verifyRootSpace() can cause buffer
+    boundary failure
+- Added patch:
+  * 0001-Remove-ch.randelshofer.fastdoubleparser.patch
+    + we don't have 'ch.randelshofer:fastdoubleparser'
+
+- Update to 2.13.3
+  * 2.13.3 (14-May-2022)
+    + #744: Limit size of exception message in BigDecimalParser
+  * 2.13.2 (06-Mar-2022)
+    + #732: Update Maven wrapper
+    + #739: 'JsonLocation' in 2.13 only uses identity comparison
+    for "content reference"
+  * 2.13.1 (19-Dec-2021)
+    + #713: Incorrect parsing of single-quoted surrounded String
+    values containing double quotes
+
jackson-databind
+- Update to 2.15.2
+  * 2.15.2 (30-May-2023)
+    + #3938: Record setter not included from interface
+    (2.15 regression)
+  * 2.15.1 (16-May-2023)
+    + #3882: Error in creating nested 'ArrayNode's with
+    'JsonNode.withArray()'
+    + #3894: Only avoid Records fields detection for deserialization
+    + #3895: 2.15.0 breaking behaviour change for records and Getter
+    Visibility
+    + #3897: 2.15.0 breaks deserialization when POJO/Record only has
+    a single field and is marked 'Access.WRITE_ONLY'
+    + #3913: Issue with deserialization when there are unexpected
+    properties (due to null 'StreamReadConstraints')
+    + #3914: Fix TypeId serialization for
+    'JsonTypeInfo.Id.DEDUCTION', native type ids
+  * 2.15.0 (23-Apr-2023)
+    + #2536: Add 'EnumFeature.READ_ENUM_KEYS_USING_INDEX' to work
+    with existing "WRITE_ENUM_KEYS_USING_INDEX"#
+    + #2667: Add '@EnumNaming', 'EnumNamingStrategy' to allow use of
+    naming strategies for Enums
+    + #2968: Deserialization of '@JsonTypeInfo' annotated type fails
+    with missing type id even for explicit concrete subtypes
+    + #2974: Null coercion with '@JsonSetter' does not work with
+    'java.lang.Record'
+    + #2992: Properties naming strategy do not work with Record
+    + #3053: Allow serializing enums to lowercase
+    ('EnumFeature.WRITE_ENUMS_TO_LOWERCASE')
+    + #3180: Support '@JsonCreator' annotation on record classes
+    + #3262: InvalidDefinitionException when calling
+    mapper.createObjectNode().putPOJO
+    + #3297: '@JsonDeserialize(converter = ...)' does not work with
+    Records
+    + #3342: 'JsonTypeInfo.As.EXTERNAL_PROPERTY' does not work with
+    record wrappers
+    + #3352: Do not require the usage of opens in a modular app when
+    using records
+    + #3566: Cannot use both 'JsonCreator.Mode.DELEGATING' and
+    'JsonCreator.Mode.PROPERTIES' static creator factory methods
+    for Enums
+    + #3637: Add enum features into '@JsonFormat.Feature'
+    + #3638: Case-insensitive and number-based enum deserialization
+    are (unnecessarily) mutually exclusive
+    + #3651: Deprecate "exact values" setting from 'JsonNodeFactory',
+    replace with
+    'JsonNodeFeature.STRIP_TRAILING_BIGDECIMAL_ZEROES'
+    + #3654: Infer '@JsonCreator(mode = Mode.DELEGATING)' from use
+    of '@JsonValue')
+    + #3676: Allow use of '@JsonCreator(mode = Mode.PROPERTIES)'
+    creator for POJOs with"empty String" coercion
+    + #3680: Timestamp in classes inside jar showing 02/01/1980
+    + #3682: Transient 'Field's are not ignored as Mutators if there
+    is visible Getter
+    + #3690: Incorrect target type for arrays when disabling
+    coercion
+    + #3708: Seems like 'java.nio.file.Path' is safe for Android API
+    level 26
+    + #3730: Add support in 'TokenBuffer' for lazily decoded (big)
+    numbers
+    + #3736: Try to avoid auto-detecting Fields for Record types
+    + #3742: schemaType of 'LongSerializer' is wrong
+    + #3745: Deprecate classes in package
+    'com.fasterxml.jackson.databind.jsonschema'
+    + #3748: 'DelegatingDeserializer' missing override of
+    'getAbsentValue()' (and couple of other methods)
+    + #3771: Classloader leak: DEFAULT_ANNOTATION_INTROSPECTOR holds
+    annotation reference
+    + #3791: Flush readonly map together with shared on
+    'SerializerCache.flush()'
+    + #3796: Enum Deserialisation Failing with Polymorphic type
+    validator
+    + #3809: Add Stream-friendly alternative to
+    'ObjectNode.fields()': 'Set<Map.Entry<String, JsonNode>>
+    properties()'
+    + #3814: Enhance 'StdNodeBasedDeserializer' to support
+    'readerForUpdating'
+    + #3816: TokenBuffer does not implement writeString(Reader
+    reader, int len)
+    + #3819: Add convenience method
+    'SimpleBeanPropertyFilter.filterOutAll()' as counterpart of
+    'serializeAll()'
+    + #3836: 'Optional<Boolean>' is not recognized as boolean field
+    + #3853: Add 'MapperFeature.REQUIRE_TYPE_ID_FOR_SUBTYPES' to
+    enable/disable strict subtype Type Id handling
+    + #3876: 'TypeFactory' cache performance degradation with
+    'constructSpecializedType()'
+  * 2.14.3 (05-May-2023)
+    + #3784: 'PrimitiveArrayDeserializers$ByteDeser.deserialize'
+    ignores 'DeserializationProblemHandler' for invalid Base64
+    content
+    + #3837: Set transformer factory attributes to improve
+    protection against XXE
+  * 2.14.2 (28-Jan-2023)
+    + #1751: '@JsonTypeInfo' does not work if the Type Id is an
+    Integer value
+    + #3063: '@JsonValue' fails for Java Record
+    + #3699: Allow custom 'JsonNode' implementations
+    + #3711: Enum polymorphism not working correctly with DEDUCTION
+    + #3741: 'StdDelegatingDeserializer' ignores 'nullValue' of
+    '_delegateDeserializer'.
+  * 2.14.1 (21-Nov-2022)
+    + #3655: 'Enum' values can not be read from single-element array
+    even with 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS'
+    + #3665: 'ObjectMapper' default heap consumption increased
+    significantly from 2.13.x to 2.14.0
+  * 2.14.0 (05-Nov-2022)
+    + #1980: Add method(s) in 'JsonNode' that works like combination
+    of 'at()' and 'with()': 'withObject(...)' and 'withArray(...)'
+    + #2541: Cannot merge polymorphic objects
+    + #3013: Allow disabling Integer to String coercion via
+    'CoercionConfig'
+    + #3212: Add method 'ObjectMapper.copyWith(JsonFactory)'
+    + #3311: Add serializer-cache size limit to avoid Metaspace
+    issues from caching Serializers
+    + #3338: 'configOverride.setMergeable(false)' not supported by
+    'ArrayNode'
+    + #3357: '@JsonIgnore' does not if together with '@JsonProperty'
+    or '@JsonFormat'
+    + #3373: Change 'TypeSerializerBase' to skip
+    'generator.writeTypePrefix()' for 'null' typeId
+    + #3394: Allow use of 'JsonNode' field for '@JsonAnySetter'
+    + #3405: Create DataTypeFeature abstraction (for JSTEP-7) with
+    placeholder features
+    + #3417: Allow (de)serializing records using
+    Bean(De)SerializerModifier even when reflection is unavailable
+    + #3419: Improve performance of 'UnresolvedForwardReference' for
+    forward reference resolution
+    + #3421: Implement 'JsonNodeFeature.READ_NULL_PROPERTIES' to
+    allow skipping of JSON 'null' values on reading
+    + #3443: Do not strip generic type from 'Class<C>' when
+    resolving 'JavaType'
+    + #3447: Deeply nested JsonNode throws StackOverflowError for
+    toString()
+    + #3475: Support use of fast double parse
+    + #3476: Implement 'JsonNodeFeature.WRITE_NULL_PROPERTIES' to
+    allow skipping JSON 'null' values on writing
+    + #3481: Filter method only got called once if the field is null
+    when using '@JsonInclude(value = JsonInclude.Include.CUSTOM,
+    valueFilter = SomeFieldFilter.class)'
+    + #3484: Update 'MapDeserializer' to support
+    'StreamReadCapability.DUPLICATE_PROPERTIES'
+    + #3497: Deserialization of Throwables with
+    PropertyNamingStrategy does not work
+    + #3500: Add optional explicit 'JsonSubTypes' repeated names
+    check
+    + #3503: 'StdDeserializer' coerces ints to floats even if
+    configured to fail
+    + #3505: Fix deduction deserializer with
+    DefaultTypeResolverBuilder
+    + #3528: 'TokenBuffer' defaults for parser/stream-read features
+    neither passed from parser nor use real defaults
+    + #3530: Change LRUMap to just evict one entry when maxEntries
+    reached
+    + #3533: Deserialize missing value of 'EXTERNAL_PROPERTY' type
+    using custom 'NullValueProvider'
+    + #3535: Replace 'JsonNode.with()' with 'JsonNode.withObject()'
+    + #3559: Support 'null'-valued 'Map' fields with "any setter"
+    + #3568: Change 'JsonNode.with(String)' and 'withArray(String)'
+    to consider argument as 'JsonPointer' if valid expression
+    + #3590: Add check in primitive value deserializers to avoid
+    deep wrapper array nesting wrt 'UNWRAP_SINGLE_VALUE_ARRAYS'
+    [CVE-2022-42003, bsc#1204370]
+    + #3609: Allow non-boolean return type for "is-getters" with
+    'MapperFeature.ALLOW_IS_GETTERS_FOR_NON_BOOLEAN'
+    + #3613: Implement 'float' and 'boolean' to 'String' coercion
+    config
+    + #3624: Legacy 'ALLOW_COERCION_OF_SCALARS' interacts poorly
+    with Integer to Float coercion
+    + #3633: Expose 'translate()' method of standard
+    'PropertyNamingStrategy' implementations
+  * 2.13.5 (23-Jan-2023)
+    + #3659: Improve testing (likely via CI) to try to ensure
+    compatibility with specific Android SDKs
+    + #3661: Jackson 2.13 uses Class.getTypeName() that is only
+    available on Android SDK 26 (with fix works on ASDK 24)
+
jackson-dataformats-binary
+- Version update to 2.15.2
+  * 2.15.2 (30-May-2023)
+    + #379: (avro) 'logback-test.xml' in wrong place
+    (avro/src/main/resources)
+  * 2.15.0 (23-Apr-2023)
+    + #347: (cbor) Add support for CBOR stringref extension
+    ('CBORGenerator.Feature.STRINGREF')
+    + #356: (cbor) Add 'CBORGenerat.Feature.WRITE_MINIMAL_DOUBLES'
+    for writing 'double's as 'float's if safe to do so
+    + #373: (cbor) Remove optimized 'CBORParser.nextTextValue()'
+    implementation
+  * 2.14.3 (05-May-2023)
+    + #354: (all) Missing license file in Maven package for newer
+    versions
+    + #366: 'CBORGenerator.writeRawUTF8String()' seems to ignore
+    offset
+  * 2.14.1 (21-Nov-2022)
+    + #342: (smile) Possible performance improvement on jdk9+ for
+    Smile decoding
+  * 2.14.0 (05-Nov-2022)
+    + #301: (cbor, smile) Missing configuration methods for
+    format-specific parser/generator features
+    + #310: (avro) Avro schema generation: allow override namespace
+    with new '@AvroNamespace' annotation
+    + #311: (ion) 'IonObjectMapper' does not throw JacksonException
+    for some invalid Ion
+    + #312: (cbor, smile) Short NUL-only keys incorrectly detected
+    as duplicates
+    + #325: (ion) Ensure 'IonReader' instances created within
+    'IonFactory' are always resource-managed
+    + #338: Use passed "current value" in 'writeStartObject()'
+    overload
+    + #341: (ion) Update to Amazon Ion 1.9.5
+
+- Version update to 2.13.3
+  * 2.13.3 (14-May-2022)
+    + #317: (ion) IonValueDeserializer does not handle getNullValue
+    correctly for a missing property
+  * 2.13.2 (06-Mar-2022)
+    + No changes since 2.13.1
+  * 2.13.1 (19-Dec-2021)
+    + #302: (ion) 'IllegalArgumentException' in
+    'IonParser.getEmbeddedObject()'
+
jackson-modules-base
+- Version upgrade to 2.15.2
+  * 2.15.2 (30-May-2023)
+    + #207: Mr Bean exposing 'Asm' as Maven dependency despite
+    shading
+    + (afterburner, mrbean) 'org.ow2.asm:asm' updated to 9.5
+    (from 9.4)
+  * 2.15.1 (16-May-2023)
+    + #204: (afterburner, mrbean) Gradle metadata for
+    'jackson-core' '2.15.0' adds dependency on shaded
+    'org.ow2.asm:asm'
+  * 2.15.0 (23-Apr-2023)
+    + #190: Filter annotated by JsonInclude.Include.CUSTOM does not
+    get called if property is null with Afterburner/Blackbird
+    module registered
+  * 2.14.3 (05-May-2023)
+    + #198: fix failing tests in java17 CI run
+    + #199: jaxb and jakarta-xmlbind put module-info in versions/11
+    + Fix Gradle Module Metadata for Afterburner, Blackbird
+  * 2.14.0 (05-Nov-2022)
+    + #138: (blackbird) Blackbird doesn't work on Java 15+
+    + #187: Remove stack trace from Blackbirds warnings wrt missing
+    'MethodHandles.lookup()' (on Java 8)
+    + Asm version from 9.0 to 9.4
+
jackson-parent
+- Upgrade to 2.15
+  * 2.15 (23-Apr-2023)
+    + Upgrade to oss-parent 50 (many plugin version updates)
+    + Remove settings for 'org.eclipse.m2e:lifecycle-mapping'
+  * 2.14 (05-Nov-2022)
+    + Upgrade to oss-parent 48 (Reproducible Builds, many plugin
+    version updates)
+
java-21-openjdk
+- Modified patch:
+  * fips.patch
+    + use the system crypto-policies provided configuration file
+    by default (bsc#1218061)
+
jbigkit
+- security update
+- added patches
+  fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler
+  + jbigkit-CVE-2022-1210.patch
+
jeos-firstboot
+- Update to version 1.2.0.9:
+  * Add KeyringMode=shared
+
+- Update to version 1.2.0.7:
+  * Don't pass --setup-machine-id to systemd-firstboot
+
+- Update to version 1.2.0.6:
+  * Change EULA/license dialog button label to "Continue" (bsc#1210279)
+- Only build the rpiwifi package on SLE/Leap 15 (bsc#1207419)
+- Add an explicit dependency on nmtui
+
kbuild
+- Add byacc to BuildRequires fixes problems with bison 3.7 (bsc#1175268)
+
+- update to svn3427:
+  * 3 years of changes, see http://trac.netlabs.org/kbuild/timeline
+- remove patches:
+  gcc10-fno-common-fix.patch, glob-interface.patch,
+  use-alloca.patch, kbuild-gcc7.patch, kbuild-glob.patch,
+  strsignal.patch: upstream or obsolete
+
+- strsignal.patch: use strsignal instead of sys_siglist (bsc#1175268)
+
+- Add gcc10-fno-common-fix.patch in order to fix boo#1160274.
+
+- Modernise spec file
+
+- Returned changelist back to a %doc.
+
+- Changed spec file to require readline-devel, not a specific libreadline version.
+  Thanks to Jan Engelhardt <jengelh@inai.de> for suggestion.
+
+- Add libreadline6 to the BuildRequires list.
+- Changed %doc to %license for COPYING as directed by osc.
+
-- Update to version 0.1.9998svn2720:
-  + VirtualBox-4.3.6 requires revision 2689 or later
-- Dropped patches:
-  + warnings.diff (obsolete)
-  + glibc-2.10.diff (solved differently upstream)
-  + kbuild-func_missing_args.diff (obsolete)
-- Rebased patches:
-  + kbuild-pthread.diff (only offset)
-  + kbuild-timestamps.diff (only offset)
-  + kbuild-armv7l.diff (only offset)
-  + kbuild-dummy_noreturn.diff (manually)
-- Add patches:
-  + kbuild-glob.patch: Include local glob implementation
-  + kbuild-kmk-makefile-am.patch: Fix wrong file list
-
-- added patches:
-  * ppc64le.patch
-- Make ppc64le architecture known
-
kdump
+- upgrade to version 2.0.0
+  * add support for riscv64 (bsc#1204214)
+  * mkdumprd: fix the check for updated SSH keys
+  * prefer by-path and device-mapper aliases (bsc#1217617)
+  * udev: don't reload kdump if kernel handles hotplug (jsc#PED-5077)
+
kernel-firmware
+- Update to version 20231214 (git commit b80907ec3a81):
+  * qcom: Add Audio firmware for SM8650 QRD
+  * qcom: Add Audio firmware for SM8550 QRD
+  * Add rdfind for deb/rpm build jobs
+  * wfx: update to firmware 3.17
+  * wfx: fix broken firmware
+
+- Update to version 20231205 (git commit bfc33c1e308e):
+  * linux-firmware: Update AMD cpu microcode
+  * cxgb4: Update firmware to revision 1.27.5.0
+  * linux-firmware: add firmware for en8811h 2.5G ethernet phy
+  * s5p-mfc: Add MFC v12 Firmware
+  * qcom: update qrb4210 firmware
+  * qcom: update qcm2290 firmware
+  * qcom: update qcm2290/qrb4210 WiFi firmware file
+  * qcom: update Venus firmware file for v6.0
+
+- Update to version 20231128 (git commit d9f6088f7e91):
+  * Add a COPYOPTS variable
+  * rtl_bt: Update RTL8852A BT USB firmware to 0xDFC8_145F
+
+- Update to version 20231127 (git commit 4124f8f928d5):
+  * Make rdfind optional
+  * ice: update ice DDP wireless_edge package to 1.3.13.0
+  * linux-firmware: update firmware for mediatek bluetooth chip (MT7922)
+  * linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
+  * linux-firmware: update firmware for MT7922 WiFi device
+  * linux-firmware: update firmware for MT7921 WiFi device
+  * Makefile, copy-firmware: Use portable "command -v" to detect installed programs
+  * amdgpu: update DMCUB firmware to 0.0.194.0 for DCN321 and DCN32
+  * powervr: add firmware for Imagination Technologies AXE-1-16M GPU
+  * ice: update ice DDP comms package to 1.3.45.0
+  * ice: update ice DDP package to 1.3.35.0
+  * mediatek: Remove an unused packed library
+  * amdgpu: update DMCUB firmware to 0.0.193.0 for DCN31 and DCN314
+- Drop obsoleted copy-file-skip-rdfind.patch; use --ignore-duplicates
+
+- Update to version 20231120 (git commit 9552083a783e):
+  * mediatek: Sync shared memory structure changes
+  * Intel Bluetooth: Update firmware file for Intel Bluetooth BE200
+  * i915: Update MTL DMC to v2.19
+  * Make email replies more resilient
+  * Try both utf-8 and windows-1252 for decoding email
+
+- Update to version 20231116 (git commit 6723a8d90923):
+  * iwlwifi: fix for the new FWs from core83-55 release
+  * Enable deb and rpm builds on tags
+  * linux-firmware: Add firmware for Cirrus CS35L41 on HP G11 Laptops
+  * linux-firmware: Add firmware for Cirrus CS35L41 on 2024 ASUS Zenbook Laptops
+
+- Update to version 20231115 (git commit a07fd0b96b5a):
+  * iwlwifi: add new FWs from core83-55 release
+  * iwlwifi: update cc/Qu/QuZ firmwares for core83-55 release
+  * Add a workaround for gitlab.freedesktop.org pull requests
+  * Add extra debugging output when processing pull requests
+  * Process pull requets directly from mbox
+  * linux-firmware: add firmware for mt7988 internal 2.5G ethernet phy
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX210
+
+- Update to version 20231110 (git commit 74158e7ac86d):
+  * amdgpu: DMCUB updates for various AMDGPU ASICs
+  * Ensure rdfind is installed
+  * Add checks for destination directory being specified
+  * Fix symlink creation for some files
+  * Fix classification of some pull requests
+  * nvidia: add GSP-RM version 535.113.01 firmware images
+- Skip rdfind (not included in our distro as default):
+  copy-file-skip-rdfind.patch
+- Fix make-files.sh to handle symlinked directories
+
-- Update to version 20231019 (git commit d983107a2dfa):
+- Update to version 20231019 (git commit d983107a2dfa)
+  (bsc#1215823, CVE-2023-20592):
+  (bsc#1215831, CVE-2021-26345, CVE-2021-46766, CVE-2021-46774,
+  CVE-2022-23820, CVE-2022-23830, CVE-2023-20519, CVE-2023-20521,
+  CVE-2023-20526, CVE-2023-20533, CVE-2023-20566):
kernel-firmware:uncompressed
+- Update to version 20231214 (git commit b80907ec3a81):
+  * qcom: Add Audio firmware for SM8650 QRD
+  * qcom: Add Audio firmware for SM8550 QRD
+  * Add rdfind for deb/rpm build jobs
+  * wfx: update to firmware 3.17
+  * wfx: fix broken firmware
+
+- Update to version 20231205 (git commit bfc33c1e308e):
+  * linux-firmware: Update AMD cpu microcode
+  * cxgb4: Update firmware to revision 1.27.5.0
+  * linux-firmware: add firmware for en8811h 2.5G ethernet phy
+  * s5p-mfc: Add MFC v12 Firmware
+  * qcom: update qrb4210 firmware
+  * qcom: update qcm2290 firmware
+  * qcom: update qcm2290/qrb4210 WiFi firmware file
+  * qcom: update Venus firmware file for v6.0
+
+- Update to version 20231128 (git commit d9f6088f7e91):
+  * Add a COPYOPTS variable
+  * rtl_bt: Update RTL8852A BT USB firmware to 0xDFC8_145F
+
+- Update to version 20231127 (git commit 4124f8f928d5):
+  * Make rdfind optional
+  * ice: update ice DDP wireless_edge package to 1.3.13.0
+  * linux-firmware: update firmware for mediatek bluetooth chip (MT7922)
+  * linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
+  * linux-firmware: update firmware for MT7922 WiFi device
+  * linux-firmware: update firmware for MT7921 WiFi device
+  * Makefile, copy-firmware: Use portable "command -v" to detect installed programs
+  * amdgpu: update DMCUB firmware to 0.0.194.0 for DCN321 and DCN32
+  * powervr: add firmware for Imagination Technologies AXE-1-16M GPU
+  * ice: update ice DDP comms package to 1.3.45.0
+  * ice: update ice DDP package to 1.3.35.0
+  * mediatek: Remove an unused packed library
+  * amdgpu: update DMCUB firmware to 0.0.193.0 for DCN31 and DCN314
+- Drop obsoleted copy-file-skip-rdfind.patch; use --ignore-duplicates
+
+- Update to version 20231120 (git commit 9552083a783e):
+  * mediatek: Sync shared memory structure changes
+  * Intel Bluetooth: Update firmware file for Intel Bluetooth BE200
+  * i915: Update MTL DMC to v2.19
+  * Make email replies more resilient
+  * Try both utf-8 and windows-1252 for decoding email
+
+- Update to version 20231116 (git commit 6723a8d90923):
+  * iwlwifi: fix for the new FWs from core83-55 release
+  * Enable deb and rpm builds on tags
+  * linux-firmware: Add firmware for Cirrus CS35L41 on HP G11 Laptops
+  * linux-firmware: Add firmware for Cirrus CS35L41 on 2024 ASUS Zenbook Laptops
+
+- Update to version 20231115 (git commit a07fd0b96b5a):
+  * iwlwifi: add new FWs from core83-55 release
+  * iwlwifi: update cc/Qu/QuZ firmwares for core83-55 release
+  * Add a workaround for gitlab.freedesktop.org pull requests
+  * Add extra debugging output when processing pull requests
+  * Process pull requets directly from mbox
+  * linux-firmware: add firmware for mt7988 internal 2.5G ethernet phy
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX210
+
+- Update to version 20231110 (git commit 74158e7ac86d):
+  * amdgpu: DMCUB updates for various AMDGPU ASICs
+  * Ensure rdfind is installed
+  * Add checks for destination directory being specified
+  * Fix symlink creation for some files
+  * Fix classification of some pull requests
+  * nvidia: add GSP-RM version 535.113.01 firmware images
+- Skip rdfind (not included in our distro as default):
+  copy-file-skip-rdfind.patch
+- Fix make-files.sh to handle symlinked directories
+
-- Update to version 20231019 (git commit d983107a2dfa):
+- Update to version 20231019 (git commit d983107a2dfa)
+  (bsc#1215823, CVE-2023-20592):
+  (bsc#1215831, CVE-2021-26345, CVE-2021-46766, CVE-2021-46774,
+  CVE-2022-23820, CVE-2022-23830, CVE-2023-20519, CVE-2023-20521,
+  CVE-2023-20526, CVE-2023-20533, CVE-2023-20566):
knot
+- update to version 3.3.1, see:
+  https://www.knot-dns.cz/2023-09-11-version-331.html
+
krb5
+- Update patch 0007-SELinux-integration.patch for SELinux 3.5
+
libgit2
-- Verify ssh remote host keys (boo#1207364 CVE-2023-22742):
-  0001-ssh-verify-the-remote-s-host-key-against-known_hosts.patch
-  0002-tests-append-the-github.com-ssh-keys-so-we-have-acce.patch
-  0003-tests-move-online-clone-ssh_auth_methods-into-the-ss.patch
-  0004-ssh-look-for-a-key-in-known_hosts-to-set-the-key-typ.patch
-
-- Add patches from upstream v1.3 branch to fix CVE-2022-29187,
-  CVE-2022-24765 (bsc#1201431, bsc#1198234):
-  * 0001-path-refactor-ownership-checks-into-current-user-and.patch
-  * 0002-repo-ensure-that-repo-dir-is-owned-by-current-user.patch
-  * 0003-fs_path-mock-ownership-checks.patch
-  * 0004-repo-test-configuration-ownership-validation.patch
-  * 0005-repo-refactor-global-config-loader-function.patch
-  * 0006-repo-honor-safe.directory-during-ownership-checks.patch
-  * 0007-repo-make-ownership-checks-optional.patch
-  * 0010-revparse-Remove-error-prone-redundant-test.patch
-  * 0014-repo-add-tests-for-bare-repo-permissions.patch
-  * 0015-fs-remove-mock-naming-from-change-ownership-constant.patch
-  * 0016-fs-refactor-file-ownership-checks.patch
-  * 0017-fs-allow-ownership-match-if-user-is-in-admin-group.patch
-  * 0018-repo-allow-admin-owned-configs-by-admin-users.patch
-  * 0019-repo-validate-gitdir-and-gitlink-ownership.patch
-  * 0020-repo-allow-users-running-with-sudo-to-access-their-r.patch
+- update to 1.7.1:
+  * proxy: Return an error for invalid proxy URLs instead of crashing
+  * ssh: fix known_hosts leak in _git_ssh_setup_conn
+  * repository: make cleanup safe for re-use with grafts
+  * fix: Add missing include for oidarray
+  * Revert "CMake: Search for ssh2 instead of libssh2."
+
+- update to 1.7.0:
+  * supports shallow clone and shallow repositories
+  * Simplify custom pluggable allocator (breaking change)
+  * repo: honor environment variables for more scenarios
+  * Introduce timeouts on sockets
+  * some performance improvements and bug fixes
+
+- Update to 1.6.4:
+  * config: return GIT_ENOTFOUND for missing programdata
+- move experimental cli into libgit2-tools as intended
+
+- Update to 1.6.3:
+  * odb: restore git_odb_open by @ethomson in #6520
+  * Ensure that git_index_add_all handles ignored directories by @ethomson in #6521
+  * pack: use 64 bits for the number of objects by @carlosmn in #6530
+- Drop restore-git-odb-open.patch
+
+- Add restore-git-odb-open.patch, some code was removed by error
+  upstream and they fix it after the release.
+  gh#libgit2/libgit2@e1e0d77c6f15
+
+- libgit2 1.6.2:
+  * Support the notion of a home directory separately from global
+    configuration directory
+  * stash: partial stash specific files
+  * push: revpars refspec source, so user can push things that are
+    not refs
+  * Support OpenSSL 3
+  * Many bug fixes
+- Not enabled: experimental SHA256 support for bare repositories
+
+- update to 1.5.2:
+  * Improve SSH key handling functionality: examine all keys in
+    known_hosts files for matches, to support remote hosts with
+    multiple key types
+
+- update to 1.5.1:
+  * This is a security release to address CVE-2023-22742: when compiled
+    using the optional, included libssh2 backend, libgit2 fails to verify
+    SSH keys by default. boo#1207364
+  * When using an SSH remote with the optional, included libssh2 backend,
+    libgit2 does not perform certificate checking by default. Prior versions
+    of libgit2 require the caller to set the `certificate_check` field of
+    libgit2's `git_remote_callbacks` structure - if a certificate check
+    callback is not set, libgit2 does not perform any certificate checking.
+    This means that by default - without configuring a certificate check
+    callback, clients will not perform validation on the server SSH keys and
+    may be subject to a man-in-the-middle attack.
+
+- Drop baselibs.conf: there is no known consumer of the -32bit
+  package.
+
+- update to 1.5.0:
+  * add the basis for an experimental CLI
+  * continue prepare for SHA256 support
+  * add a benchmarking utility
+
+- update to 1.4.4 (bsc#1198234)
+  * Compatibility with git's changes to address CVE-2022-29187. As
+    a follow up to CVE 2022-24765, now not only is the working
+    directory of a non-bare repository examined for its ownership,
+    but the .git directory and the .git file (if present) are also
+    examined for their ownership [boo#1201431]
+  * A fix for compatibility with git's (new) behavior for
+    CVE 2022-24765 allows users on POSIX systems to access a git
+    repository that is owned by them when they are running in sudo
+- enable reproducible builds
+
+- update to 1.4.3:
+  * compatibility with git's changes for CVE-2022-24765 boo#1187234
+  * several correctness fixes where invalid input can lead to a
+    crash and denial of service
+
+- update to 1.4.2:
+  * remote: do store the update_tips callback error value
+
+- update to 1.4.1:
+  * improve compatibility with git
+  * some deprecated API, ABI has changed
+  * multiple bug fixes and developer visible changes
+- build with system PCRE2
+- remove http-parser build dependency, bundled lib has fixes
libgpg-error
+- Do not pull revision info from GIT when autoconf is run. This
+  removes the -unknown suffix after the version number.
+  * Add libgpg-error-nobetasuffix.patch [bsc#1216334]
+
+- Update to 1.47:
+  * New error codes for PUKs and reset codes. [T6421]
+  * Avoid segv in logging with improper use of the "socket://".
+  * Fixed translation of argparse's internal option --help.
+  * Interface changes relative to the 1.46 release:
+  - GPG_ERR_SOURCE_TKD             NEW.
+  - GPG_ERR_BAD_PUK                NEW.
+  - GPG_ERR_NO_RESET_CODE          NEW.
+  - GPG_ERR_BAD_RESET_CODE         NEW.
+  - GPGRT_SPAWN_KEEP_STDIN         NEW.
+  - GPGRT_SPAWN_KEEP_STDOUT        NEW.
+  - GPGRT_SPAWN_KEEP_STDERR        NEW.
+  - GPGRT_SPAWN_INHERIT_FILE       NEW.
+  * Release-info: https://dev.gnupg.org/T6231
+
+- Update to 1.46:
+  * Support for bidirectional pipes under Windows.
+  * REG_DWORD types are now support in the Windows Registry.
+  * Added ES_SYSHD_SOCK support for gpgrt_sysopen under Windows.
+  * Fixed gpgrt_log_get_fd for the file case.
+  * Avoids header problem with C11 and "noreturn".
+  * The gpg-error-config command is not installed by default, because
+    it is now replaced by use of pkg-config/gpgrt-config with
+    gpg-error.pc.  Supply --enable-install-gpg-error-config configure
+    option, if it's really needed.
+  * Fixed support of posix-lock for FreeBSD.
+  * Build fixes for some Mingw tool chain versions.
+  * Removed remaining support for WindowsCE.
+  * Updated config.guess, config.sub, and config.rpath.
+  * gpg-error-config is now only installed when enabled.
+  * System paths are now stripped from --cflags --and --libs.
+
+- update to 1.45:
+  * gpgrt_access and gpgrt_mkdir now support file names longer than
+    MAX_PATH
+
+- Update to 1.44:
+  * Fix dependency to gpg-error-config-test.sh.
+  * Run the posix locking test only on supported platforms.
+  * Detect Linux systems using musl.
+  * Fix gpg-error-config-test for PKG_CONFIG_LIBDIR.
+  * Fix returning of option attributes for options with args.
+  * Add Turkish translations.
+
+- Update to 1.43:
+  * Fix for building against GNU libc 2.34.
+  * Fix gpgrt-config problems.
+  * Fix gpgrt_free for legacy platforms.
+  * Fix truncation of error message in the middle of a character.
+  * Fix the --disable-threads configure options.
+  * Improve lock-obj generation for cross-builds.
+  * Improve cross-builds.
+  * Improve gpgrt_wait_processes.
+
libiio
+- Update to version 0.25
+  * tests: Standardize programs error codes when scanning
+  * Make sure we print out LOG_LEVEL during Cmake
+  * debug.h: Update log macros
+  * iiod: fix the printing of IP addresses inside iiod
+  * iiod: remove test code that slipped in
+  * dnssd: windows: Greatly enhance code
+  * dns-sd: Remove duplicates before probing URIs
+  * CI: add next_stable branch to CI triggers
+  * serial: Pass port name/description as context attributes [ #926 ]
+  * CMake: Bump minimal required version to 3.10
+
libksba
-- Security fix: [bsc#1206579, CVE-2022-47629]
-  * Integer overflow in the CRL signature parser.
-  * Add libksba-CVE-2022-47629.patch
-
-- Security fix: [bsc#1204357, CVE-2022-3515]
-  * Detect a possible overflow directly in the TLV parser.
-  * Add libksba-CVE-2022-3515.patch
+- Do not pull revision info from GIT when autoconf is run. This
+  removes the -unknown suffix after the version number.
+  * Run autoreconf for the added patch and add the build
+    dependecies on autoconf, automake and libtool.
+  * Add libksba-nobetasuffix.patch [bsc#1216334]
+
+- Update to 1.6.4:
+  * Correctly detect CMS write errors. [rK9ced7706f2]
+  * Release-info: https://dev.gnupg.org/T6543
+
+- update to 1.6.3 (bsc#1206579, CVE-2022-47629):
+  * Fix another integer overflow in the CRL parser.
+  Release-info: https://dev.gnupg.org/T6304
+
+- libksba 1.6.2: [bsc#1204357, CVE-2022-3515]
+  * Fix integer overflow in the CRL parser.
+
+- libksba 1.6.1:
+  * Allow an OCSP server not to return the sent nonce
+- fix rpmlint warnings
+
+- libksba 1.6.0:
+  * Limited support for the Authenticated-Enveloped-Data
+    content type.
+  * Support password based decryption.
+  * Silence warnings from static analyzers.
+  * Interface changes relative to the 1.5.0 release:
+  - KSBA_CT_AUTHENVELOPED_DATA       NEW.
+
+- libksba 1.5.1:
+  * Support Brainpool curves specified by ECDomainParameters
+
+- libksba 1.5.0:
+  * ksba_cms_identify now identifies OpenPGP keyblock content
+  * Supports TR-03111 plain format ECDSA signature verification
+  * Fixes a CMS signed data parser bug exhibited by a somewhat
+  strange CMS message
+- remove deprecated texinfo macros and update signing keyring
+
+- libksba 1.4.0:
+  * Supports ECDSA and EdDSA certificate creation and parsing.
+  * Supports ECDH enveloped data.
+  * Supports ECDSA and EdDSA signed data.
+  * Supports rsaPSS signature verification.
+  * Supports standard file descriptors in ksba_reader_read.
+  * Allows for optional elements in keyinfo objects.
+  * Fixes error detection in the CMS parser.
+  * Fixes memory leak in ksba_cms_identify.
+  * New constants KSBA_VERSION and KSBA_VERSION_NUMBER.
+  * New API to make creation of DER objects easy.
+  * Interface changes relative to the 1.3.5 release:
+  KSBA_VERSION                     NEW.
+  KSBA_VERSION_NUMBER              NEW.
+  KSBA_CT_SPC_IND_DATA_CTX         NEW.
+  KSBA_CLASS_*                     NEW.
+  KSBA_TYPE_*                      NEW.
+  ksba_der_t                       NEW.
+  ksba_der_release                 NEW.
+  ksba_der_builder_new             NEW.
+  ksba_der_builder_reset           NEW.
+  ksba_der_add_ptr                 NEW.
+  ksba_der_add_val                 NEW.
+  ksba_der_add_int                 NEW.
+  ksba_der_add_oid                 NEW.
+  ksba_der_add_bts                 NEW.
+  ksba_der_add_der                 NEW.
+  ksba_der_add_tag                 NEW.
+  ksba_der_add_end                 NEW.
+  ksba_der_builder_get             NEW.
-- libksba 1.3.1:
-  * Fixed memory leak in CRL parsing
-  * Build fixes for ppc64el
-
-- Use URL for source
-
libmicrohttpd
-- Apply patch for bsc#1208745 CVE-2023-27371
-  fix parser bug that could be used to crash servers using the MHD_PostProcessor
-  * fix-parser-bug-MHD_PostProcessor.patch
+- libmicrohttpd 0.9.77:
+  * improvements for Digest and Basic authorizations
+  * fix efficiency for TLS upgraded connections
+  * fix processing of folded headers in requests
+  * fix functionality with blocking sockets
+- update upstream signing key
+
+- libmicrohttpd 0.9.76
+  * CVE-2023-27371: Fix potential DoS vector in MHD_PostProcessor
+    (boo#1208745)
+
+- libmicrohttpd 0.9.75:
+  * fixes for where "monotonic" clock may jump back
+
+- libmicrohttpd 0.9.74:
+  * new experimental implementation of WebSockets disabled by default
+  * improved compliance with the RFC HTTP specifications
+  * new implementation of reply header forming
+  * new implementation of request chunked encoding parsing
+  * new automatic error replies
+  * Keep-alive header is omitted by default for HTTP/1.1 connections.
+    Use of header can be enforced by response flag.
+  * Chunked encoding is used for HTTP/1.1 non-keep-alive connections
+    for responses with unknown size. Previously MHD used "indication
+    of the end of the response by closing connection" in such cases,
+    however it is not correct for HTTP/1.1 connections as per HTTP
+    RFC.
+  * As required by HTTP RFC, use HTTP/1.1 version instead of HTTP/1.0
+    in reply headers when client is HTTP/1.0 . HTTP/1.0 version can
+    be enforced by response flag.
+  * User response headers are used in replies in the same order as
+    was added by application.
+  * Allowed tab characters in response header values.
+  * All custom "Connection:" response headers are automatically
+    combined into single "Connection:" header.
+  * "keep-alive" token silently dropped from custom "Connection:"
+    response header. "Keep-alive" cannot be enforced and used
+    automatically if possible.
+  * Allow tab character in custom response header value.
+  * Disallow space character in custom response header value.
+  * Do not allow responses with 1xx codes for HTTP/1.0 requests.
+  * Detected and reported incorrect "Upgrade" responses.
+
+- libmicrohttpd 0.9.73:
+  * new function for vector-backed responses
+  * compatibility with autoconf 2.70+
+  * Implement ALPN support
+
+- libmicrohttpd 0.9.72:
+  * improved performance with stay-alive HTTP and HTTPS connections
+  * bug fixes
+- remove deprecated texinfo macros
+
+- libmicrohttpd 0.9.71:
+  * Fix buffer overflow issue in URL parser [boo#1173718]
+  * Fixed PostProcessor bug
+  * Documentation and example fixes
+
+- Update to 0.9.70:
+  * Fixed 100-continue handling for PATCH method
+  * Fixed FTBFS from wrong #endif position for certain builds
+  * Fixed connection overflow issue when combining
+    MHD_USE_NO_LISTEN_SOCKET with MHD_USE_THREAD_PER_CONNECTION
+  * Updated m4 script to fix FTBFS when using
+  - Werror=unused-but-set-parameter
+  * Adding fix for urlencoding of keys without values in
+    post-processor logic.
+  * Adding patch from Ethan Tuttle with test case for urlencoding
+    in post-processor for keys without values.
+
+- update to 0.9.69:
+  * If application suspends a connection before we could send
+    100 CONTINUE, give application another shot at queuing a reply
+    before the upload begins.
+
+- update to 0.9.68:
+  * Fix regression where MHD would fail to return an empty response
+    when used with HTTPS.
+  * Introduce MHD_RF_INSANITY_HEADER_CONTENT_LENGTH
+- drop libmicrohttpd-0.9.67-fix-nonvoid-return.patch, in release
+
+- update to 0.9.67:
+  * improvements that eliminate system and C library calls
+- drop libmicrohttpd-0.9.66-fix-gnutls-dependency.patch, upstream
+- add libmicrohttpd-0.9.67-fix-nonvoid-return.patch from upstream
+
+- fix build with SLE 12 with older GnuTLS:
+  * libmicrohttpd-0.9.66-fix-gnutls-dependency.patch
+
+- update to 0.9.66:
+  * Fix issue with discarding unhandled upload data discovered
+  * Fix hanging situation with large transmission over upgraded
+    (i.e. Web socket) connection with epoll() and HTTPS enabled
+  * Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling
+    and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for
+- clean up build dependency list
+
+- Update to versin 0.9.65:
+  * Many fixes and improvements for connection-specific memory pool
+  * Better handled connection's memory shortage situations:
+    + error response could be sent to client even if all buffer
+    space was used;
+    + if buffer space become low when receiving, do not allocate
+    last buffer space and use small receive blocks instead.
+  * Improved sending speed by using all available buffer space for
+    sending.
+
+- Update to version 0.9.64:
+  * Updated HTTP headers, methods and status codes from registries,
+  * Added scripts to import new headers, methods and status codes
+    from registries.
+  * Reodered includes in microhttpd.h
+  * Fixed compiler warnings
+  * Updated and fixed libcurl tests.
+  * Added checks for too long TLS parameters strings.
+  * Spelling fixes.
+  * Fixed example for non-64bits platforms.
+  * Optimized and improved processing speed by using precalculated and
+    already calculated lengths of strings.
+  * Store connection's keys and values with sizes;
+  * Speedup keys search be comparing key length first;
+  * Added functions for working with keys and values with binary zeros;
+  * Fixed test_postprocessor_amp to fail on problems.
+  * Reverted change of MHD_KeyValueIterator, implemented
+    MHD_KeyValueIteratorN with sizes for connection's key and value to
+    get keys and values with binary zeros.
+  * Fixed signed/unsigned comparison in example
+    http_chunked_compression.c.
+  * Bit manipulations moved to separate header file.
+  * Improved shell compatibility for 'bootstrap', removed bash-ism.
+  * Adding additional "value_length" argument to MHD_KeyValueIterator
+    callback to support binary zeros in values.  This is done in a
+    backwards-compatible way, but may require adding a cast to
+    existing code to avoid a compiler warning.
+  * Added example for how to compress a chunked HTTP response.
+
+- Update to version 0.9.63:
+  * Extended test_get to test URI logging and query string parsing
+    to avoid regression fixed in previous patch in the future.
+  * Preliminary patch for the raw query string issue, to be tested.
+  * Added minimal example for how to compress HTTP response.
+  * Check for GNUTLS_E_AGAIN instead of GNUTLS_E_INTERRUPTED when
+    giving up on a TLS connection. -LM/CG
+  * Fix connection timeout logic if in thread-per-connection mode the
+    working thread takes longer than the timeout to queue the response.
+  * Add logic to avoid VLA arrays with compilers that do not support them.
+  * Fixed missing WSA_FLAG_OVERLAPPED which can cause W32 to block on
+    socket races when using threadpool. (See very detailed description
+    of the issue in the libmicrohttpd mailinglist post of today.)
+  * Added test for RFC 7616 and documented new API.
+- Update to version 0.9.62:
+  * Added test for RFC 7616 and documented new API.
+  * Adding support for RFC 7616, experimental, needs
+    testing and documentation still!
+  * Add option to build MHD without any threads
+    and MHD_FEATURE_THREADS to test for it.
+  * Renamed all occurrences from _model(s)_ to _mode(s)_.
+  * Optimized the function MHD_create_response_from_callback() for
+    Windows by increasing its internal buffer size and allowed to
+    customize it via macro MHD_FD_BLOCK_SIZE.
+  * Referenced the gnutls_load_file() function in the HTTPs examples.
+  * Fix regression causing URLs to be unescaped twice.
+
+- Update to version 0.9.61:
+  * parse arguments with (properly) escaped URLs correctly. Replace
+    sprintf with snprintf in testcases.
+  * Fix build issue with GnuTLS < 3.0.
+  * Add MHD_create_response_from_buffer_with_free_callback.
+- Update to version 0.9.60:
+  * gettext updated to 0.19.8
+  * can use epoll() without listen socket now
+  * in thread-per-connection mode, socket closure is now
+    communicated in a timely fashion to the application
+  * added MHD_RF_HTTP_VERSION_1_0_RESPONSE option
+  * preventing bogus transfer-encoding values
+  * Added MHD_OPTION_GNUTLS_PSK_CRED_HANDLER
+  * allow digest authentication with hashed password
+  * ensure request completed callback is called from correct thread
+    and also for upgraded connections
+
+- Update to version 0.9.59:
+  * Fix masking operation.
+  * Fix deadlock when failing to prepare chunked response
+  * Fix __clang_major__ related warnings for non-clang compilers.
+  * Fixed tests on platforms with huge number of CPUs.
+  * Doxygen configuration was updated.
+  * Various doxygen fixes.
+- Update to version 0.9.58:
+  * Fixed HTTPS tests on modern platforms.
+  * Minor documentation installation fixes.
+  * Tolerate AF_UNIX when trying to determine our binding port
+    from socket.  Use `sockaddr_storage` instead of trying to
+    guess the sockaddr type before calling getsockname().
libnvme
+- Update to version 1.6+5.g68c6ffb:
+  * avoid stack corruption by unaligned DMA to user space buffers
+    (bsc#1216344, gh#linux-nvme/libnvme#727)
+
libpsm2
+- Update to 12.0.1
+  - Fix memory leak in psmi_shm_create
+
libpulp
+- Update package with libpulp-0.3.1:
+  * Add timestamp information on `ulp patches`.
+
libpwquality
+- Update to version 1.4.5:
+  + Minor bug fixes and documentation enhancements.
+  + Updated translations.
+
libqb
-- log: Fix potential overflow with long log messages (CVE-2023-39976, bsc#1214066)
-  * bsc#1214066-0001-fix-potential-overflow-with-long-log-messages.patch
+- Update to version 2.0.8+20230721.002171b (v2.0.8):
+- log: fix potential overflow with long log messages (gh#ClusterLabs/libqb#490, CVE-2023-39976, bsc#1214066)
+
+- Update to version 2.0.7+20230607.06c8641 (v2.0.7):
+- blackbox: fix potential overlow/memory corruption (gh#ClusterLabs/libqb#486)
+- tests: allow -j to work (gh#ClusterLabs/libqb#485)
+- strlcpy: avoid compiler warning from strncpy (gh#ClusterLabs/libqb#473)
+- timer: Move state check to before time check (gh#ClusterLabs/libqb#479)
+- ipc: Retry receiving credentials if the the message is short (gh#ClusterLabs/libqb#476, rh#2111711)
+- lib: Fix some small bugs spotted by newest covscan (gh#ClusterLabs/libqb#471)
+- doxygen2man: Fix function parameter alignment (gh#ClusterLabs/libqb#468)
libqt5-qtbase
+- buildrequire pkconfig(icu-i18n) instead of libicu-devel to get
+  prefered libicuu
+
+- Add patch from upstream that fixes a buffer overflow in
+  QXmlStreamReader (bsc#1214327, CVE-2023-37369):
+  * CVE-2023-37369-qtbase-5.15.diff
+
libraw
-- security update
-- added patches
-  fix CVE-2021-32142 [bsc#1208470], Buffer Overflow in the LibRaw_buffer_datastream:gets function
-  + libraw-CVE-2021-32142.patch
+- update to 0.21.1:
+  * fixed typo in panasonic metadata parser
+  * Multiple fixes inspired by oss-fuzz project
+  * Phase One/Leaf IIQ-S v2 support
+  * Canon CR3 filmrolls
+  * Canon CRM (movie) files
+  * Tiled bit-packed (and 16-bit unpacked) DNGs
+  * (non-standard) Deflate-compressed integer DNG files are allowed
+  * Canon EOS R3, R7 and R10
+  * Fujifilm X-H2S, X-T30 II
+  * OM System OM-1
+  * Leica M11
+  * Sony A7-IV (ILCE-7M4)
+  * DJI Mavic 3
+  * Nikon Z9: standard compression formats only
+
+- Update to 0.21.0:
+  * Camera format support:
+    + Phase One/Leaf IIQ-S v2 support
+    + Canon CR3 filmrolls/RawBurst
+    + Canon CRM (movie) files
+    + Tiled bit-packed (and 16-bit unpacked) DNGs
+    + (non-standard) Deflate-compressed integer DNG files are allowed
+  * Camera support:
+    + Canon EOS R3, R7 and R10
+    + Fujifilm X-H2S, X-T30 II
+    + OM System OM-1
+    + Leica M11
+    + Sony A7-IV (ILCE-7M4)
+    + DJI Mavic 3
+    + Nikon Z9: standard compression formats only
+  * Multiple (resultion) thumbnails support
+  * Misc:
+    + Nikon makernotes: read NEFCompression tag for HE/HE* files
+    + Nikon orientation tag: more fixed offsets for known cameras
+    + Adobe DNG SDK 1.6 support (meaning, just an additional patch for GPR SDK)
+  * Bugs fixed:
+    + Fixed possible out-of-buffer read in Nikon orientation tag parser
+    + Out-of-range read-only array access in postprocessing if output_color is set to 0 (raw color)
+    + Minolta Z2 was not recognized correctly on 32-bit systems
+    + Fixed possible buffer overflow in Kodak C330 decoder
+    + dcraw_process(): check for buffer allocation results to avoid NULL deref
+    + Multiple bugfixes inspired by oss-fuzz project
-    CVE-2018-5819
+    CVE-2018-5819,CVE-2021-32142
-    bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519)
+    bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519,bsc#1208470)
libreoffice
+- Fix CVE-2023-6186, deny arbitrary script execution for link targets,
+  bsc#1217578
+  * CVE-2023-6186-1.patch
+  * CVE-2023-6186-2.patch
+  * CVE-2023-6186-3.patch
+  * CVE-2023-6186-4.patch
+  * CVE-2023-6186-5.patch
+- Fix CVE-2023-6185, improper input validation enabling arbitrary
+  Gstreamer pipeline injection, bsc#1217577
+  * CVE-2023-6185.patch
+
libsass
+- security update:
+  * CVE-2022-43357 [bsc#1214573]:
+    Fix stack overflow in Sass:CompoundSelector:has_real_parent_ref()
+  * CVE-2022-43358 [bsc#1214575]:
+    Fix stack overflow in Sass:ComplexSelector:has_placeholde()
+  * CVE-2022-26592 [bsc#1214576]:
+    Fix stack overflow in CompoundSelector:has_real_parent_ref function()
+    + libsass-CVE-2022-43357,CVE-2022-43358,CVE-2022-26592.patch
+
libselinux
+- Repair initrd libselinux check in selinux-ready
+
+- Do not BuildRequire swig and ruby-devel in the main build phase:
+  those are only needed for the bindings.
+
+- (bsc#1212618) Divide libselinux and libselinux-bindings again.
+  libselinux itself is in Ring0 so it has to have absolutely
+  minimal dependencies, so it is better to separate
+  libselinux-bindings into a separate pacakge.
+
+- Fix python packaging by setting the name to a fixed value
+
+- Remove separate libselinux-bindings SPEC file (bsc#1212618).
+
+- Add explicit BuildRequires for python3-pip and python3-wheel on
+  15.5, currently the macros don't do the right thing
+
+- allow building this with different python versions, to make this
+  usable for the new sle15 macro (using python3.11)
+
+- Add python-wheel build dependency to build correctly with latest
+  python-pip version.
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
+  of LTO
+
+- Enable LTO as it works fine now.
+
+- Update to version 3.5:
+  * check for truncations
+  * avoid newline in avc message
+  * bail out on path truncations
+  * add getpidprevcon to gather the previous context before the last
+    exec of a given process
+  * Workaround for heap overhead of pcre
+  * fix memory leaks on the audit2why module init
+  * ignore invalid class name lookup
+- Drop restorecon_pin_file.patch, is upstream
+- Refreshed python3.8-compat.patch
+- Added additional developer key (Jason Zaman)
+
+- Fixed initrd check in selinux-ready (bnc#1186127)
+
+- Added restorecon_pin_file.patch. Fixes issus when running
+  fixfiles/restorecon
+
+- Update to version 3.4:
+  * Use PCRE2 by default
+  * Make selinux_log() and is_context_customizable() thread-safe
+  * Prevent leakeing file descriptors
+  * Correctly hash specfiles larger than 4G
+- Refreshed skip_cycles.patch
+
+- Add Requires for exact libselinux1 version for selinux-tools
+- Simplyfied check for correct boot paramaters in selinux-ready
+  (bsc#1195361)
+
+- Update to version 3.3:
+  * Lots of smaller issues fixed found by fuzzing
+
+- Add missing libselinux-utils Provides to selinux-tools so that
+  %selinux_requires works
+
+- Remove Recommends for selinux-autorelabel. It's better to have this
+  in the policy package itself (bsc#1181837)
+
+- Switch to pcre2:
+  + Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+  + Pass USE_PCRE2=y to make.
+  + Replace pkgconfig(libpcre) Requires in -devel static with
+    pkgconfig(libpcre2-8).
+
+- Update to version 3.2:
+  * Use mmap()'ed kernel status page instead of netlink by default.
+    See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
+  * New log callback levels for enforcing and policy load notices -
+    SELINUX_POLICYLOAD, SELINUX_SETENFORCE
+  * Changed userspace AVC setenforce and policy load messages to audit
+    format.
+
+- Add Recommends: selinux-autorelabel, which is very important
+  for healthy use of the SELinux on the system (/.autorelabel
+  mechanism) (bsc#1181837).
+
+- install to /usr (boo#1029961)
+
+  * Refreshed python3.8-compat.patch
+- Added swig4_moduleimport.patch to prevent import errors due to
+  SWIG 4
+
+- Add python3.8-compat.patch which makes build possible even with
+  Python 3.8, which doesn’t automatically adds -lpython<ver>
+
+- Disable LTO (boo#1133244).
+
+- Updated spec file to use python3. Added python3.patch to fix
+  build
+
+- Update libselinux-2.2-ruby.patch: use RbConfig instead of
+  deprecated Config.
+
libsemanage
+- Remove build counter syncing for real
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
+  of LTO
+
+- Enable LTO now (boo#1138812).
+
+- Update to version 3.5
+  * Allow user to set SYSCONFDIR
+  * always write kernel policy when check_ext_changes is specified
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * Optionally rebuild policy when modules are changed externally
+  * Fix USE_AFTER_FREE (CWE-672) in semanage_direct_get_module_info()
+  * Allow spaces in user/group names
+
+- Drop Buildrequires for libustr-devel, not needed anymore
+
+- Update to version 3.3
+  * Fixed use-after-free in parse_module_store()
+  * Fixed use_after_free in semanage_direct_write_langext()
+
+- Link to correct so version
+- Minor spec file cleanups
+
+- Move configuration file to separate libsemanage-conf package to allow
+  for parallel installation in future versions
+
+- Update to version 3.2
+  * dropped old and deprecated symbols and functions
+    libsemanage version was bumped to libsemanage.so.2
+  * libsemanage tries to sync data to prevent empty files in SELinux module
+    store
+
libsepol
+- Enable LTO now (boo#1138813).
+
+- Update to version 3.5
+  * Stricter policy validation
+  * do not write empty class definitions to allow simpler round-trip tests
+  * reject attributes in type av rules for kernel policies
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * Add 'ioctl_skip_cloexec' policy capability
+  * Add sepol_av_perm_to_string
+  * Add policy utilities
+  * Support IPv4/IPv6 address embedding
+  * Hardened/added many validations
+  * Add support for file types in writing out policy.conf
+  * Allow optional file type in genfscon rules
+
+- Update to version 3.3
+  * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
+    are all included
+  * Lot of smaller fixes identified by fuzzing
+
+- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928.
+  Added CVE-2021-36087.patch
+
+- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
+  Added CVE-2021-36085.patch
+- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
+  Added CVE-2021-36086.patch
+
+- Update to version 3.2
+  * more space-efficient form of storing filename transitions in the binary
+    policy and reduced the size of the binary policy
+  * dropped old and deprecated symbols and functions. Version was bumped to
+    libsepol.so.2
+
+- install to /usr (boo#1029961)
+
libssh2_org
+- Security fix: [bsc#1218127, CVE-2023-48795]
+  * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
+  * Add libssh2_org-CVE-2023-48795.patch
+
libstorage-ng
+- merge gh#openSUSE/libstorage-ng#968
+- make more use of new SystemCmd interface
+- 4.5.161
+
+- merge gh#openSUSE/libstorage-ng#967
+- block more udev by-id links (bsc#1217459)
+- adapted testsuite
+- 4.5.160
+
+- Translated using Weblate (Portuguese (Brazil)) (bsc#1149754)
+- 4.5.159
+
+- merge gh#openSUSE/libstorage-ng#966
+- fixed build with libxml 2.12.0
+- 4.5.158
+
+- merge gh#openSUSE/libstorage-ng#965
+- refactored class SystemCmd
+- fixed passing huge amount of data to stdin
+- coding style
+- 4.5.157
+
+- merge gh#openSUSE/libstorage-ng#964
+- extended testsuite
+- 4.5.156
+
+- merge gh#openSUSE/libstorage-ng#963
+- extended testsuite
+- 4.5.155
+
+- merge gh#openSUSE/libstorage-ng#962
+- improved error reporting in SystemCmd
+- 4.5.154
+
+- merge gh#openSUSE/libstorage-ng#961
+- added testcase
+- 4.5.153
+
+- merge gh#openSUSE/libstorage-ng#960
+- make more use of new SystemCmd interface
+- added const
+- 4.5.152
+
+- merge gh#openSUSE/libstorage-ng#959
+- removed unused function
+
+- merge gh#openSUSE/libstorage-ng#958
+- make more use of new SystemCmd interface
+- prefer make_unique over new
+- fixed compound action generation for removing btrfs qgroup
+  relations
+
libtirpc
+- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862)
+
linuxptp
+- Update to version 4.1:
+  * Version 4.1
+  * phc2sys: Fix -n option with -w.
+  * phc2sys: Avoid segfault with default UDS address.
+  * phc2sys: Improve logging with single domain.
+  * ptp4l man: Add description for setting kthreads priorities
+  * sk: don't report random errno on timeout
+  * phc_ctl: explicitly check for adjust_phase definition
+  * raw: Fix PRP trailer detection
+  * remove C99 style loop variable declarations
+  * phc2sys: Add multi-domain synchronization.
+  * phc2sys: Shallow do_loop().
+  * phc2sys: Create pmc agent after processing options.
+  * phc2sys: Rename phc2sys_private to domain.
+  * Use the 802.1AS peer delay computation when transportSpecific is 1
+  * Resolve false hybrid_e2e warning
+  * Fix SERVO_LOCKED_STABLE behavior.
+  * Version 4.0
+  * clock: Fix summary interval in free-running mode.
+  * Avoid switching PHC when phc_index is negative
+  * ts2phc: Fix memory leak on initial error path.
+  * power profile: Fix regression in the default configuration file.
+  * msg: append TLV onto all PTP event messages
+  * Fix detection of VLAN over bond support in case the driver does not support SIOCGHWTSTAMP ioctl.
+  * Clear pending errors on sockets.
+  * ntpshm: Invalidate SHM data before releasing the servo
+  * lstab: Update leapfile validity
+  * port: Don't switch to PHC with SW timestamping.
+  * ts2phc: Fix potential null-pointer dereference
+  * ts2phc: Prevent reporting poll error when received termination signal
+  * Set controlField to zero in message headers
+  * tz2alt: Add tz2alt to .gitignore
+  * Introduce a time zone helper program.
+  * pmc: Convert internal helper function into global method.
+  * Implement the ALTERNATE_TIME_OFFSET_ENABLE management message.
+  * Add the ALTERNATE_TIME_OFFSET_NAME management message.
+  * Add the ALTERNATE_TIME_OFFSET_PROPERTIES management message.
+  * Prepare clock based storage of up to four time zones.
+  * tlv: Encode and decode alternate time offset indicator TLVs.
+  * Add a custom management message for power profile settings.
+  * Introduce the power profile.
+  * tlv: Encode and decode power profile TLVs.
+  * Accept the full range for domainNumber.
+  * man pages: Bump date.
+  * Alphabetize configuration options in the ts2phc man page.
+  * Alphabetize configuration options in the pmc man page.
+  * Alphabetize configuration options in the phc2sys man page.
+  * Remove stray copy/pasteo from the phc2sys man page.
+  * Alphabetize configuration options in the ptp4l man page.
+  * ts2phc: reset servo if failed to discipline clock
+  * phc2sys: reset servo if failed to discipline clock
+  * ptp4l: reset servo if failed to discipline clock
+  * clockadj: return error if failed to adjust clock
+  * unicast: Avoid undefined integer shifts.
+  * ts2phc: Fix generic pps source when tai offset is not set in OS
+  * lstab: move update_leapsecond_table function to lstab
+  * lstab: Add LSTAB_EXPIRED result
+  * timemaster: Use refclock_sock servo with chrony.
+  * timemaster: Replace shm_segment with refclock_id.
+  * Add refclock_sock servo.
+  * Remove obsolete statement in ptp4l man page.
+  * Fix up alphetical order in port_private header file.
+  * port: start sync rx timer on grant
+  * raw: Use BPF filter based on tcpdump syntax.
+  * Fix SERVO_JUMP docstring comment
+  * Improve efficiency of nullf servo synchronization
+  * clock: Fix stale clock parent pid usage after best master change
+  * adding delay asymmetry calculation
+  * organization TLV support for interface rate
+  * adding speed field information for interface
+  * function to support get interface speed via ethtool
+  * unicast_client: cancel sync/delay_response on UC_EV_UNSELECTED event
+  * unicast_client: fix checkpatch ERROR: trailing whitespace
+  * unicast_client: stop sending abnormal contract cancel requests
+  * Don't re-arm fault clearing timer on unrelated netlink events
+  * port: Avoid faults with vclocks and PHC from command line.
+  * makefile: use conditional assignment for KBUILD_OUTPUT
+  * servo: stop rounding initial frequency to nearest ppb
+  * The PortId is defined as a couple of ClockId (an 8-bytes opaque) and the PortNumber (UInterger16).
+  * config: Fix -Wformat-truncation warnings.
+  * unciast_client: trigger BMCA upon CANCEL receive
+  * ptp4l: Add profile_id configuration support for G.8275.1 and G.8275.2.
+  * config: allow fractional freq_est_interval
+  * Added support for Standard Baudrates supported by GNSS receivers
+  * Extend clockcheck to check for changes in frequency.
+  * Don't accept errors in clockadj_get_freq().
+  * Drop support for old kernels returning zero frequency.
+  * phc2sys: Add clocks after processing configuration.
+  * ts2phc: Use system time as the default ToD source
+  * ts2phc: Add option to specify the ToD source in the config file
+  * ts2phc: Rename pps_sink to tod_sink in main()
+  * port: don't clear fault if link is down
+  * sk: Handle EINTR when waiting for transmit timestamp.
+  * ts2phc: Update default lstab expiry date
+  * phc2sys: Update TAI to UTC offset in manual
+  * Strip Parallel Redundancy Protocol (PRP) trailer
+  * ts2phc_phc_pps_source: make use of new kernel API for perout waveform
+  * ts2phc: allow PHC PPS sources to be synchronized
+  * ts2phc: reconfigure sync direction by subscribing to ptp4l port events
+  * ts2phc: split PPS sink poll from servo loop
+  * ts2phc_slave: print offset to the source clock
+  * ts2phc: instantiate a pmc agent
+  * util: import port_state_normalize() logic from phc2sys
+  * ts2phc: instantiate a full clock structure for every PPS source of the PHC kind
+  * ts2phc: instantiate a full clock structure for every PPS sink
+  * ts2phc: create a private data structure
+  * phc2sys: Add support for free-running mode
+  * G.8275.2 support for delay_mechanism NO_MECHANISM
+  * port: Disable PHC switch with vclocks.
+  * unicast: Update announce timer when renew
+  * phc2sys: Allow multiple sink clocks
+  * Add new ptp capability.
+  * Add new management TLVs to pmc.8
+  * ptp4l: add VLAN over bond support
+  * port: refactor port_link_status
+  * ptp4l: init iface->ts_label when interface created
+  * phc2sys: Don't exit when reading of PHC fails with EBUSY.
+  * sysoff: Retry on EBUSY when probing supported ioctls.
+  * sysoff: Change log level of ioctl error messages.
+  * sysoff: Change sysoff_measure() to return errno.
+  * clockadj: Change clockadj_compare() to return errno.
+  * ts2phc: rename "master" to "source"
+  * ts2phc: rename "slave clocks" to "PPS sinks"
+  * ts2phc: rename source code files ("master" to "source", "slave" to "sink")
+  * pmc_agent: make pmc_agent_query_port_properties take an enum port_state argument
+  * UDS: allow specifying different file mode for the read-only socket.
+  * UDS: added option to set file mode for the created socket.
+  * Fix management TLV print.
+  * Add new managements TLVs get size.
+  * port: cancel unicast transmission when closing port.
+  * port: unicast client - do not add master to foreign master table if not in the unicast master table.
+  * unicast: Add support to send CANCEL_UNICAST_TRANSMISSION TLVs.
+  * unicast: Add support to check if message was received from an entry in the unicast master table.
+  * TLV management messages need to be aligned to 16 bits.
+  * Fix the descriptions of "G.8275.portDS.localPriority" and "G.8275.defaultDS.localPriority" in ptp4l man page.
+  * timemaster: Add support for virtual clocks.
+  * phc2sys: Use PHC index from PORT_HWCLOCK_NP.
+  * tlv: Add PORT_HWCLOCK_NP.
+  * port: Check for virtual clocks.
+  * config: Add port-specific phc_index option.
+  * Add support for binding sockets to virtual clocks.
+  * rtnl: Add function to detect virtual clocks.
+  * rtnl: Fix rtnl_rtattr_parse() to process max attribute.
+  * phc_ctl: replace calculate_offset with clockadj_compare
+  * phc2sys: move read_phc into clock_adj.c
+  * Add UNICAST_MASTER_TABLE_NP management TLV
+  * pmc: Initialize reserved field in management_tlv_datum.
+  * Check 'print_log' before arguments are evaluated, not after.
+  * Add PORT_SERVICE_STATS_NP management TLV
+  * util: attempt to resolve symlinks to the PHC device in posix_clock_open
+  * util: fix dangling file descriptors on the error path of posix_clock_open
+  * Maintain one Sync sequence counter per destination address.
+  * Maintain one Announce sequence counter per destination address.
+  * clock: Split update of leap status from clock_time_properties().
+  * Delay Response Timeout Feature addition for PTP4L
+  * clock: Notify servo about leap second on UTC hardware clock.
+  * clock: Clear leap flags after leap second.
+  * clock: Print info message when leap flags change.
+  * clock: Accept new UTC offset after leap second.
+  * lstab: update expiration to 28 December 2021
+  * lstab: Close file after reading.
+  * Fix quoting in ptp4l man page.
+  * config: Add workaround for glibc getopt_long().
+  * Rename management ID macros.
+  * clockcheck: Increase minimum interval.
+  * port: Don't renew raw transport.
+  * port: Don't check timestamps from non-slave ports.
+  * clock: Reset clock check on best clock/port change.
+  * clock: Reset state when switching port with same best clock.
+  * Increase the default tx_timestamp_timeout to 10
+  * ts2phc: Add serial baudrate option
+  * ts2phc: Update leapfile documentation
+  * ts2phc: Close socket on peer shutdown
+  * ts2phc: Fix uninitialized variable in nmea_scan_rmc
+  * tc: Fix length of follow-up message of one-step sync.
+  * Validate the messageLength field of incoming messages.
+  * Log optimization for ptp4l in jbod and client only mode (clientOnly=1 and boundary_clock_jbod=1)
+  * Log optimization for ptp4l in jbod and client only mode (clientOnly=1 and boundary_clock_jbod=1)
+  * Add master only management TLV
+  * Set domainNumber for telecom examples
+  * Fix SLAVE_ONLY TLV
+  * Prevent client ports getting stuck in the UNCALIBRATED state.
+  * tlv: Fix coding style.
+  * Ensure TLV_PORT_STATS_NP statistics uses little endian.
+  * Revert "phc2sys: Expand the validation of the PPS mode."
+  * Avoid undefined integer operations.
+  * pmc: Fix printed totalCorrectionField.
+  * Avoid unaligned pointers to packed members.
+  * Revert "phc2sys: Ensure PHC source when using PPS mode."
+  * phc_ctl: Fix incorrect memset in do_cmp()
+  * Fix --initial_delay for automotive profile
+  * Update man page to reflect the new serverOnly option.
+  * Convert the example configuration files over to the new serverOnly option.
+  * Deprecate the masterOnly option in favor of serverOnly.
+  * Bump to IEEE 1588-2019 version
+  * Clock Class Threshold Feature addition for PTP4L
+  * sk: Don't return error for zero-length messages.
+  * clock: Introduce step_window to free run x Sync events after a clock step.
+  * timemaster: Set uds_ro_address for ptp4l instances.
+  * clock: Add read-only UDS port for monitoring.
+  * clock: Rename UDS variables to read-write.
+  * clock: Don't allow COMMAND action on non-UDS port.
+  * port: Ignore non-management messages on UDS port.
+  * port: Don't assume transport from port number.
+  * Implement push notification for TIME_STATUS_NP
+  * tlv: Fix byte reordering in ScaledNs
+  * Improve port-related log messages.
+  * port: Cache display name for logs.
+  * Update man pages to reflect the new clientOnly option.
+  * Convert the example configuration files over to the new clientOnly option.
+  * Deprecate the slaveOnly option in favor of clientOnly.
+  * Check for deprecated "long" options on the command line.
+  * lstab: Bring expiration up to date.
+  * util: add SIGHUP handling
+  * port: Fix link down/up to continue using phc_index set from command line -p option.
+  * ts2phc: Convert usage message to time source/sink terminology.
+  * ptp4l: Convert usage messages to client/server terminology.
+  * phc2sys: Convert usage messages to time source/sink terminology.
+  * ts2phc: Convert man page to source/sink terminology.
+  * ptp4l: Convert man page to client/server terminology.
+  * phc2sys: Convert man page to client/server terminology.
+  * phc2sys: Convert man page to source/sink terminology.
+  * phc2sys: Update man page to reflect the new restriction on the PPS mode.
+  * phc2sys: Ensure PHC source when using PPS mode.
+  * phc2sys: fix BC sync fault when port in uncalibrated state
+  * phc2sys: add dbg print for clock state change events
+  * Update the unicast subscriptions when the GM changes.
+  * phc2sys: Fix regression in the automatic mode.
+  * pmc_agent: Remove an obsolete method.
+  * phc2sys: Simplify the main loop.
+  * pmc_agent: Let the update method poll for push events.
+  * phc2sys: Move static configuration to its own subroutine.
+  * phc2sys: Replace yet another magical test with a proper test.
+  * phc2sys: Replace magical test with a proper test.
+  * phc2sys: Expand the validation of the PPS mode.
+  * phc2sys: Validate the PPS mode right away.
+  * phc2sys: Replace hard coded tests with a readable helper function.
+  * phc2sys: Rename PMC agent pointer from node to agent.
+  * phc2sys: Don't duplicate the command line arguments.
+  * pmc_agent: Simplify the method that gets of the number of local ports.
+  * pmc_agent: Generalize the method that queries the local clock identity.
+  * pmc_agent: Convert the method that queries the port properties.
+  * pmc_agent: Convert the method that queries TAI-UTC offset into the canonical form.
+  * phc2sys: Fix null pointer de-reference in manual mode.
+  * rtnl: Fix trivial spelling error in the name of a helper function.
+  * Update the description of the time_stamping configuration option.
+  * Avoid setting clock frequency when free running.
+  * pmc_agent: Rename the update method and attempt to document it.
+  * pmc_agent: Perform time comparison using positive logic.
+  * pmc_agent: Remove bogus comparison between last update and now.
+  * pmc_agent: Simplify logic in update method.
+  * pmc_agent: Simplify the update method.
+  * pmc_agent: Convert the subscribe method into the canonical form.
+  * Introduce error codes for the run_pmc method.
+  * Clarify the documentation of the management TLV ID helper function.
+  * Find a better home for the management TLV data helper function.
+  * Find a better home for the management TLV ID helper function.
+  * pmc_agent: Hide the implementation.
+  * pmc_agent: Rename pmc_node to something more descriptive.
+  * Introduce the PMC agent module.
+  * phc2sys: break out pmc code into pmc_common.c
+  * phc2sys: make PMC functions non-static
+  * phc2sys: extract PMC functionality into a smaller struct pmc_node
+  * phc2sys: break long lines in the PTP management message accessors
+  * phc2sys: Postpone adding of servo to clock.
+  * phc2sys: Remove superfluous code.
+  * missing.h: uclic-ng has clock_nanosleep support since v1.0.31
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * phc2sys.service
+  * ptp4l.service
+
lsof
+- lsof 4.99.0:
+  * Do not hard-code fd numbers in epoll test
+  * --with-selinux configure option.
+  * Improve performance by using closefrom()
+  * Introduce liblsof for programmatic access over spawning lsof
+    in a subprocess
+- build with libtirpc
+- switch to upstream tarball again as it dropped proprietary code
+
+- Repacked tarball to remove proprietary code in dialects/uw/uw7/sys/fs
+
+- lsof 4.98.0:
+  * Fix two potential null pointer access bug when gethostbyname2()
+    returns an empty address list
+  * Fix handling of empty command name
+  * Add -H switch to print human readable size, e.g. 123.4K
+
+- update to 4.97.0:
+  * Remove support because the os is no longer updated for
+    more than 10 years
+  * Remove support because the os is no longer updated
+    for more than 20 years
+  * Add experimental build system based on Autotools
+  * Fixed LTsock testing on darwin
+  * Remove NEW and OLD folders
+  * Fix FreeBSD testcases
+  * Rewrite documentation and publish at https://lsof.readthedocs.io/
+
+- update to 4.96.5:
+  * Avoid C89-only constructs is Configure
+- drop format.patch, now upstream
+
+- format.patch: Use correct scanf/printf format for uint64_t
+- Build with %{optflags}
+
+- update to 4.96.4
+  * fix hash functions used for finding local tcp/udp IPCs
+  * Show copyright notice in --version output.
+  * Avoid some easy collissions for udp/udp6 sockets when hashing
+  * Changing the number of ipcbuckets to 4096
+  * obtain correct information of memory-mapped file.
+- drop remove-hostname.patch now upstream
+
+- Update remove-hostname.patch with the upstream version
+
+- Fix hostname in reproducible builds, bsc#1199709
+  * remove-hostname.patch
+
+- update to 4.95.0:
+  * Update perl scripts for the past few decades of progress
+  * Drop LSOF_CCDATE across all dialects to ensure reproducible builds
+  * Fix FD field description.
+  * Adjust alignment of buffer passed to stat().
+  * Clean up source code and documents.
+  - remove trailing whitespace,
+  - fix some issues in scripts found through shellcheck, and
+  - fix spelling
+  * man page: fix hyphen issues
+  * Fix broken LSOF_CFLAGS_OVERRIDE.
+  * [linux] Remove sysvlegacy function.
+  * [linux] use close_range instead of calling close repeatedly
+  * Add -Q option for adjusting exit status when failed to find a
+    search item (#129)
+- drop lsof-no-build-date-etc.patch (obsolete)
+
+- Update to 4.94.0:
+  * Fix various bugs
+  * Display more information for eventfd and other objects
+- Remove lsof-glibc-linux-5.0.patch as it has been fixed upstream
+- Remove lsof_4.81-include.patch as it is not needed anymore
+- Remove lsof_4.81-perl.patch as this change is now done inside the spec file
+- Remove lsof_4.81-fmt.patch as it is not needed anymore
+
+- update to 4.93.2:
+  The maintainership is switched from Vic to lsof-org
+  Made FreeBSD 13 adjustment.
+  Fix a typo causing a build error.
+  Fix a potential memory leak.
+  [linux] use tirpc for rpc if libc doesn't provide rpc.h.
+  Fix a typo in man page.
+  fix memory leaks detected by valgrind about unix endpoint
+    information.
+  Update the description about -fg and -fG options on linux.
+  Fix a broken symbolic link.
+  Update the version number embedded in lsof executable.
+- lsof-no-build-date-etc.patch: refreshed against newer base
+
+- Add lsof-glibc-linux-5.0.patch: Fix build with
+  linux-glibc-devel-5.0 by including sysmacros.h as needed (bsc#1181571)
+
-- license update: Zlib
-  lsof license is most similar to Zlib (also use SPDX format)
-
-- repack the tarball to remove legally problematic files
-  (bnc#705143)
-
-- change perl reference to /usr/bin/perl which actually exists
-
-- perl4 refference causes missing perl4 dependency
-
-- portability fixes (by Pascal)
-
-- Do not include build host specific information including
-  date and compilation time to make build-compare happy
-
-- update to lsof 4.84
-  * corrects a man page nroff command error
-  * recognizes FreeBSD 7.3
-  * adds improved task support, initially for Linux
-
-- update to lsof 4.83
-  * corrects an over-zealous test that causes lsof to produce no
-    ouput when the HASSECURITY and HASNOSOCKSECURITTY have been
-    specified at lsof build time
-  * fixes a typo with the LINUX_HASSELUNIX Configure variable
-  * accepts LSOF_RANLIB from the environment
-  * added Linux test for __UCLIBC__
-
-- fix 64bit issue (gcc 4.5)
-
-- enable parallel build
-
lvm2
+- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339)
+  * 2.03.22:
+  * Fix pv_major/pv_minor report field types so they are integers, not strings.
+  * Add lvmdevices --delnotfound to delete entries for missing devices.
+  * Always use cachepool name for metadata backup LV for lvconvert --repair.
+  * Make metadata backup LVs read-only after pool's lvconvert --repair.
+  * Handle 'lvextend --usepolicies' for pools for all activation variants.
+  * Fix memleak in vgchange autoactivation setup.
+  * Support conversion from thick to fully provisioned thin LV.
+  * Cache/Thin-pool can use error and zero volumes for testing.
+  * Individual thin volume can be cached, but cannot take snapshot.
+  * internal support for handling error and zero target (for testing).
+  * COW above trimmed maximal size is does not return error.
+  * Add lvm.conf thin_restore and cache_restore settings.
+  * Handle multiple mounts while resizing volume with a FS.
+  * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id.
+  * Fix failing -S|--select for non-reporting cmds if using LV info/status fields.
+  * Allow snapshots of raid+integrity LV.
+  * Fix multisegment RAID1 allocator to prevent using single disk for more legs.
+  * 2.03.21:
+  * Allow (write)cache over raid+integrity LV.
+  * 2.03.20:
+  * Fix segfault if using -S|--select with log/report_command_log=1 setting.
+  * 2.03.19:
+  * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
+  * Ensure udev is processing origin LV before its thick snapshots LVs.
+  * 2.03.18:
+  * Fix warning for thin pool overprovisioning on lvextend.
+  * Add support for writecache metadata_only and pause_writeback settings.
+  * Fix missing error messages in lvmdbusd.
+  * 2.03.17:
+  * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported).
+  * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
+  * Fix lv_active field type to binary so --select and --binary applies properly.
+  * Error out in lvm shell if using a cmd argument not supported in the shell.
+  * Fix lvm shell's lastlog command to report previous pre-command failures.
+  * Add --valuesonly option to lvmconfig to print only values without keys.
+  * Add json_std output format for more JSON standard compliant version of output.
+  * Fix many corner cases in device_id, including handling of S/N duplicates.
+  * Fix various issues in lvmdbusd.
+- device-mapper version upgrade to 1.02.196
+  * Improve parallel creation of /dev/mapper/control device node.
+  * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev.
+  * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings.
+  * Improve 'dmsetup create' without given table line with new kernels.
+  * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format.
+- Drop patches that have been merged into upstream
+  - 0001-devices-file-move-clean-up-after-command-is-run.patch
+  - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch
+  - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch
+  - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch
+  - 0005-pvdisplay-restore-reportformat-option.patch
+  - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch
+  - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch
+  - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch
+  - 0009-mm-remove-libaio-from-being-skipped.patch
+  - 0010-dmsetup-check-also-for-ouf-of-range-value.patch
+  - 0011-devices-drop-double-from-sysfs-path.patch
+  - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch
+  - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch
+  - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch
+  - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch
+  - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch
+- Add upstream patch
+  + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch
+  + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch
+  + 0003-lvconvert-fix-regresion-from-integrity-check.patch
+  + 0004-gcc-cleanup-warnings.patch
+  + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch
+  + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch
+  + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch
+  + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch
+  + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch
+  + 0010-lvmlockd-client-mutex-ordering.patch
+  + 0011-filesystem-move-stat-after-open-check.patch
+  + 0012-tests-check-for-writecache.patch
+  + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch
+  + 0014-gcc-fix-warnings-for-x32-architecture.patch
+  + 0015-gcc-warning-missing-braces-around-initializer.patch
+  + 0016-test-improve-aux-teardown.patch
+  + 0017-tests-aux-try-with-extra-sleep.patch
+  + 0018-tests-aux-using-singl-lvmconf-call.patch
+  + 0019-tests-missing-to-check-for-writecache-support.patch
+  + 0020-tests-pvmove-large-disk-area.patch
+  + 0021-tests-enforce-full-fs-check.patch
+  + 0022-tests-update-for-work-in-fake-dev-environment.patch
+  + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch
+  + 0024-tests-better-slowdown.patch
+- Update patch
+  - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch
+  - bug-1184124-link-tests-as-PIE.patch
+  - bug-1184687_Add-nolvm-for-kernel-cmdline.patch
+  - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch
+- Rename & Update patch
+  - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
+  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch
+- update lvm2.spec
+  - change upstream_device_mapper_version to 1.02.196
+  - change device_mapper_version to %{lvm2_version}_1.02.196
+  - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf
+  - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package
+
lvm2:devicemapper
+- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339)
+  * 2.03.22:
+  * Fix pv_major/pv_minor report field types so they are integers, not strings.
+  * Add lvmdevices --delnotfound to delete entries for missing devices.
+  * Always use cachepool name for metadata backup LV for lvconvert --repair.
+  * Make metadata backup LVs read-only after pool's lvconvert --repair.
+  * Handle 'lvextend --usepolicies' for pools for all activation variants.
+  * Fix memleak in vgchange autoactivation setup.
+  * Support conversion from thick to fully provisioned thin LV.
+  * Cache/Thin-pool can use error and zero volumes for testing.
+  * Individual thin volume can be cached, but cannot take snapshot.
+  * internal support for handling error and zero target (for testing).
+  * COW above trimmed maximal size is does not return error.
+  * Add lvm.conf thin_restore and cache_restore settings.
+  * Handle multiple mounts while resizing volume with a FS.
+  * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id.
+  * Fix failing -S|--select for non-reporting cmds if using LV info/status fields.
+  * Allow snapshots of raid+integrity LV.
+  * Fix multisegment RAID1 allocator to prevent using single disk for more legs.
+  * 2.03.21:
+  * Allow (write)cache over raid+integrity LV.
+  * 2.03.20:
+  * Fix segfault if using -S|--select with log/report_command_log=1 setting.
+  * 2.03.19:
+  * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
+  * Ensure udev is processing origin LV before its thick snapshots LVs.
+  * 2.03.18:
+  * Fix warning for thin pool overprovisioning on lvextend.
+  * Add support for writecache metadata_only and pause_writeback settings.
+  * Fix missing error messages in lvmdbusd.
+  * 2.03.17:
+  * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported).
+  * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
+  * Fix lv_active field type to binary so --select and --binary applies properly.
+  * Error out in lvm shell if using a cmd argument not supported in the shell.
+  * Fix lvm shell's lastlog command to report previous pre-command failures.
+  * Add --valuesonly option to lvmconfig to print only values without keys.
+  * Add json_std output format for more JSON standard compliant version of output.
+  * Fix many corner cases in device_id, including handling of S/N duplicates.
+  * Fix various issues in lvmdbusd.
+- device-mapper version upgrade to 1.02.196
+  * Improve parallel creation of /dev/mapper/control device node.
+  * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev.
+  * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings.
+  * Improve 'dmsetup create' without given table line with new kernels.
+  * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format.
+- Drop patches that have been merged into upstream
+  - 0001-devices-file-move-clean-up-after-command-is-run.patch
+  - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch
+  - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch
+  - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch
+  - 0005-pvdisplay-restore-reportformat-option.patch
+  - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch
+  - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch
+  - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch
+  - 0009-mm-remove-libaio-from-being-skipped.patch
+  - 0010-dmsetup-check-also-for-ouf-of-range-value.patch
+  - 0011-devices-drop-double-from-sysfs-path.patch
+  - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch
+  - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch
+  - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch
+  - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch
+  - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch
+- Add upstream patch
+  + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch
+  + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch
+  + 0003-lvconvert-fix-regresion-from-integrity-check.patch
+  + 0004-gcc-cleanup-warnings.patch
+  + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch
+  + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch
+  + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch
+  + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch
+  + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch
+  + 0010-lvmlockd-client-mutex-ordering.patch
+  + 0011-filesystem-move-stat-after-open-check.patch
+  + 0012-tests-check-for-writecache.patch
+  + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch
+  + 0014-gcc-fix-warnings-for-x32-architecture.patch
+  + 0015-gcc-warning-missing-braces-around-initializer.patch
+  + 0016-test-improve-aux-teardown.patch
+  + 0017-tests-aux-try-with-extra-sleep.patch
+  + 0018-tests-aux-using-singl-lvmconf-call.patch
+  + 0019-tests-missing-to-check-for-writecache-support.patch
+  + 0020-tests-pvmove-large-disk-area.patch
+  + 0021-tests-enforce-full-fs-check.patch
+  + 0022-tests-update-for-work-in-fake-dev-environment.patch
+  + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch
+  + 0024-tests-better-slowdown.patch
+- Update patch
+  - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch
+  - bug-1184124-link-tests-as-PIE.patch
+  - bug-1184687_Add-nolvm-for-kernel-cmdline.patch
+  - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch
+- Rename & Update patch
+  - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
+  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch
+- update lvm2.spec
+  - change upstream_device_mapper_version to 1.02.196
+  - change device_mapper_version to %{lvm2_version}_1.02.196
+  - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf
+  - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package
+
lvm2:lockd
+- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339)
+  * 2.03.22:
+  * Fix pv_major/pv_minor report field types so they are integers, not strings.
+  * Add lvmdevices --delnotfound to delete entries for missing devices.
+  * Always use cachepool name for metadata backup LV for lvconvert --repair.
+  * Make metadata backup LVs read-only after pool's lvconvert --repair.
+  * Handle 'lvextend --usepolicies' for pools for all activation variants.
+  * Fix memleak in vgchange autoactivation setup.
+  * Support conversion from thick to fully provisioned thin LV.
+  * Cache/Thin-pool can use error and zero volumes for testing.
+  * Individual thin volume can be cached, but cannot take snapshot.
+  * internal support for handling error and zero target (for testing).
+  * COW above trimmed maximal size is does not return error.
+  * Add lvm.conf thin_restore and cache_restore settings.
+  * Handle multiple mounts while resizing volume with a FS.
+  * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id.
+  * Fix failing -S|--select for non-reporting cmds if using LV info/status fields.
+  * Allow snapshots of raid+integrity LV.
+  * Fix multisegment RAID1 allocator to prevent using single disk for more legs.
+  * 2.03.21:
+  * Allow (write)cache over raid+integrity LV.
+  * 2.03.20:
+  * Fix segfault if using -S|--select with log/report_command_log=1 setting.
+  * 2.03.19:
+  * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
+  * Ensure udev is processing origin LV before its thick snapshots LVs.
+  * 2.03.18:
+  * Fix warning for thin pool overprovisioning on lvextend.
+  * Add support for writecache metadata_only and pause_writeback settings.
+  * Fix missing error messages in lvmdbusd.
+  * 2.03.17:
+  * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported).
+  * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
+  * Fix lv_active field type to binary so --select and --binary applies properly.
+  * Error out in lvm shell if using a cmd argument not supported in the shell.
+  * Fix lvm shell's lastlog command to report previous pre-command failures.
+  * Add --valuesonly option to lvmconfig to print only values without keys.
+  * Add json_std output format for more JSON standard compliant version of output.
+  * Fix many corner cases in device_id, including handling of S/N duplicates.
+  * Fix various issues in lvmdbusd.
+- device-mapper version upgrade to 1.02.196
+  * Improve parallel creation of /dev/mapper/control device node.
+  * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev.
+  * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings.
+  * Improve 'dmsetup create' without given table line with new kernels.
+  * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format.
+- Drop patches that have been merged into upstream
+  - 0001-devices-file-move-clean-up-after-command-is-run.patch
+  - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch
+  - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch
+  - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch
+  - 0005-pvdisplay-restore-reportformat-option.patch
+  - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch
+  - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch
+  - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch
+  - 0009-mm-remove-libaio-from-being-skipped.patch
+  - 0010-dmsetup-check-also-for-ouf-of-range-value.patch
+  - 0011-devices-drop-double-from-sysfs-path.patch
+  - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch
+  - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch
+  - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch
+  - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch
+  - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch
+- Add upstream patch
+  + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch
+  + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch
+  + 0003-lvconvert-fix-regresion-from-integrity-check.patch
+  + 0004-gcc-cleanup-warnings.patch
+  + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch
+  + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch
+  + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch
+  + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch
+  + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch
+  + 0010-lvmlockd-client-mutex-ordering.patch
+  + 0011-filesystem-move-stat-after-open-check.patch
+  + 0012-tests-check-for-writecache.patch
+  + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch
+  + 0014-gcc-fix-warnings-for-x32-architecture.patch
+  + 0015-gcc-warning-missing-braces-around-initializer.patch
+  + 0016-test-improve-aux-teardown.patch
+  + 0017-tests-aux-try-with-extra-sleep.patch
+  + 0018-tests-aux-using-singl-lvmconf-call.patch
+  + 0019-tests-missing-to-check-for-writecache-support.patch
+  + 0020-tests-pvmove-large-disk-area.patch
+  + 0021-tests-enforce-full-fs-check.patch
+  + 0022-tests-update-for-work-in-fake-dev-environment.patch
+  + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch
+  + 0024-tests-better-slowdown.patch
+- Update patch
+  - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch
+  - bug-1184124-link-tests-as-PIE.patch
+  - bug-1184687_Add-nolvm-for-kernel-cmdline.patch
+  - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch
+- Rename & Update patch
+  - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
+  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch
+- update lvm2.spec
+  - change upstream_device_mapper_version to 1.02.196
+  - change device_mapper_version to %{lvm2_version}_1.02.196
+  - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf
+  - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package
+
mariadb-connector-c
+- Update to release 3.1.22:
+  * https://mariadb.com/kb/en/mariadb-connector-c-3-1-22-release-notes/
+
mcstrans
+- Update to version 3.5
+  * preserve runtime directory
+- Refreshed harden_mcstrans.service.patch
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * Port to PCRE2
+- Dropped patches
+  * add_includes.patch: Upstream
+  * mcstrans-writepid.patch: Upstream
+
+- Finish UsrMerge (bsc#1191075)
+
+- Update to version 3.3
+  * No user-visible changes
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_mcstrans.service.patch
+
+- Update to version 3.2
+  * No user-visible changes, only version bump.
+
mpich:gnu-hpc
+- Update to 4.1.2
+  - Update UCX module to includes fixes for building with GCC 13
+  - Update libfabric module to 1.18.0 with additional fixes for building
+    with recent versions of LLVM/Clang
+  - Fix compiler wrapper scripts to be compatible with CUDA memory hooks
+  - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array
+  - Fix bug in MPI_ALLREDUCE that could result in ranks receiving
+    different floating point values
+  - Fix potential deadlock when progressing RMA windows
+  - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE
+  - Fix potential crash during probe with libfabric CXI provider
+  - Fix MPI_PARRIVED when the partitioned request is inactive
+  - Fix potential bug when an attribute delete callback deletes another
+    attribute on the same object
+  - Fix build issue in ROMIO Lustre driver
+  - Improve Fortran 2008 binding support detection during configure
+  - Report an error if collective tuning json file fails to open
+  - Several fixes for testsuite programs and build configuration
+  - Update embedded UCX module to 1.13.1. Fixes a build issue with
+    binutils >= 2.39.
+  - Update yaksa module. Support explicit NVCC setting by the user. Fixes
+    a build issue when there is no libtool available in PATH.
+  - Fix ch4:ucx initialization when configured with
+  - -enable-ch4-vci-method=implicit.
+  - Fix potential error handler leak during MPI_SESSION_FINALIZE
+  - Fix value of MPI_UNDEFINED in mpif.h binding
+  - Fix MPI_IALLTOALLW with MPI_IN_PLACE
+  - Fix send attribute handling in IPC path
+  - Fix a bug in persistent MPI_ALLGATHER
+  - Fix tests for use with non-MPICH libraries
+  - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code
+  - Fix manpages for MPIX functions
+  - Thread-cs in ch4 changed to per-vci.
+  - Testsuite (test/mpi) is configured separately from mpich configure.
+  - Added options in autogen to accelerate CI builds, including using pre-built
+    sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code
+    for faster build and smaller binaries.
+  - Support singleton init using hydra.
+  - Generate mpi.mod Fortran interfaces using Python 3. For many compilers,
+    including gfortran, flags such as -fallow-mismatched-args is no longer
+    necessary.
+  - Fixed message queue debugger interface in ch4.
+  - PMI (src/pmi) is refactored as a subdir and can be separately distributed.
+  - Added MPIX_Comm_get_failed.
+  - Experimental MPIX stream API to enable explicit thread contexts.
+  - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams.
+  - Delays GPU resource allocation in yaksa.
+  - CH3 nemesis ofi netmod is removed.
+  - New collective algorithms. All collective algorithms are listed in
+    src/mpi/coll/coll_algorithms.txt
+  - Removed hydra2. We will port unique features of hydra2, including
+    tree-launching, to hydra in the future release.
+  - Added in-repository wiki documentation.
+  - Added stream workq to support optimizations for enqueue operations.
+  - Better support for large count APIs by eliminating type conversion issues.
+  - Hydra now uses libpmi (src/pmi) for handling PMI messages.
+  - Many bug fixes and enhancements.
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch
+
mpich:gnu-hpc-ofi
+- Update to 4.1.2
+  - Update UCX module to includes fixes for building with GCC 13
+  - Update libfabric module to 1.18.0 with additional fixes for building
+    with recent versions of LLVM/Clang
+  - Fix compiler wrapper scripts to be compatible with CUDA memory hooks
+  - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array
+  - Fix bug in MPI_ALLREDUCE that could result in ranks receiving
+    different floating point values
+  - Fix potential deadlock when progressing RMA windows
+  - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE
+  - Fix potential crash during probe with libfabric CXI provider
+  - Fix MPI_PARRIVED when the partitioned request is inactive
+  - Fix potential bug when an attribute delete callback deletes another
+    attribute on the same object
+  - Fix build issue in ROMIO Lustre driver
+  - Improve Fortran 2008 binding support detection during configure
+  - Report an error if collective tuning json file fails to open
+  - Several fixes for testsuite programs and build configuration
+  - Update embedded UCX module to 1.13.1. Fixes a build issue with
+    binutils >= 2.39.
+  - Update yaksa module. Support explicit NVCC setting by the user. Fixes
+    a build issue when there is no libtool available in PATH.
+  - Fix ch4:ucx initialization when configured with
+  - -enable-ch4-vci-method=implicit.
+  - Fix potential error handler leak during MPI_SESSION_FINALIZE
+  - Fix value of MPI_UNDEFINED in mpif.h binding
+  - Fix MPI_IALLTOALLW with MPI_IN_PLACE
+  - Fix send attribute handling in IPC path
+  - Fix a bug in persistent MPI_ALLGATHER
+  - Fix tests for use with non-MPICH libraries
+  - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code
+  - Fix manpages for MPIX functions
+  - Thread-cs in ch4 changed to per-vci.
+  - Testsuite (test/mpi) is configured separately from mpich configure.
+  - Added options in autogen to accelerate CI builds, including using pre-built
+    sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code
+    for faster build and smaller binaries.
+  - Support singleton init using hydra.
+  - Generate mpi.mod Fortran interfaces using Python 3. For many compilers,
+    including gfortran, flags such as -fallow-mismatched-args is no longer
+    necessary.
+  - Fixed message queue debugger interface in ch4.
+  - PMI (src/pmi) is refactored as a subdir and can be separately distributed.
+  - Added MPIX_Comm_get_failed.
+  - Experimental MPIX stream API to enable explicit thread contexts.
+  - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams.
+  - Delays GPU resource allocation in yaksa.
+  - CH3 nemesis ofi netmod is removed.
+  - New collective algorithms. All collective algorithms are listed in
+    src/mpi/coll/coll_algorithms.txt
+  - Removed hydra2. We will port unique features of hydra2, including
+    tree-launching, to hydra in the future release.
+  - Added in-repository wiki documentation.
+  - Added stream workq to support optimizations for enqueue operations.
+  - Better support for large count APIs by eliminating type conversion issues.
+  - Hydra now uses libpmi (src/pmi) for handling PMI messages.
+  - Many bug fixes and enhancements.
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch
+
mpich:ofi
+- Update to 4.1.2
+  - Update UCX module to includes fixes for building with GCC 13
+  - Update libfabric module to 1.18.0 with additional fixes for building
+    with recent versions of LLVM/Clang
+  - Fix compiler wrapper scripts to be compatible with CUDA memory hooks
+  - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array
+  - Fix bug in MPI_ALLREDUCE that could result in ranks receiving
+    different floating point values
+  - Fix potential deadlock when progressing RMA windows
+  - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE
+  - Fix potential crash during probe with libfabric CXI provider
+  - Fix MPI_PARRIVED when the partitioned request is inactive
+  - Fix potential bug when an attribute delete callback deletes another
+    attribute on the same object
+  - Fix build issue in ROMIO Lustre driver
+  - Improve Fortran 2008 binding support detection during configure
+  - Report an error if collective tuning json file fails to open
+  - Several fixes for testsuite programs and build configuration
+  - Update embedded UCX module to 1.13.1. Fixes a build issue with
+    binutils >= 2.39.
+  - Update yaksa module. Support explicit NVCC setting by the user. Fixes
+    a build issue when there is no libtool available in PATH.
+  - Fix ch4:ucx initialization when configured with
+  - -enable-ch4-vci-method=implicit.
+  - Fix potential error handler leak during MPI_SESSION_FINALIZE
+  - Fix value of MPI_UNDEFINED in mpif.h binding
+  - Fix MPI_IALLTOALLW with MPI_IN_PLACE
+  - Fix send attribute handling in IPC path
+  - Fix a bug in persistent MPI_ALLGATHER
+  - Fix tests for use with non-MPICH libraries
+  - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code
+  - Fix manpages for MPIX functions
+  - Thread-cs in ch4 changed to per-vci.
+  - Testsuite (test/mpi) is configured separately from mpich configure.
+  - Added options in autogen to accelerate CI builds, including using pre-built
+    sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code
+    for faster build and smaller binaries.
+  - Support singleton init using hydra.
+  - Generate mpi.mod Fortran interfaces using Python 3. For many compilers,
+    including gfortran, flags such as -fallow-mismatched-args is no longer
+    necessary.
+  - Fixed message queue debugger interface in ch4.
+  - PMI (src/pmi) is refactored as a subdir and can be separately distributed.
+  - Added MPIX_Comm_get_failed.
+  - Experimental MPIX stream API to enable explicit thread contexts.
+  - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams.
+  - Delays GPU resource allocation in yaksa.
+  - CH3 nemesis ofi netmod is removed.
+  - New collective algorithms. All collective algorithms are listed in
+    src/mpi/coll/coll_algorithms.txt
+  - Removed hydra2. We will port unique features of hydra2, including
+    tree-launching, to hydra in the future release.
+  - Added in-repository wiki documentation.
+  - Added stream workq to support optimizations for enqueue operations.
+  - Better support for large count APIs by eliminating type conversion issues.
+  - Hydra now uses libpmi (src/pmi) for handling PMI messages.
+  - Many bug fixes and enhancements.
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch
+
mpich:standard
+- Update to 4.1.2
+  - Update UCX module to includes fixes for building with GCC 13
+  - Update libfabric module to 1.18.0 with additional fixes for building
+    with recent versions of LLVM/Clang
+  - Fix compiler wrapper scripts to be compatible with CUDA memory hooks
+  - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array
+  - Fix bug in MPI_ALLREDUCE that could result in ranks receiving
+    different floating point values
+  - Fix potential deadlock when progressing RMA windows
+  - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE
+  - Fix potential crash during probe with libfabric CXI provider
+  - Fix MPI_PARRIVED when the partitioned request is inactive
+  - Fix potential bug when an attribute delete callback deletes another
+    attribute on the same object
+  - Fix build issue in ROMIO Lustre driver
+  - Improve Fortran 2008 binding support detection during configure
+  - Report an error if collective tuning json file fails to open
+  - Several fixes for testsuite programs and build configuration
+  - Update embedded UCX module to 1.13.1. Fixes a build issue with
+    binutils >= 2.39.
+  - Update yaksa module. Support explicit NVCC setting by the user. Fixes
+    a build issue when there is no libtool available in PATH.
+  - Fix ch4:ucx initialization when configured with
+  - -enable-ch4-vci-method=implicit.
+  - Fix potential error handler leak during MPI_SESSION_FINALIZE
+  - Fix value of MPI_UNDEFINED in mpif.h binding
+  - Fix MPI_IALLTOALLW with MPI_IN_PLACE
+  - Fix send attribute handling in IPC path
+  - Fix a bug in persistent MPI_ALLGATHER
+  - Fix tests for use with non-MPICH libraries
+  - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code
+  - Fix manpages for MPIX functions
+  - Thread-cs in ch4 changed to per-vci.
+  - Testsuite (test/mpi) is configured separately from mpich configure.
+  - Added options in autogen to accelerate CI builds, including using pre-built
+    sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code
+    for faster build and smaller binaries.
+  - Support singleton init using hydra.
+  - Generate mpi.mod Fortran interfaces using Python 3. For many compilers,
+    including gfortran, flags such as -fallow-mismatched-args is no longer
+    necessary.
+  - Fixed message queue debugger interface in ch4.
+  - PMI (src/pmi) is refactored as a subdir and can be separately distributed.
+  - Added MPIX_Comm_get_failed.
+  - Experimental MPIX stream API to enable explicit thread contexts.
+  - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams.
+  - Delays GPU resource allocation in yaksa.
+  - CH3 nemesis ofi netmod is removed.
+  - New collective algorithms. All collective algorithms are listed in
+    src/mpi/coll/coll_algorithms.txt
+  - Removed hydra2. We will port unique features of hydra2, including
+    tree-launching, to hydra in the future release.
+  - Added in-repository wiki documentation.
+  - Added stream workq to support optimizations for enqueue operations.
+  - Better support for large count APIs by eliminating type conversion issues.
+  - Hydra now uses libpmi (src/pmi) for handling PMI messages.
+  - Many bug fixes and enhancements.
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch
+
mvapich2:gnu-hpc
+- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue
+  on pcc64 (bsc#1216610, bsc#1216612)
+
mvapich2:gnu-hpc-psm2
+- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue
+  on pcc64 (bsc#1216610, bsc#1216612)
+
mvapich2:psm2
+- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue
+  on pcc64 (bsc#1216610, bsc#1216612)
+
mvapich2:standard
+- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue
+  on pcc64 (bsc#1216610, bsc#1216612)
+
ncurses
+- Add patch bsc1218014-cve-2023-50495.patch
+  * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
+
+- Add patch boo1201384.patch
+  * Do not fully reset serial lines
+
obs-service-recompress
+- update to version 0.5.2:
+  * zstd compression with rsyncable and higher compression
+
+- disable zstd on RHEL, the package is not available on OBS
+
+- use filebased requires on gzip so that zstd can supplement it as
+  well
+
+- Fixed checking for zstd support on different distributions
+
+- Update to version 0.5.1:
+  * Use at least 2 threads for xz compression
+
+- Update to version 0.5.0:
+  * do not follow symlinks (issue 9)
+  * add license file
+  * compression using # of core threads for zstd and xz
+  * Add support for keeping of original file
+  * use --threads=0
+
+- Update to version 0.4.0+git20200123.696d003:
+  * run test suite during build
+
+- Update to version 0.4.0+git20200123.946b23f:
+  * add zstd compression support
+
-- Update to version 0.3.1:
-  + debian: use install-file to simplify rules-file
-  + Initial debianization
-  + - avoid problematic quoting
-  + Fix typo
-
-- Update to version 0.3.1:
-  + Fix diffing uncompressed files
-
-- Update to version 0.3:
-  + Don't overwrite identical files
-
-- Move service to github.com/openSUSE/obs-service-recompress
-- Add _service file to update package from there
-- Drop local sources and use tarball from source services
-
-- Display message on successful (re)compression.
-
-- always remove uncompressed files
-- fix rpmlint warnings
-
openssh
+- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
+  This mitigates a prefix truncation attack that could be used to
+  undermine channel security.
+
+- Enhanced SELinux functionality. Added
+  * openssh-7.8p1-role-mls.patch
+    Proper handling of MLS systems and basis for other SELinux
+    improvements
+  * openssh-6.6p1-privsep-selinux.patch
+    Properly set contexts during privilege separation
+  * openssh-6.6p1-keycat.patch
+    Add ssh-keycat command to allow retrival of authorized_keys
+    on MLS setups with polyinstantiation
+  * openssh-6.6.1p1-selinux-contexts.patch
+    Additional changes to set the proper context during privilege
+    separation
+  * openssh-7.6p1-cleanup-selinux.patch
+    Various changes and putting the pieces together
+  For now we don't ship the ssh-keycat command, but we need the patch
+  for the other SELinux infrastructure
+  This change fixes issues like bsc#1214788, where the ssh daemon
+  needs to act on behalf of a user and needs a proper context for this
+
openvpn
+- update to 2.6.8: (jsc#PED-5763 bsc#1217073)
+  * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF
+    state - the new sanity check function introduced in 2.6.7 sometimes
+    tried to use a NULL pointer after an unsuccessful TLS handshake
+  * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
+    use a send buffer after it has been free()d in some circumstances,
+    causing some free()d memory to be sent to the peer. All configurations
+    using TLS (e.g. not using --secret) are affected by this issue.
+  * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
+    restore --fragment configuration in some circumstances, leading to a
+    division by zero when --fragment is used. On platforms where division
+    by zero is fatal, this will cause an OpenVPN crash.
+  * DCO: warn if DATA_V1 packets are sent by the other side - this a hard
+    incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4
+    server, and the only fix is to use --disable-dco.
+  * Remove OpenSSL Engine method for loading a key. This had to be removed
+    because the original author did not agree to relicensing the code with
+    the new linking exception added. This was a somewhat obsolete feature
+    anyway as it only worked with OpenSSL 1.x, which is end-of-support.
+  * add warning if p2p NCP client connects to a p2mp server - this is a
+    combination that used to work without cipher negotiation (pre 2.6 on
+    both ends), but would fail in non-obvious ways with 2.6 to 2.6.
+  * add warning to --show-groups that not all supported groups are listed
+    (this is due the internal enumeration in OpenSSL being a bit weird,
+    omitting X448 and X25519 curves).
+  * --dns: remove support for exclude-domains argument (this was a new 2.6
+    option, with no backend support implemented yet on any platform, and it
+    turns out that no platform supported it at all - so remove option again)
+  * warn user if INFO control message too long, do not forward to management
+    client (safeguard against protocol-violating server implementations)
+  * DCO-WIN: get and log driver version (for easier debugging).
+  * print "peer temporary key details" in TLS handshake
+  * log OpenSSL errors on failure to set certificate, for example if the
+    algorithms used are in acceptable to OpenSSL (misleading message would be
+    printed in cryptoapi / pkcs11 scenarios)
+  * add CMake build system for MinGW and MSVC builds
+  * remove old MSVC build system
+  * improve cmocka unit test building for Windows
+
p11-kit
+- Ensure that programs using <p11-kit/pkcs11x.h> can be compiled
+  with CRYPTOKI_GNU. Fixes GnuTLS builds. [jsc#PED-6705]
+  * Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch
+
-- new version 0.20.3
-  * Fix problems reinitializing managed modules after fork
-  * Fix bad bookeeping when fail initializing one of the modules
-  * Fix case where module would be unloaded while in use [#74919]
-  * Remove assertions when module used before initialized [#74919]
-  * Fix handling of mmap failure and mapping empty files [#74773]
-  * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
-  * Require automake 1.12 or later
-  * Build fixes for Windows [#76594 #74149]
-- apply patches to avoid errors from certificates with invalid public key
-  (fdo#82328, bnc#890908,
-  trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
-  trust-Print-label-of-certificate-when-complaining-.patch)
-
pacemaker
+- Update to version 2.1.6+20231205.0f6fbd59f:
+- scheduler: log reason for recheck time updates
+- scheduler: update recheck time for node-pending-timeout
+
+- Update to version 2.1.6+20231204.e1a1bd808:
+- tools: Fix a regression in tool XML output. (clbz#5529)
+
+- Update to version 2.1.6+20231122.7534cc50a (Pacemaker-2.1.7-rc2):
+- rpm: require minimum libxml2 version of 2.6.0
+- libcrmcommon: Write crm_verify detailed messages to XML
+- libcrmcommon: Use const for xmlCtxtGetLastError() (CLBZ#5530)
+- libcrmcommon: Drop deprecated libxml2 symbols (CLBZ#5530)
+- sysconfig: Use CRM_DAEMON_USER and CRM_DAEMON_GROUP
+- sysconfig: Fix defaults for dh_min_bits/dh_max_bits
+- sysconfig: Document PCMK_stderr
+- pacemakerd: Mark PCMK_shutdown_delay as deprecated
+- sysconfig: Document PCMK_cluster_type
+- sysconfig: Document PCMK_remote_pid1
+- sysconfig: Document PCMK_node_action_limit
+- sysconfig: Mark PCMK_cib_timeout as deprecated
+- controld/schedullerd: Change the default value of node-pending-timeout to 0.
+- controld: Adding default value for node-pending-timeout.
+- crm_resource: make --wait wait for pending actions in CIB
+
+- Update to version 2.1.6+20231031.d0ef74d64 (Pacemaker-2.1.7-rc1):
+- attrd: revert faulty T138 fix
+- controller: bail if CIB modify fails within transaction
+- scheduler: don't show pending nodes as having "<3.15.1" feature set
+
+- Update to version 2.1.6+20231030.66cc0f083:
+- scheduler: *really* ignore monitors for invalid roles
+- scheduler: avoid double free with disabled recurring actions
+- scheduler: use node when unpacking failure handling for history entries
+- scheduler: check for migration actions more accurately
+- attrd: avoid regression by reverting 58400e27
+- libcrmcommon: fix readable interval string
+- attrd: restore standalone operation for regression testing
+- all: avoid "data set" or "working set" in messages
+- cts-lab: work around issues with Reattach test
+- scheduler: improve node comparison trace messages
+- fencer: compare node name case-insensitively
+- attrd: Use CIB transaction in attrd_write_attribute()
+- attrd: NULL-check the_cib earlier in attrd_write_attribute()
+- attrd, controller: Ignore CIB diff if client is safe
+- based: Make CIB transactions backward compatible
+- libcrmcommon: Bump feature set for CIB transactions
+- Rebase:
+  * bug-812269_pacemaker-fencing-device-register-messages.patch
+  * bug-995365_pacemaker-cts-restart-systemd-journald.patch
+
+- Update to version 2.1.6+20231009.5a44f03e4:
+- controller: don't fence leaving nodes for node-pending-timeout
+
+- Update to version 2.1.6+20231004.92cc36b15:
+- crm_resource: move/ban fall back to old Promoted equivalent
+- libcrmcommon: Ignore text nodes when creating XML patchset
+
+- Update to version 2.1.6+20231003.0f5df886a:
+- scheduler: compare join state case-sensitively
+- scheduler: validate "terminate" node attribute better
+- controller,scheduler: allow disabling node-pending-timeout
+
+- Update to version 2.1.6+20231003.c3e159b4d:
+- libcrmcommon: Improve error log in pcmk__xml2text()
+- scheduler: correct meta-attribute name in message
+- scheduler: correct message about only-if-unmigratable inputs
+- crm_resource: report error when trying to restart unmanaged resources
+- scheduler: properly sort rule-based blocks when overwriting values
+- scheduler: properly evaluate rules in action meta-attributes
+
+- Update to version 2.1.6+20230905.dc65dc35f:
+- libcrmcommon: Fix error logging in mainloop_add_ipc_server_with_prio.
+- fencer: sleep 1s between reconnects
+- attrd: Don't write attributes for a CIB replace that we requested
+- controller: Drop CIB replace call recording and forgetting
+- attrd: Ignore CIB diff notification if shutdown was requested
+- controller: improve another shutdown message
+- attrd: avoid race condition at writer election
+- controller: improve disconnection messages
+- agents: HealthCPU - fix the validation of input
+- based: improve request processing messages
+- agents: avoid deprecated attrd_updater option in ocf:pacemaker:ping
+- tools: make crm_node -R use transaction for CIB changes
+- agents: HealthCPU - Add the parameter of attrd_delay and fix attrd_updter command
+- tools: improve how crm_node -R purges node from fencer
+- tools: improve how crm_node -R purges node from CIB
+- tools: crm_node shouldn't try to purge nodes from pacemakerd
+- controller: improve logs when processing messages
+
+- Update to version 2.1.6+20230821.d00694366:
+- libcrmcommon: fix unit tests on 32-bit hosts with large files (CLBZ#5526)
+- libcrmcommon: Use the new bz2-related error code.
+- libcrmcommon, daemons: Use the new network-related return codes.
+- tools: improve attrd_updater -U help
+- attrd: improve disconnection messages
+- attrd: avoid race condition when shutting down
+- controller: improve messages for resource history updates
+- controller: guard lrm_state_table usage with NULL check
+- controller: don't try to execute agent action at shutdown
+- scheduler: make validate_on_fail() replace value
+- scheduler: compare action names case-sensitively in validate_on_fail()
+- schemas: Add a new schema for crm_node.
+- tools: Convert crm_node -l/-p to formatted output.
+- tools: Convert crm_node -i to formatted output.
+- tools: Convert crm_node -q to use formatted output.
+- tools: Convert crm_node -n/-N to use formatted output.
+- libcrmcommon: Bump feature set for crm_node formatted output
+- libpacemaker: Change the type of the node_id argument.
+- libcrmcommon: wait for reply from appropriate controller commands
+- daemons: Disable sync points in certain circumstances.
+- tools: Fix a bug in clone resource description display (rh#2106642)
+- tools: The dampen parameter is disabled when setting values with attrd_updater.
+- libcrmcommon: fix regression in XML logging
+- build: No longer try to package the cts python directory.
+- libpe_status: compare action names case-sensitively
+- Rebase:
+  * bug-806256_pacemaker-log-level-notice.patch
+  * bug-943295_pacemaker-lrmd-log-notice.patch
+  * bug-995365_pacemaker-cts-restart-systemd-journald.patch
+
+- Update to version 2.1.6+20230711.ecd2395f8:
-  * bsc#1213125-0001-Fix-controller-do-not-check-whether-watchdog-fencing.patch
+- Update to version 2.1.6+20230710.a6d9205af:
+- various: compare XML element names case-sensitively
+- libpacemaker: Honor role-based colocations for bundles
+- libpacemaker: Anti-colocations affect scores when roles match
+- libpacemaker: Don't shuffle clone instances unnecessarily (rh#1931023)
+- rpm: allow passing custom rpmbuild options (CLBZ#5520)
+- libcrmcommon: improve IPC connection logging and retries
+- libcrmcommon: wait 500ms before IPC connection retry
+- various: use pcmk__connect_generic_ipc() instead of crm_ipc_connect()
+- various: use pcmk__ipc_fd() instead of crm_ipc_get_fd()
+- libcrmcommon: implement is_ipc_provider_expected() as series of fallbacks
+- libcrmcommon: fix is_ipc_provider_expected() with HAVE_GETPEERUCRED
+- libcrmcommon: fix is_ipc_provider_expected() with HAVE_SOCKPEERCRED
+- libcrmcommon: don't set libqb object context
+- scheduler: continue with non-sequential set members after error
+- scheduler: improve colocation unpacking messages (and comments)
+- CIB: be more strict about ignoring colocation elements without an ID
+- scheduler: consider explicit colocations with group members
+- scheduler: improve logs when unpacking colocation sets
+- CIB: deprecate "ordering" attribute of "resource_set"
+- scheduler: improve error-checking when creating colocations
+
+- Update to version 2.1.6+20230629.1c619c29a:
+- libpacemaker: Respect clone-node-max for cloned groups
+- libpacemaker: Log which resource we're adding colocations for
+- scheduler: distinguish unrunnable from migration unrunnable in displays
+- scheduler: check pointer for NULL *before* dereferencing it
+- scheduler: compare strings case-sensitively where appropriate
+- scheduler: assert on invalid usage of assignment methods
+- rpm: enforce libcmocka-devel version dependency
+
+- Update to version 2.1.6+20230615.16fc250dc:
+- controller: Replace node state atomically at DC join ack step (rh#2000595, CLBZ#5306)
+- libpacemaker: Get container attr from assigned node, if any
+- Rebase:
+  * bug-806256_pacemaker-log-level-notice.patch
+
+- Update to version 2.1.6+20230614.36c04fbf9:
+- libpacemaker: use "Assignment" instead of "Allocation"
+- libpacemaker: avoid "weight" in log messages
+- libpacemaker: use "assignment" terminology consistently
+- INSTALL: Add libcmocka version dependency (CLBZ#5518)
+- scheduler: improve a couple of bundle messages
+- scheduler: compare anti-colocation dependent negative preferences against stickiness
+
+- Enable crypto-policies support: [bsc#1211301]
+  * Honor the system-wide crypto-policies, via package-build-time
+    configurable "pcmk_gnutls_priorities" defaulting to @SYSTEM.
+
+- Update to version 2.1.6+20230612.dcecc9db0:
-  * bsc#1198767-0006-Fix-controller-update-node-state-correctly-based-on-.patch
-  * bsc#1198767-0005-Refactor-libcrmcluster-internal-functions-for-gettin.patch
-  * bsc#1198767-0004-Refactor-libcrmcluster-ability-to-search-for-a-node-.patch
+- controller: trigger a new transition if a pending node has reached `node-pending-timeout`
+- controller: pass abort_timer to the timeout function abort_timer_popped()
+- controller: read `node-pending-timeout` cluster option
+- cts-scheduler: add regression test for fencing a pending node that has reached `node-pending-timeout`
+- scheduler: fence a pending node that has reached `node-pending-timeout`
+- scheduler: add `node-pending-timeout` cluster option
+- scheduler: ability to determine node status from `in_ccm` and `crmd` fields of `node_state` based on timestamps
+- controller: record the timestamps of a node becoming a cluster member and online in CPG in CIB `node_state`
+- libcrmcluster: add ability to record the timestamps of a node becoming a cluster member and online in CPG
+- libcrmcommon: bump feature set to 3.18.0 for handling node pending timeout
-  * bsc#1198767-0003-Test-cts-scheduler-update-regression-test-about-not-.patch
-  * bsc#1198767-0002-Fix-scheduler-Do-not-fence-a-pending-node-that-doesn.patch
-  * bsc#1198767-0001-Test-cts-scheduler-add-regression-test-about-a-pendi.patch
+
+- Update to version 2.1.6+20230612.e6e89f803:
+- libcib: Support transactions for CIB file clients
+- libcrmcommon: replace_xml_node() segfaults when doc is shared
+- libcib: Allow multiple cib_file clients simultaneously
+- crm_verify: Add --quiet option to crm_verify
+- based: Support CIB transactions
+
+- Update to version 2.1.6+20230607.730523cd1:
+- libcrmservice: Fix an error when coverage is enabled.
+- scheduler: revert recently introduced regression
+- cts: self.rsh returns a tuple, not a single value.
+- xml: Improve efficiency of attribute value obtainment
+- based: NULL-check digest strings in cib_process_command()
+- based: Fix use-after-free in cib_process_command()
+- based: Fix bad sync check in sync_our_cib()
+- scheduler: skip non-exclusive nodes correctly for clones
+- scheduler: order clone instances properly
+
+- Update to version 2.1.6+20230524.f1298840d:
+- libcrmcommon: Fix Coverity false positive pcmk__file_contents()
+- libcrmcommon: NULL-check argument to pcmk__mark_xml_created()
+- controller: When a remote node starts, apply any start state.
+- liblrmd: Save a remote node's requested start state
+- daemons: Add start state to LRMD handshake XML
+- Rebase:
+  * bug-995365_pacemaker-cts-restart-systemd-journald.patch
+- Update to version 2.1.6+20230524.6fdc9deea (Pacemaker-2.1.6):
+- scheduler: ensure earlier group member starts happen after later member stops
+
+- Update to version 2.1.5+20230502.802a72226 (Pacemaker-2.1.6-rc2):
+- scheduler: consider mandatory colocations before optional
+- Update to version 2.1.5+20230501.832463d94:
-  * bsc#1210857-0001-Low-daemons-pacemakerd-S-should-wait-for-shutdown-be.patch
+- Update to version 2.1.5+20230501.b049bbeea:
+- scheduler: deprecate support for Nagios resources (jsc#PED-3877, jsc#PED-4446)
+- scheduler: deprecate "moon" in date_spec elements in rules
+- daemons: Preserve transient attrs when possible
+- daemons: Sync remote connection info with new controllers.
+- daemons: Record the node hosting a remote connection resource.
+- daemons: Add node hosting connection resource to state XML.
+- daemons: Broadcast remote node state changes to all controllers
+- daemons: Add daemon uptime to execd XML replies.
+
+- Update to version 2.1.5+20230424.6127934e3:
-  * bsc#1210074-0011-Fix-fencer-fencing-timeout-sent-to-peer-takes-no-del.patch
-  * bsc#1210074-0010-Fix-libpacemaker-initial-timeout-for-fencing-callbac.patch
-  * bsc#1210074-0009-Log-controller-use-target-terminology-consistently.patch
-  * bsc#1210074-0008-Log-controller-log-fencing-timeout-consistently-in-s.patch
-  * bsc#1210074-0007-Fix-controller-initial-timeout-for-fencing-callback-.patch
-  * bsc#1210074-0006-Fix-fencer-apply-requested-fencing-delay-only-for-th.patch
-  * bsc#1210074-0005-Fix-fencer-fencing-timeouts-take-any-pcmk_delay_base.patch
-  * bsc#1210074-0004-Fix-fencer-add-correct-values-of-pcmk_delay_base-max.patch
-  * bsc#1210074-0003-Fix-fencer-per-operation-fencing-timeout-takes-any-r.patch
-  * bsc#1210074-0002-Fix-fencer-total-fencing-timeout-takes-any-requested.patch
-  * bsc#1210074-0001-Test-cts-fencing-regression-test-for-fencing-timeout.patch
+- Update to version 2.1.5+20230418.ccc3b3344:
+- python: Default CTS iterations to 1.
+
+- Update to version 2.1.5+20230417.095c09eee (Pacemaker-2.1.6-rc1):
+- NLS: update translations for current code base
+- sysconfig: improve help text
+- sysconfig: overhaul enviroment variable descriptions
+- tools: avoid use-after-free of attribute ID
+- tools: fix use-after-free of attribute set name
+
+- Update to version 2.1.5+20230411.dbe567bfd:
-  * bsc#1209640-0001-Fix-controller-avoid-use-after-free-when-disconnecti.patch
+- Update to version 2.1.5+20230410.97fbe1f31:
+- daemons: Add the default port to pacemaker-remoted help output.
+- controller: Don't use "//" in the fence XML query.
+- scheduler: attenuate chained "with this" colocation scores
+- scheduler: don't add group colocations twice
+- controller: Unlocked lrm_resource should include cleared/expired
+- controller: Ensure we don't ignore relevant CIB replacements
+- based: Use correct local-only diff logic
+- scheduler: make asymmetric ordering handling more efficient
+- scheduler: use correct action when determining order set flags
+- Rebase:
+  * bug-806256_pacemaker-log-level-notice.patch
+  * bug-977201_pacemaker-controld-self-fencing.patch
+
+- Update to version 2.1.5+20230403.7945075ce:
+- tools: Deprecate crm_mon --simple-status
+- tools: crm_mon can use update mode with XML, text, none
+- tools: Last-one-wins for crm_mon --daemonize and --one-shot
+- tools: Fix crm_mon seg fault when curses is missing (CLBZ#5512)
+- tools: Don't ignore invalid format in reconcile_output_formats
+- tools: Case-sensitive comparisons in reconcile_output_format()
+- tools: Implement --output-as=none in crm_mon.c
+
+- Update to version 2.1.5+20230328.76c42a514:
+- python: Disable the too-many-statements warning from pylint.
+- scheduler: NULL-check when adding colocations to list
+- scheduler: always add clone constraints to instances' lists
+- scheduler: avoid trace log and method call if not needed
+- scheduler: always add group's own "this with" colocations
+- scheduler: always add group's own "with this" colocations
+- scheduler: add "group with" colocations to later members independent of assignment
+- scheduler: always add "group with" colocations to first member
+- scheduler: always add "with group" colocations to last member
-  * 0001-Fix-controller-Delay-join-finalization-if-a-transiti.patch
+- Update to version 2.1.5+20230323.ee1bc67ff:
+- crm_resource: Add the --element option for delete & set
-  * 0001-Fix-extra-resources-SysInfo.in-This-calculation-of-c.patch
+- Rebase:
+  * bug-995365_pacemaker-cts-restart-systemd-journald.patch
+- Update to version 2.1.5+20230320.22590c566:
-  * bsc#1209586-0001-Fix-libcrmcommon-allow-crm_attribute-to-try-OCF_RESO.patch
+- libcrmcommon, libpe_status: New enabled meta attr for alerts
+- scheduler: message now applies to all nodes
-  * 0001-Low-libcrmcommon-avoid-libqb-assertion.patch
-
+- tools: Formatted output in crm_shadow
+- schemas: New diff and any-element schemas
+- schemas: New crm_shadow and instruction schemas
+
+- Update to version 2.1.5+20230314.692147cd3:
+- tools: Don't teardown on unsuccessful crm_shadow --delete
+- tools: Don't print teardown message for crm_shadow --commit
+- libcib: Don't unset env var in cib_new_no_shadow()
+- scheduler: avoid displaying failed operations as pending (bsc#1206263)
-  * Drop obsolete bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch
-  * 0001-Test-cts-regression-reflect-any-test-failures-again-.patch
+- alerts: make alert_snmp.sh.sample compatible with SNMPv3
-  * bsc#1208868-0001-Fix-tool-update-crm_mon-synopsis.patch
+- Update to version 2.1.5+20230309.a4b0ea1b5:
+- controller: compare recordable actions case-sensitively
-  * CLBZ#5509-0001-Fix-libcrmcommon-Don-t-parse-INFINITY-as-a-list-of-c.patch
-  * 0001-Fix-tools-crm_shadow-commit-now-works-with-CIB_file.patch
+- scheduler: expired results shouldn't affect state
+- scheduler: avoid remap log if not remapped
+- scheduler: always treat degraded results as success
-  * 0003-Fix-watchdog-fencing-correctly-derive-timeout-with-t.patch
-  * 0002-Refactor-watchdog-fencing-convenience-function-pcmk_.patch
-  * 0001-Fix-watchdog-fencing-terminate-dangling-timer-before.patch
+- scheduler: ensure resource history entries have an XML ID
+- crm_resource: Add the --element option for --get-parameter
-  * 0001-Low-libcrmcommon-Fix-problems-with-pcmk__output_and_.patch
+- libcrmcommon: Fix memleak in pcmk__output_xml_add_node_copy()
+- Rebase:
+  * bug-806256_pacemaker-log-level-notice.patch
+  * pacemaker-cts-StartCmd.patch
+- Update to version 2.1.5+20230220.c4f6c191a:
-  * 0001-High-libcrmcommon-Fix-handling-node-NULL-in-pcmk__at.patch
-  * rh#2166967-0002-Fix-fencer-Avoid-double-source-remove-of-op_timer_to.patch
+- Rebase:
+  * bug-806256_pacemaker-log-level-notice.patch
+- Update to version 2.1.5+20230216.ed8bc68bc:
+- scheduler: count only containers' active nodes for bundles
+
+- Update to version 2.1.5+20230208.231b58a40:
+- cts: Add a basic cts-attrd program.
+- daemons: Modify a couple log messages for testing.
+- daemons: Add a -l argument to pacemaker-attrd.
+- daemons: Skip connecting to the CIB in attrd standalone mode.
+- daemons: Add some additional errors for when startup fails.
+- daemons: Add a standalone argument for attrd.
-  * rh#2166967-0001-Fix-fencer-Prevent-double-g_source_remove-of-op_time.patch
+- tools: Don't allow use of --name and --pattern at the same time.
+- tools: Add sync point support to crm_attribute.
+- tools: Add pattern support to attrd_updater.
-  * bsc#1182313-0005-Test-scheduler-update-expected-output-for-migration-.patch
-  * bsc#1182313-0004-Fix-scheduler-handle-cleaned-migrate_from-history-co.patch
-  * bsc#1182313-0003-Test-scheduler-add-regression-test-for-migration-int.patch
-  * bsc#1182313-0002-Low-scheduler-unknown_on_node-should-ignore-pending-.patch
-  * bsc#1182313-0001-Refactor-scheduler-improve-xpath-efficiency-when-unp.patch
+- daemons: Fix pointer management in attrd_client_update.
+- scheduler: improve migration history validation
+
+- Update to version 2.1.5+20230201.11c15a89f:
+- crm_mon: Display the descriptions in crm_mon output
+- libcrmcommon: parse_op_key() can now handle confirmed notifications
+- xml: change resources-related schemas and bump PCMK__API_VERSION
+- crm_resouce: Add the description to the XML output of crm_resource --list
+- python: Disable a couple more pylint warnings.
+- scheduler: correctly choose container vs inside resource for interleaving
+- scheduler: ignore node when getting resource inside container
+- Update to version 2.1.5+20230125.95bb4788a:
-  * bsc#1207319-0002-Fix-libpacemaker-avoid-assertion-failure-if-a-node_s.patch
-  * bsc#1207319-0001-Refactor-libpacemaker-unify-bailing-out-in-pcmk__inj.patch
+- Update to version 2.1.5+20230124.a29e52df9:
-  * 0001-High-executor-fix-regression-in-remote-node-shutdown.patch
+- scheduler: avoid memory leak when finding compatible instance
+- Update to version 2.1.5+20230123.f414133a7:
+- libcrmcommon: avoid infinite regression when logging v1 patchsets
+- controller: clear last failure from CIB even if executor state unavailable
+- scheduler: downgrade message about instance where it shouldn't be
+- controller: use %u with g_hash_table_size()
+- fenced: use enum fenced_target_by consistently
+- scheduler: update Chinese translation
+
+- Update to version 2.1.5+20230117.dd503ddbb:
+- libcrmcommon: bump feature set for crm_attribute --pattern with -v/-D and permanent attributes
+- resource agents: add depth="0" to validate-all metadata
+
+- Update to version 2.1.5+20230111.39e62b78e:
+- rpm: Add a python3-pacemaker subpackage.
+- python: Add a private pacemaker._cts module.
+- python: Add the pacemaker.buildoptions module.
+- python: Add the pacemaker.exitstatus module.
+- python: Add the very beginnings of a pacemaker python library.
+
+- Update to version 2.1.5+20230110.292d6bf6b:
+- libpe_status: clarify more pointer arguments
+- libcrmcommon: Improve prefix spacing in XML logging functions
+
+- Update to version 2.1.5+20221220.51cc0bfbc:
+- scheduler: order cloned fence device probes same as other clones
+- libcrmcommon: Remove colon and space from log line after prefix
+- libcrmcommon: Avoid out-of-bounds string access in log_data_element
+- libcrmcommon: Don't use aliases in XML logging functions
+- libcrmcommon: pcmk__output_xml_add_node() -> *_copy()
+- libcrmcommon: Assert on failed copy in copy_xml()
+- tools: Allow patterns for permanent attribute in crm_attribute.
+
+- Update to version 2.1.5+20221212.b4db7685a:
-  * bsc#1206263-0006-Test-cts-scheduler-update-test-for-preventing-inacti.patch
-  * bsc#1206263-0005-Fix-scheduler-prevent-inactive-instances-from-starti.patch
-  * bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch
-  * bsc#1206263-0003-Test-cts-scheduler-update-test-for-preventing-a-left.patch
-  * bsc#1206263-0002-Fix-scheduler-prevent-a-leftover-pending-monitor-fro.patch
-  * bsc#1206263-0001-Test-cts-scheduler-add-test-for-preventing-a-leftove.patch
+
+- Update to version 2.1.5+20221212.074e9c860:
+- tools: Support setting transient utilization attrs from crm_attribute.
+- scheduler: Unpack transient utilization attributes.
+- daemons: Add support for transient utilization attributes.
+- libcrmcommon: Add a block attr to an IPC update request.
+- tools: Add a -z option to attrd_updater.
+
+- Update to version 2.1.5+20221208.cd0f91f51:
+- libcrmcommon: Warn if deprecated command line formats are used.
+- controller: Don't nack joining node due to old CIB
+- based: Successful CIB schema upgrade should always force a write
+- based: Don't write to disk if CIB replace failed
+- tools: Fix trivial memory leak in cibadmin
+- based: Fix double free() in pacemaker-based.c
+- libpe_status: avoid memory leak on regular expression error
+- controller: Avoid election storm due to incompatible CIB
+- libpacemaker: don't regfree() if regcomp() failed
+- libpe_status: don't try to use compiled expression if regcomp() failed
+- libcrmcommon: don't regfree() if regcomp() failed
+- controller: Avoid error if a join request is received after fencing
+- controller: Don't double-increment failcount for simulated failures
+- daemons, tools: Unregister formats before exiting
+- scheduler: Advertise metadata option in scheduler help output
+- fencer: Use formatted output in pacemaker-fenced
+- fencer: Correct refresh logic in update_cib_cache_cb()
+- controller: Reduce CIB deletions during reprobe
+- controller: Don't reprobe remotes when target is only cluster node
+- add zh_cn translation for error (#2957)
+- tools: Validate scope in cibadmin.c
+- tools: Add status as valid cibadmin scope
+- tools: Fix action danger check in cibadmin
+- libcrmcommon: Null-check return value of pcmk__uid2username()
+- daemons: Support cluster-wide sync points for multi IPC messages.
+- tools: Fix scope/xpath parsing in cibadmin
+- libcrmcommon: Bump feature set for daemon formatted output
+- executor: Use formatted output in pacemaker-execd
+- pacemaker-based: Use formatted output in pacemaker-based
+- controller: Use formatted output in pacemaker-controld
+- controller: Node exits fatally in response to join nack
+- libcrmcommon: Retry pcmk_connect_ipc() if EAGAIN
+- controller: Remove CRM_CHECK in update_dc for no current DC
+- Pacemaker Explained: Clarify resource maintenance mode (CLBZ#5382)
+- libpe_status: Node maintenance mode sets resource maintenance flag
+- libpe_status: crm_mon shows "maintenance" for rsc maint meta
+- schemas: resources schema supports maintenance attribute
+- daemons: Check for NULL in attrd_do_not_expect_from_peer.
+- tools: crm_mon fencing history is now in high resolution
+- libpe_status: Use correct guint format specifier for failed action
+- add zh_CN translation for pacemaker-schedulerd libexec
+- daemons: Handle crm_ipc_new returning a NULL.
+- tools: crm_mon now shows last_update origin
+- schema: Add update origin to crm_mon output
+- tools: crm_mon --daemonize should update when disconnected
+- tools: Improve log messages in crm_mon.c
+- tools: Remove an output format-based sleep() call from crm_mon
+- tools: Include Pacemaker status in crm_mon output
+- libcib: Preserve return code in cib__signon_query()
+- libpacemaker: Use correct pcmkd state format in XML message
+- daemons: Avoid infinite confirm loops in attrd.
+- daemons: Handle an attrd client timing out.
+- attrd: Fix removing clients from the waitlist when they disconnect.
+- daemons: Handle cluster-wide sync points in attrd.
+- daemons: Keep track of #attrd-protocol from each peer.
+- daemons: Respond to received attrd confirmation requests.
+- libpacemaker: Show pcmkd status if we can't get native CIB
+- libpacemaker: Check conn status in pcmk__get_fencing_history()
+- libcib: Allow cib client reuse in cib__signon_query()
+- tools: Add --wait=cluster option to attrd_updater.
+- libpacemaker: Improve invalid reply type logging in cluster queries
+- includes: Bump CRM_FEATURE_SET for local sync points.
+- daemons: Add support for local sync points on clearing failures.
+- daemons: If a client disconnects, remove it from the waitlist.
+- daemons: Add support for local sync points on updates.
+- tools: Add --wait= parameter to attrd_updater.
+- Rebase:
+  * bug-806256_pacemaker-log-level-notice.patch
-- attrd: don't start a new election when receiving a client update
+- attrd: don't start a new election when receiving a client update (bsc#1215446)
perl-Cpanel-JSON-XS
+- updated to 4.37
+  see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
+  4.37 2023-07-04 (rurban)
+  - Fix NAN/INF for AIX (Tux: AIX-5.3, tested by XSven on AIX-7.3) GH #165
+  - Fix empty string result in object stringification (PR #221 jixam)
+  - Allow \' in strings when allow_singlequote is enabled (PR #217 warpspin)
+
perl-Mojolicious
+- updated to 9.35
+  see /usr/share/doc/packages/perl-Mojolicious/Changes
+  9.35  2023-10-27
+  - Added EXPERIMENTAL support for persistent cookies in Netscape format.
+  - Added EXPERIMENTAL file attribute to Mojo::UserAgent::CookieJar.
+  - Added EXPERIMENTAL load, save and to_string methods to Mojo::UserAgent::CookieJar.
+  - Fixed error reporting when loading applicartions with syntax errors. (haarg)
+  - Fixed absolute URL support in url_for_file and url_for_asset methods. (rawleyfowler)
+
plocate
+- Add Provides/Obsoletes mlocate for Tumbleweed only
+  * Since CtLG Leap have try to make SLE compatible as much as possible,
+    SLE's default locate system is mlocate and it should not be replaced
+    by other locate service by default. plocate be an option.
+
policycoreutils
+- Re-add "Obsoletes: policycoreutils-python <= 2.6" to avoid file
+  conflicts with /usr/share/bash-completion/completions/setsebool
+  of older policycoreutils-python-2.6
+
+- Only recommend policycoreutils-devel. The requires causes build issues
+  and this can be used with a policy from a different source
+- Required fixed python3-selinux, not version dependend sub-packages
+
+- Recommend setools-console as these cli tools compliment policycoreutils
+  for analysis and debugging of policy issues
+
+- Add requires for policycoreutils-devel for selinux-policy-devel as
+  policycoreutils-devel requires this
+
+- Adjust python requirement for newer SLES versions
+
+- Add Leap compatibility symlinks between /usr/sbin and /sbin (bsc#1210482)
+- Refresh GPG keyring
+
+- Add python-wheel build dependency to build correctly with latest
+  python-pip version.
+
+- Update to version 3.5
+  * fixfiles: Unmount temporary bind mounts on SIGINT
+  * Lots of smaller changes
+- Refreshed get_os_version.patch
+- Drop chcat_handle_missing_translations.patch, is upstream
+- Add additional BuildRequires for python
+- Added additional developer key (Jason Zaman)
+- Add requires for python3-distro for the devel package
+
+- Use %_pam_vendordir
+
+- Error in spec file: No "config" tag in "/usr/ should be used.
+
+- Migration PAM settings to /usr/etc: Saving user changed
+  configuration files in /etc and restoring them while an RPM
+  update.
+
+- Add recommends for ausearch binary (bsc#1201043)
+
+- Handle missing translations properly in chcat. Added
+  chcat_handle_missing_translations.patch (bsc#1200752)
+
+- Build and package translations for python-utils (boo#1200752).
+
+- Update to version 3.4
+  * fixfiles: Use parallel relabeling
+- Refreshed patches
+  * get_os_version.patch
+  * run_init.pamd.patch
+
+- Fix file list: package ru/man8/sepolgen.8 only in the devel
+  package (was in devel and main).
+
+- finish UsrMerge (bsc#1191089)
+
+- Update to version 3.3
+  * Lots of fuzzing fixes
+  * `fixfiles -C` doesn't exclude /dev and /run anymore
+  Refreshed get_os_version.patch
+
+- Update to version 3.2
+  * Tools using sepolgen, e.g. audit2allow, print extended permissions in
+    hexadecimal
+  * sepolgen sorts extended rules like normal ones
+  * `setfiles` doesn't abort on labeling errors
+- Refreshed get_os_version.patch
+
poppler
-- security update
-- added patches
-  fix CVE-2023-34872 [bsc#1213888], remote denial-of-service in OutlineItem::open in Outline.cc
-  + poppler-CVE-2023-34872.patch
+- Add patch to let it build with the heavily patched tiff 4.0.9
+  we have in SLE 15:
+  * reduce-libtiff-required-version.patch
+
+- version update to 23.10.0
+    core:
+  * cairo: update type 3 fonts for cairo 1.18 api
+  * Fix crash on malformed files
+    build system:
+  * Make a few more dependencies soft-mandatory
+  * Add more supported gnupg releases
+  * Check if linker supports version scripts
+- modified patches
+  % reduce-boost-required-version.patch (refreshed)
+
+- build with gpgmepp for signing documents (bsc#1215632)
+
+- Update to version 23.09.0:
+  * core:
+  - Add Android-specific font matching functionality
+  - Fix digital signatures for NeedAppearance=true
+  - Forms: Don't look up same glyph multiple times
+  - Provide the key location for certificates you can sign with
+  - Add ToUnicode support for similarequal
+  - Fix crash on malformed files
+  * qt5:
+  - Provide the key location for certificates you can sign with
+  - Allow to force a rasterized overprint preview during PS
+    conversion
+  * qt6:
+  - Provide the key location for certificates you can sign with
+  - Allow to force a rasterized overprint preview during PS
+    conversion
+  * pdfsig:
+  - Provide the key location for certificates you can sign with
+- Changes from version 23.08.0:
+  * core:
+  - Fix GWG 19.2 - DeviceN Overprint (White)
+  - Splash: avoid bogus memory allocation size in
+    doTilingPatternFill
+  - Fix use-of-uninitialized-value in XRef
+  - Fix float-cast-overflow error in Catalog
+  - Cleanup gpgme backend code
+  - Version symbols in poppler core
+  * glib:
+  - Improve poppler_get_available_signing_certificates
+  - Add new members to PopplerCertificateInfo
+  * utils:
+  - pdftotext: small improvement to man page
+- Bump poppler_sover to 131 following upstream changes.
+
+- update to 23.07.0:
+  core:
+  * Fix reading of utf8-with-bom files
+  * Fix crash if CERT_ExtractPublicKey doesn't return a public
+    key
+  * Fix rendering of some malformed documents. Issue #1395
+  * Allow for stream compression and compress font streams in
+    forms Remove method Hints::getPageRanges
+  qt5:
+  * Fix crash when overprint preview is enabled
+  * Don't fail signature basics tests if backend is not
+    configured
+  qt6:
+  * Fix crash when overprint preview is enabled
+  * Don't fail signature basics tests if backend is not
+    configured
+  utils:
+  * pdfsig: Allow showung and selecting signature backend
+  * pdfsig: Describe signature dump format in manual page
+
+- update to 23.06.0 (bsc#1212255):
+  * CairoOutputDev: Fix crash when doing type3 rendering
+  * Fix crash with unknown signature hashing algorithms
+  * Add gpgme backend for signature handling
+  * FontInfo: Make it return proper information about font
+    substitution
+  * FontInfo: Try harder to get Type 3 font name
+  * Store embedded fonts widths table in a more effective manner
+  * Skip font lookup for nonprintable characters
+  * Fix crash on malformed files
+  * Add API to allow selecting signature backend (nss or gpgme)
+  * Convert embedded files to bytearray a bit smarter
+
+- update to 23.05.0:
+  * Fix crash when filling some forms
+  * Set SigFlags when signing unsigned signature
+  * Add some infrastructure code to support multiple signing
+    backends
+  * Fix potential stack overflow in PostScriptFunction::parseCode
+  * Fix some minor uninitialised memory reads
+
+- update to 23.04.0:
+  * Fix memory issue when signing fails. Issue #1372
+  * Internal improvements of signature related code
+  * CairoOutputDev: improve type3 font rendering
+  * Fix memory leak in
+    GlobalParams::findSystemFontFileForFamilyAndStyle
+  * pdftocairo: Fix crash in some special situations
+  * pdfsig: allow holes in -dump signature list
+  * pdfsig: Support --help
+
+- update to 23.03.0:
+  core:
+  * PngWriter: Fix potential uninitialized memory use
+
+- Update to version 23.02.0:
+  + core:
+  * CairoOutputDev:
+    . Fix rendering of color type 3 fonts
+    . Add handling matte entry
+  * Fix segfault on wrong nssdir
+  * Fix "NSS could not shutdown"
+  + utils: pdfsig: Point out supports PKCS#11 URIs as nickname
postfix
+- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack
+  (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide
+  Apply patch containing the feature smtpd_forbid_unauth_pipelining
+  as default yes.
+  add patch:
+    postfix-3.7-patch06
+- Security: the Postfix SMTP server optionally disconnects remote
+  SMTP clients that violate RFC 2920 (or 5321) command pipelining
+  constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+  synchronization" and logs the unexpected remote SMTP client input.
+  Specify "smtpd_forbid_unauth_pipelining = yes" to enable.
+- Workaround to limit collateral damage from OS distributions that
+  crank up security to 11, increasing the number of plaintext email
+  deliveries. This introduces basic OpenSSL configuration file support,
+  with two new parameters "tls_config_file" and "tls_config_name".
+  Details are in the postconf(5) manpage under "tls_config_file" and
+  "tls_config_name".
+
postfix-bdb
+- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack
+  (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide
+  Apply patch containing the feature smtpd_forbid_unauth_pipelining
+  as default yes.
+  add patch:
+    postfix-3.7-patch06
+- Security: the Postfix SMTP server optionally disconnects remote
+  SMTP clients that violate RFC 2920 (or 5321) command pipelining
+  constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+  synchronization" and logs the unexpected remote SMTP client input.
+  Specify "smtpd_forbid_unauth_pipelining = yes" to enable.
+- Workaround to limit collateral damage from OS distributions that
+  crank up security to 11, increasing the number of plaintext email
+  deliveries. This introduces basic OpenSSL configuration file support,
+  with two new parameters "tls_config_file" and "tls_config_name".
+  Details are in the postconf(5) manpage under "tls_config_file" and
+  "tls_config_name".
+
ppc64-diag
+- Migrate from cron to systemd timers.
+
ppp
+- bsc#1218251, CVE-2022-4603, ppp-CVE-2022-4603.patch: improper
+  validation of array index of the component pppdump.
+
pv
+- disable testsuite for s390x [bsc#1215338]
+- remove _constraints again as it didn't help
+- deleted sources
+  - _constraints (not needed)
+
python-apsw
+- update to 3.44.2.0:
+  * Added `logger` parameter to :func:`apsw.ext.log_sqlite` to
+    use a specific :class:`logging.Logger` (:issue:`493`)
+  * Added :func:`apsw.ext.result_string` to turn an result code
+    into a string, taking into account if it is extended or not.
+  * Provide detail when C implemented objects are printed. For
+    example :class:`connections <Connection>` include the filename.
+  * Added :meth:`URIFilename.parameters` (:issue:`496`)
+  * :class:`URIFilename` are only valid for the duration of the
+    :meth:`VFS.xOpen` call.  If you save and use the object later
+    you will get an exception.  (:issue:`501`)
+
+- update to 3.44.0.0:
+  * Added virtual table :meth:`VTTable.Integrity` support.
+  * On 64 bit platforms with the amalgamation,
+    `SQLITE_MAX_MMAP_SIZE SQLite's default limit is 2GB.
+  * :meth:`Connection.create_aggregate_function` can take a class
+    with step and final methods. (:issue:`421`)
+  * Corrected non :pep:`8` :ref:`compliant names <renaming>`.
+    The old names remain as aliases to the new ones, and your
+    code will not break.
+  * :doc:`Exception <exceptions>` handling has been updated, with
+    multiple exceptions in the same SQLite control flow being
+    chained together.
+
+- Update to 3.43.1.0
+  - All C code calling into Python and all C code called by Python
+    uses vectorcall / fastcall (see PEP 590) which reduces the
+    overhead of passing and receiving positional and keyword
+    arguments. (APSW issue 477 APSW issue 446):
+  * Conversion of arguments from Python values to C values drops
+    generic PyArg_ParseTupleAndKeywords in favour of direct
+    processing which is more efficient and allows better
+    exception messages.
+  * Running speedtest with a VFS that inherits all methods went
+    from being 17% slower than pure SQLite to 2% slower.
+  * A virtual table benchmark takes 35% less time. (Remember that
+    benchmarks are best case!)
+  - The shell JSON output modes have been fixed. Mode 'json'
+    outputs a json array, while mode 'jsonl' does newline delimited
+    json objects, aka json lines. (APSW issue 483)
+- Changes from 3.43.1.0
+  - This is the last version that supports Python 3.6 and
+    Python 3.7 (both end of life). The policy as stated in the
+    about page is that there will be one more APSW release after
+    a Python version goes end of life supporting that Python
+    version. (APSW issue 471)
+  - Added best practice module (APSW issue 460)
+  - apsw.ext.log_sqlite() outputs SQLite warnings at warning level.
+    (APSW issue 472)
+  - sqlite3_stmt_explain is wrapped available as a explain keyword
+    parameter on execute/executemany methods. (APSW issue 474)
+  - Added documentation and helper class for implementing custom
+    pragmas in your own Virtual File System (VFS) (APSW issue 464)
+  - Reduced overhead of the Column method when using
+    apsw.ext.make_virtual_module() (APSW issue 465)
+
+- Update to 3.42.0.1:
+  - Work with SQLite compiled with
+    SQLITE_OMIT_DEPRECATED. Connection.setprofile() was changed
+    from using the deprecated sqlite3_profile to sqlite3_trace_v2
+    giving the same results. When including the amalgamation,
+    SQLITE_OMIT_DEPRECATED is defined. (APSW issue 443)
+  - Shell updates adding various commands to match the SQLite
+    shell, as well as code and documentation improvements. (APSW
+    issue 397)
+  - Added Connection.read() and apsw.ext.dbinfo() to provide
+    information from the database and journal/wal files. The
+    shell command .dbinfo displays it.
+  - Added apsw.vfs_details(). The shell command .vfslist displays
+    it.
+  - Implemented VFS method xCurrentTimeInt64. The default SQLite
+    VFS no longer provide xCurrentTime (floating point version)
+    if SQLITE_OMIT_DEPRECATED is defined, so this is needed for
+    inheritance to work. (APSW issue 451)
+  - Backwards incompatible change: VFS If you override
+    xCurrentTime, then you will need to override
+    xCurrentTimeInt64 in the same way, or exclude
+    xCurrentTimeInt64 in VFS, or use iVersion of 1.
+  - speedtest now shows summary statistics, and improved help
+    text. (APSW issue 444)
+- Clean up the SPEC file, use %pyproject_* macros instead.
+- Make the test suite pass again (gh#rogerbinns/apsw#462).
+
+- Add %{?sle15_python_module_pythons}
+
+- update to 3.42.0.0:
+  * Shell: Errors when SQLite are preparing a statement now show
+    the relevant extract of the query, and where the error was
+    detected.
+  * Shell: Output modes table (ASCII line drawing, lots of
+    sanitization), box (Unicode line drawing) and
+    qbox (box with quoted values) available.
+  * Shell: if started interactively then box is the default mode
+    (list remains the default in non-interactive)
+  * Added :meth:`Connection.pragma` to execute pragmas
+    and get results.
+  * Added :attr:`Cursor.get` returning query results with the
+    least amount of structure.
+  * Fixed execution tracers should return comment text for
+    comment only queries, and add :attr:`Cursor.has_vdbe`.
+  * Ensure that all applicable options are implemented for
+    :func:`apsw.config`, :meth:`Connection.config` and similar.
+  * Added :func:`apsw.sleep`
+  * Strings for :meth:`apsw.VFS.xNextSystemCall` are interned
+  * Detect unbound recursion not handled by CPython, and handle
+    better.
+
+- update to 3.41.2.0:
+  * Fixed :issue:`412` in :meth:`apsw.ext.make_virtual_module`.
+  * Added :meth:`apsw.connections` to get all connections.
+  * :func:`sys.unraisablehook` is called correctly (:issue:`410`)
+  * Be stricter where :class:`bool` values are expected (eg
+  * :meth:`VTTable.BestIndex`), only accepting :class:`int` and
+    :class:`bool`.  Previously you could for example supply
+    strings and lists, which were almost certainly unintended
+    errors.
+
+- update to 3.40.1.0:
+  * Implemented `window functions
+  * Function flags can be specified to
+    Connection.createscalarfunction and
+    Connection.createaggregatefunction
+  * Added apsw.mapping_function_flags
+  * Added Connection.trace_v2` with apsw.mapping_trace_codes
+    and apsw.mapping_statement_status
+  * Ensure all SQLite APIs are wrapped.
+  * When an unraisable exception happens, sqlite3_log is
+    now called so you will have context within SQLite's actions.
+  * sys.unraisablehook now called first, and if it doesn't exist then
+    sys.excepthook as before.
+  * When the wrong type is given for a function argument, the
+    error message now includes the parameter name and function
+    signature.
+  * Let SQLite do size checking instead of APSW for strings and
+    blobs.
+  * Added :meth:`apsw.ext.log_sqlite` which installs a handler
+    that forwards SQLite messages to the logging module
+  * Added set_default_vfs and unregister_vfs taking vfs
+    names.
+
+- update to 3.40.0.0:
+  * Fixed regression in statement cache update (version 3.38.1-r1) where
+    trailing whitespace in queries would be incorrectly treated as
+    incomplete execution (APSW issue 376)
+  * Added Various interesting and useful bits of functionality (APSW issue
+    369)
+  * Added more Pythonic attributes as an alternative to getters and setters,
+    including Connection.in_transaction, Connection.exectrace,
+    Connection.rowtrace, Cursor.exectrace, Cursor.rowtrace,
+    Cursor.connection (APSW issue 371)
+  * Completed: To the extent permitted by CPython APIs every item has the
+    same docstring as this documentation. Every API can use named
+    parameters. The type stubs cover everything including constants. The
+    type stubs also include documentation for everything, which for example
+    Visual Studio Code displays as you type or hover. There is a single
+    source of documentation in the source code, which is then automatically
+    extracted to make this documentation, docstrings, and docstrings in the
+    type stubs.
+  * Example/Tour updated and appearance improved (APSW issue 367).
+  * Added Connection.cache_stats() to provide more information about the
+    statement cache.
+  * Cursor.execute() now uses sqlite_prepare_v3 which allows supplying
+    flags.
+  * Cursor.execute() has a new can_cache parameter to control whether the
+    query can use the statement cache. One example use is with authorizers
+    because they only run during prepare, which doesn’t happen with already
+    cached statements.
+  * (The Cursor.execute() additional parameters are keyword only and also
+    present in Cursor.executemany(), and the corresponding
+    Connection.execute() and Connection.executemany() methods.)
+  * Added Cursor.is_readonly, Cursor.is_explain, and Cursor.expanded_sql.
+  * Updated processing named bindings so that types registered with
+    collections.abc.Mapping (such as collections.UserDict) will also be
+    treated as dictionaries. (APSW issue 373)
+  * Test no longer fails if APSW was compiled without
+    SQLITE_ENABLE_COLUMN_METADATA but sqlite3 was separately compiled with
+    it. APSW should be compiled with the same flags as sqlite3 to match
+    functionality and APIs. (APSW issue 363)
+  * –use-system-sqlite-config setup.py build_ext option added to allow
+    Matching APSW and SQLite options. (APSW issue 364)
+  * Source ▪ Downloads ▪ Changelogs  ▪ Documentation
+  * PyPI now includes Python 3.11 builds.
+  * Instead of using scripts, you can now run several tools directly:
+  * tests: python3 -m apsw.tests [options]
+  * tracer: python3 -m apsw.trace [options]
+  * speed tester: python3 -m apsw.speedtest [options]
+  * shell: python3 -m apsw [options]
+  * The shell class has moved from apsw.Shell to apsw.shell.Shell (APSW
+    issue 356). You can still reference it via the old name (ie existing
+    code will not break, except on Python 3.6).
+  * Shell: On Windows the native console support for colour is now used
+    (previously a third party module was supported).
+  * You can use –definevalues in setup.py build_ext to provide compiler
+    defines used for configuring SQLite. (APSW issue 357)
+  * If SQLITE_ENABLE_COLUMN_METADATA is enabled then Cursor.description_full
+    is available providing all the column metadata available. (APSW issue
+    354)
+  * Connection.cursor_factory attribute is now present and is used when
+    Connection.cursor() is called. Added Connection.execute() and
+    Connection.executemany() which automatically obtain the underlying
+    cursor. See customizing connections and cursors in the Tips. (APSW issue
+    361)
+
python-cryptography
+- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
+  segfault could occur when loading certificates from a PKCS#7 bundle.
+  bsc#1217592
+
python-pip
+- Add CVE-2023-5752-r-param-hg.patch to fix bsc#1217353
+  (CVE-2023-5752) avoiding injection of arbitrary configuration
+  through Mercurial parameter.
+
python-pytest-console-scripts
+- Fix build error for Leap.
+
+- update to 1.4.1:
+  * Dropped support for Python 3.7
+  * Fix loading scripts with non-UTF-8 encodings.
+  * Print output when a subprocess runner with `check=True` fails
+    was missing.
+  * Added type-hinting for all types,
+    `pytest_console_scripts.ScriptRunner`
+    can now be used to hint the `script_runner` fixture.
+  * Added support for the `shell` and `check` keywords for in-
+    process mode.
+  * Passing command arguments in `*args` is now deprecated and
+    will raise warnings.
+  * Dropped support for Python 3.6
+  * Install-time dependencies have been fixed.
+
+- Update to 1.3.1:
+  * Remove use of mock.
+- Drop patch remove-mock.patch, included upstream.
+
+- Update to 1.3:
+  * Add a note on manual result printing to README - #50
+  * Bump Python version to 3.6 - fix #51
+- Add patch remove-mock.patch:
+  * Remove use of mock.
+
+- pytest-runner is not required for build
+
+- version update to 1.2.1
+  * no upstream changelog
+- deleted patches
+  - virtualenv-20.patch (upstreamed)
+
+- do not require pytest-runner for build, it is not needed
+
+- Do not pull in pytest twice
+
+- Add patch to work with python-virtualenv >= 20:
+  * virtualenv-20.patch
+
python-shaptools
+- Create version 0.3.14
+- Make shaptools available for venv-salt-minion (bsc#1212695)
+
python3-cryptography
+- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
+  segfault could occur when loading certificates from a PKCS#7 bundle.
+  bsc#1217592
+
python312
+- Update patch fix_configure_rst.patch
+- Update to 3.12.1 (CVE-2023-6507, bsc#1217939):
+  - Core and Builtins
+  - gh-112125: Fix None.__ne__(None) returning NotImplemented
+    instead of False
+  - gh-112625: Fixes a bug where a bytearray object could be
+    cleared while iterating over an argument in the
+    bytearray.join() method that could result in reading memory
+    after it was freed.
+  - gh-105967: Workaround a bug in Apple’s macOS platform zlib
+    library where zlib.crc32() and binascii.crc32() could produce
+    incorrect results on multi-gigabyte inputs. Including when
+    using zipfile on zips containing large data.
+  - gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode
+    instruction when optimized twice.
+  - gh-111058: Change coro.cr_frame/gen.gi_frame to return None
+    after the coroutine/generator has been closed. This fixes a bug
+    where getcoroutinestate() and getgeneratorstate() return the
+    wrong state for a closed coroutine/generator.
+  - gh-112388: Fix an error that was causing the parser to try to
+    overwrite tokenizer errors. Patch by pablo Galindo
+  - gh-112387: Fix error positions for decoded strings with
+    backwards tokenize errors. Patch by Pablo Galindo
+  - gh-112367: Avoid undefined behaviour when using the perf
+    trampolines by not freeing the code arenas until shutdown.
+    Patch by Pablo Galindo
+  - gh-112243: Don’t include comments in f-string debug
+    expressions. Patch by Pablo Galindo
+  - gh-112266: Change docstrings of __dict__ and __weakref__.
+  - gh-111654: Fix runtime crash when some error happens in opcode
+    LOAD_FROM_DICT_OR_DEREF.
+  - gh-109181: Speed up Traceback object creation by lazily compute
+    the line number. Patch by Pablo Galindo
+  - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
+    codecs read out of bounds
+  - gh-111366: Fix an issue in the codeop that was causing
+    SyntaxError exceptions raised in the presence of invalid syntax
+    to not contain precise error messages. Patch by Pablo Galindo
+  - gh-111380: Fix a bug that was causing SyntaxWarning to appear
+    twice when parsing if invalid syntax is encountered later.
+    Patch by Pablo galindo
+  - gh-94438: Fix a regression that prevented jumping across is
+    None and is not None when debugging. Patch by Savannah
+    Ostrowski.
+  - gh-110938: Fix error messages for indented blocks with
+    functions and classes with generic type parameters. Patch by
+    Pablo Galindo
+  - gh-109894: Fixed crash due to improperly initialized static
+    MemoryError in subinterpreter.
+  - gh-110782: Fix crash when typing.TypeVar is constructed with a
+    keyword argument. Patch by Jelle Zijlstra.
+  - gh-110696: Fix incorrect error message for invalid argument
+    unpacking. Patch by Pablo Galindo
+  - gh-110543: Fix regression in Python 3.12 where
+    types.CodeType.replace() would produce a broken code object if
+    called on a module or class code object that contains a
+    comprehension. Patch by Jelle Zijlstra.
+  - gh-110514: Add PY_THROW to sys.setprofile() events
+  - gh-110455: Guard assert(tstate->thread_id > 0) with #ifndef
+    HAVE_PTHREAD_STUBS. This allows for for pydebug builds to work
+    under WASI which (currently) lacks thread support.
+  - gh-110259: Correctly identify the format spec in f-strings
+    (with single or triple quotes) that have multiple lines in the
+    expression part and include a formatting spec. Patch by Pablo
+    Galindo
+  - gh-110237: Fix missing error checks for calls to PyList_Append
+    in _PyEval_MatchClass.
+  - gh-109889: Fix the compiler’s redundant NOP detection algorithm
+    to skip over NOPs with no line number when looking for the next
+    instruction’s lineno.
+  - gh-109853: sys.path[0] is now set correctly for
+    subinterpreters.
+  - gh-105716: Subinterpreters now correctly handle the case where
+    they have threads running in the background. Before, such
+    threads would interfere with cleaning up and destroying them,
+    as well as prevent running another script.
+  - gh-109793: The main thread no longer exits prematurely when a
+    subinterpreter is cleaned up during runtime finalization. The
+    bug was a problem particularly because, when triggered, the
+    Python process would always return with a 0 exitcode, even if
+    it failed.
+  - gh-109596: Fix some tokens in the grammar that were incorrectly
+    marked as soft keywords. Also fix some repeated rule names and
+    ensure that repeated rules are not allowed. Patch by Pablo
+    Galindo
+  - gh-109351: Fix crash when compiling an invalid AST involving a
+    named (walrus) expression.
+  - gh-109216: Fix possible memory leak in BUILD_MAP.
+  - gh-109207: Fix a SystemError in __repr__ of symtable entry
+    object.
+  - gh-109179: Fix bug where the C traceback display drops notes
+    from SyntaxError.
+  - gh-109052: Use the base opcode when comparing code objects to
+    avoid interference from instrumentation
+  - gh-88943: Improve syntax error for non-ASCII character that
+    follows a numerical literal. It now points on the invalid
+    non-ASCII character, not on the valid numerical literal.
+  - gh-106931: Statically allocated string objects are now interned
+    globally instead of per-interpreter. This fixes a situation
+    where such a string would only be interned in a single
+    interpreter. Normal string objects are unaffected.
+  - Library
+  - gh-79325: Fix an infinite recursion error in
+    tempfile.TemporaryDirectory() cleanup on Windows.
+  - gh-112645: Remove deprecation error on passing onerror to
+    shutil.rmtree().
+  - gh-112618: Fix a caching bug relating to typing.Annotated.
+    Annotated[str, True] is no longer identical to Annotated[str,
+    1].
+  - gh-112334: Fixed a performance regression in 3.12’s subprocess
+    on Linux where it would no longer use the fast-path vfork()
+    system call when it should have due to a logic bug, instead
+    always falling back to the safe but slower fork().
+  - Also fixed a related 3.12 security regression: If a value of
+    extra_groups=[] was passed to subprocess.Popen or related APIs,
+    the underlying setgroups(0, NULL) system call to clear the
+    groups list would not be made in the child process prior to
+    exec(). This has been assigned CVE-2023-6507.
+  - This was identified via code inspection in the process of fixing
+    the first bug.
+  - gh-110190: Fix ctypes structs with array on Arm platform by
+    setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
+  - gh-112578: Fix a spurious RuntimeWarning when executing the
+    zipfile module.
+  - gh-112509: Fix edge cases that could cause a key to be present
+    in both the __required_keys__ and __optional_keys__ attributes
+    of a typing.TypedDict. Patch by Jelle Zijlstra.
+  - gh-112414: Fix regression in Python 3.12 where calling repr() on
+    a module that had been imported using a custom loader could fail
+    with AttributeError. Patch by Alex Waygood.
+  - gh-112358: Revert change to struct.Struct initialization that
+    broke some cases of subclassing.
+  - gh-94722: Fix bug where comparison between instances of DocTest
+    fails if one of them has None as its lineno.
+  - gh-112105: Make readline.set_completer_delims() work with
+    libedit
+  - gh-111942: Fix SystemError in the TextIOWrapper constructor with
+    non-encodable “errors” argument in non-debug mode.
+  - gh-109538: Issue warning message instead of having RuntimeError
+    be displayed when event loop has already been closed at
+    StreamWriter.__del__().
+  - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
+    pass invalid arguments, e.g. non-string encoding.
+  - gh-111460: curses: restore wide character support (including
+    curses.unget_wch() and get_wch()) on macOS, which was
+    unavailable due to a regression in Python 3.12.
+  - gh-103791: contextlib.suppress now supports suppressing
+    exceptions raised as part of a BaseExceptionGroup, in addition
+    to the recent support for ExceptionGroup.
+  - gh-111804: Remove posix.fallocate() under WASI as the underlying
+    posix_fallocate() is not available in WASI preview2.
+  - gh-111841: Fix truncating arguments on an embedded null
+    character in os.putenv() and os.unsetenv() on Windows.
+  - gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
+  - gh-110894: Call loop exception handler for exceptions in
+    client_connected_cb of asyncio.start_server() so that
+    applications can handle it. Patch by Kumar Aditya.
+  - gh-111531: Fix reference leaks in bind_class() and bind_all()
+    methods of tkinter widgets.
+  - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
+    io.IncrementalNewlineDecoder to io.__all__.
+  - gh-111342: Fixed typo in math.sumprod().
+  - gh-68166: Remove mention of not supported “vsapi” element type
+    in tkinter.ttk.Style.element_create(). Add tests for
+    element_create() and other ttk.Style methods. Add examples for
+    element_create() in the documentation.
+  - gh-75666: Fix the behavior of tkinter widget’s unbind() method
+    with two arguments. Previously, widget.unbind(sequence, funcid)
+    destroyed the current binding for sequence, leaving sequence
+    unbound, and deleted the funcid command. Now it removes only
+    funcid from the binding for sequence, keeping other commands,
+    and deletes the funcid command. It leaves sequence unbound only
+    if funcid was the last bound command.
+  - gh-79033: Another attempt at fixing
+    asyncio.Server.wait_closed(). It now blocks until both
+    conditions are true: the server is closed, and there are no more
+    active connections. (This means that in some cases where in
+    3.12.0 this function would incorrectly have returned
+    immediately, it will now block; in particular, when there are no
+    active connections but the server hasn’t been closed yet.)
+  - gh-111295: Fix time not checking for errors when initializing.
+  - gh-111253: Add error checking during _socket module init.
+  - gh-111251: Fix _blake2 not checking for errors when
+    initializing.
+  - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
+    for empty BytesIO.
+  - gh-111187: Postpone removal version for
+    locale.getdefaultlocale() to Python 3.15.
+  - gh-111159: Fix doctest output comparison for exceptions with
+    notes.
+  - gh-110910: Fix invalid state handling in asyncio.TaskGroup and
+    asyncio.Timeout. They now raise proper RuntimeError if they are
+    improperly used and are left in consistent state after this.
+  - gh-111092: Make turtledemo run without default root enabled.
+  - gh-110488: Fix a couple of issues in
+    pathlib.PurePath.with_name(): a single dot was incorrectly
+    considered a valid name, and in PureWindowsPath, a name with an
+    NTFS alternate data stream, like a:b, was incorrectly considered
+    invalid.
+  - gh-110392: Fix tty.setraw() and tty.setcbreak(): previously they
+    returned partially modified list of the original tty attributes.
+    tty.cfmakeraw() and tty.cfmakecbreak() now make a copy of the
+    list of special characters before modifying it.
+  - gh-110590: Fix a bug in _sre.compile() where TypeError would be
+    overwritten by OverflowError when the code argument was a list
+    of non-ints.
+  - gh-65052: Prevent pdb from crashing when trying to display
+    undisplayable objects
+  - gh-110519: Deprecation warning about non-integer number in
+    gettext now alwais refers to the line in the user code where
+    gettext function or method is used. Previously it could refer to
+    a line in gettext code.
+  - gh-110395: Ensure that select.kqueue() objects correctly appear
+    as closed in forked children, to prevent operations on an
+    invalid file descriptor.
+  - gh-110378: contextmanager() and asynccontextmanager() context
+    managers now close an invalid underlying generator object that
+    yields more then one value.
+  - gh-110365: Fix termios.tcsetattr() bug that was overwritting
+    existing errors during parsing integers from term list.
+  - gh-109653: Fix a Python 3.12 regression in the import time of
+    random. Patch by Alex Waygood.
+  - gh-110196: Add __reduce__ method to IPv6Address in order to keep
+    scope_id
+  - gh-110036: On Windows, multiprocessing Popen.terminate() now
+    catchs PermissionError and get the process exit code. If the
+    process is still running, raise again the PermissionError.
+    Otherwise, the process terminated as expected: store its exit
+    code. Patch by Victor Stinner.
+  - gh-110038: Fixed an issue that caused KqueueSelector.select() to
+    not return all the ready events in some cases when a file
+    descriptor is registered for both read and write.
+  - gh-109631: re functions such as re.findall(), re.split(),
+    re.search() and re.sub() which perform short repeated matches
+    can now be interrupted by user.
+  - gh-109747: Improve errors for unsupported look-behind patterns.
+    Now re.error is raised instead of OverflowError or RuntimeError
+    for too large width of look-behind pattern.
+  - gh-109818: Fix reprlib.recursive_repr() not copying
+    __type_params__ from decorated function.
+  - gh-109047: concurrent.futures: The executor manager thread now
+    catches exceptions when adding an item to the call queue. During
+    Python finalization, creating a new thread can now raise
+    RuntimeError. Catch the exception and call terminate_broken() in
+    this case. Patch by Victor Stinner.
+  - gh-109782: Ensure the signature of os.path.isdir() is identical
+    on all platforms. Patch by Amin Alaee.
+  - gh-109590: shutil.which() will prefer files with an extension in
+    PATHEXT if the given mode includes os.X_OK on win32. If no
+    PATHEXT match is found, a file without an extension in PATHEXT
+    can be returned. This change will have shutil.which() act more
+    similarly to previous behavior in Python 3.11.
+  - gh-109786: Fix possible reference leaks and crash when re-enter
+    the __next__() method of itertools.pairwise.
+  - gh-109593: Avoid deadlocking on a reentrant call to the
+    multiprocessing resource tracker. Such a reentrant call, though
+    unlikely, can happen if a GC pass invokes the finalizer for a
+    multiprocessing object such as SemLock.
+  - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for
+    exceptions. Previously, on Python built in debug mode, these
+    functions could trigger a fatal Python error (and abort the
+    process) when a function succeeded with an exception set. Patch
+    by Victor Stinner.
+  - gh-109375: The pdb alias command now prevents registering
+    aliases without arguments.
+  - gh-107219: Fix a race condition in concurrent.futures. When a
+    process in the process pool was terminated abruptly (while the
+    future was running or pending), close the connection write end.
+    If the call queue is blocked on sending bytes to a worker
+    process, closing the connection write end interrupts the send,
+    so the queue can be closed. Patch by Victor Stinner.
+  - gh-50644: Attempts to pickle or create a shallow or deep copy of
+    codecs streams now raise a TypeError. Previously, copying failed
+    with a RecursionError, while pickling produced wrong results
+    that eventually caused unpickling to fail with a RecursionError.
+  - gh-108987: Fix _thread.start_new_thread() race condition. If a
+    thread is created during Python finalization, the newly spawned
+    thread now exits immediately instead of trying to access freed
+    memory and lead to a crash. Patch by Victor Stinner.
+  - gh-108791: Improved error handling in pdb command line
+    interface, making it produce more concise error messages.
+  - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock
+  - gh-106584: Fix exit code for unittest if all tests are skipped.
+    Patch by Egor Eliseev.
+  - gh-102956: Fix returning of empty byte strings after seek in
+    zipfile module
+  - gh-84867: unittest.TestLoader no longer loads test cases from
+    exact unittest.TestCase and unittest.FunctionTestCase classes.
+  - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
+    which now no longer dereferences symlinks when working around
+    file system permission errors.
+  - gh-73561: Omit the interface scope from an IPv6 address when
+    used as Host header by http.client.
+  - gh-86826: zipinfo now supports the full range of values in the
+    TZ string determined by RFC 8536 and detects all invalid
+    formats. Both Python and C implementations now raise exceptions
+    of the same type on invalid data.
+  - bpo-43153: On Windows, tempfile.TemporaryDirectory previously
+    masked a PermissionError with NotADirectoryError during
+    directory cleanup. It now correctly raises PermissionError if
+    errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
+  - bpo-35332: The shutil.rmtree() function now ignores errors when
+    calling os.close() when ignore_errors is True, and os.close() no
+    longer retried after error.
+  - bpo-41422: Fixed memory leaks of pickle.Pickler and
+    pickle.Unpickler involving cyclic references via the internal
+    memo mapping.
+  - bpo-40262: The ssl.SSLSocket.recv_into() method no longer
+    requires the buffer argument to implement __len__ and supports
+    buffers with arbitrary item size.
+  - Documentation
+  - gh-111699: Relocate smtpd deprecation notice to its own section
+    rather than under locale in What’s New in Python 3.12 document
+  - gh-108826: dis module command-line interface is now mentioned in
+    documentation. Test- s
+  - gh-112769: The tests now correctly compare zlib version when
+    zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
+    example zlib-ng defines the version as 1.3.0.zlib-ng.
+  - gh-110367: Make regrtest --verbose3 option compatible with
+  - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3
+  - -verbose3 command now works as expected. Patch by Victor
+    Stinner.
+  - gh-111165: Remove no longer used functions run_unittest() and
+    run_doctest() from the test.support module.
+  - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
+    variable is defined: use the variable value as the random seed.
+    Patch by Victor Stinner.
+  - gh-110995: test_gdb: Fix detection of gdb built without Python
+    scripting support. Patch by Victor Stinner.
+  - gh-110918: Test case matching patterns specified by options
+  - -match, --ignore, --matchfile and --ignorefile are now tested
+    in the order of specification, and the last match determines
+    whether the test case be run or ignored.
+  - gh-110647: Fix test_stress_modifying_handlers() of test_signal.
+    Patch by Victor Stinner.
+  - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
+    distclean” instead of “make clean” in the copied source
+    directory to remove also the “python” program. Patch by Victor
+    Stinner.
+  - gh-110167: Fix a deadlock in test_socket when server fails with
+    a timeout but the client is still running in its thread. Don’t
+    hold a lock to call cleanup functions in doCleanups(). One of
+    the cleanup function waits until the client completes, whereas
+    the client could deadlock if it called addCleanup() in such
+    situation. Patch by Victor Stinner.
+  - gh-110388: Add tests for tty.
+  - gh-81002: Add tests for termios.
+  - gh-110267: Add tests for pickling and copying PyStructSequence
+    objects. Patched by Xuehai Pan.
+  - gh-110031: Skip test_threading tests using thread+fork if Python
+    is built with Address Sanitizer (ASAN). Patch by Victor Stinner.
+  - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum
+    duration, a test should not measure a CI performance. Only
+    measure the minimum duration when a task has a timeout or delay.
+    Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner.
+  - gh-109974: Fix race conditions in test_threading lock tests.
+    Wait until a condition is met rather than using time.sleep()
+    with a hardcoded number of seconds. Patch by Victor Stinner.
+  - gh-110033: Fix test_interprocess_signal() of test_signal. Make
+    sure that the subprocess.Popen object is deleted before the test
+    raising an exception in a signal handler. Otherwise,
+    Popen.__del__() can get the exception which is logged as
+    Exception ignored in: ... and the test fails. Patch by Victor
+    Stinner.
+  - gh-109594: Fix test_timeout() of
+    test_concurrent_futures.test_wait. Remove the future which may
+    or may not complete depending if it takes longer than the
+    timeout ot not. Keep the second future which does not complete
+    before wait() timeout. Patch by Victor Stinner.
+  - gh-109972: Split test_gdb.py file into a test_gdb package made
+    of multiple tests, so tests can now be run in parallel. Patch by
+    Victor Stinner.
+  - gh-103053: Skip test_freeze_simple_script() of
+    test_tools.test_freeze if Python is built with ./configure
+  - -enable-optimizations, which means with Profile Guided
+    Optimization (PGO): it just makes the test too slow. The freeze
+    tool is tested by many other CIs with other (faster) compiler
+    flags. Patch by Victor Stinner.
+  - gh-109580: Skip test_perf_profiler if Python is built with ASAN,
+    MSAN or UBSAN sanitizer. Python does crash randomly in this test
+    on such build. Patch by Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-108927: Fixed order dependence in running tests in the same
+    process when a test that has submodules (e.g. test_importlib)
+    follows a test that imports its submodule (e.g.
+    test_importlib.util) and precedes a test (e.g. test_unittest or
+    test_compileall) that uses that submodule.
+  - Build
+  - gh-112088: Add Tools/build/regen-configure.sh script to
+    regenerate the configure with an Ubuntu container image. The
+    quay.io/tiran/cpython_autoconf:271 container image
+    (tiran/cpython_autoconf) is no longer used. Patch by Victor
+    Stinner.
+  - gh-111046: For wasi-threads, memory is now exported to fix
+    compatibility issues with some wasm runtimes.
+  - gh-103053: “make check-clean-src” now also checks if the
+    “python” program is found in the source directory: fail with an
+    error if it does exist. Patch by Victor Stinner.
+  - gh-109191: Fix compile error when building with recent versions
+    of libedit.
+  - IDLE
+  - bpo-35668: Add docstrings to the IDLE debugger module. Fix two
+    bugs: initialize Idb.botframe (should be in Bdb); in
+    Idb.in_rpc_code, check whether prev_frame is None before trying
+    to use it. Greatly expand test_debugger.
+  - C API
+  - gh-106560: Fix redundant declarations in the public C API.
+    Declare PyBool_Type and PyLong_Type only once. Patch by Victor
+    Stinner.
+  - gh-112438: Fix support of format units “es”, “et”, “es#”, and
+    “et#” in nested tuples in PyArg_ParseTuple()-like functions.
+  - gh-109521: PyImport_GetImporter() now sets RuntimeError if it
+    fails to get sys.path_hooks or sys.path_importer_cache or they
+    are not list and dict correspondingly. Previously it could
+    return NULL without setting error in obscure cases, crash or
+    raise SystemError if these attributes have wrong type.
+
python312:base
+- Update patch fix_configure_rst.patch
+- Update to 3.12.1 (CVE-2023-6507, bsc#1217939):
+  - Core and Builtins
+  - gh-112125: Fix None.__ne__(None) returning NotImplemented
+    instead of False
+  - gh-112625: Fixes a bug where a bytearray object could be
+    cleared while iterating over an argument in the
+    bytearray.join() method that could result in reading memory
+    after it was freed.
+  - gh-105967: Workaround a bug in Apple’s macOS platform zlib
+    library where zlib.crc32() and binascii.crc32() could produce
+    incorrect results on multi-gigabyte inputs. Including when
+    using zipfile on zips containing large data.
+  - gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode
+    instruction when optimized twice.
+  - gh-111058: Change coro.cr_frame/gen.gi_frame to return None
+    after the coroutine/generator has been closed. This fixes a bug
+    where getcoroutinestate() and getgeneratorstate() return the
+    wrong state for a closed coroutine/generator.
+  - gh-112388: Fix an error that was causing the parser to try to
+    overwrite tokenizer errors. Patch by pablo Galindo
+  - gh-112387: Fix error positions for decoded strings with
+    backwards tokenize errors. Patch by Pablo Galindo
+  - gh-112367: Avoid undefined behaviour when using the perf
+    trampolines by not freeing the code arenas until shutdown.
+    Patch by Pablo Galindo
+  - gh-112243: Don’t include comments in f-string debug
+    expressions. Patch by Pablo Galindo
+  - gh-112266: Change docstrings of __dict__ and __weakref__.
+  - gh-111654: Fix runtime crash when some error happens in opcode
+    LOAD_FROM_DICT_OR_DEREF.
+  - gh-109181: Speed up Traceback object creation by lazily compute
+    the line number. Patch by Pablo Galindo
+  - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
+    codecs read out of bounds
+  - gh-111366: Fix an issue in the codeop that was causing
+    SyntaxError exceptions raised in the presence of invalid syntax
+    to not contain precise error messages. Patch by Pablo Galindo
+  - gh-111380: Fix a bug that was causing SyntaxWarning to appear
+    twice when parsing if invalid syntax is encountered later.
+    Patch by Pablo galindo
+  - gh-94438: Fix a regression that prevented jumping across is
+    None and is not None when debugging. Patch by Savannah
+    Ostrowski.
+  - gh-110938: Fix error messages for indented blocks with
+    functions and classes with generic type parameters. Patch by
+    Pablo Galindo
+  - gh-109894: Fixed crash due to improperly initialized static
+    MemoryError in subinterpreter.
+  - gh-110782: Fix crash when typing.TypeVar is constructed with a
+    keyword argument. Patch by Jelle Zijlstra.
+  - gh-110696: Fix incorrect error message for invalid argument
+    unpacking. Patch by Pablo Galindo
+  - gh-110543: Fix regression in Python 3.12 where
+    types.CodeType.replace() would produce a broken code object if
+    called on a module or class code object that contains a
+    comprehension. Patch by Jelle Zijlstra.
+  - gh-110514: Add PY_THROW to sys.setprofile() events
+  - gh-110455: Guard assert(tstate->thread_id > 0) with #ifndef
+    HAVE_PTHREAD_STUBS. This allows for for pydebug builds to work
+    under WASI which (currently) lacks thread support.
+  - gh-110259: Correctly identify the format spec in f-strings
+    (with single or triple quotes) that have multiple lines in the
+    expression part and include a formatting spec. Patch by Pablo
+    Galindo
+  - gh-110237: Fix missing error checks for calls to PyList_Append
+    in _PyEval_MatchClass.
+  - gh-109889: Fix the compiler’s redundant NOP detection algorithm
+    to skip over NOPs with no line number when looking for the next
+    instruction’s lineno.
+  - gh-109853: sys.path[0] is now set correctly for
+    subinterpreters.
+  - gh-105716: Subinterpreters now correctly handle the case where
+    they have threads running in the background. Before, such
+    threads would interfere with cleaning up and destroying them,
+    as well as prevent running another script.
+  - gh-109793: The main thread no longer exits prematurely when a
+    subinterpreter is cleaned up during runtime finalization. The
+    bug was a problem particularly because, when triggered, the
+    Python process would always return with a 0 exitcode, even if
+    it failed.
+  - gh-109596: Fix some tokens in the grammar that were incorrectly
+    marked as soft keywords. Also fix some repeated rule names and
+    ensure that repeated rules are not allowed. Patch by Pablo
+    Galindo
+  - gh-109351: Fix crash when compiling an invalid AST involving a
+    named (walrus) expression.
+  - gh-109216: Fix possible memory leak in BUILD_MAP.
+  - gh-109207: Fix a SystemError in __repr__ of symtable entry
+    object.
+  - gh-109179: Fix bug where the C traceback display drops notes
+    from SyntaxError.
+  - gh-109052: Use the base opcode when comparing code objects to
+    avoid interference from instrumentation
+  - gh-88943: Improve syntax error for non-ASCII character that
+    follows a numerical literal. It now points on the invalid
+    non-ASCII character, not on the valid numerical literal.
+  - gh-106931: Statically allocated string objects are now interned
+    globally instead of per-interpreter. This fixes a situation
+    where such a string would only be interned in a single
+    interpreter. Normal string objects are unaffected.
+  - Library
+  - gh-79325: Fix an infinite recursion error in
+    tempfile.TemporaryDirectory() cleanup on Windows.
+  - gh-112645: Remove deprecation error on passing onerror to
+    shutil.rmtree().
+  - gh-112618: Fix a caching bug relating to typing.Annotated.
+    Annotated[str, True] is no longer identical to Annotated[str,
+    1].
+  - gh-112334: Fixed a performance regression in 3.12’s subprocess
+    on Linux where it would no longer use the fast-path vfork()
+    system call when it should have due to a logic bug, instead
+    always falling back to the safe but slower fork().
+  - Also fixed a related 3.12 security regression: If a value of
+    extra_groups=[] was passed to subprocess.Popen or related APIs,
+    the underlying setgroups(0, NULL) system call to clear the
+    groups list would not be made in the child process prior to
+    exec(). This has been assigned CVE-2023-6507.
+  - This was identified via code inspection in the process of fixing
+    the first bug.
+  - gh-110190: Fix ctypes structs with array on Arm platform by
+    setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
+  - gh-112578: Fix a spurious RuntimeWarning when executing the
+    zipfile module.
+  - gh-112509: Fix edge cases that could cause a key to be present
+    in both the __required_keys__ and __optional_keys__ attributes
+    of a typing.TypedDict. Patch by Jelle Zijlstra.
+  - gh-112414: Fix regression in Python 3.12 where calling repr() on
+    a module that had been imported using a custom loader could fail
+    with AttributeError. Patch by Alex Waygood.
+  - gh-112358: Revert change to struct.Struct initialization that
+    broke some cases of subclassing.
+  - gh-94722: Fix bug where comparison between instances of DocTest
+    fails if one of them has None as its lineno.
+  - gh-112105: Make readline.set_completer_delims() work with
+    libedit
+  - gh-111942: Fix SystemError in the TextIOWrapper constructor with
+    non-encodable “errors” argument in non-debug mode.
+  - gh-109538: Issue warning message instead of having RuntimeError
+    be displayed when event loop has already been closed at
+    StreamWriter.__del__().
+  - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
+    pass invalid arguments, e.g. non-string encoding.
+  - gh-111460: curses: restore wide character support (including
+    curses.unget_wch() and get_wch()) on macOS, which was
+    unavailable due to a regression in Python 3.12.
+  - gh-103791: contextlib.suppress now supports suppressing
+    exceptions raised as part of a BaseExceptionGroup, in addition
+    to the recent support for ExceptionGroup.
+  - gh-111804: Remove posix.fallocate() under WASI as the underlying
+    posix_fallocate() is not available in WASI preview2.
+  - gh-111841: Fix truncating arguments on an embedded null
+    character in os.putenv() and os.unsetenv() on Windows.
+  - gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
+  - gh-110894: Call loop exception handler for exceptions in
+    client_connected_cb of asyncio.start_server() so that
+    applications can handle it. Patch by Kumar Aditya.
+  - gh-111531: Fix reference leaks in bind_class() and bind_all()
+    methods of tkinter widgets.
+  - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
+    io.IncrementalNewlineDecoder to io.__all__.
+  - gh-111342: Fixed typo in math.sumprod().
+  - gh-68166: Remove mention of not supported “vsapi” element type
+    in tkinter.ttk.Style.element_create(). Add tests for
+    element_create() and other ttk.Style methods. Add examples for
+    element_create() in the documentation.
+  - gh-75666: Fix the behavior of tkinter widget’s unbind() method
+    with two arguments. Previously, widget.unbind(sequence, funcid)
+    destroyed the current binding for sequence, leaving sequence
+    unbound, and deleted the funcid command. Now it removes only
+    funcid from the binding for sequence, keeping other commands,
+    and deletes the funcid command. It leaves sequence unbound only
+    if funcid was the last bound command.
+  - gh-79033: Another attempt at fixing
+    asyncio.Server.wait_closed(). It now blocks until both
+    conditions are true: the server is closed, and there are no more
+    active connections. (This means that in some cases where in
+    3.12.0 this function would incorrectly have returned
+    immediately, it will now block; in particular, when there are no
+    active connections but the server hasn’t been closed yet.)
+  - gh-111295: Fix time not checking for errors when initializing.
+  - gh-111253: Add error checking during _socket module init.
+  - gh-111251: Fix _blake2 not checking for errors when
+    initializing.
+  - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
+    for empty BytesIO.
+  - gh-111187: Postpone removal version for
+    locale.getdefaultlocale() to Python 3.15.
+  - gh-111159: Fix doctest output comparison for exceptions with
+    notes.
+  - gh-110910: Fix invalid state handling in asyncio.TaskGroup and
+    asyncio.Timeout. They now raise proper RuntimeError if they are
+    improperly used and are left in consistent state after this.
+  - gh-111092: Make turtledemo run without default root enabled.
+  - gh-110488: Fix a couple of issues in
+    pathlib.PurePath.with_name(): a single dot was incorrectly
+    considered a valid name, and in PureWindowsPath, a name with an
+    NTFS alternate data stream, like a:b, was incorrectly considered
+    invalid.
+  - gh-110392: Fix tty.setraw() and tty.setcbreak(): previously they
+    returned partially modified list of the original tty attributes.
+    tty.cfmakeraw() and tty.cfmakecbreak() now make a copy of the
+    list of special characters before modifying it.
+  - gh-110590: Fix a bug in _sre.compile() where TypeError would be
+    overwritten by OverflowError when the code argument was a list
+    of non-ints.
+  - gh-65052: Prevent pdb from crashing when trying to display
+    undisplayable objects
+  - gh-110519: Deprecation warning about non-integer number in
+    gettext now alwais refers to the line in the user code where
+    gettext function or method is used. Previously it could refer to
+    a line in gettext code.
+  - gh-110395: Ensure that select.kqueue() objects correctly appear
+    as closed in forked children, to prevent operations on an
+    invalid file descriptor.
+  - gh-110378: contextmanager() and asynccontextmanager() context
+    managers now close an invalid underlying generator object that
+    yields more then one value.
+  - gh-110365: Fix termios.tcsetattr() bug that was overwritting
+    existing errors during parsing integers from term list.
+  - gh-109653: Fix a Python 3.12 regression in the import time of
+    random. Patch by Alex Waygood.
+  - gh-110196: Add __reduce__ method to IPv6Address in order to keep
+    scope_id
+  - gh-110036: On Windows, multiprocessing Popen.terminate() now
+    catchs PermissionError and get the process exit code. If the
+    process is still running, raise again the PermissionError.
+    Otherwise, the process terminated as expected: store its exit
+    code. Patch by Victor Stinner.
+  - gh-110038: Fixed an issue that caused KqueueSelector.select() to
+    not return all the ready events in some cases when a file
+    descriptor is registered for both read and write.
+  - gh-109631: re functions such as re.findall(), re.split(),
+    re.search() and re.sub() which perform short repeated matches
+    can now be interrupted by user.
+  - gh-109747: Improve errors for unsupported look-behind patterns.
+    Now re.error is raised instead of OverflowError or RuntimeError
+    for too large width of look-behind pattern.
+  - gh-109818: Fix reprlib.recursive_repr() not copying
+    __type_params__ from decorated function.
+  - gh-109047: concurrent.futures: The executor manager thread now
+    catches exceptions when adding an item to the call queue. During
+    Python finalization, creating a new thread can now raise
+    RuntimeError. Catch the exception and call terminate_broken() in
+    this case. Patch by Victor Stinner.
+  - gh-109782: Ensure the signature of os.path.isdir() is identical
+    on all platforms. Patch by Amin Alaee.
+  - gh-109590: shutil.which() will prefer files with an extension in
+    PATHEXT if the given mode includes os.X_OK on win32. If no
+    PATHEXT match is found, a file without an extension in PATHEXT
+    can be returned. This change will have shutil.which() act more
+    similarly to previous behavior in Python 3.11.
+  - gh-109786: Fix possible reference leaks and crash when re-enter
+    the __next__() method of itertools.pairwise.
+  - gh-109593: Avoid deadlocking on a reentrant call to the
+    multiprocessing resource tracker. Such a reentrant call, though
+    unlikely, can happen if a GC pass invokes the finalizer for a
+    multiprocessing object such as SemLock.
+  - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for
+    exceptions. Previously, on Python built in debug mode, these
+    functions could trigger a fatal Python error (and abort the
+    process) when a function succeeded with an exception set. Patch
+    by Victor Stinner.
+  - gh-109375: The pdb alias command now prevents registering
+    aliases without arguments.
+  - gh-107219: Fix a race condition in concurrent.futures. When a
+    process in the process pool was terminated abruptly (while the
+    future was running or pending), close the connection write end.
+    If the call queue is blocked on sending bytes to a worker
+    process, closing the connection write end interrupts the send,
+    so the queue can be closed. Patch by Victor Stinner.
+  - gh-50644: Attempts to pickle or create a shallow or deep copy of
+    codecs streams now raise a TypeError. Previously, copying failed
+    with a RecursionError, while pickling produced wrong results
+    that eventually caused unpickling to fail with a RecursionError.
+  - gh-108987: Fix _thread.start_new_thread() race condition. If a
+    thread is created during Python finalization, the newly spawned
+    thread now exits immediately instead of trying to access freed
+    memory and lead to a crash. Patch by Victor Stinner.
+  - gh-108791: Improved error handling in pdb command line
+    interface, making it produce more concise error messages.
+  - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock
+  - gh-106584: Fix exit code for unittest if all tests are skipped.
+    Patch by Egor Eliseev.
+  - gh-102956: Fix returning of empty byte strings after seek in
+    zipfile module
+  - gh-84867: unittest.TestLoader no longer loads test cases from
+    exact unittest.TestCase and unittest.FunctionTestCase classes.
+  - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
+    which now no longer dereferences symlinks when working around
+    file system permission errors.
+  - gh-73561: Omit the interface scope from an IPv6 address when
+    used as Host header by http.client.
+  - gh-86826: zipinfo now supports the full range of values in the
+    TZ string determined by RFC 8536 and detects all invalid
+    formats. Both Python and C implementations now raise exceptions
+    of the same type on invalid data.
+  - bpo-43153: On Windows, tempfile.TemporaryDirectory previously
+    masked a PermissionError with NotADirectoryError during
+    directory cleanup. It now correctly raises PermissionError if
+    errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
+  - bpo-35332: The shutil.rmtree() function now ignores errors when
+    calling os.close() when ignore_errors is True, and os.close() no
+    longer retried after error.
+  - bpo-41422: Fixed memory leaks of pickle.Pickler and
+    pickle.Unpickler involving cyclic references via the internal
+    memo mapping.
+  - bpo-40262: The ssl.SSLSocket.recv_into() method no longer
+    requires the buffer argument to implement __len__ and supports
+    buffers with arbitrary item size.
+  - Documentation
+  - gh-111699: Relocate smtpd deprecation notice to its own section
+    rather than under locale in What’s New in Python 3.12 document
+  - gh-108826: dis module command-line interface is now mentioned in
+    documentation. Test- s
+  - gh-112769: The tests now correctly compare zlib version when
+    zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
+    example zlib-ng defines the version as 1.3.0.zlib-ng.
+  - gh-110367: Make regrtest --verbose3 option compatible with
+  - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3
+  - -verbose3 command now works as expected. Patch by Victor
+    Stinner.
+  - gh-111165: Remove no longer used functions run_unittest() and
+    run_doctest() from the test.support module.
+  - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
+    variable is defined: use the variable value as the random seed.
+    Patch by Victor Stinner.
+  - gh-110995: test_gdb: Fix detection of gdb built without Python
+    scripting support. Patch by Victor Stinner.
+  - gh-110918: Test case matching patterns specified by options
+  - -match, --ignore, --matchfile and --ignorefile are now tested
+    in the order of specification, and the last match determines
+    whether the test case be run or ignored.
+  - gh-110647: Fix test_stress_modifying_handlers() of test_signal.
+    Patch by Victor Stinner.
+  - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
+    distclean” instead of “make clean” in the copied source
+    directory to remove also the “python” program. Patch by Victor
+    Stinner.
+  - gh-110167: Fix a deadlock in test_socket when server fails with
+    a timeout but the client is still running in its thread. Don’t
+    hold a lock to call cleanup functions in doCleanups(). One of
+    the cleanup function waits until the client completes, whereas
+    the client could deadlock if it called addCleanup() in such
+    situation. Patch by Victor Stinner.
+  - gh-110388: Add tests for tty.
+  - gh-81002: Add tests for termios.
+  - gh-110267: Add tests for pickling and copying PyStructSequence
+    objects. Patched by Xuehai Pan.
+  - gh-110031: Skip test_threading tests using thread+fork if Python
+    is built with Address Sanitizer (ASAN). Patch by Victor Stinner.
+  - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum
+    duration, a test should not measure a CI performance. Only
+    measure the minimum duration when a task has a timeout or delay.
+    Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner.
+  - gh-109974: Fix race conditions in test_threading lock tests.
+    Wait until a condition is met rather than using time.sleep()
+    with a hardcoded number of seconds. Patch by Victor Stinner.
+  - gh-110033: Fix test_interprocess_signal() of test_signal. Make
+    sure that the subprocess.Popen object is deleted before the test
+    raising an exception in a signal handler. Otherwise,
+    Popen.__del__() can get the exception which is logged as
+    Exception ignored in: ... and the test fails. Patch by Victor
+    Stinner.
+  - gh-109594: Fix test_timeout() of
+    test_concurrent_futures.test_wait. Remove the future which may
+    or may not complete depending if it takes longer than the
+    timeout ot not. Keep the second future which does not complete
+    before wait() timeout. Patch by Victor Stinner.
+  - gh-109972: Split test_gdb.py file into a test_gdb package made
+    of multiple tests, so tests can now be run in parallel. Patch by
+    Victor Stinner.
+  - gh-103053: Skip test_freeze_simple_script() of
+    test_tools.test_freeze if Python is built with ./configure
+  - -enable-optimizations, which means with Profile Guided
+    Optimization (PGO): it just makes the test too slow. The freeze
+    tool is tested by many other CIs with other (faster) compiler
+    flags. Patch by Victor Stinner.
+  - gh-109580: Skip test_perf_profiler if Python is built with ASAN,
+    MSAN or UBSAN sanitizer. Python does crash randomly in this test
+    on such build. Patch by Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-108927: Fixed order dependence in running tests in the same
+    process when a test that has submodules (e.g. test_importlib)
+    follows a test that imports its submodule (e.g.
+    test_importlib.util) and precedes a test (e.g. test_unittest or
+    test_compileall) that uses that submodule.
+  - Build
+  - gh-112088: Add Tools/build/regen-configure.sh script to
+    regenerate the configure with an Ubuntu container image. The
+    quay.io/tiran/cpython_autoconf:271 container image
+    (tiran/cpython_autoconf) is no longer used. Patch by Victor
+    Stinner.
+  - gh-111046: For wasi-threads, memory is now exported to fix
+    compatibility issues with some wasm runtimes.
+  - gh-103053: “make check-clean-src” now also checks if the
+    “python” program is found in the source directory: fail with an
+    error if it does exist. Patch by Victor Stinner.
+  - gh-109191: Fix compile error when building with recent versions
+    of libedit.
+  - IDLE
+  - bpo-35668: Add docstrings to the IDLE debugger module. Fix two
+    bugs: initialize Idb.botframe (should be in Bdb); in
+    Idb.in_rpc_code, check whether prev_frame is None before trying
+    to use it. Greatly expand test_debugger.
+  - C API
+  - gh-106560: Fix redundant declarations in the public C API.
+    Declare PyBool_Type and PyLong_Type only once. Patch by Victor
+    Stinner.
+  - gh-112438: Fix support of format units “es”, “et”, “es#”, and
+    “et#” in nested tuples in PyArg_ParseTuple()-like functions.
+  - gh-109521: PyImport_GetImporter() now sets RuntimeError if it
+    fails to get sys.path_hooks or sys.path_importer_cache or they
+    are not list and dict correspondingly. Previously it could
+    return NULL without setting error in obscure cases, crash or
+    raise SystemError if these attributes have wrong type.
+
python312:doc
+- Update patch fix_configure_rst.patch
+- Update to 3.12.1 (CVE-2023-6507, bsc#1217939):
+  - Core and Builtins
+  - gh-112125: Fix None.__ne__(None) returning NotImplemented
+    instead of False
+  - gh-112625: Fixes a bug where a bytearray object could be
+    cleared while iterating over an argument in the
+    bytearray.join() method that could result in reading memory
+    after it was freed.
+  - gh-105967: Workaround a bug in Apple’s macOS platform zlib
+    library where zlib.crc32() and binascii.crc32() could produce
+    incorrect results on multi-gigabyte inputs. Including when
+    using zipfile on zips containing large data.
+  - gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode
+    instruction when optimized twice.
+  - gh-111058: Change coro.cr_frame/gen.gi_frame to return None
+    after the coroutine/generator has been closed. This fixes a bug
+    where getcoroutinestate() and getgeneratorstate() return the
+    wrong state for a closed coroutine/generator.
+  - gh-112388: Fix an error that was causing the parser to try to
+    overwrite tokenizer errors. Patch by pablo Galindo
+  - gh-112387: Fix error positions for decoded strings with
+    backwards tokenize errors. Patch by Pablo Galindo
+  - gh-112367: Avoid undefined behaviour when using the perf
+    trampolines by not freeing the code arenas until shutdown.
+    Patch by Pablo Galindo
+  - gh-112243: Don’t include comments in f-string debug
+    expressions. Patch by Pablo Galindo
+  - gh-112266: Change docstrings of __dict__ and __weakref__.
+  - gh-111654: Fix runtime crash when some error happens in opcode
+    LOAD_FROM_DICT_OR_DEREF.
+  - gh-109181: Speed up Traceback object creation by lazily compute
+    the line number. Patch by Pablo Galindo
+  - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
+    codecs read out of bounds
+  - gh-111366: Fix an issue in the codeop that was causing
+    SyntaxError exceptions raised in the presence of invalid syntax
+    to not contain precise error messages. Patch by Pablo Galindo
+  - gh-111380: Fix a bug that was causing SyntaxWarning to appear
+    twice when parsing if invalid syntax is encountered later.
+    Patch by Pablo galindo
+  - gh-94438: Fix a regression that prevented jumping across is
+    None and is not None when debugging. Patch by Savannah
+    Ostrowski.
+  - gh-110938: Fix error messages for indented blocks with
+    functions and classes with generic type parameters. Patch by
+    Pablo Galindo
+  - gh-109894: Fixed crash due to improperly initialized static
+    MemoryError in subinterpreter.
+  - gh-110782: Fix crash when typing.TypeVar is constructed with a
+    keyword argument. Patch by Jelle Zijlstra.
+  - gh-110696: Fix incorrect error message for invalid argument
+    unpacking. Patch by Pablo Galindo
+  - gh-110543: Fix regression in Python 3.12 where
+    types.CodeType.replace() would produce a broken code object if
+    called on a module or class code object that contains a
+    comprehension. Patch by Jelle Zijlstra.
+  - gh-110514: Add PY_THROW to sys.setprofile() events
+  - gh-110455: Guard assert(tstate->thread_id > 0) with #ifndef
+    HAVE_PTHREAD_STUBS. This allows for for pydebug builds to work
+    under WASI which (currently) lacks thread support.
+  - gh-110259: Correctly identify the format spec in f-strings
+    (with single or triple quotes) that have multiple lines in the
+    expression part and include a formatting spec. Patch by Pablo
+    Galindo
+  - gh-110237: Fix missing error checks for calls to PyList_Append
+    in _PyEval_MatchClass.
+  - gh-109889: Fix the compiler’s redundant NOP detection algorithm
+    to skip over NOPs with no line number when looking for the next
+    instruction’s lineno.
+  - gh-109853: sys.path[0] is now set correctly for
+    subinterpreters.
+  - gh-105716: Subinterpreters now correctly handle the case where
+    they have threads running in the background. Before, such
+    threads would interfere with cleaning up and destroying them,
+    as well as prevent running another script.
+  - gh-109793: The main thread no longer exits prematurely when a
+    subinterpreter is cleaned up during runtime finalization. The
+    bug was a problem particularly because, when triggered, the
+    Python process would always return with a 0 exitcode, even if
+    it failed.
+  - gh-109596: Fix some tokens in the grammar that were incorrectly
+    marked as soft keywords. Also fix some repeated rule names and
+    ensure that repeated rules are not allowed. Patch by Pablo
+    Galindo
+  - gh-109351: Fix crash when compiling an invalid AST involving a
+    named (walrus) expression.
+  - gh-109216: Fix possible memory leak in BUILD_MAP.
+  - gh-109207: Fix a SystemError in __repr__ of symtable entry
+    object.
+  - gh-109179: Fix bug where the C traceback display drops notes
+    from SyntaxError.
+  - gh-109052: Use the base opcode when comparing code objects to
+    avoid interference from instrumentation
+  - gh-88943: Improve syntax error for non-ASCII character that
+    follows a numerical literal. It now points on the invalid
+    non-ASCII character, not on the valid numerical literal.
+  - gh-106931: Statically allocated string objects are now interned
+    globally instead of per-interpreter. This fixes a situation
+    where such a string would only be interned in a single
+    interpreter. Normal string objects are unaffected.
+  - Library
+  - gh-79325: Fix an infinite recursion error in
+    tempfile.TemporaryDirectory() cleanup on Windows.
+  - gh-112645: Remove deprecation error on passing onerror to
+    shutil.rmtree().
+  - gh-112618: Fix a caching bug relating to typing.Annotated.
+    Annotated[str, True] is no longer identical to Annotated[str,
+    1].
+  - gh-112334: Fixed a performance regression in 3.12’s subprocess
+    on Linux where it would no longer use the fast-path vfork()
+    system call when it should have due to a logic bug, instead
+    always falling back to the safe but slower fork().
+  - Also fixed a related 3.12 security regression: If a value of
+    extra_groups=[] was passed to subprocess.Popen or related APIs,
+    the underlying setgroups(0, NULL) system call to clear the
+    groups list would not be made in the child process prior to
+    exec(). This has been assigned CVE-2023-6507.
+  - This was identified via code inspection in the process of fixing
+    the first bug.
+  - gh-110190: Fix ctypes structs with array on Arm platform by
+    setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
+  - gh-112578: Fix a spurious RuntimeWarning when executing the
+    zipfile module.
+  - gh-112509: Fix edge cases that could cause a key to be present
+    in both the __required_keys__ and __optional_keys__ attributes
+    of a typing.TypedDict. Patch by Jelle Zijlstra.
+  - gh-112414: Fix regression in Python 3.12 where calling repr() on
+    a module that had been imported using a custom loader could fail
+    with AttributeError. Patch by Alex Waygood.
+  - gh-112358: Revert change to struct.Struct initialization that
+    broke some cases of subclassing.
+  - gh-94722: Fix bug where comparison between instances of DocTest
+    fails if one of them has None as its lineno.
+  - gh-112105: Make readline.set_completer_delims() work with
+    libedit
+  - gh-111942: Fix SystemError in the TextIOWrapper constructor with
+    non-encodable “errors” argument in non-debug mode.
+  - gh-109538: Issue warning message instead of having RuntimeError
+    be displayed when event loop has already been closed at
+    StreamWriter.__del__().
+  - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
+    pass invalid arguments, e.g. non-string encoding.
+  - gh-111460: curses: restore wide character support (including
+    curses.unget_wch() and get_wch()) on macOS, which was
+    unavailable due to a regression in Python 3.12.
+  - gh-103791: contextlib.suppress now supports suppressing
+    exceptions raised as part of a BaseExceptionGroup, in addition
+    to the recent support for ExceptionGroup.
+  - gh-111804: Remove posix.fallocate() under WASI as the underlying
+    posix_fallocate() is not available in WASI preview2.
+  - gh-111841: Fix truncating arguments on an embedded null
+    character in os.putenv() and os.unsetenv() on Windows.
+  - gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
+  - gh-110894: Call loop exception handler for exceptions in
+    client_connected_cb of asyncio.start_server() so that
+    applications can handle it. Patch by Kumar Aditya.
+  - gh-111531: Fix reference leaks in bind_class() and bind_all()
+    methods of tkinter widgets.
+  - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
+    io.IncrementalNewlineDecoder to io.__all__.
+  - gh-111342: Fixed typo in math.sumprod().
+  - gh-68166: Remove mention of not supported “vsapi” element type
+    in tkinter.ttk.Style.element_create(). Add tests for
+    element_create() and other ttk.Style methods. Add examples for
+    element_create() in the documentation.
+  - gh-75666: Fix the behavior of tkinter widget’s unbind() method
+    with two arguments. Previously, widget.unbind(sequence, funcid)
+    destroyed the current binding for sequence, leaving sequence
+    unbound, and deleted the funcid command. Now it removes only
+    funcid from the binding for sequence, keeping other commands,
+    and deletes the funcid command. It leaves sequence unbound only
+    if funcid was the last bound command.
+  - gh-79033: Another attempt at fixing
+    asyncio.Server.wait_closed(). It now blocks until both
+    conditions are true: the server is closed, and there are no more
+    active connections. (This means that in some cases where in
+    3.12.0 this function would incorrectly have returned
+    immediately, it will now block; in particular, when there are no
+    active connections but the server hasn’t been closed yet.)
+  - gh-111295: Fix time not checking for errors when initializing.
+  - gh-111253: Add error checking during _socket module init.
+  - gh-111251: Fix _blake2 not checking for errors when
+    initializing.
+  - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
+    for empty BytesIO.
+  - gh-111187: Postpone removal version for
+    locale.getdefaultlocale() to Python 3.15.
+  - gh-111159: Fix doctest output comparison for exceptions with
+    notes.
+  - gh-110910: Fix invalid state handling in asyncio.TaskGroup and
+    asyncio.Timeout. They now raise proper RuntimeError if they are
+    improperly used and are left in consistent state after this.
+  - gh-111092: Make turtledemo run without default root enabled.
+  - gh-110488: Fix a couple of issues in
+    pathlib.PurePath.with_name(): a single dot was incorrectly
+    considered a valid name, and in PureWindowsPath, a name with an
+    NTFS alternate data stream, like a:b, was incorrectly considered
+    invalid.
+  - gh-110392: Fix tty.setraw() and tty.setcbreak(): previously they
+    returned partially modified list of the original tty attributes.
+    tty.cfmakeraw() and tty.cfmakecbreak() now make a copy of the
+    list of special characters before modifying it.
+  - gh-110590: Fix a bug in _sre.compile() where TypeError would be
+    overwritten by OverflowError when the code argument was a list
+    of non-ints.
+  - gh-65052: Prevent pdb from crashing when trying to display
+    undisplayable objects
+  - gh-110519: Deprecation warning about non-integer number in
+    gettext now alwais refers to the line in the user code where
+    gettext function or method is used. Previously it could refer to
+    a line in gettext code.
+  - gh-110395: Ensure that select.kqueue() objects correctly appear
+    as closed in forked children, to prevent operations on an
+    invalid file descriptor.
+  - gh-110378: contextmanager() and asynccontextmanager() context
+    managers now close an invalid underlying generator object that
+    yields more then one value.
+  - gh-110365: Fix termios.tcsetattr() bug that was overwritting
+    existing errors during parsing integers from term list.
+  - gh-109653: Fix a Python 3.12 regression in the import time of
+    random. Patch by Alex Waygood.
+  - gh-110196: Add __reduce__ method to IPv6Address in order to keep
+    scope_id
+  - gh-110036: On Windows, multiprocessing Popen.terminate() now
+    catchs PermissionError and get the process exit code. If the
+    process is still running, raise again the PermissionError.
+    Otherwise, the process terminated as expected: store its exit
+    code. Patch by Victor Stinner.
+  - gh-110038: Fixed an issue that caused KqueueSelector.select() to
+    not return all the ready events in some cases when a file
+    descriptor is registered for both read and write.
+  - gh-109631: re functions such as re.findall(), re.split(),
+    re.search() and re.sub() which perform short repeated matches
+    can now be interrupted by user.
+  - gh-109747: Improve errors for unsupported look-behind patterns.
+    Now re.error is raised instead of OverflowError or RuntimeError
+    for too large width of look-behind pattern.
+  - gh-109818: Fix reprlib.recursive_repr() not copying
+    __type_params__ from decorated function.
+  - gh-109047: concurrent.futures: The executor manager thread now
+    catches exceptions when adding an item to the call queue. During
+    Python finalization, creating a new thread can now raise
+    RuntimeError. Catch the exception and call terminate_broken() in
+    this case. Patch by Victor Stinner.
+  - gh-109782: Ensure the signature of os.path.isdir() is identical
+    on all platforms. Patch by Amin Alaee.
+  - gh-109590: shutil.which() will prefer files with an extension in
+    PATHEXT if the given mode includes os.X_OK on win32. If no
+    PATHEXT match is found, a file without an extension in PATHEXT
+    can be returned. This change will have shutil.which() act more
+    similarly to previous behavior in Python 3.11.
+  - gh-109786: Fix possible reference leaks and crash when re-enter
+    the __next__() method of itertools.pairwise.
+  - gh-109593: Avoid deadlocking on a reentrant call to the
+    multiprocessing resource tracker. Such a reentrant call, though
+    unlikely, can happen if a GC pass invokes the finalizer for a
+    multiprocessing object such as SemLock.
+  - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for
+    exceptions. Previously, on Python built in debug mode, these
+    functions could trigger a fatal Python error (and abort the
+    process) when a function succeeded with an exception set. Patch
+    by Victor Stinner.
+  - gh-109375: The pdb alias command now prevents registering
+    aliases without arguments.
+  - gh-107219: Fix a race condition in concurrent.futures. When a
+    process in the process pool was terminated abruptly (while the
+    future was running or pending), close the connection write end.
+    If the call queue is blocked on sending bytes to a worker
+    process, closing the connection write end interrupts the send,
+    so the queue can be closed. Patch by Victor Stinner.
+  - gh-50644: Attempts to pickle or create a shallow or deep copy of
+    codecs streams now raise a TypeError. Previously, copying failed
+    with a RecursionError, while pickling produced wrong results
+    that eventually caused unpickling to fail with a RecursionError.
+  - gh-108987: Fix _thread.start_new_thread() race condition. If a
+    thread is created during Python finalization, the newly spawned
+    thread now exits immediately instead of trying to access freed
+    memory and lead to a crash. Patch by Victor Stinner.
+  - gh-108791: Improved error handling in pdb command line
+    interface, making it produce more concise error messages.
+  - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock
+  - gh-106584: Fix exit code for unittest if all tests are skipped.
+    Patch by Egor Eliseev.
+  - gh-102956: Fix returning of empty byte strings after seek in
+    zipfile module
+  - gh-84867: unittest.TestLoader no longer loads test cases from
+    exact unittest.TestCase and unittest.FunctionTestCase classes.
+  - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
+    which now no longer dereferences symlinks when working around
+    file system permission errors.
+  - gh-73561: Omit the interface scope from an IPv6 address when
+    used as Host header by http.client.
+  - gh-86826: zipinfo now supports the full range of values in the
+    TZ string determined by RFC 8536 and detects all invalid
+    formats. Both Python and C implementations now raise exceptions
+    of the same type on invalid data.
+  - bpo-43153: On Windows, tempfile.TemporaryDirectory previously
+    masked a PermissionError with NotADirectoryError during
+    directory cleanup. It now correctly raises PermissionError if
+    errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
+  - bpo-35332: The shutil.rmtree() function now ignores errors when
+    calling os.close() when ignore_errors is True, and os.close() no
+    longer retried after error.
+  - bpo-41422: Fixed memory leaks of pickle.Pickler and
+    pickle.Unpickler involving cyclic references via the internal
+    memo mapping.
+  - bpo-40262: The ssl.SSLSocket.recv_into() method no longer
+    requires the buffer argument to implement __len__ and supports
+    buffers with arbitrary item size.
+  - Documentation
+  - gh-111699: Relocate smtpd deprecation notice to its own section
+    rather than under locale in What’s New in Python 3.12 document
+  - gh-108826: dis module command-line interface is now mentioned in
+    documentation. Test- s
+  - gh-112769: The tests now correctly compare zlib version when
+    zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
+    example zlib-ng defines the version as 1.3.0.zlib-ng.
+  - gh-110367: Make regrtest --verbose3 option compatible with
+  - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3
+  - -verbose3 command now works as expected. Patch by Victor
+    Stinner.
+  - gh-111165: Remove no longer used functions run_unittest() and
+    run_doctest() from the test.support module.
+  - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
+    variable is defined: use the variable value as the random seed.
+    Patch by Victor Stinner.
+  - gh-110995: test_gdb: Fix detection of gdb built without Python
+    scripting support. Patch by Victor Stinner.
+  - gh-110918: Test case matching patterns specified by options
+  - -match, --ignore, --matchfile and --ignorefile are now tested
+    in the order of specification, and the last match determines
+    whether the test case be run or ignored.
+  - gh-110647: Fix test_stress_modifying_handlers() of test_signal.
+    Patch by Victor Stinner.
+  - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
+    distclean” instead of “make clean” in the copied source
+    directory to remove also the “python” program. Patch by Victor
+    Stinner.
+  - gh-110167: Fix a deadlock in test_socket when server fails with
+    a timeout but the client is still running in its thread. Don’t
+    hold a lock to call cleanup functions in doCleanups(). One of
+    the cleanup function waits until the client completes, whereas
+    the client could deadlock if it called addCleanup() in such
+    situation. Patch by Victor Stinner.
+  - gh-110388: Add tests for tty.
+  - gh-81002: Add tests for termios.
+  - gh-110267: Add tests for pickling and copying PyStructSequence
+    objects. Patched by Xuehai Pan.
+  - gh-110031: Skip test_threading tests using thread+fork if Python
+    is built with Address Sanitizer (ASAN). Patch by Victor Stinner.
+  - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum
+    duration, a test should not measure a CI performance. Only
+    measure the minimum duration when a task has a timeout or delay.
+    Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner.
+  - gh-109974: Fix race conditions in test_threading lock tests.
+    Wait until a condition is met rather than using time.sleep()
+    with a hardcoded number of seconds. Patch by Victor Stinner.
+  - gh-110033: Fix test_interprocess_signal() of test_signal. Make
+    sure that the subprocess.Popen object is deleted before the test
+    raising an exception in a signal handler. Otherwise,
+    Popen.__del__() can get the exception which is logged as
+    Exception ignored in: ... and the test fails. Patch by Victor
+    Stinner.
+  - gh-109594: Fix test_timeout() of
+    test_concurrent_futures.test_wait. Remove the future which may
+    or may not complete depending if it takes longer than the
+    timeout ot not. Keep the second future which does not complete
+    before wait() timeout. Patch by Victor Stinner.
+  - gh-109972: Split test_gdb.py file into a test_gdb package made
+    of multiple tests, so tests can now be run in parallel. Patch by
+    Victor Stinner.
+  - gh-103053: Skip test_freeze_simple_script() of
+    test_tools.test_freeze if Python is built with ./configure
+  - -enable-optimizations, which means with Profile Guided
+    Optimization (PGO): it just makes the test too slow. The freeze
+    tool is tested by many other CIs with other (faster) compiler
+    flags. Patch by Victor Stinner.
+  - gh-109580: Skip test_perf_profiler if Python is built with ASAN,
+    MSAN or UBSAN sanitizer. Python does crash randomly in this test
+    on such build. Patch by Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-108927: Fixed order dependence in running tests in the same
+    process when a test that has submodules (e.g. test_importlib)
+    follows a test that imports its submodule (e.g.
+    test_importlib.util) and precedes a test (e.g. test_unittest or
+    test_compileall) that uses that submodule.
+  - Build
+  - gh-112088: Add Tools/build/regen-configure.sh script to
+    regenerate the configure with an Ubuntu container image. The
+    quay.io/tiran/cpython_autoconf:271 container image
+    (tiran/cpython_autoconf) is no longer used. Patch by Victor
+    Stinner.
+  - gh-111046: For wasi-threads, memory is now exported to fix
+    compatibility issues with some wasm runtimes.
+  - gh-103053: “make check-clean-src” now also checks if the
+    “python” program is found in the source directory: fail with an
+    error if it does exist. Patch by Victor Stinner.
+  - gh-109191: Fix compile error when building with recent versions
+    of libedit.
+  - IDLE
+  - bpo-35668: Add docstrings to the IDLE debugger module. Fix two
+    bugs: initialize Idb.botframe (should be in Bdb); in
+    Idb.in_rpc_code, check whether prev_frame is None before trying
+    to use it. Greatly expand test_debugger.
+  - C API
+  - gh-106560: Fix redundant declarations in the public C API.
+    Declare PyBool_Type and PyLong_Type only once. Patch by Victor
+    Stinner.
+  - gh-112438: Fix support of format units “es”, “et”, “es#”, and
+    “et#” in nested tuples in PyArg_ParseTuple()-like functions.
+  - gh-109521: PyImport_GetImporter() now sets RuntimeError if it
+    fails to get sys.path_hooks or sys.path_importer_cache or they
+    are not list and dict correspondingly. Previously it could
+    return NULL without setting error in obscure cases, crash or
+    raise SystemError if these attributes have wrong type.
+
qt6-webengine
+- Build with re2-10 even when re2-11 is available (bsc#1217257).
+  re2-11 pulls in system abseil which is incompatible with bundled abseil
+  causing build failure.
+
qt6-webengine:docs
+- Build with re2-10 even when re2-11 is available (bsc#1217257).
+  re2-11 pulls in system abseil which is incompatible with bundled abseil
+  causing build failure.
+
rabbitmq-server
+- Introduce HTTP request body limit for definition uploads (CVE-2023-46118,
+  bsc#1216582)
+  * fix-CVE-2023-46118-0.patch
+  * fix-CVE-2023-46118-1.patch
+
rasdaemon
+- Update to version 0.8.0.39.git+cfabd93 (jsc#PED-7381):
+  * rasdaemon: ras-mc-ctl: Modify check for HiSilicon KunPeng9xx error fields
+  * rasdaemon: Add Emerald Rapids support
+  * Add a space between "diskerror_event" and "store"
+  * rasdaemon: ras-mc-ctl: Add support to display the THead vendor errors
+  * rasdaemon: add support for THead Yitian non-standard error decoder
+  * rasdaemon: log non_standard_event at just one line
+  * rasdaemon: Fix SMCA bank type decoding
+  * rasdaemon: Identify the DIe Number in multidie system
+  * rasdaemon: Handle reassigned bit definitions for UMC bank
+  * rasdaemon: Add new MA_LLC, USR_DP, and USR_CP bank types.
+  * rasdaemon: Add support for post-processing MCA errors
+  * rasdaemon: Handle reassigned bit definitions for CS SMCA
+  * rasdaemon: Update SMCA bank error descriptions
+  * add ':' before error output
+  * Add label for mainboard: ASUSTeK COMPUTER INC. Model: Z9PH-D16 Series
+  * Add label for mainboard: GIGABYTE model MZ62-HD0-00
+  * Check CPUs online, not configured.
+  * rasdaemon: Add support for the CXL memory module events
+  * rasdaemon: Add support for the CXL dram events
+  * rasdaemon: Add support for the CXL general media events
+  * rasdaemon: Add support for the CXL generic events
+  * rasdaemon: Add support for the CXL overflow events
+  * rasdaemon: Add common function to get timestamp for the event
+  * rasdaemon: Add common function to convert timestamp in the CXL event records to the broken-down time format
+  * rasdaemon: Add support for creating the vendor error tables at startup
+  * rasdaemon: fix issue of signed and unsigned integer comparison and remove redundant header file
+  * rasdaemon: fix return value type issue of read/write function from unistd.h
+  * Rasdaemon: Fix autoreconf build error
+  * ras-events: quit loop in read_ras_event when kbuf data is broken
+
rdma-core
+- Update to v49.0 (jsc#PED-6891, jsc#PED-6864, jsc#PED-6839, jsc#PED-6836,
+    jsc#PED-6828, jsc#PED-6824, jsc#PED-6958, jsc#PED-6943, jsc#PED-6933, jsc#PED-6916)
+  - No release notes available.
+
restorecond
+- Update to version 3.5
+  * Code improvements, no user visible changes
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * Support parallel relabeling
+
+- Claim ownership for %{_sysconfdir}/selinux
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_restorecond.service.patch
+
+- Update to version 3.3
+  * No user visible changes
+
+- Update to version 3.2
+  * Fix a double-close of a file descriptor
+
scap-security-guide
+- ssg-fix-journald.patch: switch buggy journald plugindir remediation
+  to write into journald.conf. (bsc#1217832)
+
secvarctl
+- Update to version 1.0.0~rc3 (jsc#PED-5449):
+  * Guest/verify: fix misbehaviour of verify and write with -p
+  * Guest/generate: trustedcadb variable allow only CA certificates
+  * Guest/Verify: -w option allowed when use -u with -p
+  * guest/generate: fix potential null reference in pk/append special case
+
+- Update to version 1.0.0~rc2+git1.1f96bad:
+  * guest/read: return early if next esd cannot be parsed
+  * guest: Remove x509 SHA GUID functions and macros
+  * guest/generate: change --append option to be a boolean based on presence
+  * guest/read: allow paths with or without a trailing slash
+  * Makefile: Fix installation after source reorganization
+- Remove upstreamed secvarctl-install.patch
+
setools
-- require python3, not python (bsc#1200649)
+- Update to version 4.4.3:
+  * Fix compilation with Cython 3.0.0.
+  * Improve man pages.
+  * Remove neverallow options in sediff.
+  * Add -r option to seinfoflow to get flows into the source type.
+  * Reject a rule with no permissions as invalid policy.
+
+- Add python3-setuptools as a runtime requirement of python3-setools
+  (boo#1213305)
+
+- Update to version 4.4.2:
+  * Make NetworkX optional. sedta and seinfoflow tools, along with the
+    equivalent analyses in apol require NetworkX.
+  * Remove neverallow options in sesearch and apol. These are not usable
+    since they are removed in the final binary policy.
+- Drop make_networkx_optional.patch, now merged upstream
+
+- Update to version 4.4.1:
+  * Replace deprecated NetworkX function use in information flow and domain
+    transition analysis. This function was removed in NetworkX 3.0.
+  * Fix bug in apol copy and cut functions when copying from a tree view.
+  * Fix bug with extended permission set construction when a range includes
+    0x0.
+  * Add sesearch -Sp option for permission subset match.
+  * Fix error in man page description for sesearch -ep option.
+  * Improve output stability in constraint, common, class, role, and user
+    queries.
+  * Updated permission map.
+  * Fix bug in sechecker parsing of multiline values.
+  * Other code cleanups not visible to users.
+
+- Added README.SUSE and drop recommend for python3-networkx altogether
+  (bsc#1202676)
+
+- Add make_networkx_optional.patch to cut down installation requirements
+- Change python3-networkx from require into recommend
+
+- Fix dependency of python3-setools: require python3, not python
+  (which is python2) (bsc#1200649).
+
+- Update to the version 4.4.0:
+  * Added support for old Boolean name substitution in seinfo and sesearch.
+  * Added sechecker tool which is a configuration file driven analysis tool.
+
+- Stay on a single python3 flavor even if there are more than one
+  gh#openSUSE/python-rpm-macros#73
sg3_utils
+- Make sure initrd is rebuilt when sg3_utils is updated
+  (bsc#1215772)
+
+- Update to version 1.47+15.b6898b8:
+  * rescan-scsi-bus.sh: remove /tmp/rescan-scsi-mpath-info.txt
+  (gh#doug-gilbert/sg3_utils#44)
+  * rescan_scsi_bus.sh: fix multipath issue when called with -s and
+  without -u (bsc#1215720, bsc#1216355)
+
spacecmd
+- version 4.3.25-1
+  * Update translation strings
+
spotify-easyrpm
+- spotify now requires libayatana-appindicator3-1 installed to run
+
sssd
-- ldap password policy: return failure if there are no grace logins
-  left; (bsc#1214434); Add patch
-  0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch
-
-- Fix sssd entering failed state under heavy load by adding
-  watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
-  Add patch 0001-sssd-watchdog.patch
-
-- Fix build with MIT 1.20; Add patch
-  0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch
-
-- Fix sdap_access_host No matching host rule found;
-  (bsc#1202559); Add patch
-  0001-Fix-sdap_access_host-No-matching-host-rule-found.patch
-
-- Fix shell command injection in sssctl via the logs-fetch and
-  cache-expire subcommands; (CVE-2021-3621); (bsc#1189492); Add
-  0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch
-
-- Add 'ldap_ignore_unreadable_references' parameter to skip
-  unreadable objects referenced by 'member' attributte;
-  (bsc#1190775); (gh#SSSD/sssd#4893); Add patch
-  0001-ldap-ignore-unreadable-references.patch
-
-- Fix 32-bit libraries package. Libraries were moved from sssd to
-  sssd-common to fix bsc#1182058 and baselibs.conf was not updated
-  accordingly; (bsc#1196166);
+- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714);
+  * Remove package sssd-common, merged into sssd
+  * Continue building deprecated files provider and infopipe
+    responder
+  * Disable selinux and semanage
+  * Provide rcsssd shortcut
+
+- Fix spec file for Leap
+
+- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after
+  update (bsc#1216865)
+- Do not install the KRB5 IDP plugin, it is useless without the
+  OIDC child
+- Drop no longer valid --without-secrets configure switch
+
+- Update to release 2.9.3
+  * The proxy provider is now able to handle certificate mapping
+    and matching rules and users handled by the proxy provider can
+    be configured for local Smartcard authentication. Besides the
+    mapping rule local Smartcard authentication should be enabled
+    with the `local_auth_policy` option in the backend and with
+    `pam_cert_auth` in the PAM responder.
+
+- Offer the sssd.conf template as %doc (for examples, do actually
+  see the "Examples" section of the sssd.conf(5) manpage)
+
+- Update dependencies to require the same subpackages version and
+  release
+- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of
+  "%pre"
+- Move sss_analyze to sssd-tools package
+
+- Default config is unworkable, just stop installing it altogether
+  [boo#1216739]
+
+- Update to release 2.9.2
+  * sssctl cert-show and cert-show cert-eval-rule can now be run as
+    non-root user.
+  * New option local_auth_policy is added to control which offline
+    authentication methods will be enabled by SSSD.
+  * Fix sssd entering failed state under heavy load by adding
+    watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
+    Drop SLE patch 0001-sssd-watchdog.patch
+
+- Update to relese 2.9.1
+  * A regression was fixed that prevented autofs lookups to
+    function correctly when cache_first is set to True.
+  * A regression where SSSD failed to properly watch for changes
+    in ``/etc/resolv.conf`` when it was a symbolic link or was a
+    relative path, was fixed.
+  * ldap password policy: return failure if there are no grace logins
+    left; (bsc#1214434); Drop SLE patch
+    0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch
+
+- Update to release 2.9
+  * The sss_simpleifp library is deprecated (and for openSUSE,
+    already removed)
+  * The "Files provider" (i.e. id_provider = files) is deprecated
+    (and for openSUSE, already removed)
+  * SSSD will no longer warn about changed defaults when using
+    ldap_schema = rfc2307 and default autofs mapping.
+  * New passkey functionality, which will allow the use of FIDO2
+    compliant devices to authenticate a centrally managed user
+    locally.
+  * Add support for ldapi:// URLs to allow connections to local
+    LDAP servers.
+  * NSS IDMAP has two new methods: getsidbyusername and
+    getsidbygroupname.
+
+- Move dbus-1 system.d file to /usr (bsc#1207586)
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+- Take systemd units off the restart list that have
+  RefuseManualStart=yes [boo#1206592]
+- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166]
+
+- Update to release 2.8.2
+  * New mapping template for serial number, subject key id, SID,
+    certificate hashes and DN components are added to
+    libsss_certmap.
+
+- Update to release 2.8.1
+  * A regression when running sss_cache when no SSSD domain is
+    enabled would produce a syslog critical message was fixed.
+
+- Update to release 2.8.0
+  * Introduced the dbus function
+    org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value,
+    limit) listing upto limit users matching the filter
+    attr=value.
+  * sssctl is now able to create, list and delete indexes on the
+    local caches. Indexes are useful for the new D-Bus
+    ListByAttr() function.
+  * sssctl is now able to read and set each component's debug
+    level independently.
+  * A number of new configuration options are available,
+    cf. https://sssd.io/release-notes/sssd-2.8.0.html .
+  * Fix sdap_access_host No matching host rule found;
+    (bsc#1202559); Drop SLE patch
+    0001-Fix-sdap_access_host-No-matching-host-rule-found.patch
+  * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch
+    0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch
+
+- Migration to /usr/etc: Saving user changed configuration files
+  in /etc and restoring them while an RPM update.
+
+- Update to release 2.7.4
+  * Lock-free client support will be only built if libc provides
+    pthread_key_create() and pthread_once(). For glibc this means
+    version 2.34+.
+
+- Update to release 2.7.3
+  * All SSSD client libraries (nss, pam, etc) won't serialize
+    requests anymore by default, i.e. requests from multiple
+    threads can be executed in parallel. Old behavior
+    (serialization) can be enabled by setting environment
+    variable "SSS_LOCKFREE" to "NO".
+
+- Removed %config flag for files in /usr directory.
+
+- Moved logrotate files from user-specific directory /etc/logrotate.d
+  to vendor-specific directory /usr/etc/logrotate.d.
+
+- Use pam rpm macros to avoid hardcoding the directory names;
+  (bsc#1191047);
+- Do not take ownership of %_pam_confdir directory, it is owned by
+  pam package
+
+- Update to release 2.7.2
+  * A sssd-2.7.1 regression preventing successful authentication of
+    IPA users was fixed.
+  * Default value of pac_check changed to check_upn,
+    check_upn_dns_info_ex (for AD and IPA provider).
+
+- Update to release 2.7.1
+  * SSSD can now handle multi-valued RDNs if a unique name must
+    be determined with the help of the RDN.
+  * A regression in pam_sss_gss module causing a failure if
+    KRB5CCNAME environment variable was not set was fixed.
+  * New option `implicit_pac_responder` to control if the PAC
+    responder is started for the IPA and AD providers; the
+    default is true.
+  * New option `krb5_check_pac` to control the PAC validation
+    behavior.
+  * Multiple `crl_file` arguments can be used in the
+    `certificate_verification` option.
+
+- Enable subid_sss
+
+- Update to release 2.7.0
+  * Better default for IPA/AD re_expression. Tunning for group
+    names containing '@' is no longer needed.
+  * A new debug level is added to show statistical and
+    performance data.
+  * Added support for anonymous PKINIT to get FAST credentials.
+  * SSSD now correctly falls back to UPN search if the user was
+    not found even with `cache_first = true`.
+  * Add 'ldap_ignore_unreadable_references' parameter to skip
+    unreadable objects referenced by 'member' attributte;
+    (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch
+    0001-ldap-ignore-unreadable-references.patch
+
+- Enable selinux support
+- Update Supplements to new format
-- Update the private ldb modules installation following libldb2
-  changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba
+- Update to release 2.6.3
+  * A regression introduced in sssd-2.6.2 in the IPA provider
+    that prevented users from login was fixed. Access control
+    always denied access because the selinux_child returned an
+    unexpected reply.
+  * A critical regression that prevented authentication of users
+    via AD and IPA providers was fixed. LDAP port was reused for
+    Kerberos communication and this provider would send
+    incomprehensible information to this port.
+  * When authenticating AD users, backtrace was triggered even
+    though everything was working correctly. This was caused by a
+    search in the global catalog. Servers from the global catalog
+    are filtered out of the list before writing the KDC info
+    file. With this fix, SSSD does not attempt to write to the
+    KDC info file when performing a GC lookup.
+
+- Upgrade LDB_DIR shell variable to %ldbdir macro.
-- Update to version 2.5.2; (jsc#SLE-17763);
+- Update to release 2.6.2
+  * Quick log out and log in did not correctly refresh user's
+    initgroups in no_session PAM schema due to lingering systemd
+    processes.
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_sssd-ifp.service.patch
+  * harden_sssd-kcm.service.patch
+
+- Update to release 2.6.1
+  * New infopipe method FindByValidCertificate().
+  * The default value of the "ssh_hash_known_hosts" setting was
+    changed to false for the sake of consistency with OpenSSH
+    that does not hash host names by default.
+
+- Update to release 2.6.0
+  * Support of legacy json format for ccaches was dropped.
+  * Support of long time deprecated secrets responder was dropped.
+  * Support of long time deprecated local provider was dropped.
+  * The sssctl command was vulnerable to shell command injection
+    via the logs-fetch and cache-expire subcommands,
+    which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch
+    0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch
+  * Basic support of user's 'subuid and subgid ranges' for IPA
+    provider and corresponding plugin for shadow-utils were added.
+
+- Update to release 2.5.2; (jsc#SLE-17763);
-- Changes from version 2.5.1
+
+- Update to release 2.5.1
-- Changes from version 2.5.0
+
+- Update to release 2.5.0
-- Changes from version 2.4.2
+
+- Move sssctl command from sssd to sssd-tools package; (bsc#1184289);
+
+- Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285).
+
+- Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives
+  mechanism to be able to switch between cifs-utils and sssd;
+  (bsc#1182682).
+
+- Update to release 2.4.2
-- Changes from version 2.4.1
+
+- Pass --with-pid-path=%{_rundir} to configure: adjust rundir
+  according the distro settings, i.e. /run on modern systems.
+  Eliminates a systemd warning like this one in the journal:
+    Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13:
+    PIDFile= references a path below legacy directory /var/run/,
+    updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly.
+
+- Update to release 2.4.1
-- Changes from version 2.4.0
+  * Create timestamp attribute in cache objects if missing;
+    (bsc#1182637);
+
+- Update to release 2.4.0
-- Changes from version 2.3.1
+
+- Build sssd's KCM.
+
+- Update to release 2.3.1
-- Changes from version 2.3.0
+  * Rotate child debug file descriptors on SIGHUP (bsc#1080156)
+- sssd-wbclient is obsolete and no longer shipped
+
+- Update to release 2.3.0
-- Changes from version 2.2.3
+  * Update samba secrets after changing machine password; (jsc#SLE-11503);
+  * Delete linked local user overrides when deleting a user
+    (bsc#1133168)
+- Drop sssd-gpo_host_security_filter-2.2.2.patch,
+  0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
+  0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
+- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+  (unapplicable)
+
+- Update to 2.2.3
+  * New features:
-- Changes from version 2.2.2
-  * Removing domain from ad_enabled_domain was not reflected in SSSD’s cache.
-    This has been fixed.
-  * Because of a race condition SSSD could crash during shutdown. The race
-    condition was fixed.
-  * Fixed a bug that limited number of external groups fetched by SSSD
-    to 2000.
-  * pam_sss now properly creates gnome keyring during login.
-  * SSSD with KCM could wrongly pick older ccache instead of the latest one
-    after login. This was fixed.
-- Changes from version 2.2.1
-  * New options were added which allow sssd-kcm to handle bigger data.
-  * SSSD can now automatically refresh cached user data from subdomains
-    in IPA/AD trust.
-  * Fixed issue with SSSD hanging when connecting to non-responsive server
-    with ldaps://.
+  * Fix domain offline after first boot when resolv.conf is a symlink
+    (bsc#1136139)
+- Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+
+- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
+  0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
+
+- Remove leftover python2 build dependencies
+- Remove python3-devel BuildRequires in favor of pkgconfig(python3)
+
+- SSSD GPO host entries are ignored if computer cn does not
+  match its samaccountname, add
+  0001-Resolve-computer-lookup-failure-when-sam-cn.patch;
+  (jsc#SLE-9298); (bsc#1160688)
+
+- SSSD should accept host entries from GPO's security filter, add
+  sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298)
+
+- Install infopipe dbus service (bsc#1106598)
+- Add systemd service unit files to manage socket or bus activated responders.
+- All responders except infopipe are also managed by a socket unit file.
+- Add missing post and postun hooks for libsss_certmap0 package.
+
+- Update to release 2.2.2
+  * New options were added which allow sssd-kcm to handle bigger
+    data. See manual pages for max_ccaches, max_uid_caches and
+    max_ccache_size.
+  * SSSD can now automatically refresh cached user data from
+    subdomains in IPA/AD trust.
+  * Fixed issue with SSSD hanging when connecting to
+    non-responsive server with ldaps://.
-  * Fixed refression when dyndns_update was set to True and
-    dyndns_refresh_interval was not set or set to 0 then DNS records were
-    not updated at all.
-  * Fixed issue when default_domain_suffix was used with files provider
-    and caused all results from files domain to be fully qualified.
-  * Fixed issue with sudo rules not being visible on OpenLDAP servers
-  * Fixed crash with auth_provider = proxy that prevented logins
-- Changes from version 2.2.0
+
+- Update to new upstream release 2.2.0
-  * The sssctl tool has two new commands, "cert-show" and "cert-map".
-- Changes from version 2.1.0
-  * Any provider can now match and map certificates to user identities.
+  * The sssctl tool has two new commands, "cert-show" and
+    "cert-map".
+  * Added an option to skip GPOs that have groupPolicyContainers,
+    unreadable by SSSD (bsc#1124194) (CVE-2018-16838)
+  * Fix fallback_homedir returning '/' for empty home directories
+    (CVE-2019-3811) (bsc#1121759)
+
+- Create directory to download and cache GPOs (bsc#1132879)
+
+- Update to new upstream release 2.1.0
+  * Any provider can now match and map certificates to user
+    identities.
-  * It is now possible to refresh the KCM configuration without restarting
-    the whole SSSD deamon
-- Changes from version 2.0.0
+  * Fix sss_cache spurious error messages when invoked from shadow-utils;
+    (bsc#1185017);
+  * Fix building with newer samba versions (bsc#1137876)
+  * Fix memory leak in nss netgroup enumeration (bsc#1139247);
+
+- Install systemd service unit file created from source's template
+  (bsc#1120852); (bsc#1185185);
+- Install logrotate configuration (bsc#1004220)
+- Set journald as system logger
+
+- Add krb-noversion.diff so sssd_pac builds even with newer krb.
+
+- Add dependency to adcli for sssd-ad
+    (SLE15: fate#326619, bsc#1109849)
+    (SLE12SP4: fate#326620, bsc#1110121)
+
+- Update to new upstream release 2.0.0
-  * The ldap_groups_use_matching_rule_in_chain and
-    ldap_initgroups_use_matching_rule_in_chain options and the code
-    that evaluated them was removed.
-  * The KCM responder has a new back end to store credential caches
-    in a local database
-- Make cifs-idmap plugin (idmapwb.so) use update-alternatives
-  mechanism to be able to switch between cifs-utils and sssd;
-  (bsc#1182682).
-- Build sssd's KCM
-- Drop obsolete patches:
-  + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
-  + 0002-intg-Do-not-hardcode-nsslibdir.patch
-  + 0003-MONITOR-Do-not-use-two-configuration-databases.patch
-  + 0004-Strip-whitespaces-in-netgroup-triple.patch
-  + 0005-nss-sssd-returns-for-emtpy-home-directories.patch
-  + 0006-Rotate-child-log-files.patch
-  + 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
-  + 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
-  + 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
-  + 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch
-  + 0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch
-  + 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch
-  + 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch
-  + 0014-util-Remove-the-unused-function-is_email_from_domain.patch
-  + 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch
-  + 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch
-  + 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch
-  + 0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch
-  + 0019-winbind-idmap-plugin-support-inferface-version-6.patch
-  + 0020-winbind-idmap-plugin-fix-detection.patch
-  + 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch
-  + 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch
-  + 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch
-  + 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch
-  + 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch
-  + 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch
-  + 0027-utils-make-N_ELEMENTS-public.patch
-  + 0028-ad-replace-ARRAY_SIZE-with-N_ELEMENTS.patch
-  + sssd-gpo_host_security_filter-1.16.1.patch
-  + 0001-Resolve-computer-lookup-failure-when-sam-cn.patch
-  + 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch
-  + 0032-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
-  + 0033-Fix-build-failure-against-samba-4.12.0rc1.patch
-  + 0034-Use-ndr_pull_steal_switch_value-for-modern-samba-ver.patch
-  + 0035-ad_gpo_ndr.c-refresh-ndr_-methods-from-samba-4.12.patch
-  + 0036-ad_gpo_ndr.c-more-ndr-updates.patch
-  + 0037-UTIL-Fix-compilation-with-curl-7.62.0.patch
-  + 0038-CACHE-Create-timestamp-if-missing.patch
-  + 0039-sss_cache-Do-not-fail-for-missing-domains.patch
-
-- Fix sss_cache spurious error messages when invoked from shadow-utils;
-  (bsc#1185017); Add 0039-sss_cache-Do-not-fail-for-missing-domains.patch
-
-- Use /run instead of /var/run for daemon PID files; (bsc#1185185);
-
-- Create timestamp attribute in cache objects if missing;
-  (bsc#1182637); Add 0038-CACHE-Create-timestamp-if-missing.patch
-
-- Move sssctl command from sssd to sssd-tools package; (bsc#1184289);
-
-- Fix a dependency loop by moving internal libraries to sssd-common
-  package; (bsc#1182058);
-
-- Fix build against samba >= 4.12
-  + 0033-Fix-build-failure-against-samba-4.12.0rc1.patch
-  + 0034-Use-ndr_pull_steal_switch_value-for-modern-samba-ver.patch
-  + 0035-ad_gpo_ndr.c-refresh-ndr_-methods-from-samba-4.12.patch
-  + 0036-ad_gpo_ndr.c-more-ndr-updates.patch
-- Fix build with curl >= 7.62.0
-  + 0037-UTIL-Fix-compilation-with-curl-7.62.0.patch
-
-- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
-  0032-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
-
-- Update samba secrets after changing machine password; (jsc#SLE-11503);
-  Add 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch
-
-- Install infopipe dbus service (bsc#1106598)
-
-- SSSD GPO host entries are ignored if computer cn does not
-  match it's samaccountname, add
-  0001-Resolve-computer-lookup-failure-when-sam-cn.patch;
-  (jsc#SLE-9298); (bsc#1160688)
+  * Allow defaults sudoRole without sudoUser attribute (bsc#1135247)
-- SSSD should accept host entries from GPO's security filter, add
-  sssd-gpo_host_security_filter-1.16.1.patch; (jsc#SLE-9298)
-
-- Fix building with newer samba versions (bsc#1137876)
-- Added patches:
-  * 0027-utils-make-N_ELEMENTS-public.patch
-  * 0028-ad-replace-ARRAY_SIZE-with-N_ELEMENTS.patch
-
-- Update winbind idmap plugin to support interface version 6
-  (jsc#SLE-9819)
-- Added patches:
-  * 0019-winbind-idmap-plugin-support-inferface-version-6.patch
-  * 0020-winbind-idmap-plugin-fix-detection.patch
-  * 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch
-  * 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch
-  * 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch
-  * 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch
-  * 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch
-  * 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch
-
-- Delete linked local user overrides when deleting a user
-  (bsc#1133168)
-- Added patches:
-  * 0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch
-
-- Fix domain offline after first boot when resolv.conf is a symlink
-  (bsc#1136139)
-- Added patches:
-  * 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch
-  * 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch
-  * 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch
-
-- Fix login not possible when email address is duplicated in ldap
-  attributes (bsc#1149597)
-- Added patches:
-  * 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch
-  * 0014-util-Remove-the-unused-function-is_email_from_domain.patch
-
-- Fix memory leak in nss netgroup enumeration (bsc#1139247);
-- Added patches:
-  * 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch
-
-- Allow defaults sudoRole without sudoUser attribute (bsc#1135247)
-- Added an option to skip GPOs that have groupPolicyContainers,
-  unreadable by SSSD (bsc#1124194) (CVE-2018-16838)
-- Added patches:
-  * 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch
-  * 0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch
-
-- Create directory to download and cache GPOs (bsc#1132879)
-- Add a netgroup counter to struct nss_enum_index (bsc#1132657)
-- Added patches:
-  * 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
-  * 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
-  * 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
-
-- Rotate child debug file descriptors on SIGHUP (bsc#1080156)
-- Added patches:
-  * 0006-Rotate-child-log-files.patch
+- Update to upstream release 1.16.3
+  * New Features:
+  * kdcinfo files for informing krb5 about discovered KDCs are
+    now also generated for trusted domains in setups that use
+    id_provider=ad and IPA masters in a trust relationship with
+    an AD domain.
+  * The Kerberlos locator plugin can now process multiple
+    address if SSSD generates more than one. A
+  * Bug fixes:
+  * Fixed information leak due to incorrect permissions on
+    /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
+  * Cached password are now stored with a salt. Old ones will be
+    regenerated on next authentication, and the auth server needs
+    to be reachable for that.
+  * The sss_ssh proces leaked file descriptors when converting
+    more than one X.509 certificate to an SSH public key.
+  * The PAC responder is now able to process Domain Local in case
+    the PAC uses SID compression (Windows Server 2012+).
+  * Address the issue that some versions of OpenSSH would close
+    the pipe towards sss_ssh_authorizedkeys when the matching key
+    is found before the rest of the output is read.
+  * User lookups no longer fail if user's e-mail address
+    conflicts with another user's fully qualified name.
+  * The override_shell and override_homedir options are no longer
+    applied to entries from the files domain.
+  * The grace logins with an expired password when authenticating
+    against certain newer versions of the 389DS/RHDS LDAP server
+    did not work.
+  * Fix login not possible when email address is duplicated in ldap
+    attributes (bsc#1149597)
+  * Strip whitespaces in netgroup triples (bsc#1087320)
+- Removed patches that are included upstream now:
+  0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
+  0002-intg-Do-not-hardcode-nsslibdir.patch,
+  0003-Fix-build-for-1-16-2-version.patch
-- Fix fallback_homedir returning '/' for empty home directories
-  (CVE-2019-3811) (bsc#1121759)
-- Install logrotate configuration (bsc#1004220)
-- Strip whitespaces in netgroup triples (bsc#1087320)
-- Align systemd service file with upstream
-  * Run interactive and change service type to notify (bsc#1120852)
-  * Replace deprecated '-f' and use '--logger'
-- Fix sssd not starting in foreground mode (bsc#1125277)
-- Added patches:
-  * 0003-MONITOR-Do-not-use-two-configuration-databases.patch
-  * 0004-Strip-whitespaces-in-netgroup-triple.patch
-  * 0005-nss-sssd-returns-for-emtpy-home-directories.patch
-
-- Added dependency to adcli for sssd-ad (fate#326619, bsc#1109849)
+- Fixed patch name.
+- Update to new minor upstream release 1.16.2
+  New Features:
+  * The smart card authentication, or in more general certificate
+    authentication code now supports OpenSSL in addition to previously
+    supported NSS (#3489). In addition, the SSH responder can now
+    return public SSH keys derived from the public keys stored in a
+    X.509 certificate. Please refer to the ssh_use_certificate_keys
+    option in the man pages.
+  * The files provider now supports mirroring multiple passwd or
+    group files. This enhancement can be used to use the SSSD files
+    provider instead of the nss_altfiles module
+  Bugfixes:
+  * A memory handling issue in the nss_ex interface was fixed. This
+    bug would manifest in IPA environments with a trusted AD domain
+    as a crash of the ns-slapd process, because a ns-slapd plugin
+    loads the nss_ex interface (#3715)
+  * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
+  * The ad_site override is now honored in GPO code as well (#3646)
+  * Several potential crashes in the NSS responder’s netgroup code
+    were fixed (#3679, #3731)
+  * A potential crash in the autofs responder’s code was fixed (#3752)
+  * The LDAP provider now supports group renaming (#2653)
+  * The GPO access control code no longer returns an error if one
+    of the relevant GPO rules contained no SIDs at all (#3680)
+  * A memory leak in the IPA provider related to resolving external
+    AD groups was fixed (#3719)
+  * Setups that used multiple domains where one of the domains had
+    its ID space limited using the min_id/max_id options did not
+    resolve requests by ID properly (#3728)
+  * Overriding IDs or names did not work correctly when the domain
+    resolution order was set as well (#3595)
+  * A version mismatch between certain newer Samba versions (e.g.
+    those shipped in RHEL-7.5) and the Winbind interface provided
+    by SSSD was fixed. To further prevent issues like this in the
+    future, the correct interface is now detected at build time (#3741)
+  * The files provider no longer returns a qualified name in case
+    domain resolution order is used (#3743)
+  * A race condition between evaluating IPA group memberships and
+    AD group memberships in setups with IPA-AD trusts that would
+    have manifested as randomly losing IPA group memberships assigned
+    to an AD user was fixed (#3744)
+  * Setting an SELinux login label was broken in setups where the
+    domain resolution order was used (#3740)
+  * SSSD start up issue on systems that use the libldb library
+    with version 1.4.0 or newer was fixed.
+  * Update winbind idmap plugin to support interface version 6
+    (jsc#SLE-9819)
+  * Add a netgroup counter to struct nss_enum_index (bsc#1132657)
+  * Fix sssd not starting in foreground mode (bsc#1125277)
+  Introduce a patch:
+  * Fix build of sssd of 1.16.2 version:
+    0003-Fix-build-for-1-16-2-version.patch
+    (back then called fix-build.patch)
+
thermald
+- Remove use of %with_thermalmonitor where not necessary
+- Check for %is_opensuse instead of %suse_version
+- Remove wrong %config from a data file
+- Package the ThermalMonitor license file
+
+- build ThermalMonitor only if qcustomplot is available
+
+- jsc#PED-5716 Enable support for Thermal Controls on platform
+- Move of dbus config files from /etc to /usr/share
+- Fix wrongly written library name
+  A fix_qcustomplot_name.patch
+- Make use of _service (git scm) service file:
+  A    _service
+  A    _servicedata
+  A    thermal_daemon-2.5.4.0.git+63b290f.obscpio
+  A    thermal_daemon.obsinfo
+- Update to version 2.5.4.0.git+63b290f:
+  * Release 2.5.4
+  * Change the sorting order when min_max_valid
+  * Process case when target matches after init
+  * Remove memset for pid_param_t to 0
+  * Remove check for new_passive < critical
+  * domain_name not set and used in thd_cdev_rapl
+  * build warning, ret is assigned for sysfs write
+  * Remove duplicate type_type == HOT comparison
+
tinyxml
--  Added tinyxml-2.62-fix-infinite-loop.patch to fix an infinite loop
-  for inputs containing the sequence 0xEF0x00 (bsc#1191576) (CVE-2021-42260)
+- avoid assertion on certain malformed input including null-byte
+  (bsc#1218040) (CVE-2023-34194)
+- added tinyxml-null-byte-assert.patch
+
+- Added tinyxml-2.62-fix-infinite-loop.patch to fix an infinite loop
+  for inputs containing the sequence 0xEF0x00 (bsc#1191576)
+  (CVE-2021-42260)
-- Only require autoconf 2.62.
-
tracker-miners
+- Add tracker-miners-CVE-2023-5557.patch: A bug in libcue could
+  lead to possible sandbox escape in tracker-extract, this fixes it
+  by adding seccomp rules and applying it to the whole process
+  (bsc#1216199, glgo#GNOME/tracker-miners!480, CVE-2023-5557).
+- Refresh tracker-miners-drop-syscalls-in-seccomp.patch: The patch
+  context is changed by tracker-miners-CVE-2023-5557.patch.
+
ugrep
-- update to 3.4.6:
+- 4.4.1
+  * ship shell completions (bash,zsh,fish)
+  * option -t (--file-type) now also accepts filename extensions as
+    shortcuts, when unambiguous, for example, the shorter form -tpy
+    for -tpython to select files to search
+  * TUI ALT-SHIFT-% switches between "bool query lines" mode,
+    "bool query files" mode, and bool queries off
+    TUI boolF mode (-%FQ) now applies syntax highlighting
+  * support legacy grep long options without = to bind option
+    arguments
+- add ugrep-4.4.1-remove-shebang-from-bash-completion.patch
+
+- update to 4.3.6:
webkit2gtk3
+- Update to version 2.42.4 (boo#1218032):
+  + Fix incorrect random images incorrectly displayed as
+    backgrounds of <div> elements.
+  + Fix videos displayed aliased after being resized e.g. in
+    YouTube.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2023-42883.
+
+- Update to version 2.42.3 (boo#1217844):
+  + Fix flickering while playing videos with DMA-BUF sink.
+  + Fix color picker being triggered in the inspector when typing
+    "tan".
+  + Do not special case the "sans" font family name.
+  + Fix build failure with libxml2 version 2.12.0 due to an API
+    change.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2023-42916, CVE-2023-42917.
+
-  boo#1215868 boo#1215869 boo#1215870):
+  boo#1215868 boo#1215869 boo#1215870 boo#1218033):
-  + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359.
+  + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359,
+    CVE-2023-42890.
whois
+- Fix build on SLE
+  * whois-remove-malloc-attribute.patch
+
+- Update to 5.5.20:
+  * Added the .gn TLD server.
+  * Removed 6 new gTLDs which are no longer active.
+  * Enabled getopt_long(3) support on Solaris.
+- Add rpmlintrc file
+  * whois-rpmlintrc
+
+- update to 5.5.19:
+  * Fix english support for Japanese queries to not add again the
+    /e argument if it had already been provided by the user
+  * Add the .ye and .বাংলা (.xn--54b7fta0cc, Bangladesh) TLD
+    servers
+  * Update the .ba, .bb, .dk, .es, .gt, .jo, .ml, .mo, .pa, .pn,
+    .sv, .uy, .ﺍﻻﺭﺪﻧ (.xn--mgbayh7gpa, Jordan) and .澳門
+    (.xn--mix891f, Macao) TLD servers
+  * Upgrade the TLD URLs to HTTPS whenever possible
+  * Update the charset for whois.jprs.jp
+  * Remove 3 new gTLDs which are no longer active
+  * Remove support for the obsolete as32 dot notation
+
+- update to 5.5.18:
+  * Updated the .ga TLD server. (Closes: #1037288)
+  * Added new recovered IPv4 allocations.
+  * Removed the delegation of 43.0.0.0/8 to JPNIC.
+  * Removed 12 new gTLDs which are no longer active.
+  * Improved the man page source, courtesy of Bjarni Ingi
+    Gislason.
+  * Added the .edu.za SLD server.
+  * Updated the .alt.za SLD server.
+  * Added the -ru and -su NIC handles servers.
+
+- update to 5.5.17:
+  * Added the .cd TLD server.
+  * Updated the -kg NIC handles server name.
+  * Removed 2 new gTLDs which are no longer active.
+
+- update to 5.5.16:
+  * Add bash completion support, courtesy of Ville Skyttä.
+  * Updated the .tr TLD server.
+  * Removed support for -metu NIC handles.
+
+- update to 5.5.15:
+  * Updated the .bd, .nz and .tv TLD servers.
+  * Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
+  * Updated the .ac.uk and .gov.uk SLD servers.
+  * Recursion has been enabled for whois.nic.tv.
+  * Updated the list of new gTLDs with four generic TLDs assigned in
+    October 2013 which were missing due to a bug.
+  * Removed 4 new gTLDs which are no longer active.
+  * Added the Georgian translation, contributed by Temuri Doghonadze.
+  * Updated the Finnish translation, contributed by Lauri Nurmi.
+
+- update to 5.5.14:
+  * Added the .bf and .sd TLD servers.
+  * Removed the .gu TLD server.
+  * Updated the .dm, .fj, .mt and .pk TLD servers.
+  * Updated the charset for whois.nic.tr.
+  * Updated the list of new gTLDs.
+  * Removed whois.nic.fr from the list of RIPE-like servers, because it
+    is not one anymore. (Closes: #1021110)
+  * Renamed whois.arnes.si to whois.register.si in the list of RIPE-like
+    servers.
+  * Added the hiding string for whois.auda.org.au.
+
+- update to 5.5.13:
+  * Added the .sd TLD server.
+  * Updated the list of new gTLDs.
+  * Added the Turkish translation, contributed by Oğuz Ersen.
+
+- Update to 5.5.12:
+  * Updated the .pro TLD server, which was totally broken.
+  * Fixed the detection of Japanese locales using $LC_MESSAGES.
+  * Implemented providing partial salt strings to mkpasswd.
+  * Removed 2 new gTLDs which are no longer active.
+  * Updated one or more translations.
+  * Enabled full hardening in debian/rules.
+- Cleanup build requirements for SLE-11
+
+- update to 5.5.11:
+  * Implemented a --no-recursion command line option to disable recursion
+    from registrar to registry servers.
+  * Updated the .pro, .vu and .xxx TLD servers.
+  * Updated the list of new gTLDs.
+  * Removed 7 new gTLDs which are no longer active.
+
wireless-regdb
+- Define %{_firmwaredir} if not defined. This fixes RPM build errors.
+
+- Update to version 20230901:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
+
+- Update to version 20230721:
+  * wireless-regdb: Update regulatory info for TĂźrkiye (TR)
+  * wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidelines
+
+- Update to version 20230601:
+  * wireless-regdb: Update regulatory rules for Philippines (PH)
+
+- Update to version 20230503:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Hong Kong (HK)
+  * wireless-regdb: update regulatory rules for India (IN)
+  * wireless-regdb: Update regulatory rules for Russia (RU). Remove DFS requirement.
+  * Update regulatory info for Russia (RU) on 6GHz
+
+- Update to version 20230213:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory info for Russia (RU) on 5GHz
+
+- Update to version 20221205:
+  * wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz
+  * wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz
+
+- Update to version 20221012:
+  * wireless-regdb: update regulatory rules for Switzerland (CH)
+  * wireless-regdb: Update regulatory rules for Brazil (BR)
+
+- Update to version 20220812:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: update 5 GHz rules for PK and add 60 GHz rule
+  * wireless-regdb: add 5 GHz rules for GY
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Unify 6 GHz rules for EU contries
+  * wireless-regdb: Remove AUTO-BW from 6 GHz rules
+  * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz
+  * Regulatory update for 6 GHz operation in FI
+  * Regulatory update for 6 GHz operation in United States (US)
+  * Regulatory update for 6 GHz operation in Canada (CA)
+
+- Update to version 20220606:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Unify 6 GHz rules for EU contries
+  * wireless-regdb: Remove AUTO-BW from 6 GHz rules
+
+- Update to version 20220527:
+  * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz
+  * Regulatory update for 6 GHz operation in FI
+  * Regulatory update for 6 GHz operation in United States (US)
+  * Regulatory update for 6 GHz operation in Canada (CA)
+
+- Update to version 20220408:
+  * wireless-regdb: add db files missing from previous commit
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Australia (AU)
+  * wireless-regdb: add missing spaces for US S1G rules
+
+- Update to version 20220324:
+  * wireless-regdb: Update regulatory rules for Israel (IL)
+
+- Update to version 20220218:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz
+  * wireless-regdb: Update regulatory rules for China (CN)
+  * wireless-regdb: Update regulatory rules for South Korea (KR)
+  * Revert "wireless-regdb: Update regulatory rules for South Korea (KR)"
+  * wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz
+  * wireless-regdb: add 802.11ah bands to world regulatory domain
+  * wireless-regdb: add support for US S1G channels
+  * wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz
+  * wireless-regdb: Update regulatory rules for South Korea (KR)
+
+- Update to version 20220108:
+  * wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz
+
+- Update to version 20211209:
+  * wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US
+
+- Update to version 20210828:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * Update regulatory rules for Ecuador (EC)
+  * wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
+  * wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
+  * wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
+  * wireless-regdb: recent FCC report and order allows 5850-5895 immediately
+  * wireless-regdb: update 5725-5850 MHz rule for GB
+
+- Update to version 20210421:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: re-add source url and info for CU
+
+- Update to version 20210407:
+  * wireless-regdb: Update regulatory rules for Cuba (CU) on 5GHz
+  * wireless-regdb: Do not hardcode 'sforshee' in the certificate commonName
+
+- Update to version 20210129:
+  * wireless-regdb: Update regulatory rules for Ukraine (UA)
+  * wireless-regdb: update CNAF regulation url for ES
+
+- leverage %{_firmwaredir} to install firmware into correct location (boo#1029961)
+
+- Update to version 20201120:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Kazakhstan (KZ)
+  * wireless-regdb: update 5.8 GHz regulatory rule for GB
+  * wireless-regdb: Update regulatory rules for Pakistan (PK) on 5GHz
+  * wireless-regdb: Update regulatory rules for Croatia (HR)
+  * wireless-regdb: restore channel 12 & 13 limitation in the US
+  * wireless-regdb: update regulatory rules for Egypt (EG)
+
+- Fixes for %_libexecdir changing to /usr/libexec
+
+- Update to version 20200429:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: update rules for US on 2.4/5G
+  * GB: Extend to cover DMG channels 5 & 6
+  * wireless-regdb: Update regulatory rules for Singapore (SG)
+  * wireless-regdb: Update regulatory rules for Indonesia (ID)
+
+- Update to version 20191029:
+  * regdb: fix compatibility with python2
+  * wireless-regdb: Update regulatory rules for Russia (RU)
+  * wireless-regdb: Harmonize ranges of CEPT countries (stand of July 2019)
+  * wireless-regdb: Fix ranges of EU countries as they are harmonized since 2014
+  * wireless-regdb: Extend 5470-5725 MHz range to 5730 MHz for Taiwan (TW)
+  * wireless-regdb: Fix overlapping ranges for Switzerland and Liechtenstein
+  * wireless-regdb: update regulatory database based on preceding changes
+- Switch to _service
+- Update project url
+
wireshark
+- Wireshark 3.6.19:
+  * CVE-2023-6175: NetScreen file parser crash (bsc#1217272).
+- Further features, bug fixes and updated protocol support as listed in:
+  https://www.wireshark.org/docs/relnotes/wireshark-3.6.19.html
+
xf86-video-intel
+- n_Mesa-i965-crocus.patch
+  * Mesa's DRI driver is now called "crocus" (previously "i965");
+    fixes hardware OpenGL support when still using "intel" X
+    driver instead of "modesetting" one ... (boo#1214448)
+
xfsprogs
+- update to v6.5.0 (bsc#1217575, bsc#1217576):
+  - libxfs: fix atomic64_t detection on x86_32
+  - libxfs: use XFS_IGET_CREATE when creating new files
+  - libfrog: fix overly sleep workqueues
+  - xfs_db: use directio for device access
+  - libxfs: make platform_set_blocksize optional with directio
+  - mkfs: add a config file for 6.6 LTS kernels
+  - mkfs: enable reverse mapping by default
+  - mkfs: enable large extent counts by default
+  - xfs_db: create unlinked inodes
+  - xfs_db: dump unlinked buckets
+  - xfsprogs: don't allow udisks to automount XFS filesystems with no prompt
+  - xfs_repair: fix repair failure caused by dirty flag being abnormally set on buffer
+- drop:
+  - 0001-repair-shift-inode-back-into-place-if-corrupted-by-b.patch
+  - xfsprogs-mkfs-disable-reflink-support-by-default.patch
+  - xfsprogs-mkfs-don-t-trample-the-gid-set-in-the-protofile.patch
+  - xfsprogs-mkfs-enable-bigtime-by-default.patch
+  - xfsprogs-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch
+  - xfsprogs-mkfs-terminate-getsubopt-arrays-properly.patch
+  - xfsprogs-xfs_repair-ignore-empty-xattr-leaf-blocks.patch
+- mkfs: disable inobtcnt and nrext64 features by default
+  - add xfsprogs-mkfs-disable-inobtcnt-and-nrext64-features-by-defaul.patch
+
xorg-x11-server
+- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  (bsc#1217765).
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
+    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+  * Out-of-bounds memory read in RRChangeOutputProperty and
+    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+    bsc#1217766)
+
xrdp
+- Update xrdp-CVE-2023-42822.patch
+  + fix bsc#1217759: xrdp login screen does not show any text
+
xscreensaver
+- Update xscreensaver-disable-upgrade-nagging-message.patch to
+  cover new messages. (boo#1206345, bsc#1217318)
+
xwayland
+- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  (bsc#1217765).
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
+    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+  * Out-of-bounds memory read in RRChangeOutputProperty and
+    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+    bsc#1217766)
+
yast2-bootloader
-- support 32 bit UEFI firmware on x86_64/i386 architecture (bsc#1208003,
-  jsc#PED-2569)
-- 4.6.3
+- Backport:
+-- support 32 bit UEFI firmware on x86_64/i386 architecture
+  (bsc#1208003, jsc#PED-2569)
+- 4.6.4
-- Persist zfcp.allow_lun_scan kernel option for s390 arch
-  (needed for gh#openSUSE/agama#626).
-- 4.6.2
+- Branch package for SP6 (bsc#1208913)
-- 4.6.1
-
-- Bump version to 4.6.0 (bsc#1208913)
+- 4.5.9
yast2-network
+- Read all the driver modules from hwinfo instead of just the first
+  driver ones (bsc#1217652).
+- 4.6.7
+
yast2-s390
-- Fix detection of the zFCP controller running mode to check
-  whether the controller is doing auto LUN scan (related to
-  gh#openSUSE/agama#634).
-- 4.6.4
+- onpanic: add support for multipathed zfcp-attached SCSI disks
+  (bsc#1020336, also related to bsc#1216257).
+- 4.6.5
-- Add info about allow_lun_scan option (related to
-  gh#openSUSE/agama#626).
-- 4.6.3
-
-- Expose zFCP core functionallity (related to
-  gh#openSUSUE/agama#594)
-- 4.6.2
+- Branch package for SP6 (bsc#1208913)
-- 4.6.1
-
-- Bump version to 4.6.0 (bsc#1208913)
+- 4.5.3
zbar
+- security update:
+  * CVE-2023-40889 [bsc#1214770]
+    Fix heap based buffer overflow in qr_reader_match_centers()
+    + zbar-CVE-2023-40889.patch
+  * CVE-2023-40890 [bsc#1214771]
+    Fix stack based buffer overflow in lookup_sequence()
+    + zbar-CVE-2023-40890.patch
+