Removed rpms
============

 - apache2-mod_php7
 - libpoppler126
 - libqgpgme7
 - libsemanage1
 - libsepol1
 - mlocate
 - mlocate-lang
 - noto-sans-jp-bold-fonts
 - noto-sans-jp-fonts
 - noto-sans-jp-regular-fonts
 - noto-sans-kr-bold-fonts
 - noto-sans-kr-fonts
 - noto-sans-kr-regular-fonts
 - noto-sans-sc-bold-fonts
 - noto-sans-sc-fonts
 - noto-sans-sc-regular-fonts
 - noto-sans-tc-bold-fonts
 - noto-sans-tc-fonts
 - noto-sans-tc-regular-fonts
 - noto-serif-jp-bold-fonts
 - noto-serif-jp-fonts
 - noto-serif-jp-regular-fonts
 - noto-serif-kr-bold-fonts
 - noto-serif-kr-fonts
 - noto-serif-kr-regular-fonts
 - noto-serif-sc-bold-fonts
 - noto-serif-sc-fonts
 - noto-serif-sc-regular-fonts
 - noto-serif-tc-bold-fonts
 - noto-serif-tc-fonts
 - noto-serif-tc-regular-fonts
 - php7
 - php7-cli
 - php7-ctype
 - php7-dom
 - php7-iconv
 - php7-json
 - php7-mysql
 - php7-openssl
 - php7-pdo
 - php7-pgsql
 - php7-sqlite
 - php7-tokenizer
 - php7-xmlreader
 - php7-xmlwriter

Added rpms
==========

 - apache2-mod_php8
 - libpoppler132
 - libqgpgme15
 - libraw23
 - libsemanage-conf
 - libsemanage2
 - libsepol2
 - php8
 - php8-cli
 - php8-ctype
 - php8-dom
 - php8-iconv
 - php8-mysql
 - php8-openssl
 - php8-pdo
 - php8-pgsql
 - php8-sqlite
 - php8-tokenizer
 - php8-xmlreader
 - php8-xmlwriter

Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 115.6.0 ESR
+  Placeholder changelog-entry (bsc#1217974)
+
-  Placeholder changelog-entry (bsc#1217230)
+  * Fixed: Various security fixes and other quality improvements.
+  MFSA 2023-50 (bsc#1217230)
+  * CVE-2023-6204 (bmo#1841050)
+    Out-of-bound memory access in WebGL2 blitFramebuffer
+  * CVE-2023-6205 (bmo#1854076)
+    Use-after-free in MessagePort::Entangled
+  * CVE-2023-6206 (bmo#1857430)
+    Clickjacking permission prompts using the fullscreen
+    transition
+  * CVE-2023-6207 (bmo#1861344)
+    Use-after-free in ReadableByteStreamQueueEntry::Buffer
+  * CVE-2023-6208 (bmo#1855345)
+    Using Selection API would copy contents into X11 primary
+    selection.
+  * CVE-2023-6209 (bmo#1858570)
+    Incorrect parsing of relative URLs starting with "///"
+  * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252,
+    bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943,
+    bmo#1862782)
+    Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
+    and Thunderbird 115.5
avahi
+- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
+  avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
+
curl
+- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
+  * Add curl-libssh_Implement_SFTP_packet_size_limit.patch
+
freerdp
+- Add freerdp-CVE-2023-39350-to-2023-40589.patch
+  + Multiple CVE fixes
+  * bsc#1214856, CVE-2023-39350
+  * bsc#1214857, CVE-2023-39351
+  * bsc#1214858, CVE-2023-39352
+  * bsc#1214859, CVE-2023-39353
+  * bsc#1214860, CVE-2023-39354
+  * bsc#1214862, CVE-2023-39356
+  * bsc#1214863, CVE-2023-40181
+  * bsc#1214864, CVE-2023-40186
+  * bsc#1214866, CVE-2023-40188
+  * bsc#1214867, CVE-2023-40567
+  * bsc#1214868, CVE-2023-40569
+  * bsc#1214869, CVE-2023-40574
+  * bsc#1214870, CVE-2023-40575
+  * bsc#1214871, CVE-2023-40576
+  * bsc#1214872, CVE-2023-40589
+
ghostscript
+- CVE-2023-46751.patch is derived for Ghostscript-9.52 from
+  https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
+  (there is no "device initialization redesign" in Ghostscript-9.52)
+  that fixes CVE-2023-46751
+  "dangling pointer in gdev_prn_open_printer_seekable()"
+  see https://bugs.ghostscript.com/show_bug.cgi?id=707264
+  (bsc#1217871)
+
gimp
+- Add gimp-CVE-2023-44442.patch: fix gimp file parsing heap-based
+  buffer overflow (boo#1217161 CVE-2023-44442)
+- Add gimp-CVE-2023-44443-44444.patch: fix gimp file parsing Integer
+  overflow remote code execution vulnerability (boo#1217162
+  CVE-2023-44443) fix gimp file parsing Off-By-One remote code
+  execution vulnerability(boo#1217163 CVE-2023-44444)
+- Add gimp-CVE-2023-44441.patch: fix gimp DDS file parsing heap-based
+  buffer overflow remote code execution vulnerability (boo#1217160
+  CVE-2023-44441)
+
glibc
+- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
+  (bsc#1217445, BZ #31113)
+
+- Remove systemd from shadow and gshadow lookups (bsc#1217220)
+
gnome-screenshot
+- Add b60dad3c2536c17bd201f74ad8e40eb74385ed9f.patch: Fix build
+  with meson 0.60 and newer.
+- Replace pkgconfig(appstream-glib) with appstream-glib and
+  desktop-file-utils BuildRequires, and add a check section and run
+  meson_test macro, validate metainfo and desktop file during build
+  via upstream provided automated tests.
+
gnutls
-- FIPS: PBKDF2 additional requirements [bsc#1209001]
-  * Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N)
-  * Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1)
-  * Set the minimum iterations count to 1000 (SP 800-132 sec 5.2)
-  * Set the minimum passlen of 20 characters (SP SP800-132 sec 5)
-  * Add regression tests for the new PBKDF2 requirements.
-  * Add gnutls-FIPS-pbkdf2-additional-requirements.patch
-
-- libgnutls: Increase the limit of TLS PSK usernames from 128 to
-  65535 characters. [bsc#1208237, jsc#PED-1562]
-  * Upstream: https://gitlab.com/gnutls/gnutls/commit/f032324a
-  * Add gnutls-increase-TLS-PSK-username-limit.patch
-
-- FIPS: Fix pct_test() return code in case of error [bsc#1207183]
-  * Rebase with the upstream version: gnutls-FIPS-PCT-DH.patch
+- Fix missing GNUTLS_NO_EXTENSIONS compatibility.
+  * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634
+  * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch
+
+- tests: Fix the SRP test that fails with SIGPIPE signal return due
+  to a socket being closed before using it.
+  * Add gnutls-srp-test-SIGPIPE.patch
+
+- Update to version 3.8.1:
+  * libgnutls: ClientHello extensions are randomized by default
+    To make fingerprinting harder, TLS extensions in ClientHello
+    messages are shuffled. As this behavior may cause compatibility
+    issue with legacy applications that do not accept the last
+    extension without payload, the behavior can be reverted with the
+    %NO_SHUFFLE_EXTENSIONS priority keyword.
+  * libgnutls: Add support for RFC 9258 external PSK importer.
+    This enables to deploy the same PSK across multiple TLS versions
+    (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
+    needs to set up a callback that formats the PSK identity using
+    gnutls_psk_format_imported_identity().
+  * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
+    %GNUTLS_NO_DEFAULT_EXTENSIONS.
+  * libgnutls: Add additional PBKDF limit checks in FIPS mode as
+    defined in SP 800-132. Minimum salt length is 128 bits and
+    minimum iterations bound is 1000 for PBKDF in FIPS mode.
+  * libgnutls: Add a mechanism to control whether to enforce extended
+    master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
+    session hash (extended master secret, EMS) in TLS 1.2. To enforce
+    this, a new priority keyword %FORCE_SESSION_HASH is added and if
+    it is set and EMS is not set, the peer aborts the connection. This
+    behavior is the default in FIPS mode, though it can be overridden
+    through the configuration file with the "tls-session-hash" option.
+    In either case non-EMS PRF is reported as a non-approved operation
+    through the FIPS service indicator.
+  * New option --attime to specify current time.
+    To make testing with different timestamp to the system easier, the
+    tools doing certificate verification now provide a new option
+  - -attime, which takes an arbitrary time.
+  * API and ABI modifications:
+    gnutls_psk_client_credentials_function3: New typedef
+    gnutls_psk_server_credentials_function3: New typedef
+    gnutls_psk_set_server_credentials_function3: New function
+    gnutls_psk_set_client_credentials_function3: New function
+    gnutls_psk_format_imported_identity: New function
+    GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
+  * Rebase patches:
+  - gnutls-FIPS-140-3-references.patch
+  - gnutls-FIPS-jitterentropy.patch
+  * Remove patches merged/fixed upstream:
+  - gnutls-FIPS-PCT-DH.patch
+  - gnutls-FIPS-PCT-ECDH.patch
+
+- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
+  Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+  gmp libraries. These calculated HMACs change for every build of
+  each of these packages, we only have to verify that for gnutls.
+  * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
+- Disable GNULIB's year2038 also for 32-bit arm - boo#1211394
+
+- Temporarily disable GNULIB's year2038 support for 64bit time_t
+  by using the --disable-year2038 flag. This omits support for
+  timestamps past the year 2038:
+  * Fixes the public API on 32-bit architectures avoiding to
+    change the size of time_t as it cannot be changed without
+    breaking the ABI compatibility.
+  * Upstream issue: https://gitlab.com/gnutls/gnutls/-/issues/1466
+
+- Update to 3.8.0: [bsc#1205763, bsc#1209627]
+  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
+    exchange. Reported by Hubert Kario (#1050). Fix developed by
+    Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium]
+    [CVE-2023-0361]
+  * libgnutls: C++ library is now header only. All definitions
+    from gnutlsxx.c have been moved into gnutlsxx.h. Users of the
+    C++ interface have two options:
+    1. include gnutlsxx.h in their application and link against
+    the C library. (default)
+    2. include gnutlsxx.h in their application, compile with
+    GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
+    against the C++ library.
+  * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
+    priority modifier have been added to allow disabling of the
+    status_request TLS extension in the client side.
+  * libgnutls: TLS heartbeat is disabled by default.
+    The heartbeat extension in TLS (RFC 6520) is not widely used
+    given other implementations dropped support for it. To enable
+    back support for it, supply --enable-heartbeat-support to
+    configure script.
+  * libgnutls: SRP authentication is now disabled by default.
+    It is disabled because the SRP authentication in TLS is not
+    up to date with the latest TLS standards and its ciphersuites
+    are based on the CBC mode and SHA-1. To enable it back, supply
+  - -enable-srp-authentication option to configure script.
+  * libgnutls: All code has been indented using "indent -ppi1 -linux".
+    CI/CD has been adjusted to catch regressions. This is implemented
+    through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
+    commit-check. You may run devel/indent-gnutls to fix any
+    indentation issues if you make code modifications.
+  * guile: Guile-bindings removed. They have been extracted into a
+    separate project to reduce complexity and to simplify maintenance,
+    see <https://gitlab.com/gnutls/guile/>.
+  * minitasn1: Upgraded to libtasn1 version 4.19.
+  * API and ABI modifications:
+    GNUTLS_NO_STATUS_REQUEST: New flag
+    GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
+    GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member
+  * Merge gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
+    and gnutls-FIPS-jitterentropy-threadsafe.patch into the main
+    patch gnutls-FIPS-jitterentropy.patch
+  * Rebase gnutls-FIPS-140-3-references.patch
+  * Rebase patches with upstream version:
+  - gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
+  * Remove patches merged/fixed upstream:
+  - gnutls-FIPS-disable-failing-tests.patch
+  - gnutls-verify-library-HMAC.patch
+  - gnutls_ECDSA_signing.patch
+  - gnutls-Make-XTS-key-check-failure-not-fatal.patch
+  - gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
+  * Update keyring with https://gnutls.org/gnutls-release-keyring.gpg
-- Security Fix: [bsc#1208143, CVE-2023-0361]
-  * Bleichenbacher oracle in TLS RSA key exchange
-  * Add gnutls-CVE-2023-0361.patch
+- Update to 3.7.9: [bsc#1208143, CVE-2023-0361]
+  * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key
+    exchange. [GNUTLS-SA-2020-07-14, CVSS: medium][CVE-2023-0361]
+  * Rebase gnutls-FIPS-140-3-references.patch
-- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299]
-  * Fixes a SIGILL termination at the verzoupper instruction when
-    trying to run GnuTLS on a Linux kernel with the noxsave command
-    line parameter set. Relevant mostly for virutal systems.
-  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282
-  * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch
+- switch to pkgconfig(zlib) so that alternative providers can be
+  used
+
+- Verify only the libgnutls library HMAC [bsc#1199881]
+  * Do not use the brp-50-generate-fips-hmac script as this
+    is now calculated with the internal fipshmac tool.
+  * Add gnutls-verify-library-HMAC.patch
+
+- Temporarily revert the jitterentropy patches in s390 and s390x
+  architectures until a fix is provided [bsc#1204937]
+- Disable flaky test that fails in s390x architecture:
+  * Add gnutls-disable-flaky-test-dtls-resume.patch
+
+- Consolidate the FIPS hmac files [bsc#1203245]
+  * Use the gnutls fipshmac tool instead of the brp-check-suse
+    and rename it to reflect on the library version.
+  * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
+- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
+  positive for the FIPS hmac calculation.
+
+- Update to 3.7.8:
+  * libgnutls: In FIPS140 mode, RSA signature verification is an
+    approved operation if the key has modulus with known sizes
+    (1024, 1280, 1536, and 1792 bits), in addition to any modulus
+    sizes larger than 2048 bits, according to SP800-131A rev2.
+  * libgnutls: gnutls_session_channel_binding performs additional
+    checks when GNUTLS_CB_TLS_EXPORTER is requested. According to
+    RFC9622 4.2, the "tls-exporter" channel binding is only usable
+    when the handshake is bound to a unique master secret (i.e.,
+    either TLS 1.3 or extended master secret extension is
+    negotiated). Otherwise the function now returns error.
+  * libgnutls: usage of the following functions, which are designed
+    to loosen restrictions imposed by allowlisting mode of
+    configuration, has been additionally restricted. Invoking
+    them is now only allowed if system-wide TLS priority string
+    has not been initialized yet:
+  - gnutls_digest_set_secure
+  - gnutls_sign_set_secure
+  - gnutls_sign_set_secure_for_certs
+  - gnutls_protocol_set_enabled
+  * Delete gnutls-3.6.6-set_guile_site_dir.patch and use the
+  - -with-guile-extension-dir configure option to properly
+    handle the guile extension directory.
+  * Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch
+  * Update gnutls.keyring
+  * Add a build depencency on gtk-doc required by autoreconf
-- FIPS: Zeroize the calculated hmac and new_hmac in the
-  check_binary_integrity() function. [bsc#1191021]
-  * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch
+- FIPS: Run the CFB8 cipher selftest without offset [bsc#1203245]
+  * CFB8 list of ciphers: GNUTLS_CIPHER_AES_{128,192,256}_CFB8
+  * Add gnutls-FIPS-Run-CFB8-without-offset.patch
+
+- provide a libgnutls30-hmac-32bit to avoid uninstallable wine
+  when pattern-base-fips is installed [boo#1203353]
-- Security fix: [bsc#1202020, CVE-2022-2509]
-  * Fixed double free during verification of pkcs7 signatures
-  * Add gnutls-CVE-2022-2509.patch
-
-- FIPS:
-  * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979]
-  - gnutls_fips140_run_self_tests now properly releases fips_context
+- Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
+  * libgnutls: Fixed double free during verification of pkcs7
+    signatures. CVE-2022-2509
+  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
+    less than or equal to 255 times hash digest size, to comply with
+    RFC 5869 2.3.
+  * libgnutls: Length limit for TLS PSK usernames has been increased
+    from 128 to 65535 characters
+  * libgnutls: AES-GCM encryption function now limits plaintext
+    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+  * libgnutls: New block cipher functions have been added to
+    transparently handle padding. gnutls_cipher_encrypt3 and
+    gnutls_cipher_decrypt3 can be used in combination of
+    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
+    padding if the length of the original plaintext is not a multiple
+    of the block size.
+  * libgnutls: New function for manual FIPS self-testing.
+  * API and ABI modifications:
+  - gnutls_fips140_run_self_tests: New function
+  - gnutls_cipher_encrypt3: New function
+  - gnutls_cipher_decrypt3: New function
+  - gnutls_cipher_padding_flags_t: New enum
+  * guile: Guile 1.8 is no longer supported
+  * guile: Session record port treats premature termination as EOF Previously,
+    a 'gnutls-error' exception with the 'error/premature-termination' value
+    would be thrown while reading from a session record port when the
+    underlying session was terminated prematurely. This was inconvenient
+    since users of the port may not be prepared to handle such an exception.
+    Reading from the session record port now returns the end-of-file object
+    instead of throwing an exception, just like it would for a proper
+    session termination.
+  * guile: Session record ports can have a 'close' procedure. The
+    'session-record-port' procedure now takes an optional second parameter,
+    and a new 'set-session-record-port-close!' procedure is provided to
+    specify a 'close' procedure for a session record port. This 'close'
+    procedure lets users specify cleanup operations for when the port is
+    closed, such as closing the file descriptor or port that backs the
+    underlying session.
+  * Rebase patches:
+  - gnutls-3.6.6-set_guile_site_dir.patch
+  - gnutls-FIPS-TLS_KDF_selftest.patch
+  - gnutls-FIPS-disable-failing-tests.patch
+  * Remove patch merged upstream:
+  - gnutls-FIPS-PBKDF2-KAT-requirements.patch
+  - https://gitlab.com/gnutls/gnutls/merge_requests/1561
-  * Add gnutls-FIPS-force-self-test.patch [bsc#1198979]
-  - Provides interface for running library self tests on-demand
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598
-
-- FIPS: Make sure zeroization is performed in all API functions
-  * Add gnutls-zeroization-API-functions.patch [bsc#1191021]
-  * Upsream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573
-
-- FIPS: Add missing requirements for the SLI [bsc#1190698]
-  * Remove 3DES from FIPS approved algorithms:
-  - gnutls-Remove-3DES-from-FIPS-approved-algos.patch
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570
-  * DRBG service (gnutls_rnd) should be considered approved:
-  - gnutls-Add-missing-FIPS-service-indicator-transitions.patch
-  - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch
-  - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569
-
-- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907]
-  * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch
-  * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311
+
+- Update to version 3.7.6:
+  * libgnutls: Fixed invalid write when gnutls_realloc_zero() is
+    called with new_size < old_size. This bug caused heap
+    corruption when gnutls_realloc_zero() has been set as gmp
+    reallocfunc.
+  * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
+    upstream.
+
+- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
+  corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
+  boo#1199929).
+
+- update to 3.7.5:
+  * add options disable session ticket usage in TLS 1.2 because
+    it does not provide forward secrecy
+  * For TLS 1.3 where session tickets do provide forward secrecy,
+    the PFS priority string now only disables session tickets in
+    TLS 1.2.
+  * Future backward incompatibility: in the next major release of
+    GnuTLS those flag and modifier are planned to be removed
+  * gnutls-cli, gnutls-serv: Channel binding for printing
+    information has been changed from tls-unique to tls-exporter
+    as tls-unique is not supported in TLS 1.3.
+  * Certificate sanity checks has been enhanced to make gnutls
+    more RFC 5280 compliant:
+  * Removed 3DES from FIPS approved algorithms
+  * Optimized support for AES-SIV-CMAC algorithms
+  * libgnutls: HKDF and AES-GCM algorithms are now approved in
+    FIPS-140 mode when used in TLS
+
+- disable kcapi usage for now, as kernel-obs-build not adjusted
+  to contain the algorithms. bsc#1189283
-  * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561
+- Update to 3.7.4:
+  * libgnutls: Added support for certificate compression as defined
+    in RFC8879.
+  * certtool: Added option --compress-cert that allows user to
+    specify compression  methods for certificate compression.
+  * libgnutls: GnuTLS can now be compiled with --enable-strict-x509
+    configure option to enforce stricter certificate sanity checks
+    that are compliant with RFC5280.
+  * libgnutls: Removed IA5String type from DirectoryString within
+    issuer and subject name to make DirectoryString RFC5280 compliant.
+  * libgnutls: Added function to retrieve the name of current
+    ciphersuite from session.
+  * Bump libgnutlsxx soname due to ABI break
+  * API and ABI modifications:
+  - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
+  - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
+  - gnutls_compress_certificate_get_selected_method: Added
+  - gnutls_compress_certificate_set_methods: Added
+  * Update gnutls.keyring
+
+- build with lto
+- build with -Wl,-z,now -Wl,-z,relro
+- build without -fanalyzer, which cuts build time in ~ half
+
-  - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287]
-
-- Account for the libnettle soname bump [jsc#SLE-19765]
+- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287]
+- Add DANE guards
-- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139]
-  - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch
-  - Rebased patches:
-  * disable-psk-file-test.patch
-  * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-  * gnutls-fips_mode_enabled.patch
-  - Remove patches merged upstream:
-  * gnutls-CVE-2020-11501.patch
-  * gnutls-CVE-2020-13777.patch
-  * gnutls-CVE-2020-24659.patch
-  * gnutls-CVE-2021-20231.patch
-  * gnutls-CVE-2021-20232.patch
-  * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-  * gnutls-fips_XTS_key_check.patch
-  * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-  * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-  * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-  * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-  * 0001-Add-Full-Public-Key-Check-for-DH.patch
-  * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-  * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-  * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-  * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-  * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-  * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-  * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-  * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-  * 0001-dh-check-validity-of-Z-before-export.patch
-  * 0002-ecdh-check-validity-of-P-before-export.patch
-  * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-  * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-  * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-  * 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-  * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
-  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-  * gnutls-3.6.7-fix-FTBFS-2024.patch
-  * gnutls-3.6.7-reproducible-date.patch
+- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch
+  since its already working.
-- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579)
-- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218)
+- Rework the crypto-policies dependencies in libraries [bsc#1186385]
+
+- Compute the FIPS hmac file without re-defining the
+  __os_install_post macro, use the brp-50-generate-fips-hmac
+  script instead. [bsc#1184555]
-- Security fix: [bsc#1183456, CVE-2021-20232]
-  * A use after free issue in client_send_params
-    in lib/ext/pre_shared_key.c may lead to memory
-    corruption and other potential consequences.
-- Add gnutls-CVE-2021-20232.patch
-
-- Security fix: [bsc#1183457, CVE-2021-20231]
-  * A use after free issue in client sending key_share extension
-    may lead to memory corruption and other consequences.
-- Add gnutls-CVE-2021-20231.patch
+- Require the main package in devel and lib packages as the default
+  priorities are now set via crypto-policies. [bsc#1183082]
-    verification
+  verification
+- Add version guards for the crypto-policies package
-- Avoid spurious audit messages about incompatible signature algorithms
-  (bsc#1172695)
-  * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
+- Require the crypto-policies package [bsc#1180051]
-- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
-  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-- FIPS: Add TLS KDF selftest (bsc#1176671)
-  * add gnutls-FIPS-TLS_KDF_selftest.patch
-
-- Escape rpm command %%expand when used in comment.
+- Use the centralized crypto policy profile (jsc#SLE-15832)
-
-- Fix heap buffer overflow in handshake with no_renegotiation alert sent
-  * CVE-2020-24659 (bsc#1176181)
-- add gnutls-CVE-2020-24659.patch
-
-- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
-- add patches
-  * 0001-Add-Full-Public-Key-Check-for-DH.patch
-  * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-  * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-  * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-  * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-  * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-  * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-  * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-  * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-  * 0001-dh-check-validity-of-Z-before-export.patch
-  * 0002-ecdh-check-validity-of-P-before-export.patch
-  * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-  * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-  * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
+- Escape rpm command %%expand when used in comment.
-- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction)
-  The TLS server would not bind the session ticket encryption key with a
-  value supplied by the application until the initial key rotation, allowing
-  attacker to bypass authentication in TLS 1.3 and recover previous
-  conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
-  * add patches:
-    + gnutls-CVE-2020-13777.patch
-- Fixed handling of certificate chain with cross-signed intermediate
-  CA certificates (#1008). (bsc#1172461)
-  * add patches:
-    +  0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-    +  0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-    +  0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-    +  0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-
-- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
-  * add gnutls-3.6.7-fips-rsa-4096.patch
-
-- Don't check for /etc/system-fips which we don't have (bsc#1169992)
-  * add gnutls-fips_mode_enabled.patch
-
-- Backport AES XTS support (bsc#1168835)
-  * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-  * add gnutls-fips_XTS_key_check.patch
-
-  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support)
+  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
+  support)
-- Fix zero random value in DTLS client hello
-  (CVE-2020-11501, bsc#1168345)
-  * add gnutls-CVE-2020-11501.patch
-
-  * update baselibs.conf
-
-- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue
-  * No longer truncate output IV if input is shorter than block size.
-  * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-
-- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test
-  * Added Diffie Hellman public key verification test.
-  * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
-- Explicitly require libnettle 3.4.1 (bsc#1134856)
-  * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order
-    to fix CVE-2018-16868, the new implementation makes use of a new
-    rsa_sec_decrypt() function introduced in libnettle 3.4.1
-  * libnettle was recently updated to the 3.4.1 version but we need
-    to add explicit dependency on it to prevent missing symbol errors
-    with the older versions
-
-- Restored autoreconf in build.
-- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-  since the version requirements of required libraries are once again
-  automatically determined.
-- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a
-  better patch name for handling the '--with-guile-site-dir=' problem in
-  3.6.7.
-
-- Disabled dane support since dane is not shipped with SLE-15
+- Disabled dane support in SLE since dane is not shipped there
-  option '--with-guile-site-dir=' was removed from the configure script in 3.6.7.
-  * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
+  option '--with-guile-site-dir=' was removed from the configure script.
+  * * Added gnutls-3.6.6-set_guile_site_dir.patch
-- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification
-  and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868)
-- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3
+- Update to 3.6.6
-  * Removed patches:
-    0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
-    0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
-    0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
-    0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
-  * Added Patches:
-  * * disable failing psk-file test (race condition):
-    disable-psk-file-test.patch
-  * * Patch configure script to accept specific versions of autotools and guile
-    that are present in SUSE-SLE15. (A bug prevents configure from accepting
-    a range of compatible versions. Upstream's solution is to hardwire for
-    the most current versions.)
-    gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-  * Modified:
-  * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-- Security update
-  Improve mitigations against Lucky 13 class of attacks
-  * "Just in Time" PRIME + PROBE cache-based side channel attack
-    can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
-  * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of
-    wrong constant (CVE-2018-10845, bsc#1105459)
-  * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not
-    enough dummy function calls (CVE-2018-10844, bsc#1105437)
-  * add patches:
-    0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
-    0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
-    0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
-    0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
-
google-noto-sans-cjk-fonts
+- use synthetic version 20201202.2.2004, as maintenance updates cannot
+  do version downgrades.
+
+feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts
+- The Noto Coloremoji fonts have already been renamed by now
+- The other Noto fonts will be renamed once upstream finishes migrating them to the new website
+  * https://github.com/notofonts/notofonts.github.io
+  fix: move zh_MO obsoletes and provides to Hong Kong TC fonts
+- Macau is physically and culturally closer to Hong Kong than Taiwan
+  fix: summary and description for Hong Kong TC fonts
+
+- Move google-noto-serif-cjk-fonts into its own repository again
+
+- Update version to 2.004
+- Follow upstream versioning: use version numbers instead of dates
+
+- Fix the source URL to be properly downloadable
+
+- Update version to 2.002(20201202)
+  * The copyright year was changed from “2014–2019” to “2014–2020.”
+  * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83.
+    Extension G encodings were added for U+30729, U+30EDD, U+30EDE,
+    and U+3106C and the previous GSUB rules were removed.
+  * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87
+  * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A
+  * Mapped HK U+5C13 å°“ to JP glyph
+  * Fixed U+21B9 as reported in Issue #260
+  * Changed Korean mapping for U+51A4 as reported in Issue #202
+  * The weights for Kanbun glyphs U+3191–U+319F have been adjusted
+    as mentioned in the table at the beginning of Issue #205.
+  * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276
+- Fix descriptions for *-full packages
+
+- Update version to 2.001(20190410)
+  * A second flavor of Traditional Chinese, for Hong Kong and supporting the
+    HKSCS-2016 standard, was add- ed, which increased the total number of font
+    resources by 16, from 72 to 88.
+  * 155 new mappings have been added to the CMap resources. 66 are from BMP code
+    points, 22 are from Plane 1 code points, and the remaining 67 are from
+    Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from
+    Extension B, two are from Extension C, three are from Extension E, and the
+    remaining five are from Extension F.
+  * As a result of removing approximately 1,750 glyphs in order to make room for
+    approximately 1,750 new glyphs, the CID assignments of the glyphs
+    necessarily—and drastically—changed. The CID assignments of exactly 200
+    glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232,
+    47262–47272, 47281–47286, and 65484.
+  * The Traditional Chinese form of the Radical #162 辶 component was improved.
+  * The URO is complete up through U+9FEF (Unicode Version 11.0).
+  * The glyphs for some of the kana were tweaked.
+  * The glyphs and support for bopomofo, along with their tone marks, were
+    improved. This involved adding the 'GDEF' (Glyph Definition) table, the
+    'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion
+    Forms) GSUB feature.
+  * The language and script declarations in the 'locl' and 'vert' GSUB features
+    were improved.
+  * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency
+  hangul syllables have been incorporated into the Unicode-base glyph synopsis
+  PDFs, and are bookmarked under the “Korean” book- mark.
+  * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359),
+    are included. This character has been reserved for the two-ideograph square
+    ligature that represents the name of Japan’s forthcoming new era which
+    starts on 2019-05-01, and will be the only character added in Unicode
+    Version 12.1.
+  * Like Source Han Serif, the CIDFont and CMap resources do not include XUID
+    arrays.
+  * Like Source Han Serif, there are no mappings for the range U+0000 through
+    U+001F.
+  * Like Source Han Serif, the code points that correspond to Halfwidth Jamo
+    variants map to glyphs that cor- respond to code points in the Hangul
+    Compatibility Jamo block. In other words, the glyphs for half-width jamo
+    have been removed.
+  * Like Source Han Serif, the 'name' table does not includes any Macintosh
+    (PlatformID=1) strings.
+  * Like Source Han Serif, the Regular weight is now style-linked to the Bold
+    weight. This means that the Bold weight may not appear in the font menu,
+    particularly when using applications that support style-linking as a way to
+    make text bold.
+  * Like Source Han Serif, the 'vert' GPOS feature is included.
+  * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not
+    included in the Korean fonts and font instances.
+- Split HongKong Fonts for NotoSans.
+
google-noto-serif-cjk-fonts
+- use 20201202.2.002 to still have linear increase in versions
+
+feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts
+- The Noto Coloremoji fonts have already been renamed by now
+- The other Noto fonts will be renamed once upstream finishes migrating them to the new website
+  * https://github.com/notofonts/notofonts.github.io
+  fix: move zh_MO obsoletes and provides to Hong Kong TC fonts
+- Macau is physically and culturally closer to Hong Kong than Taiwan
+
+- Move google-noto-serif-cjk-fonts into its own repository again
+
+- Update version to 2.001
+- Follow upstream versioning: use version numbers instead of dates
+
+- Fix the source URL to be properly downloadable
+
+- Update version to 2.002(20201202)
+  * The copyright year was changed from “2014–2019” to “2014–2020.”
+  * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83.
+    Extension G encodings were added for U+30729, U+30EDD, U+30EDE,
+    and U+3106C and the previous GSUB rules were removed.
+  * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87
+  * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A
+  * Mapped HK U+5C13 å°“ to JP glyph
+  * Fixed U+21B9 as reported in Issue #260
+  * Changed Korean mapping for U+51A4 as reported in Issue #202
+  * The weights for Kanbun glyphs U+3191–U+319F have been adjusted
+    as mentioned in the table at the beginning of Issue #205.
+  * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276
+
+- Update version to 2.001(20190410)
+  * A second flavor of Traditional Chinese, for Hong Kong and supporting the
+    HKSCS-2016 standard, was add- ed, which increased the total number of font
+    resources by 16, from 72 to 88.
+  * 155 new mappings have been added to the CMap resources. 66 are from BMP code
+    points, 22 are from Plane 1 code points, and the remaining 67 are from
+    Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from
+    Extension B, two are from Extension C, three are from Extension E, and the
+    remaining five are from Extension F.
+  * As a result of removing approximately 1,750 glyphs in order to make room for
+    approximately 1,750 new glyphs, the CID assignments of the glyphs
+    necessarily—and drastically—changed. The CID assignments of exactly 200
+    glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232,
+    47262–47272, 47281–47286, and 65484.
+  * The Traditional Chinese form of the Radical #162 辶 component was improved.
+  * The URO is complete up through U+9FEF (Unicode Version 11.0).
+  * The glyphs for some of the kana were tweaked.
+  * The glyphs and support for bopomofo, along with their tone marks, were
+    improved. This involved adding the 'GDEF' (Glyph Definition) table, the
+    'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion
+    Forms) GSUB feature.
+  * The language and script declarations in the 'locl' and 'vert' GSUB features
+    were improved.
+  * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency
+  hangul syllables have been incorporated into the Unicode-base glyph synopsis
+  PDFs, and are bookmarked under the “Korean” book- mark.
+  * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359),
+    are included. This character has been reserved for the two-ideograph square
+    ligature that represents the name of Japan’s forthcoming new era which
+    starts on 2019-05-01, and will be the only character added in Unicode
+    Version 12.1.
+  * Like Source Han Serif, the CIDFont and CMap resources do not include XUID
+    arrays.
+  * Like Source Han Serif, there are no mappings for the range U+0000 through
+    U+001F.
+  * Like Source Han Serif, the code points that correspond to Halfwidth Jamo
+    variants map to glyphs that cor- respond to code points in the Hangul
+    Compatibility Jamo block. In other words, the glyphs for half-width jamo
+    have been removed.
+  * Like Source Han Serif, the 'name' table does not includes any Macintosh
+    (PlatformID=1) strings.
+  * Like Source Han Serif, the Regular weight is now style-linked to the Bold
+    weight. This means that the Bold weight may not appear in the font menu,
+    particularly when using applications that support style-linking as a way to
+    make text bold.
+  * Like Source Han Serif, the 'vert' GPOS feature is included.
+  * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not
+    included in the Korean fonts and font instances.
+- Split HongKong Fonts for NotoSans.
+
gpg2
-- Security fix [CVE-2022-34903, bsc#1201225]
-  - Vulnerable to status injection
-  - Added patch gnupg-CVE-2022-34903.patch
-
-- gnupg-detect_FIPS_mode.patch: use AES as default cipher instead
-  of 3DES if we are in FIPS mode. (bsc#1196125)
-
-- Update gpg2 for SLE15-SP3 [jsc#SLE-17559, bsc#1182572]
-- Remove patches fixed upstream:
-  * gnupg-gpg-agent-ssh-agent.patch
-  * gnupg-2.2.22-fix-segv-import-keys.patch
-  * gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch
-  * gnupg-CRL-fetching-via-https.patch
-  * gnupg-CVE-2018-1000858.patch
-  * gnupg-CVE-2018-12020.patch
-  * gnupg-CVE-2019-13050_0_of_5.patch
-  * gnupg-CVE-2019-13050_1_of_5.patch
-  * gnupg-CVE-2019-13050_2_of_5.patch
-  * gnupg-CVE-2019-13050_3_of_5.patch
-  * gnupg-CVE-2019-13050_4_of_5.patch
-  * gnupg-CVE-2019-13050_5_of_5.patch
-  * gnupg-CVE-2019-14855.patch
-- Update gpg2.keyring
+- Fix the build in SLE and Leap by adding an exclude in the files
+  section for the dirmngr's systemd user units. [jsc#PED-7093]
+
+- Do not pull revision info from GIT when autoconf is run. This
+  removes the -unknown suffix after the version number.
+  * Add gnupg-nobetasuffix.patch [bsc#1216334]
+
+- Fix Emacs EasyPG behavior when parsing output:
+  * gpg: Report BEGIN_* status before examining the input.
+  * Upstream task: https://dev.gnupg.org/T6481
+  * Add gnupg-Report-BEGIN_-status-before-examining-the-input.patch
+
+- Install the internal executables in the /usr/libexec dir instead
+  of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth
+  gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase,
+  gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon.
+
+- Provide the systemd-user files since they have been removed
+  upstream since version 2.4.1. [bsc#1201564]
+  * Add gpg2-systemd-user.tar.xz
+
+- Install the systemd user units in the _userunitdir [bsc#1201564]
+  * Note that, there is no activation by default.
+  * Rework excludes in the spec's files section.
+
+- Revert back to use the IBM TPM Software stack.
+
+- Update to 2.4.3:
+  * gpg: Set default expiration date to 3 years. [T2701]
+  * gpg: Add --list-filter properties "key_expires" and
+    "key_expires_d". [T6529]
+  * gpg: Emit status line and proper diagnostics for write errors. [T6528]
+  * gpg: Make progress work for large files on Windows. [T6534]
+  * gpg: New option --no-compress as alias for -z0.
+  * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
+  * gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
+  * gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
+  * gpgtar: New option --no-compress.
+  * dirmngr: Extend the AD_QUERY command. [rG207c99567c]
+  * dirmngr: Disable the HTTP redirect rewriting. [T6477]
+  * dirmngr: New option --compatibility-flags. [rGbf04b07327]
+  * dirmngr: New option --ignore-crl-extensions. [T6545]
+  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
+    commands. [rG2c7f7a5a27]
+  * wkd: Make --add-revocs the default in gpg-wks-client. New option
+  - -no-add-revocs. [rG10c937ee68]
+  * scd: Make signing work for Nexus cards. [rGb83d86b988]
+  * scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce]
+
+- Update to 2.4.2:
+  * gpg: Print a warning if no more encryption subkeys are left over
+    after changing the expiration date.  [rGef2c3d50fa]
+  * gpg: Fix searching for the ADSK key when adding an ADSK.  [T6504]
+  * gpgsm: Speed up key listings on Windows.  [rG08ff55bd44]
+  * gpgsm: Reduce the number of "failed to open policy file"
+    diagnostics.  [rG68613a6a9d]
+  * agent: Make updating of private key files more robust and track
+    display S/N.  [T6135]
+  * keyboxd: Avoid longish delays on Windows when listing keys.
+    [rG6944aefa3c]
+  * gpgtar: Emit extra status lines to help GPGME.  [T6497]
+  * w32: Avoid using the VirtualStore.  [T6403]
+  * Rebase gnupg-add_legacy_FIPS_mode_option.patch
+
+- Update to 2.4.1:
+  * If the ~/.gnupg directory does not exist, the keyboxd is now
+    automagically enabled. [rGd9e7488b17]
+  * gpg: New option --add-desig-revoker. [rG3d094e2bcf]
+  * gpg: New option --assert-signer. [rGc9e95b8dee]
+  * gpg: New command --quick-add-adsk and other ADSK features.
+    [T6395, https://gnupg.org/blog/20230321-adsk.html]
+  * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]"
+    instead of the user-id in key signature listings. [rG103acfe9ca]
+  * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367]
+  * gpg: Detect already compressed data also when using a pipe. Also
+    detect JPEG and PNG file formats. [T6332]
+  * gpg: New subcommand "openpgp" for --card-edit. [T6462]
+  * gpgsm: Verification of detached signatures does now strip trailing
+    zeroes from the input if --assume-binary is used. [rG2a13f7f9dc]
+  * gpgsm: Non-armored detached signature are now created without
+    using indefinite form length octets. This improves compatibility
+    with some PDF signature verification software. [rG8996b0b655]
+  * gpgtar: Emit progress status lines in create mode. [T6363]
+  * dirmngr: The LDAP modifyTimestamp is now returned by some
+    keyserver commands. [rG56d309133f]
+  * ssh: Allow specification of the order keys are presented to ssh.
+    See the man page entry for --enable-ssh-support. [T5996, T6212]
+  * gpg: Make list-options "show-sig-subpackets" work again.
+    Fixes regression in 2.4.0. [rG5a223303d7]
+  * gpg: Fix the keytocard command for Yubikeys. [T6378]
+  * gpg: Do not continue an export after a cancel for the primary key. [T6093]
+  * gpg: Replace the --override-compliance-check hack by a real fix. [T5655]
+  * gpgtar: Fix decryption with input taken from stdin. [T6355]
+  * Rebase patches:
+  - gnupg-revert-rfc4880bis.patch
+  - gnupg-add_legacy_FIPS_mode_option.patch
+  * Remove patch fixed upstream:
+  - gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
+
+- Temporarily revert back to the pre-2.4 default for key generation.
+  The new rfc4880bis has been set as the default in 2.4 version and
+  might create incompatible keys. Note that, rfc4880bis can still
+  be used with the option flag --rfc4880bis as in previous versions.
+  * More info in the gnupg-devel ML:
+    https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
+  * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
+  * Add gnupg-revert-rfc4880bis.patch
+
+- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
+  * Add gnupg-allow-large-rsa.patch
+
+- Fix the regression test suite fails with the IBM TPM Software
+  stack. Builds fine using the Intel TPM; use the swtpm and
+  tpm2-0-tss-devel packages instead of ibmswtpm2 and ibmtss-devel.
+
+- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313
+  * The original patch has been modified to expand the changes
+    also to the tests/gpgme/Makefile.in file.
+  * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
+
+- Updated to require libgpg-error-devel >= 1.46
+- Rebased patches:
+  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+  * gnupg-add_legacy_FIPS_mode_option.patch
+- GnuPG 2.4.0:
+  * common: Fix translations in --help for gpgrt < 1.47.
+  * gpg: Do not continue the export after a cancel for the primary key.
+  * gpg: Replace use of PRIu64 in log_debug.
+  * Update NEWS for 2.4.0.
+  * tests: Fix make check with GPGME.
+  * agent: Allow arguments to "scd serialno" in restricted mode.
+  * scd:p15: Skip deleted records.
+  * build: Remove Windows CE support.
+  * wkd: Do not send/install/mirror expired user ids.
+  * gpgsm: Print the revocation time also with --verify.
+  * gpgsm: Fix "problem re-searching certificate" case.
+  * gpgsm: Print revocation date and reason in cert listings.
+  * gpgsm: Silence the "non-critical certificate policy not allowed".
+  * gpgsm: Always use the chain model if the root-CA requests this.
+  * gpg: New export option "mode1003".
+  * gpg: Remove a mostly duplicated function.
+  * tests: Simplify fake-pinentry to use the option only.
+  * tests: Fix fake-pinentry for Windows.
+  * tests: Fix make check-all.
+  * agent: Fix import of protected v5 keys.
+  * gpgsm: Change default algo to AES-256.
+  * tests: Put a workaround for semihosted environment.
+  * tests: More fix for semihosted environment.
+  * tests: Support semihosted environment.
+  * tests: Fix tests under cms.
+  * tests,w32: Fix for semihosted environment.
+  * w32: Fix for tests on semihosted environment.
+  * w32: Fix gnupg_unsetenv.
+  * wkd: New option --add-revocs and some fixes.
+  * wkd: Make use of --debug extprog.
+  * gpg: New export-filter export-revocs.
+  * gpg: Fix double-free in gpg --card-edit.
+  * gpg: Make --require-compliance work with out --status-fd.
+  * gpg: New option --list-filter.
+  * dirmngr: Silence ocsp debug output.
+  * tests: Fix to support --enable-all-tests and variants.
+  * tests:w32: Fix for non-dot file name for Windows.
+  * tests:gpgscm:w32: Fix for GetTempPath.
+  * tests: Keep .log files in objdir.
+  * tests: Use 233 for invalid value of FD.
+  * w32: Fix gnupg_tmpfile for possible failure.
+  * scd: Redact --debug cardio output of a VERIFY APDU.
+  * common: Remove Windows CE support in common.
+  * gpgsm: Fix colon outout of ECC encryption certificates.
+  * scd:nks: Fix ECC signing if key not given by keygrip.
+  * dirmngr: Fix verification of ECDSA signed CRLs.
+  * agent: Allow trustlist on Windows in Unicode homedirs.
+  * gpg: Fix verification of cleartext signatures with overlong lines.
+  * gpg: Move w32_system function.
+  * gpg: New option --quick-update-pref.
+  * gpg: New list-options show-pref and show-pref-verbose.
+  * tests: Add tests to check that OCB is only used for capable keys.
+  * gpg: Make --list-packets work w/o --no-armor for plain OCB packets.
+  * tests: Add symmetric decryption tests.
+  * tests: Add tr:assert-same function.
+  * agent: Avoid blanks in the ssh key's comment.
+  * build: Update m4 files.
+  * gpg: Merge --rfc4880bis features into --gnupg.
+  * gpg: Allow only OCB for AEAD encryption.
+  * gpg: New option --compatibility-flags.
+  * gpgsm: Also announce AES256-CBC in signatures.
+  * gpg: Fix trusted introducer for user-ids with only the mbox.
+  * gpg: Import stray revocation certificates.
+  * agent: Automatically convert to extended key format by KEYATTR.
+  * card: New commands "gpg" and "gpgsm".
+  * card: Also show fingerprints of known X.509 certificates.
+  * scd:nks: Support non-ESIGN signing with the Signature Card v2.
+  * gpgsm: Allow ECC encryption keys with just keyAgreement specified.
+  * gpgsm: Use macro constants for cert_usage_p.
+  * build: Update gpg-error.m4.
+  * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument.
+  * gpg: Move NETLIBS after GPG_ERROR_LIBS.
+  * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future.
+  * common,w32: Fix struct stat on Windows.
+  * agent,w32: Support Win32-OpenSSH emulation by gpg-agent.
+  * common: Don't use FD2INT for POSIX-only code.
+  * dirmngr: Fix build with no LDAP support.
+
+- GnuPG 2.3.8:
+  * gpg: Do not consider unknown public keys as non-compliant while
+    decrypting.
+  * gpg: Avoid to emit a compliance mode line if Libgcrypt is
+    non-compliant.
+  * gpg: Improve --edit-key setpref command to ease c+p.
+  * gpg: Emit an ERROR status if --quick-set-primary-uid fails and
+    allow to pass the user ID by hash.
+  * gpg: Actually show symmetric+pubkey encrypted data as de-vs
+    compliant.  Add extra compliance checks for symkey_enc packets.
+  * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
+    preference.
+  * gpgsm: Fix reporting of bad passphrase error during PKCS#11
+    import.
+  * agent: Fix a regression in "READKEY --format=ssh".
+  * agent: New option --need-attr for KEYINFO.
+  * agent: New attribute "Remote-list" for use by KEYINFO.
+  * scd: Fix problem with Yubikey 5.4 firmware.
+  * dirmngr: Fix CRL Distribution Point fallback to other schemes.
+  * dirmngr: New LDAP server flag "areconly" (A-record-only).
+  * dirmngr: Fix upload of multiple keys for an LDAP server specified
+    using the colon format.
+  * dirmngr: Use LDAP schema v2 when a Base DN is specified.
+  * dirmngr: Avoid caching expired certificates.
+  * wkd: Fix path traversal attack in gpg-wks-server. Add the mail
+    address to the pending request data.
+  * wkd: New command --mirror for gpg-wks-client.
+  * gpg-auth: New tool for authentication.
+  * New common.conf option no-autostart.
+  * Silence warnings from AllowSetForegroundWindow unless
+    GNUPG_EXEC_DEBUG_FLAGS is used.
+  * Rebase gnupg-detect_FIPS_mode.patch
+  * Remove patch upstream:
+  - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+
+- Fix YubiKey 5 Nano support (boo#1202201), add
+  gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+
+- GnuPG 2.3.7:
+  * CVE-2022-34903: garbled status messages could trick gpgme and
+    other parsers to accept faked status lines [boo#1201225]
+  * A number of bug fixes to the gpg command line interface
+  * gpgsm gained a number of new options and got some rework on
+    the PKCS#12 parser to support DFN issues keys
+  * The gpg agent got some added options and UI tweaks
+  * smart card support got a number of bug fixes, and improved
+    support for Technology Nexus cards and Yubikey
+  * The Telesec ESIGN application is now supported
+
+- added tpm support, added a new subpackage gpg2-tpm
+
+- GnuPG 2.3.6:
+  * Up to five times faster verification of detached signatures,
+    doubled detached signing speed, threefold decryption speedup
+    for large files, nearly double the AES256.OCB encryption speed
+  * Add support for GeNUA cards
+  * Added and improved options for crypto options, and all-around
+    bug fixes
+
+- GnuPG 2.3.4:
+  * gpg: New option --min-rsa-length
+  * gpg: New option --forbid-gen-key
+  * gpg: New option --override-compliance-check
+  * gpgconf: New command --show-configs
+  * agent,dirmngr,keyboxd: New option --steal-socket
+  * gpg: Fix printing of binary notations
+  * gpg: Remove stale ultimately trusted keys from the trustdb
+  * gpg: Fix indentation of --print-mds and --print-md sha512
+  * gpg: Emit gpg 2.2 compatible Ed25519 signature
+  * gpgsm: Detect circular chains in --list-chain
+  * dirmngr: Make reading resolv.conf more robust
+  * dirmngr: Ask keyservers to provide the key fingerprints
+  * gpgconf: Allow changing gpg's deprecated keyserver option
+  * gpg-wks-server: Fix created file permissions
+  * scd: Support longer data for ssh-agent authentication with
+    openpgp cards
+  * scd: Modify DEVINFO behavior to support looping forever
+  * Silence warning about the rootdir under Unices w/o a mounted
+    /proc file system
+  * Fix possible build problems about missing include files
+
+- GnuPG 2.3.3:
+  * agent: Fix segv in GET_PASSPHRASE (regression)
+  * dirmngr: Fix Let's Encrypt certificate chain validation
+  * gpg: Change default and maximum AEAD chunk size to 4 MiB
+  * gpg: Print a warning when importing a bad cv25519 secret key
+  * gpg: Fix --list-packets for undecryptable AEAD packets
+  * gpg: Verify backsigs for v5 keys correctly
+  * keyboxd: Fix checksum computation for no UBID entry on disk
+  * keyboxd: Fix "invalid object" error with cv448 keys
+  * dirmngr: New option --ignore-cert
+  * agent: Fix calibrate_get_time use of clock_gettime
+  * Support a gpgconf.ctl file under Unix and use this for the
+    regression tests
+
+- GnuPG 2.3.2:
+  * gpg: Allow fingerprint based lookup with --locate-external-key.
+  * gpg: Allow decryption w/o public key but with correct card inserted.
+  * gpg: Auto import keys specified with --trusted-keys.
+  * gpg: Do not use import-clean for LDAP keyserver imports.
+  * gpg: Fix mailbox based search via AKL keyserver method.
+  * gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
+  * gpg: Use a more descriptive prompt for symmetric decryption.
+  * gpg: Improve speed of secret key listing.
+  * gpg: Support keygrip search with traditional keyring.
+  * gpg: Let --fetch-key return an exit code on failure.
+  * gpg: Emit the NO_SECKEY status again for decryption.
+  * gpgsm: Support decryption of password based encryption (pwri).
+  * gpgsm: Support AES-GCM decryption.
+  * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint.
+  * gpgsm: Fix finding of issuer in use-keyboxd mode.
+  * gpgsm: New option --ldapserver as an alias for --keyserver.
+  * agent: Use SHA-256 for SSH fingerprint by default.
+  * agent: Fix calling handle_pincache_put.
+  * agent: Fix importing protected secret key.
+  * agent: Fix a regression in agent_get_shadow_info_type.
+  * agent: Add translatable text for Caps Lock hint.
+  * agent: New option --pinentry-formatted-passphrase.
+  * agent: Add checkpin inquiry for pinentry.
+  * agent: New option --check-sym-passphrase-pattern.
+  * agent: Use the sysconfdir for a pattern file.
+  * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
+  * dirmngr: LDAP search by a mailbox now ignores revoked keys.
+  * dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
+  * dirmngr: Allow for non-URL specified ldap keyservers.
+  * dirmngr: New option --ldapserver.
+  * dirmngr: Fix regression in KS_GET for mail address pattern.
+  * card: New option --shadow for the list command.
+  * tests: Make sure the built keyboxd is used.
+  * scd: Fix computing shared secrets for 512 bit curves.
+  * scd: Fix unblock PIN by a Reset Code with KDF.
+  * scd: Fix PC/SC removed card problem.
+  * scd: Recover the partial match for PORTSTR for PC/SC.
+  * scd: Make sure to release the PC/SC context.
+  * scd: Fix zero-byte handling in ECC.
+  * scd: Fix serial number detection for Yubikey 5.
+  * scd: Add basic support for AET JCOP cards.
+  * scd: Detect external interference when --pcsc-shared is in use.
+  * scd: Fix access to the list of cards.
+  * gpgconf: Do not list a disabled tpm2d.
+  * gpgconf: Make runtime changes with different homedir work.
+  * keyboxd: Fix searching for exact mail adddress.
+  * keyboxd: Fix searching with multiple patterns.
+  * tools: Extend gpg-check-pattern.
+  * wkd: Fix client issue with leading or trailing spaces in user-ids.
+  * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
+  * Change the default keyserver to keyserver.ubuntu.com. This is a
+    temporary change due to the shutdown of the SKS keyserver pools.
+
+- GnuPG 2.3.1:
+  * The new configuration file common.conf is now used to enable
+    the use of the key database daemon with "use-keyboxd". Using
+    this option in gpg.conf and gpgsm.conf is supported for a
+    transitional period. See doc/example/common.conf for more.
+  * gpg: Force version 5 key creation for ed448 and cv448 algorithms.
+  * gpg: By default do not use the self-sigs-only option when
+    importing from an LDAP keyserver.
+  * gpg: Lookup a missing public key of the active card via LDAP.
+  * gpgsm: New command --show-certs.
+  * scd: Fix CCID driver for SCM SPR332/SPR532.
+  * scd: Further improvements for PKCS#15 cards.
+  * New configure option --with-tss to allow the selection of the
+    TSS library.
+- Rebase patches:
+  * gnupg-add_legacy_FIPS_mode_option.patch
+  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+  * gnupg-dont-fail-with-seahorse-agent.patch
+  * gnupg-set_umask_before_open_outfile.patch
+
+- GnuPG 2.3.0:
+  * A new experimental key database daemon is provided.  To enable
+    it put "use-keyboxd" into gpg.conf and gpgsm.conf.  Keys are stored
+    in a SQLite database and make key lookup much faster.
+  * New tool gpg-card as a flexible frontend for all types of
+    supported smartcards.
+  * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
+    gpg-connect-agent.
+  * The gpg-wks-client tool is now installed under bin; a wrapper for
+    its old location at libexec is also installed.
+  * tpm2d: New daemon to physically bind keys to the local machine.
+  * gpg: Switch to ed25519/cv25519 as default public key algorithms.
+  * gpg: Verification results now depend on the --sender option and
+    the signer's UID subpacket.
+  * gpg: Do not use any 64-bit block size cipher algorithm for
+    encryption.  Use AES as last resort cipher preference instead of
+    3DES.  This can be reverted using --allow-old-cipher-algos.
+  * gpg: Support AEAD encryption mode using OCB or EAX.
+  * gpg: Support v5 keys and signatures.
+  * gpg: Support curve X448 (ed448, cv448).
+  * gpg: Allow use of group names in key listings.
+  * gpg: New option --full-timestrings to print date and time.
+  * gpg: New option --force-sign-key.
+  * gpg: New option --no-auto-trust-new-key.
+  * gpg: The legacy key discovery method PKA is no longer supported.
+    The command --print-pka-records and the PKA related import and
+    export options have been removed.
+  * gpg: Support export of Ed448 Secure Shell keys.
+  * gpgsm: Add basic ECC support.
+  * gpgsm: Support creation of EdDSA certificates.  [#4888]
+  * agent: Allow the use of "Label:" in a key file to customize the
+    pinentry prompt.
+  * agent: Support ssh-agent extensions for environment variables.
+    With a patched version of OpenSSH this avoids the need for the
+    "updatestartuptty" kludge.
+  * scd: Improve support for multiple card readers and tokens.
+  * scd: Support PIV cards.
+  * scd: Support for Rohde&Schwarz Cybersecurity cards.
+  * scd: Support Telesec Signature Cards v2.0
+  * scd: Support multiple application on certain smartcard.
+  * scd: New option --application-priority.
+  * scd: New option --pcsc-shared; see man page for important notes.
+  * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
+  * The symcryptrun tool, a wrapper for the now obsolete external
+    Chiasmus tool, has been removed.
+  * Full Unicode support for the command line.
+- dropped legacy commands: gpg-zip
+
+- Remove the "files-are-digests" option from the openSUSE package.
+  This feature was not upstream and only used in the OBS signing
+  daemon. The recommended upstream feature for separating the data
+  to be signed from the private keys is gpg agent forwarding,
+  available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
-- Fix segv importing certain keys (e.g. ed25519). [bsc#1176034]
-- Add gnupg-2.2.22-fix-segv-import-keys.patch
-
-- Fix warning: agent returned different signature type ssh-rsa
-  * The gpg-agent's ssh-agent does not handle flags in signing
-    requests properly [bsc#1161268, bsc#1172308]
-  * Add gnupg-gpg-agent-ssh-agent.patch
-
-- Security fix: [bsc#1157900, CVE-2019-14855, jsc#SLE-16534]
-  * Web of Trust forgeries using collisions in SHA-1 signatures
-  * Ignore all SHA-1 signatures in 3rd party key signatures.
-  * Forbid the creation of SHA-1 third-party key signatures.
-  * Add option --allow-weak-key-signatures
-- Add gnupg-CVE-2019-14855.patch
-
-- Remove self-buildrequire [bsc#1152755]
-
-- Security fix: [bsc#1141093, CVE-2019-13050]
-  * Denial of service attacks via big keys
-  * Added patches:
-  - gnupg-CVE-2019-13050_0_of_5.patch
-  - gnupg-CVE-2019-13050_1_of_5.patch
-  - gnupg-CVE-2019-13050_2_of_5.patch
-  - gnupg-CVE-2019-13050_3_of_5.patch
-  - gnupg-CVE-2019-13050_4_of_5.patch
-  - gnupg-CVE-2019-13050_5_of_5.patch
-
-- Allow coredumps in X11 desktop sessions (bsc#1124847)
-  gpg-agent unconditionally disables coredumps, which is not
-  supposed to happen in the code path that does just exec(argv[])
-  * Added gnupg-gpg-agent-ulimit.patch
-
+- Allow coredumps in X11 desktop sessions (bsc#1124847)
+  gpg-agent unconditionally disables coredumps, which is not
+  supposed to happen in the code path that does just exec(argv[])
+  gnupg-gpg-agent-ulimit.patch
+
-- Security fix: [bsc#1120346, CVE-2018-1000858]
-  * Cross Site Request Forgery (CSRF) vulnerability in dirmngr that
-    can result in Attacker controlled CSRF.
-  * Added patches:
-  - gnupg-CRL-fetching-via-https.patch
-  - gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch
-  - gnupg-CVE-2018-1000858.patch
-
-- Added gnupg-CVE-2018-12020.patch: Sanitize the diagnostic output of the
-  original file name in verbose mode (bsc#1096745, CVE-2018-12020).
-
gpgme
-- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114]
-  * Remove gpgme-test-json.patch fixed upstream
+- Update to 1.23.0:
+  * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559]
+  * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705]
+  * New key capability flags has_*. [T6748]
+  * gpgme-tool: Support use of Windows HANDLE. [T6634]
+  * qt: Support refreshing keys via WKD. [T6672]
+  * qt: Handle cancel in changeexpiryjob. [T6754]
+  * Remove patches fixed upstream:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Use GCC 12 for building the Qt6 library on Leap 15. The
+  default compiler is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Use GCC 12 for building the Qt6 library. The default compiler
+  is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Fix builds with qt and qt6 [T6673]:
+  * qt,tests: Fix build in source directory. Include Qt binding
+    sources before C++ binding sources and C sources. This fixes
+    the problem that the debug.h in the C sources was found before
+    the one in the Qt bindings.
+  * build: Suggest out-of-source build. Suggest to run configure
+    from a build subdirectory.
+  * Add patches:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Update to 1.22.0:
+  * Prevent wrong plaintext when verifying clearsigned signature.
+  * Return bad data error instead of general error on unexpected data.
+  * Take care of offline mode for all operations of gpgsm engine.
+  * Prepare the use of the forthcoming libassuan version 3.
+  * New configure option --with-libtool-modification.
+  * cpp: Expose gpgme_decrypt_result_t.is_mime.
+  * qt: Clean up after failure or cancel of sign/encrypt archive operation.
+  * qt: Add setInputEncoding to QGpgMe::EncryptJob.
+  * qt: Make toLogString helper public.
+  * Interface changes relative to the 1.21.0 release:
+  - qt: EncryptJob::setInputEncoding           NEW.
+  - qt: DecryptionResult::isMime               NEW.
+  - qt: toLogString                            NEW.
+
+- Run testsuite in qemu build
+
+- Update to 1.21.0
+  * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign
+    to allow writing the output directly to a file. [T6530]
+  * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the
+    input data directly from files. [T6530]
+  * For key signing and uid revoking allow an empty user id. [rMfbc3963d62]
+  * Pass an input-size-hint also to the gpgsm engine. [T6534]
+  * qt: Allow writing the created archives directly to a file. [T6530]
+  * qt: Allow reading the signed/encrypted archive to decrypt
+    or verify directly from a file. [T6530]
+  * qt: Qt Jobs working with QIODeviceDataProvider now properly
+    handle input-size hints and progress for files larger.
+    2^32 bytes in 32 bit builds. [T6534]
+  * cpp: Error::isCanceled now also returns true for error code
+    GPG_ERR_FULLY_CANCELED. [T6510]
+  * python: Fix wrong use of write. [T6501]
+  * Interface changes relative to the 1.20.0 release:
+  - cpp: Data::setFlag                            NEW.
+  - cpp: Data::setSizeHint                        NEW.
+  - qt: Job::startIt                              NEW.
+  - qt: DecryptVerifyArchiveJob::setInputFile     NEW.
+  - qt: DecryptVerifyArchiveJob::inputFile        NEW.
+  - qt: EncryptArchiveJob::setRecipients          NEW.
+  - qt: EncryptArchiveJob::recipients             NEW.
+  - qt: EncryptArchiveJob::setInputPaths          NEW.
+  - qt: EncryptArchiveJob::inputPaths             NEW.
+  - qt: EncryptArchiveJob::setOutputFile          NEW.
+  - qt: EncryptArchiveJob::outputFile             NEW.
+  - qt: EncryptArchiveJob::setEncryptionFlags     NEW.
+  - qt: EncryptArchiveJob::encryptionFlags        NEW.
+  - qt: SignArchiveJob::setSigners                NEW.
+  - qt: SignArchiveJob::signers                   NEW.
+  - qt: SignArchiveJob::setInputPaths             NEW.
+  - qt: SignArchiveJob::inputPaths                NEW.
+  - qt: SignArchiveJob::setOutputFile             NEW.
+  - qt: SignArchiveJob::outputFile                NEW.
+  - qt: SignEncryptArchiveJob::setSigners         NEW.
+  - qt: SignEncryptArchiveJob::signers            NEW.
+  - qt: SignEncryptArchiveJob::setRecipients      NEW.
+  - qt: SignEncryptArchiveJob::recipients         NEW.
+  - qt: SignEncryptArchiveJob::setInputPaths      NEW.
+  - qt: SignEncryptArchiveJob::inputPaths         NEW.
+  - qt: SignEncryptArchiveJob::setOutputFile      NEW.
+  - qt: SignEncryptArchiveJob::outputFile         NEW.
+  - qt: SignEncryptArchiveJob::setEncryptionFlags NEW.
+  - qt: SignEncryptArchiveJob::encryptionFlags    NEW.
+
+- Update to 1.20.0:
+  * On Windows, the gettext functions provided by gpgrt are switched
+    into utf8 mode, so that all localized texts returned by GpgME or
+    gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960]
+  * Key::canSign now returns false for OpenPGP keys without signing
+    (sub)key. [T6456]
+  * The new macOS Homebrew location is now by default supported. [T6440]
+  * Fix regression in 1.19.0.
+  * Fix invocation of gpgtar on Windows.
+  * Interface changes relative to the 1.19.0 release:
+  - gpgme_subkey_t              EXTENDED: New field 'can_renc'.
+  - gpgme_subkey_t              EXTENDED: New field 'can_timestamp'.
+  - gpgme_subkey_t              EXTENDED: New field 'is_group_owned'.
+  - cpp: Subkey::canRenc        NEW.
+  - cpp: Subkey::canTimestamp   NEW.
+  - cpp: Subkey::isGroupOwned   NEW.
+  - cpp: Key::canReallySign     DEPRECATED.
+  * Release-info: https://dev.gnupg.org/T6463
+
+- Add a Qt6 flavor to build Qt6 bindings
+- Use %ldconfig_scriptlets
+
+- Update to 1.19.0:
+  * New context flag "no-auto-check-trustdb". [T6261]
+  * Optionally, build QGpgME for Qt 6
+  * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342]
+  * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and
+    gpgme_op_sign* to allow creating an encrypted and/or signed
+    archive. [T6342]
+  * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*,
+    and gpgme_op_verify* to allow extracting an encrypted and/or
+    signed archive. [T6342]
+  * cpp: Handle error when trying to sign expired keys. [T6155]
+  * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and
+    WantAddress. [T6359]
+  * cpp, qt: Fix building with C++11.  [T6141]
+  * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit
+    systems  when adding an existing subkey to another key. [T6137]
+  * cpp: Allow setting the curve to use when generating ECC keys
+    for smart cards. [T4429]
+  * qt: Extend ListAllKeysJob to allow disabling the automatic
+    trust database check when listing all keys. [T6261]
+  * qt: Allow deferred start of import jobs. [T6323]
+  * qt: Support creating and extracting signed and encrypted
+    archives. [T6342]
+  * Rebase gpgme-suse-nobetasuffix.patch
+  * Remove patches upstream:
+  - gpgme-D546-python310.patch
+  - gpgme-1.18.0-T6137-qt_test.patch
+  - python311.patch
+
+- drop python2 subpackage handling. we do not support python 2.x
+  anymore, and if we would it would happen via singlespec
+
+- Update upstream keyring: https://gnupg.org/signature_key.asc
+
+- add python311.patch to build language bindings for python 3.11
+
+- Add gpgme-suse-nobetasuffix.patch
+  * remove "-unknown" suffix from version string
+  * boo#1205197
+
+- gpgme 1.18.0
+  * New keylist mode to force refresh via external methods
+  * The keylist operations now create an import result to report the
+    result of the locate keylist modes
+  * core: Return BAD_PASSPHRASE error code on symmetric decryption
+    failure
+  * cpp, qt: Do not export internal symbols anymore
+  * cpp, qt: Support revocation of own OpenPGP keys
+  * qt: The file name of (signed and) encrypted data can now be set
+  * cpp, qt: Support setting the primary user ID
+  * python: Fix segv(NULL) when inspecting contect after exeception
+- includes changes from version 1.17.1:
+  * qt: Fix a bug in the ABI compatibility of 1.17.0
+- includes changes from 1.17.0:
+  * New context flag "key-origin"
+  * New context flag "import-filter"
+  * New export mode to export secret subkeys
+  * Detect errors during the export of secret keys
+  * New function gpgme_op_receive_keys to import keys from a keyserver
+    without first running a key listing
+  * Detect bad passphrase error in certificate import
+  * Allow setting --key-origin when importing keys
+  * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr",
+    "pinentry", and "socketdir" in gpgme_get_dirinfo
+  * Under Unix use poll(2) instead of select(2), when available.
+  * Fix results returned by gpgme_data_* functions
+  * Support closefrom also for glibc
+    (drop upstream gpgme-use-glibc-closefrom.patch
+  * cpp,qt: Add support for export of secret keys and secret subkeys.
+  * cpp,qt: Support for adding existing subkeys to other keys
+  * qt: Extend ChangeExpiryJob to change expiration of primary key
+    and of subkeys at the same time
+  * qt: Support WKD lookup without implicit import
+  * qt: Allow specifying an import filter when importing keys
+  * qt: Allow retrieving the default value of a config entry
+- drop patches included upstream
+  * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+  * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
+- add patches to fix tests:
+  * gpgme-1.18.0-T6137-qt_test.patch
+
+- Add patches to support building bindings packages for
+  Python 3.10
+  * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545
+  * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546
-- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801]
-  * tests/json: Bravo key does not have secret key material
-  * tests/json: Do not check for keygrip of pubkeys
-  * core: Make sure the keygrip is available in WITH_SECRET mode
-- Add gpgme-test-json.patch
-
gpgme:qt
-- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114]
-  * Remove gpgme-test-json.patch fixed upstream
+- Update to 1.23.0:
+  * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559]
+  * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705]
+  * New key capability flags has_*. [T6748]
+  * gpgme-tool: Support use of Windows HANDLE. [T6634]
+  * qt: Support refreshing keys via WKD. [T6672]
+  * qt: Handle cancel in changeexpiryjob. [T6754]
+  * Remove patches fixed upstream:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Use GCC 12 for building the Qt6 library on Leap 15. The
+  default compiler is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Use GCC 12 for building the Qt6 library. The default compiler
+  is too old.
+- Use '%{without xxx}' rather than '!%{with xxx}' in spec file
+
+- Fix builds with qt and qt6 [T6673]:
+  * qt,tests: Fix build in source directory. Include Qt binding
+    sources before C++ binding sources and C sources. This fixes
+    the problem that the debug.h in the C sources was found before
+    the one in the Qt bindings.
+  * build: Suggest out-of-source build. Suggest to run configure
+    from a build subdirectory.
+  * Add patches:
+  - gpgme-qt-tests-Fix-build-in-source-directory.patch
+  - gpgme-build-Suggest-out-of-source-build.patch
+
+- Update to 1.22.0:
+  * Prevent wrong plaintext when verifying clearsigned signature.
+  * Return bad data error instead of general error on unexpected data.
+  * Take care of offline mode for all operations of gpgsm engine.
+  * Prepare the use of the forthcoming libassuan version 3.
+  * New configure option --with-libtool-modification.
+  * cpp: Expose gpgme_decrypt_result_t.is_mime.
+  * qt: Clean up after failure or cancel of sign/encrypt archive operation.
+  * qt: Add setInputEncoding to QGpgMe::EncryptJob.
+  * qt: Make toLogString helper public.
+  * Interface changes relative to the 1.21.0 release:
+  - qt: EncryptJob::setInputEncoding           NEW.
+  - qt: DecryptionResult::isMime               NEW.
+  - qt: toLogString                            NEW.
+
+- Run testsuite in qemu build
+
+- Update to 1.21.0
+  * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign
+    to allow writing the output directly to a file. [T6530]
+  * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the
+    input data directly from files. [T6530]
+  * For key signing and uid revoking allow an empty user id. [rMfbc3963d62]
+  * Pass an input-size-hint also to the gpgsm engine. [T6534]
+  * qt: Allow writing the created archives directly to a file. [T6530]
+  * qt: Allow reading the signed/encrypted archive to decrypt
+    or verify directly from a file. [T6530]
+  * qt: Qt Jobs working with QIODeviceDataProvider now properly
+    handle input-size hints and progress for files larger.
+    2^32 bytes in 32 bit builds. [T6534]
+  * cpp: Error::isCanceled now also returns true for error code
+    GPG_ERR_FULLY_CANCELED. [T6510]
+  * python: Fix wrong use of write. [T6501]
+  * Interface changes relative to the 1.20.0 release:
+  - cpp: Data::setFlag                            NEW.
+  - cpp: Data::setSizeHint                        NEW.
+  - qt: Job::startIt                              NEW.
+  - qt: DecryptVerifyArchiveJob::setInputFile     NEW.
+  - qt: DecryptVerifyArchiveJob::inputFile        NEW.
+  - qt: EncryptArchiveJob::setRecipients          NEW.
+  - qt: EncryptArchiveJob::recipients             NEW.
+  - qt: EncryptArchiveJob::setInputPaths          NEW.
+  - qt: EncryptArchiveJob::inputPaths             NEW.
+  - qt: EncryptArchiveJob::setOutputFile          NEW.
+  - qt: EncryptArchiveJob::outputFile             NEW.
+  - qt: EncryptArchiveJob::setEncryptionFlags     NEW.
+  - qt: EncryptArchiveJob::encryptionFlags        NEW.
+  - qt: SignArchiveJob::setSigners                NEW.
+  - qt: SignArchiveJob::signers                   NEW.
+  - qt: SignArchiveJob::setInputPaths             NEW.
+  - qt: SignArchiveJob::inputPaths                NEW.
+  - qt: SignArchiveJob::setOutputFile             NEW.
+  - qt: SignArchiveJob::outputFile                NEW.
+  - qt: SignEncryptArchiveJob::setSigners         NEW.
+  - qt: SignEncryptArchiveJob::signers            NEW.
+  - qt: SignEncryptArchiveJob::setRecipients      NEW.
+  - qt: SignEncryptArchiveJob::recipients         NEW.
+  - qt: SignEncryptArchiveJob::setInputPaths      NEW.
+  - qt: SignEncryptArchiveJob::inputPaths         NEW.
+  - qt: SignEncryptArchiveJob::setOutputFile      NEW.
+  - qt: SignEncryptArchiveJob::outputFile         NEW.
+  - qt: SignEncryptArchiveJob::setEncryptionFlags NEW.
+  - qt: SignEncryptArchiveJob::encryptionFlags    NEW.
+
+- Update to 1.20.0:
+  * On Windows, the gettext functions provided by gpgrt are switched
+    into utf8 mode, so that all localized texts returned by GpgME or
+    gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960]
+  * Key::canSign now returns false for OpenPGP keys without signing
+    (sub)key. [T6456]
+  * The new macOS Homebrew location is now by default supported. [T6440]
+  * Fix regression in 1.19.0.
+  * Fix invocation of gpgtar on Windows.
+  * Interface changes relative to the 1.19.0 release:
+  - gpgme_subkey_t              EXTENDED: New field 'can_renc'.
+  - gpgme_subkey_t              EXTENDED: New field 'can_timestamp'.
+  - gpgme_subkey_t              EXTENDED: New field 'is_group_owned'.
+  - cpp: Subkey::canRenc        NEW.
+  - cpp: Subkey::canTimestamp   NEW.
+  - cpp: Subkey::isGroupOwned   NEW.
+  - cpp: Key::canReallySign     DEPRECATED.
+  * Release-info: https://dev.gnupg.org/T6463
+
+- Add a Qt6 flavor to build Qt6 bindings
+- Use %ldconfig_scriptlets
+
+- Update to 1.19.0:
+  * New context flag "no-auto-check-trustdb". [T6261]
+  * Optionally, build QGpgME for Qt 6
+  * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342]
+  * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and
+    gpgme_op_sign* to allow creating an encrypted and/or signed
+    archive. [T6342]
+  * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*,
+    and gpgme_op_verify* to allow extracting an encrypted and/or
+    signed archive. [T6342]
+  * cpp: Handle error when trying to sign expired keys. [T6155]
+  * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and
+    WantAddress. [T6359]
+  * cpp, qt: Fix building with C++11.  [T6141]
+  * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit
+    systems  when adding an existing subkey to another key. [T6137]
+  * cpp: Allow setting the curve to use when generating ECC keys
+    for smart cards. [T4429]
+  * qt: Extend ListAllKeysJob to allow disabling the automatic
+    trust database check when listing all keys. [T6261]
+  * qt: Allow deferred start of import jobs. [T6323]
+  * qt: Support creating and extracting signed and encrypted
+    archives. [T6342]
+  * Rebase gpgme-suse-nobetasuffix.patch
+  * Remove patches upstream:
+  - gpgme-D546-python310.patch
+  - gpgme-1.18.0-T6137-qt_test.patch
+  - python311.patch
+
+- drop python2 subpackage handling. we do not support python 2.x
+  anymore, and if we would it would happen via singlespec
+
+- Update upstream keyring: https://gnupg.org/signature_key.asc
+
+- add python311.patch to build language bindings for python 3.11
+
+- Add gpgme-suse-nobetasuffix.patch
+  * remove "-unknown" suffix from version string
+  * boo#1205197
+
+- gpgme 1.18.0
+  * New keylist mode to force refresh via external methods
+  * The keylist operations now create an import result to report the
+    result of the locate keylist modes
+  * core: Return BAD_PASSPHRASE error code on symmetric decryption
+    failure
+  * cpp, qt: Do not export internal symbols anymore
+  * cpp, qt: Support revocation of own OpenPGP keys
+  * qt: The file name of (signed and) encrypted data can now be set
+  * cpp, qt: Support setting the primary user ID
+  * python: Fix segv(NULL) when inspecting contect after exeception
+- includes changes from version 1.17.1:
+  * qt: Fix a bug in the ABI compatibility of 1.17.0
+- includes changes from 1.17.0:
+  * New context flag "key-origin"
+  * New context flag "import-filter"
+  * New export mode to export secret subkeys
+  * Detect errors during the export of secret keys
+  * New function gpgme_op_receive_keys to import keys from a keyserver
+    without first running a key listing
+  * Detect bad passphrase error in certificate import
+  * Allow setting --key-origin when importing keys
+  * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr",
+    "pinentry", and "socketdir" in gpgme_get_dirinfo
+  * Under Unix use poll(2) instead of select(2), when available.
+  * Fix results returned by gpgme_data_* functions
+  * Support closefrom also for glibc
+    (drop upstream gpgme-use-glibc-closefrom.patch
+  * cpp,qt: Add support for export of secret keys and secret subkeys.
+  * cpp,qt: Support for adding existing subkeys to other keys
+  * qt: Extend ChangeExpiryJob to change expiration of primary key
+    and of subkeys at the same time
+  * qt: Support WKD lookup without implicit import
+  * qt: Allow specifying an import filter when importing keys
+  * qt: Allow retrieving the default value of a config entry
+- drop patches included upstream
+  * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+  * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
+- add patches to fix tests:
+  * gpgme-1.18.0-T6137-qt_test.patch
+
+- Add patches to support building bindings packages for
+  Python 3.10
+  * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545
+  * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546
-- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801]
-  * tests/json: Bravo key does not have secret key material
-  * tests/json: Do not check for keygrip of pubkeys
-  * core: Make sure the keygrip is available in WITH_SECRET mode
-- Add gpgme-test-json.patch
-
grub2
+- Fix reproducible build for grub.xen (bsc#1217619)
+  * 0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch
+  * 0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch
+
+- Fix unattended boot with TPM2 allows downgrading kernel and rootfs, also
+  enhancing the overall security posture (bsc#1216680)
+  * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
+  * 0002-Restrict-file-access-on-cryptodisk-print.patch
+  * 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
+  * 0004-Key-revocation-on-out-of-bound-file-access.patch
+
gstreamer-plugins-bad
+- Add gstreamer-plugins-bad-CVE-2023-44429.patch:
+  Backporting 1db83d3f from upstream, Clip tile rows and cols to 64
+  as describe in AV1 specification.
+  (CVE-2023-44429 bsc#1217211)
+
-  from upstream to fix a heap overwrite in PGS subtitle
-  overlay decoder which might trigger a crash or remote code
-  execution (CVE-2023-37329 bsc#1213126).
+  Backport 7ed446dc,0dabf0eb from upstream to fix a heap overwrite
+  in PGS subtitle overlay decoder which might trigger a crash or
+  remote code execution (CVE-2023-37329 bsc#1213126).
-- Add patch to support building with srt 1.3.4 in SLE
-  * fix-build-with-srt-1.3.4.patch
+- Add fix-build-with-srt-1.3.4.patch:
+  To support building with srt 1.3.4 in SLE.
+- Update to version 1.16.3 (bsc#1181255 CVE-2021-3185):
+  - amcvideodec: fix sync meta copying not taking a reference
+  - audiobuffersplit: Perform discont tracking on running time
+  - audiobuffersplit: Specify in the template caps that only interleaved audio is supported
+  - audiobuffersplit: Unset DISCONT flag if not discontinuous
+  - autoconvert: Fix lock-less exchange or free condition
+  - autoconvert: fix compiler warnings with g_atomic on recent GLib versions
+  - avfvideosrc: element requests camera permissions even with capture-screen property is true
+  - codecparsers: h264parser: guard against ref_pic_markings overflow
+  - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated
+  - dtls/connection: fix EOF handling with openssl 1.1.1e
+  - fdkaacdec: add support for mpegversion=2
+  - hls: Check nettle version to ensure AES128 support
+  - ipcpipeline: Rework compiler checks
+  - interlace: Increment phase_index before checking if we're at the end of the phase
+  - lv2: Make it build with -fno-common
+  - h264parser: Do not allocate too large size of memory for registered user data SEI
+  - ladspa: fix unbounded integer properties
+  - modplug: avoid division by zero
+  - msdkdec: Fix GstMsdkContext leak
+  - msdkenc: fix leaks on windows
+  - musepackdec: Don't fail all queries if no sample rate is known yet
+  - openslessink: Allow openslessink to handle 48kHz streams.
+  - opencv: allow compilation against 4.2.x
+  - proxysink: event_function needs to handle the event when it is disconnecetd from proxysrc
+  - vulkan: Drop use of VK_RESULT_BEGIN_RANGE
+  - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset
+  - wasapi: Fix possible deadlock while downwards state change
+  - waylandsink: Clear window when pipeline is stopped
+  - webrtc: Support non-trickle ICE candidates in the SDP
+  - webrtc: Unmap all non-binary buffers received via the datachannel
+  - meson: build with neon 0.31
+- Drop upstream fixed patch: gstreamer-h264parser-fix-overflow.patch
+
+- Drop gstreamer-plugins-bad-patch-source.sh
+- Drop pre_checkin.sh
haveged
+- Remove haveged-switch-root.service because it's implemented incorrectly and
+  neither upstream don't know how to fix it (#77). On the other hand, without
+  this service haveged will be started from scratch after switch root so it's
+  hopefully no big deal. Also remove patch for bsc#1203079 as it's considered
+  as a security threat because of creating fixed name file in world-writable
+  directory. [jsc#PED-6184, bsc#1206699]
+  * Remove
+  - haveged-switch-root.service
+  - haveged-switch-root.patch
+
hplip
-- hppsfilter: booklet printing: change insecure fixed /tmp file paths
-  (bsc#1214399)
-  * add hppsfilter-booklet-printing-change-insecure-fixed-tm.patch
-
-- Update to hplip 3.23.8 (jsc#PED-5846)
+- Update to hplip 3.23.8
icu73_2
+- icu4c-73_c-ICU-22512-Fix-broken-TestHebrewCalendarInTemporalLeapYear.patch
+  Fix testsuite issue in hebrew calendar (bsc#1217479)
+
jbigkit
+- security update
+- added patches
+  fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler
+  + jbigkit-CVE-2022-1210.patch
+
kdump
+- upgrade to version 2.0.0
+  * add support for riscv64 (bsc#1204214)
+  * mkdumprd: fix the check for updated SSH keys
+  * prefer by-path and device-mapper aliases (bsc#1217617)
+  * udev: don't reload kdump if kernel handles hotplug (jsc#PED-5077)
+
kernel-firmware
+- Update to version 20231214 (git commit b80907ec3a81):
+  * qcom: Add Audio firmware for SM8650 QRD
+  * qcom: Add Audio firmware for SM8550 QRD
+  * Add rdfind for deb/rpm build jobs
+  * wfx: update to firmware 3.17
+  * wfx: fix broken firmware
+
+- Update to version 20231205 (git commit bfc33c1e308e):
+  * linux-firmware: Update AMD cpu microcode
+  * cxgb4: Update firmware to revision 1.27.5.0
+  * linux-firmware: add firmware for en8811h 2.5G ethernet phy
+  * s5p-mfc: Add MFC v12 Firmware
+  * qcom: update qrb4210 firmware
+  * qcom: update qcm2290 firmware
+  * qcom: update qcm2290/qrb4210 WiFi firmware file
+  * qcom: update Venus firmware file for v6.0
+
+- Update to version 20231128 (git commit d9f6088f7e91):
+  * Add a COPYOPTS variable
+  * rtl_bt: Update RTL8852A BT USB firmware to 0xDFC8_145F
+
+- Update to version 20231127 (git commit 4124f8f928d5):
+  * Make rdfind optional
+  * ice: update ice DDP wireless_edge package to 1.3.13.0
+  * linux-firmware: update firmware for mediatek bluetooth chip (MT7922)
+  * linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
+  * linux-firmware: update firmware for MT7922 WiFi device
+  * linux-firmware: update firmware for MT7921 WiFi device
+  * Makefile, copy-firmware: Use portable "command -v" to detect installed programs
+  * amdgpu: update DMCUB firmware to 0.0.194.0 for DCN321 and DCN32
+  * powervr: add firmware for Imagination Technologies AXE-1-16M GPU
+  * ice: update ice DDP comms package to 1.3.45.0
+  * ice: update ice DDP package to 1.3.35.0
+  * mediatek: Remove an unused packed library
+  * amdgpu: update DMCUB firmware to 0.0.193.0 for DCN31 and DCN314
+- Drop obsoleted copy-file-skip-rdfind.patch; use --ignore-duplicates
+
+- Update to version 20231120 (git commit 9552083a783e):
+  * mediatek: Sync shared memory structure changes
+  * Intel Bluetooth: Update firmware file for Intel Bluetooth BE200
+  * i915: Update MTL DMC to v2.19
+  * Make email replies more resilient
+  * Try both utf-8 and windows-1252 for decoding email
+
+- Update to version 20231116 (git commit 6723a8d90923):
+  * iwlwifi: fix for the new FWs from core83-55 release
+  * Enable deb and rpm builds on tags
+  * linux-firmware: Add firmware for Cirrus CS35L41 on HP G11 Laptops
+  * linux-firmware: Add firmware for Cirrus CS35L41 on 2024 ASUS Zenbook Laptops
+
+- Update to version 20231115 (git commit a07fd0b96b5a):
+  * iwlwifi: add new FWs from core83-55 release
+  * iwlwifi: update cc/Qu/QuZ firmwares for core83-55 release
+  * Add a workaround for gitlab.freedesktop.org pull requests
+  * Add extra debugging output when processing pull requests
+  * Process pull requets directly from mbox
+  * linux-firmware: add firmware for mt7988 internal 2.5G ethernet phy
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX101
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX203
+  * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX211
+  * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX210
+
+- Update to version 20231110 (git commit 74158e7ac86d):
+  * amdgpu: DMCUB updates for various AMDGPU ASICs
+  * Ensure rdfind is installed
+  * Add checks for destination directory being specified
+  * Fix symlink creation for some files
+  * Fix classification of some pull requests
+  * nvidia: add GSP-RM version 535.113.01 firmware images
+- Skip rdfind (not included in our distro as default):
+  copy-file-skip-rdfind.patch
+- Fix make-files.sh to handle symlinked directories
+
-- Update to version 20231019 (git commit d983107a2dfa):
+- Update to version 20231019 (git commit d983107a2dfa)
+  (bsc#1215823, CVE-2023-20592):
+  (bsc#1215831, CVE-2021-26345, CVE-2021-46766, CVE-2021-46774,
+  CVE-2022-23820, CVE-2022-23830, CVE-2023-20519, CVE-2023-20521,
+  CVE-2023-20526, CVE-2023-20533, CVE-2023-20566):
krb5
+- Update patch 0007-SELinux-integration.patch for SELinux 3.5
+
libgpg-error
+- Do not pull revision info from GIT when autoconf is run. This
+  removes the -unknown suffix after the version number.
+  * Add libgpg-error-nobetasuffix.patch [bsc#1216334]
+
+- Update to 1.47:
+  * New error codes for PUKs and reset codes. [T6421]
+  * Avoid segv in logging with improper use of the "socket://".
+  * Fixed translation of argparse's internal option --help.
+  * Interface changes relative to the 1.46 release:
+  - GPG_ERR_SOURCE_TKD             NEW.
+  - GPG_ERR_BAD_PUK                NEW.
+  - GPG_ERR_NO_RESET_CODE          NEW.
+  - GPG_ERR_BAD_RESET_CODE         NEW.
+  - GPGRT_SPAWN_KEEP_STDIN         NEW.
+  - GPGRT_SPAWN_KEEP_STDOUT        NEW.
+  - GPGRT_SPAWN_KEEP_STDERR        NEW.
+  - GPGRT_SPAWN_INHERIT_FILE       NEW.
+  * Release-info: https://dev.gnupg.org/T6231
+
+- Update to 1.46:
+  * Support for bidirectional pipes under Windows.
+  * REG_DWORD types are now support in the Windows Registry.
+  * Added ES_SYSHD_SOCK support for gpgrt_sysopen under Windows.
+  * Fixed gpgrt_log_get_fd for the file case.
+  * Avoids header problem with C11 and "noreturn".
+  * The gpg-error-config command is not installed by default, because
+    it is now replaced by use of pkg-config/gpgrt-config with
+    gpg-error.pc.  Supply --enable-install-gpg-error-config configure
+    option, if it's really needed.
+  * Fixed support of posix-lock for FreeBSD.
+  * Build fixes for some Mingw tool chain versions.
+  * Removed remaining support for WindowsCE.
+  * Updated config.guess, config.sub, and config.rpath.
+  * gpg-error-config is now only installed when enabled.
+  * System paths are now stripped from --cflags --and --libs.
+
+- update to 1.45:
+  * gpgrt_access and gpgrt_mkdir now support file names longer than
+    MAX_PATH
+
+- Update to 1.44:
+  * Fix dependency to gpg-error-config-test.sh.
+  * Run the posix locking test only on supported platforms.
+  * Detect Linux systems using musl.
+  * Fix gpg-error-config-test for PKG_CONFIG_LIBDIR.
+  * Fix returning of option attributes for options with args.
+  * Add Turkish translations.
+
+- Update to 1.43:
+  * Fix for building against GNU libc 2.34.
+  * Fix gpgrt-config problems.
+  * Fix gpgrt_free for legacy platforms.
+  * Fix truncation of error message in the middle of a character.
+  * Fix the --disable-threads configure options.
+  * Improve lock-obj generation for cross-builds.
+  * Improve cross-builds.
+  * Improve gpgrt_wait_processes.
+
libksba
-- Security fix: [bsc#1206579, CVE-2022-47629]
-  * Integer overflow in the CRL signature parser.
-  * Add libksba-CVE-2022-47629.patch
-
-- Security fix: [bsc#1204357, CVE-2022-3515]
-  * Detect a possible overflow directly in the TLV parser.
-  * Add libksba-CVE-2022-3515.patch
+- Do not pull revision info from GIT when autoconf is run. This
+  removes the -unknown suffix after the version number.
+  * Run autoreconf for the added patch and add the build
+    dependecies on autoconf, automake and libtool.
+  * Add libksba-nobetasuffix.patch [bsc#1216334]
+
+- Update to 1.6.4:
+  * Correctly detect CMS write errors. [rK9ced7706f2]
+  * Release-info: https://dev.gnupg.org/T6543
+
+- update to 1.6.3 (bsc#1206579, CVE-2022-47629):
+  * Fix another integer overflow in the CRL parser.
+  Release-info: https://dev.gnupg.org/T6304
+
+- libksba 1.6.2: [bsc#1204357, CVE-2022-3515]
+  * Fix integer overflow in the CRL parser.
+
+- libksba 1.6.1:
+  * Allow an OCSP server not to return the sent nonce
+- fix rpmlint warnings
+
+- libksba 1.6.0:
+  * Limited support for the Authenticated-Enveloped-Data
+    content type.
+  * Support password based decryption.
+  * Silence warnings from static analyzers.
+  * Interface changes relative to the 1.5.0 release:
+  - KSBA_CT_AUTHENVELOPED_DATA       NEW.
+
+- libksba 1.5.1:
+  * Support Brainpool curves specified by ECDomainParameters
+
+- libksba 1.5.0:
+  * ksba_cms_identify now identifies OpenPGP keyblock content
+  * Supports TR-03111 plain format ECDSA signature verification
+  * Fixes a CMS signed data parser bug exhibited by a somewhat
+  strange CMS message
+- remove deprecated texinfo macros and update signing keyring
+
+- libksba 1.4.0:
+  * Supports ECDSA and EdDSA certificate creation and parsing.
+  * Supports ECDH enveloped data.
+  * Supports ECDSA and EdDSA signed data.
+  * Supports rsaPSS signature verification.
+  * Supports standard file descriptors in ksba_reader_read.
+  * Allows for optional elements in keyinfo objects.
+  * Fixes error detection in the CMS parser.
+  * Fixes memory leak in ksba_cms_identify.
+  * New constants KSBA_VERSION and KSBA_VERSION_NUMBER.
+  * New API to make creation of DER objects easy.
+  * Interface changes relative to the 1.3.5 release:
+  KSBA_VERSION                     NEW.
+  KSBA_VERSION_NUMBER              NEW.
+  KSBA_CT_SPC_IND_DATA_CTX         NEW.
+  KSBA_CLASS_*                     NEW.
+  KSBA_TYPE_*                      NEW.
+  ksba_der_t                       NEW.
+  ksba_der_release                 NEW.
+  ksba_der_builder_new             NEW.
+  ksba_der_builder_reset           NEW.
+  ksba_der_add_ptr                 NEW.
+  ksba_der_add_val                 NEW.
+  ksba_der_add_int                 NEW.
+  ksba_der_add_oid                 NEW.
+  ksba_der_add_bts                 NEW.
+  ksba_der_add_der                 NEW.
+  ksba_der_add_tag                 NEW.
+  ksba_der_add_end                 NEW.
+  ksba_der_builder_get             NEW.
-- libksba 1.3.1:
-  * Fixed memory leak in CRL parsing
-  * Build fixes for ppc64el
-
-- Use URL for source
-
libnvme
+- Update to version 1.6+5.g68c6ffb:
+  * avoid stack corruption by unaligned DMA to user space buffers
+    (bsc#1216344, gh#linux-nvme/libnvme#727)
+
libpwquality
+- Update to version 1.4.5:
+  + Minor bug fixes and documentation enhancements.
+  + Updated translations.
+
libqt5-qtbase
+- buildrequire pkconfig(icu-i18n) instead of libicu-devel to get
+  prefered libicuu
+
+- Add patch from upstream that fixes a buffer overflow in
+  QXmlStreamReader (bsc#1214327, CVE-2023-37369):
+  * CVE-2023-37369-qtbase-5.15.diff
+
libraw
-- security update
-- added patches
-  fix CVE-2021-32142 [bsc#1208470], Buffer Overflow in the LibRaw_buffer_datastream:gets function
-  + libraw-CVE-2021-32142.patch
+- update to 0.21.1:
+  * fixed typo in panasonic metadata parser
+  * Multiple fixes inspired by oss-fuzz project
+  * Phase One/Leaf IIQ-S v2 support
+  * Canon CR3 filmrolls
+  * Canon CRM (movie) files
+  * Tiled bit-packed (and 16-bit unpacked) DNGs
+  * (non-standard) Deflate-compressed integer DNG files are allowed
+  * Canon EOS R3, R7 and R10
+  * Fujifilm X-H2S, X-T30 II
+  * OM System OM-1
+  * Leica M11
+  * Sony A7-IV (ILCE-7M4)
+  * DJI Mavic 3
+  * Nikon Z9: standard compression formats only
+
+- Update to 0.21.0:
+  * Camera format support:
+    + Phase One/Leaf IIQ-S v2 support
+    + Canon CR3 filmrolls/RawBurst
+    + Canon CRM (movie) files
+    + Tiled bit-packed (and 16-bit unpacked) DNGs
+    + (non-standard) Deflate-compressed integer DNG files are allowed
+  * Camera support:
+    + Canon EOS R3, R7 and R10
+    + Fujifilm X-H2S, X-T30 II
+    + OM System OM-1
+    + Leica M11
+    + Sony A7-IV (ILCE-7M4)
+    + DJI Mavic 3
+    + Nikon Z9: standard compression formats only
+  * Multiple (resultion) thumbnails support
+  * Misc:
+    + Nikon makernotes: read NEFCompression tag for HE/HE* files
+    + Nikon orientation tag: more fixed offsets for known cameras
+    + Adobe DNG SDK 1.6 support (meaning, just an additional patch for GPR SDK)
+  * Bugs fixed:
+    + Fixed possible out-of-buffer read in Nikon orientation tag parser
+    + Out-of-range read-only array access in postprocessing if output_color is set to 0 (raw color)
+    + Minolta Z2 was not recognized correctly on 32-bit systems
+    + Fixed possible buffer overflow in Kodak C330 decoder
+    + dcraw_process(): check for buffer allocation results to avoid NULL deref
+    + Multiple bugfixes inspired by oss-fuzz project
-    CVE-2018-5819
+    CVE-2018-5819,CVE-2021-32142
-    bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519)
+    bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519,bsc#1208470)
libreoffice
+- Fix CVE-2023-6186, deny arbitrary script execution for link targets,
+  bsc#1217578
+  * CVE-2023-6186-1.patch
+  * CVE-2023-6186-2.patch
+  * CVE-2023-6186-3.patch
+  * CVE-2023-6186-4.patch
+  * CVE-2023-6186-5.patch
+- Fix CVE-2023-6185, improper input validation enabling arbitrary
+  Gstreamer pipeline injection, bsc#1217577
+  * CVE-2023-6185.patch
+
libselinux
+- Repair initrd libselinux check in selinux-ready
+
+- Do not BuildRequire swig and ruby-devel in the main build phase:
+  those are only needed for the bindings.
+
+- (bsc#1212618) Divide libselinux and libselinux-bindings again.
+  libselinux itself is in Ring0 so it has to have absolutely
+  minimal dependencies, so it is better to separate
+  libselinux-bindings into a separate pacakge.
+
+- Fix python packaging by setting the name to a fixed value
+
+- Remove separate libselinux-bindings SPEC file (bsc#1212618).
+
+- Add explicit BuildRequires for python3-pip and python3-wheel on
+  15.5, currently the macros don't do the right thing
+
+- allow building this with different python versions, to make this
+  usable for the new sle15 macro (using python3.11)
+
+- Add python-wheel build dependency to build correctly with latest
+  python-pip version.
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
+  of LTO
+
+- Enable LTO as it works fine now.
+
+- Update to version 3.5:
+  * check for truncations
+  * avoid newline in avc message
+  * bail out on path truncations
+  * add getpidprevcon to gather the previous context before the last
+    exec of a given process
+  * Workaround for heap overhead of pcre
+  * fix memory leaks on the audit2why module init
+  * ignore invalid class name lookup
+- Drop restorecon_pin_file.patch, is upstream
+- Refreshed python3.8-compat.patch
+- Added additional developer key (Jason Zaman)
+
+- Fixed initrd check in selinux-ready (bnc#1186127)
+
+- Added restorecon_pin_file.patch. Fixes issus when running
+  fixfiles/restorecon
+
+- Update to version 3.4:
+  * Use PCRE2 by default
+  * Make selinux_log() and is_context_customizable() thread-safe
+  * Prevent leakeing file descriptors
+  * Correctly hash specfiles larger than 4G
+- Refreshed skip_cycles.patch
+
+- Add Requires for exact libselinux1 version for selinux-tools
+- Simplyfied check for correct boot paramaters in selinux-ready
+  (bsc#1195361)
+
+- Update to version 3.3:
+  * Lots of smaller issues fixed found by fuzzing
+
+- Add missing libselinux-utils Provides to selinux-tools so that
+  %selinux_requires works
+
+- Remove Recommends for selinux-autorelabel. It's better to have this
+  in the policy package itself (bsc#1181837)
+
+- Switch to pcre2:
+  + Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+  + Pass USE_PCRE2=y to make.
+  + Replace pkgconfig(libpcre) Requires in -devel static with
+    pkgconfig(libpcre2-8).
+
+- Update to version 3.2:
+  * Use mmap()'ed kernel status page instead of netlink by default.
+    See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
+  * New log callback levels for enforcing and policy load notices -
+    SELINUX_POLICYLOAD, SELINUX_SETENFORCE
+  * Changed userspace AVC setenforce and policy load messages to audit
+    format.
+
+- Add Recommends: selinux-autorelabel, which is very important
+  for healthy use of the SELinux on the system (/.autorelabel
+  mechanism) (bsc#1181837).
+
+- install to /usr (boo#1029961)
+
+  * Refreshed python3.8-compat.patch
+- Added swig4_moduleimport.patch to prevent import errors due to
+  SWIG 4
+
+- Add python3.8-compat.patch which makes build possible even with
+  Python 3.8, which doesn’t automatically adds -lpython<ver>
+
+- Disable LTO (boo#1133244).
+
+- Updated spec file to use python3. Added python3.patch to fix
+  build
+
+- Update libselinux-2.2-ruby.patch: use RbConfig instead of
+  deprecated Config.
+
libsemanage
+- Remove build counter syncing for real
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
+  of LTO
+
+- Enable LTO now (boo#1138812).
+
+- Update to version 3.5
+  * Allow user to set SYSCONFDIR
+  * always write kernel policy when check_ext_changes is specified
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * Optionally rebuild policy when modules are changed externally
+  * Fix USE_AFTER_FREE (CWE-672) in semanage_direct_get_module_info()
+  * Allow spaces in user/group names
+
+- Drop Buildrequires for libustr-devel, not needed anymore
+
+- Update to version 3.3
+  * Fixed use-after-free in parse_module_store()
+  * Fixed use_after_free in semanage_direct_write_langext()
+
+- Link to correct so version
+- Minor spec file cleanups
+
+- Move configuration file to separate libsemanage-conf package to allow
+  for parallel installation in future versions
+
+- Update to version 3.2
+  * dropped old and deprecated symbols and functions
+    libsemanage version was bumped to libsemanage.so.2
+  * libsemanage tries to sync data to prevent empty files in SELinux module
+    store
+
libsepol
+- Enable LTO now (boo#1138813).
+
+- Update to version 3.5
+  * Stricter policy validation
+  * do not write empty class definitions to allow simpler round-trip tests
+  * reject attributes in type av rules for kernel policies
+- Added additional developer key (Jason Zaman)
+
+- Update to version 3.4
+  * Add 'ioctl_skip_cloexec' policy capability
+  * Add sepol_av_perm_to_string
+  * Add policy utilities
+  * Support IPv4/IPv6 address embedding
+  * Hardened/added many validations
+  * Add support for file types in writing out policy.conf
+  * Allow optional file type in genfscon rules
+
+- Update to version 3.3
+  * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
+    are all included
+  * Lot of smaller fixes identified by fuzzing
+
+- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928.
+  Added CVE-2021-36087.patch
+
+- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
+  Added CVE-2021-36085.patch
+- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
+  Added CVE-2021-36086.patch
+
+- Update to version 3.2
+  * more space-efficient form of storing filename transitions in the binary
+    policy and reduced the size of the binary policy
+  * dropped old and deprecated symbols and functions. Version was bumped to
+    libsepol.so.2
+
+- install to /usr (boo#1029961)
+
libssh2_org
+- Security fix: [bsc#1218127, CVE-2023-48795]
+  * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
+  * Add libssh2_org-CVE-2023-48795.patch
+
libstorage-ng
+- merge gh#openSUSE/libstorage-ng#968
+- make more use of new SystemCmd interface
+- 4.5.161
+
+- merge gh#openSUSE/libstorage-ng#967
+- block more udev by-id links (bsc#1217459)
+- adapted testsuite
+- 4.5.160
+
+- Translated using Weblate (Portuguese (Brazil)) (bsc#1149754)
+- 4.5.159
+
+- merge gh#openSUSE/libstorage-ng#966
+- fixed build with libxml 2.12.0
+- 4.5.158
+
+- merge gh#openSUSE/libstorage-ng#965
+- refactored class SystemCmd
+- fixed passing huge amount of data to stdin
+- coding style
+- 4.5.157
+
+- merge gh#openSUSE/libstorage-ng#964
+- extended testsuite
+- 4.5.156
+
+- merge gh#openSUSE/libstorage-ng#963
+- extended testsuite
+- 4.5.155
+
+- merge gh#openSUSE/libstorage-ng#962
+- improved error reporting in SystemCmd
+- 4.5.154
+
+- merge gh#openSUSE/libstorage-ng#961
+- added testcase
+- 4.5.153
+
+- merge gh#openSUSE/libstorage-ng#960
+- make more use of new SystemCmd interface
+- added const
+- 4.5.152
+
+- merge gh#openSUSE/libstorage-ng#959
+- removed unused function
+
+- merge gh#openSUSE/libstorage-ng#958
+- make more use of new SystemCmd interface
+- prefer make_unique over new
+- fixed compound action generation for removing btrfs qgroup
+  relations
+
libtirpc
+- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862)
+
lsof
+- lsof 4.99.0:
+  * Do not hard-code fd numbers in epoll test
+  * --with-selinux configure option.
+  * Improve performance by using closefrom()
+  * Introduce liblsof for programmatic access over spawning lsof
+    in a subprocess
+- build with libtirpc
+- switch to upstream tarball again as it dropped proprietary code
+
+- Repacked tarball to remove proprietary code in dialects/uw/uw7/sys/fs
+
+- lsof 4.98.0:
+  * Fix two potential null pointer access bug when gethostbyname2()
+    returns an empty address list
+  * Fix handling of empty command name
+  * Add -H switch to print human readable size, e.g. 123.4K
+
+- update to 4.97.0:
+  * Remove support because the os is no longer updated for
+    more than 10 years
+  * Remove support because the os is no longer updated
+    for more than 20 years
+  * Add experimental build system based on Autotools
+  * Fixed LTsock testing on darwin
+  * Remove NEW and OLD folders
+  * Fix FreeBSD testcases
+  * Rewrite documentation and publish at https://lsof.readthedocs.io/
+
+- update to 4.96.5:
+  * Avoid C89-only constructs is Configure
+- drop format.patch, now upstream
+
+- format.patch: Use correct scanf/printf format for uint64_t
+- Build with %{optflags}
+
+- update to 4.96.4
+  * fix hash functions used for finding local tcp/udp IPCs
+  * Show copyright notice in --version output.
+  * Avoid some easy collissions for udp/udp6 sockets when hashing
+  * Changing the number of ipcbuckets to 4096
+  * obtain correct information of memory-mapped file.
+- drop remove-hostname.patch now upstream
+
+- Update remove-hostname.patch with the upstream version
+
+- Fix hostname in reproducible builds, bsc#1199709
+  * remove-hostname.patch
+
+- update to 4.95.0:
+  * Update perl scripts for the past few decades of progress
+  * Drop LSOF_CCDATE across all dialects to ensure reproducible builds
+  * Fix FD field description.
+  * Adjust alignment of buffer passed to stat().
+  * Clean up source code and documents.
+  - remove trailing whitespace,
+  - fix some issues in scripts found through shellcheck, and
+  - fix spelling
+  * man page: fix hyphen issues
+  * Fix broken LSOF_CFLAGS_OVERRIDE.
+  * [linux] Remove sysvlegacy function.
+  * [linux] use close_range instead of calling close repeatedly
+  * Add -Q option for adjusting exit status when failed to find a
+    search item (#129)
+- drop lsof-no-build-date-etc.patch (obsolete)
+
+- Update to 4.94.0:
+  * Fix various bugs
+  * Display more information for eventfd and other objects
+- Remove lsof-glibc-linux-5.0.patch as it has been fixed upstream
+- Remove lsof_4.81-include.patch as it is not needed anymore
+- Remove lsof_4.81-perl.patch as this change is now done inside the spec file
+- Remove lsof_4.81-fmt.patch as it is not needed anymore
+
+- update to 4.93.2:
+  The maintainership is switched from Vic to lsof-org
+  Made FreeBSD 13 adjustment.
+  Fix a typo causing a build error.
+  Fix a potential memory leak.
+  [linux] use tirpc for rpc if libc doesn't provide rpc.h.
+  Fix a typo in man page.
+  fix memory leaks detected by valgrind about unix endpoint
+    information.
+  Update the description about -fg and -fG options on linux.
+  Fix a broken symbolic link.
+  Update the version number embedded in lsof executable.
+- lsof-no-build-date-etc.patch: refreshed against newer base
+
+- Add lsof-glibc-linux-5.0.patch: Fix build with
+  linux-glibc-devel-5.0 by including sysmacros.h as needed (bsc#1181571)
+
-- license update: Zlib
-  lsof license is most similar to Zlib (also use SPDX format)
-
-- repack the tarball to remove legally problematic files
-  (bnc#705143)
-
-- change perl reference to /usr/bin/perl which actually exists
-
-- perl4 refference causes missing perl4 dependency
-
-- portability fixes (by Pascal)
-
-- Do not include build host specific information including
-  date and compilation time to make build-compare happy
-
-- update to lsof 4.84
-  * corrects a man page nroff command error
-  * recognizes FreeBSD 7.3
-  * adds improved task support, initially for Linux
-
-- update to lsof 4.83
-  * corrects an over-zealous test that causes lsof to produce no
-    ouput when the HASSECURITY and HASNOSOCKSECURITTY have been
-    specified at lsof build time
-  * fixes a typo with the LINUX_HASSELUNIX Configure variable
-  * accepts LSOF_RANLIB from the environment
-  * added Linux test for __UCLIBC__
-
-- fix 64bit issue (gcc 4.5)
-
-- enable parallel build
-
lvm2
+- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339)
+  * 2.03.22:
+  * Fix pv_major/pv_minor report field types so they are integers, not strings.
+  * Add lvmdevices --delnotfound to delete entries for missing devices.
+  * Always use cachepool name for metadata backup LV for lvconvert --repair.
+  * Make metadata backup LVs read-only after pool's lvconvert --repair.
+  * Handle 'lvextend --usepolicies' for pools for all activation variants.
+  * Fix memleak in vgchange autoactivation setup.
+  * Support conversion from thick to fully provisioned thin LV.
+  * Cache/Thin-pool can use error and zero volumes for testing.
+  * Individual thin volume can be cached, but cannot take snapshot.
+  * internal support for handling error and zero target (for testing).
+  * COW above trimmed maximal size is does not return error.
+  * Add lvm.conf thin_restore and cache_restore settings.
+  * Handle multiple mounts while resizing volume with a FS.
+  * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id.
+  * Fix failing -S|--select for non-reporting cmds if using LV info/status fields.
+  * Allow snapshots of raid+integrity LV.
+  * Fix multisegment RAID1 allocator to prevent using single disk for more legs.
+  * 2.03.21:
+  * Allow (write)cache over raid+integrity LV.
+  * 2.03.20:
+  * Fix segfault if using -S|--select with log/report_command_log=1 setting.
+  * 2.03.19:
+  * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
+  * Ensure udev is processing origin LV before its thick snapshots LVs.
+  * 2.03.18:
+  * Fix warning for thin pool overprovisioning on lvextend.
+  * Add support for writecache metadata_only and pause_writeback settings.
+  * Fix missing error messages in lvmdbusd.
+  * 2.03.17:
+  * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported).
+  * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
+  * Fix lv_active field type to binary so --select and --binary applies properly.
+  * Error out in lvm shell if using a cmd argument not supported in the shell.
+  * Fix lvm shell's lastlog command to report previous pre-command failures.
+  * Add --valuesonly option to lvmconfig to print only values without keys.
+  * Add json_std output format for more JSON standard compliant version of output.
+  * Fix many corner cases in device_id, including handling of S/N duplicates.
+  * Fix various issues in lvmdbusd.
+- device-mapper version upgrade to 1.02.196
+  * Improve parallel creation of /dev/mapper/control device node.
+  * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev.
+  * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings.
+  * Improve 'dmsetup create' without given table line with new kernels.
+  * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format.
+- Drop patches that have been merged into upstream
+  - 0001-devices-file-move-clean-up-after-command-is-run.patch
+  - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch
+  - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch
+  - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch
+  - 0005-pvdisplay-restore-reportformat-option.patch
+  - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch
+  - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch
+  - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch
+  - 0009-mm-remove-libaio-from-being-skipped.patch
+  - 0010-dmsetup-check-also-for-ouf-of-range-value.patch
+  - 0011-devices-drop-double-from-sysfs-path.patch
+  - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch
+  - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch
+  - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch
+  - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch
+  - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch
+- Add upstream patch
+  + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch
+  + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch
+  + 0003-lvconvert-fix-regresion-from-integrity-check.patch
+  + 0004-gcc-cleanup-warnings.patch
+  + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch
+  + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch
+  + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch
+  + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch
+  + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch
+  + 0010-lvmlockd-client-mutex-ordering.patch
+  + 0011-filesystem-move-stat-after-open-check.patch
+  + 0012-tests-check-for-writecache.patch
+  + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch
+  + 0014-gcc-fix-warnings-for-x32-architecture.patch
+  + 0015-gcc-warning-missing-braces-around-initializer.patch
+  + 0016-test-improve-aux-teardown.patch
+  + 0017-tests-aux-try-with-extra-sleep.patch
+  + 0018-tests-aux-using-singl-lvmconf-call.patch
+  + 0019-tests-missing-to-check-for-writecache-support.patch
+  + 0020-tests-pvmove-large-disk-area.patch
+  + 0021-tests-enforce-full-fs-check.patch
+  + 0022-tests-update-for-work-in-fake-dev-environment.patch
+  + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch
+  + 0024-tests-better-slowdown.patch
+- Update patch
+  - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch
+  - bug-1184124-link-tests-as-PIE.patch
+  - bug-1184687_Add-nolvm-for-kernel-cmdline.patch
+  - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch
+- Rename & Update patch
+  - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
+  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch
+- update lvm2.spec
+  - change upstream_device_mapper_version to 1.02.196
+  - change device_mapper_version to %{lvm2_version}_1.02.196
+  - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf
+  - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package
+
lvm2:devicemapper
+- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339)
+  * 2.03.22:
+  * Fix pv_major/pv_minor report field types so they are integers, not strings.
+  * Add lvmdevices --delnotfound to delete entries for missing devices.
+  * Always use cachepool name for metadata backup LV for lvconvert --repair.
+  * Make metadata backup LVs read-only after pool's lvconvert --repair.
+  * Handle 'lvextend --usepolicies' for pools for all activation variants.
+  * Fix memleak in vgchange autoactivation setup.
+  * Support conversion from thick to fully provisioned thin LV.
+  * Cache/Thin-pool can use error and zero volumes for testing.
+  * Individual thin volume can be cached, but cannot take snapshot.
+  * internal support for handling error and zero target (for testing).
+  * COW above trimmed maximal size is does not return error.
+  * Add lvm.conf thin_restore and cache_restore settings.
+  * Handle multiple mounts while resizing volume with a FS.
+  * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id.
+  * Fix failing -S|--select for non-reporting cmds if using LV info/status fields.
+  * Allow snapshots of raid+integrity LV.
+  * Fix multisegment RAID1 allocator to prevent using single disk for more legs.
+  * 2.03.21:
+  * Allow (write)cache over raid+integrity LV.
+  * 2.03.20:
+  * Fix segfault if using -S|--select with log/report_command_log=1 setting.
+  * 2.03.19:
+  * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
+  * Ensure udev is processing origin LV before its thick snapshots LVs.
+  * 2.03.18:
+  * Fix warning for thin pool overprovisioning on lvextend.
+  * Add support for writecache metadata_only and pause_writeback settings.
+  * Fix missing error messages in lvmdbusd.
+  * 2.03.17:
+  * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported).
+  * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
+  * Fix lv_active field type to binary so --select and --binary applies properly.
+  * Error out in lvm shell if using a cmd argument not supported in the shell.
+  * Fix lvm shell's lastlog command to report previous pre-command failures.
+  * Add --valuesonly option to lvmconfig to print only values without keys.
+  * Add json_std output format for more JSON standard compliant version of output.
+  * Fix many corner cases in device_id, including handling of S/N duplicates.
+  * Fix various issues in lvmdbusd.
+- device-mapper version upgrade to 1.02.196
+  * Improve parallel creation of /dev/mapper/control device node.
+  * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev.
+  * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings.
+  * Improve 'dmsetup create' without given table line with new kernels.
+  * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format.
+- Drop patches that have been merged into upstream
+  - 0001-devices-file-move-clean-up-after-command-is-run.patch
+  - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch
+  - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch
+  - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch
+  - 0005-pvdisplay-restore-reportformat-option.patch
+  - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch
+  - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch
+  - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch
+  - 0009-mm-remove-libaio-from-being-skipped.patch
+  - 0010-dmsetup-check-also-for-ouf-of-range-value.patch
+  - 0011-devices-drop-double-from-sysfs-path.patch
+  - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch
+  - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch
+  - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch
+  - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch
+  - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch
+- Add upstream patch
+  + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch
+  + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch
+  + 0003-lvconvert-fix-regresion-from-integrity-check.patch
+  + 0004-gcc-cleanup-warnings.patch
+  + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch
+  + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch
+  + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch
+  + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch
+  + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch
+  + 0010-lvmlockd-client-mutex-ordering.patch
+  + 0011-filesystem-move-stat-after-open-check.patch
+  + 0012-tests-check-for-writecache.patch
+  + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch
+  + 0014-gcc-fix-warnings-for-x32-architecture.patch
+  + 0015-gcc-warning-missing-braces-around-initializer.patch
+  + 0016-test-improve-aux-teardown.patch
+  + 0017-tests-aux-try-with-extra-sleep.patch
+  + 0018-tests-aux-using-singl-lvmconf-call.patch
+  + 0019-tests-missing-to-check-for-writecache-support.patch
+  + 0020-tests-pvmove-large-disk-area.patch
+  + 0021-tests-enforce-full-fs-check.patch
+  + 0022-tests-update-for-work-in-fake-dev-environment.patch
+  + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch
+  + 0024-tests-better-slowdown.patch
+- Update patch
+  - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch
+  - bug-1184124-link-tests-as-PIE.patch
+  - bug-1184687_Add-nolvm-for-kernel-cmdline.patch
+  - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch
+- Rename & Update patch
+  - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
+  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch
+- update lvm2.spec
+  - change upstream_device_mapper_version to 1.02.196
+  - change device_mapper_version to %{lvm2_version}_1.02.196
+  - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf
+  - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package
+
mariadb-connector-c
+- Update to release 3.1.22:
+  * https://mariadb.com/kb/en/mariadb-connector-c-3-1-22-release-notes/
+
ncurses
+- Add patch bsc1218014-cve-2023-50495.patch
+  * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
+
+- Add patch boo1201384.patch
+  * Do not fully reset serial lines
+
openssh
+- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
+  This mitigates a prefix truncation attack that could be used to
+  undermine channel security.
+
+- Enhanced SELinux functionality. Added
+  * openssh-7.8p1-role-mls.patch
+    Proper handling of MLS systems and basis for other SELinux
+    improvements
+  * openssh-6.6p1-privsep-selinux.patch
+    Properly set contexts during privilege separation
+  * openssh-6.6p1-keycat.patch
+    Add ssh-keycat command to allow retrival of authorized_keys
+    on MLS setups with polyinstantiation
+  * openssh-6.6.1p1-selinux-contexts.patch
+    Additional changes to set the proper context during privilege
+    separation
+  * openssh-7.6p1-cleanup-selinux.patch
+    Various changes and putting the pieces together
+  For now we don't ship the ssh-keycat command, but we need the patch
+  for the other SELinux infrastructure
+  This change fixes issues like bsc#1214788, where the ssh daemon
+  needs to act on behalf of a user and needs a proper context for this
+
openvpn
+- update to 2.6.8: (jsc#PED-5763 bsc#1217073)
+  * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF
+    state - the new sanity check function introduced in 2.6.7 sometimes
+    tried to use a NULL pointer after an unsuccessful TLS handshake
+  * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
+    use a send buffer after it has been free()d in some circumstances,
+    causing some free()d memory to be sent to the peer. All configurations
+    using TLS (e.g. not using --secret) are affected by this issue.
+  * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
+    restore --fragment configuration in some circumstances, leading to a
+    division by zero when --fragment is used. On platforms where division
+    by zero is fatal, this will cause an OpenVPN crash.
+  * DCO: warn if DATA_V1 packets are sent by the other side - this a hard
+    incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4
+    server, and the only fix is to use --disable-dco.
+  * Remove OpenSSL Engine method for loading a key. This had to be removed
+    because the original author did not agree to relicensing the code with
+    the new linking exception added. This was a somewhat obsolete feature
+    anyway as it only worked with OpenSSL 1.x, which is end-of-support.
+  * add warning if p2p NCP client connects to a p2mp server - this is a
+    combination that used to work without cipher negotiation (pre 2.6 on
+    both ends), but would fail in non-obvious ways with 2.6 to 2.6.
+  * add warning to --show-groups that not all supported groups are listed
+    (this is due the internal enumeration in OpenSSL being a bit weird,
+    omitting X448 and X25519 curves).
+  * --dns: remove support for exclude-domains argument (this was a new 2.6
+    option, with no backend support implemented yet on any platform, and it
+    turns out that no platform supported it at all - so remove option again)
+  * warn user if INFO control message too long, do not forward to management
+    client (safeguard against protocol-violating server implementations)
+  * DCO-WIN: get and log driver version (for easier debugging).
+  * print "peer temporary key details" in TLS handshake
+  * log OpenSSL errors on failure to set certificate, for example if the
+    algorithms used are in acceptable to OpenSSL (misleading message would be
+    printed in cryptoapi / pkcs11 scenarios)
+  * add CMake build system for MinGW and MSVC builds
+  * remove old MSVC build system
+  * improve cmocka unit test building for Windows
+
p11-kit
+- Ensure that programs using <p11-kit/pkcs11x.h> can be compiled
+  with CRYPTOKI_GNU. Fixes GnuTLS builds. [jsc#PED-6705]
+  * Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch
+
-- new version 0.20.3
-  * Fix problems reinitializing managed modules after fork
-  * Fix bad bookeeping when fail initializing one of the modules
-  * Fix case where module would be unloaded while in use [#74919]
-  * Remove assertions when module used before initialized [#74919]
-  * Fix handling of mmap failure and mapping empty files [#74773]
-  * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
-  * Require automake 1.12 or later
-  * Build fixes for Windows [#76594 #74149]
-- apply patches to avoid errors from certificates with invalid public key
-  (fdo#82328, bnc#890908,
-  trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
-  trust-Print-label-of-certificate-when-complaining-.patch)
-
perl-Cpanel-JSON-XS
+- updated to 4.37
+  see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
+  4.37 2023-07-04 (rurban)
+  - Fix NAN/INF for AIX (Tux: AIX-5.3, tested by XSven on AIX-7.3) GH #165
+  - Fix empty string result in object stringification (PR #221 jixam)
+  - Allow \' in strings when allow_singlequote is enabled (PR #217 warpspin)
+
plocate
+- Add Provides/Obsoletes mlocate for Tumbleweed only
+  * Since CtLG Leap have try to make SLE compatible as much as possible,
+    SLE's default locate system is mlocate and it should not be replaced
+    by other locate service by default. plocate be an option.
+
poppler
-- security update
-- added patches
-  fix CVE-2023-34872 [bsc#1213888], remote denial-of-service in OutlineItem::open in Outline.cc
-  + poppler-CVE-2023-34872.patch
+- Add patch to let it build with the heavily patched tiff 4.0.9
+  we have in SLE 15:
+  * reduce-libtiff-required-version.patch
+
+- version update to 23.10.0
+    core:
+  * cairo: update type 3 fonts for cairo 1.18 api
+  * Fix crash on malformed files
+    build system:
+  * Make a few more dependencies soft-mandatory
+  * Add more supported gnupg releases
+  * Check if linker supports version scripts
+- modified patches
+  % reduce-boost-required-version.patch (refreshed)
+
+- build with gpgmepp for signing documents (bsc#1215632)
+
+- Update to version 23.09.0:
+  * core:
+  - Add Android-specific font matching functionality
+  - Fix digital signatures for NeedAppearance=true
+  - Forms: Don't look up same glyph multiple times
+  - Provide the key location for certificates you can sign with
+  - Add ToUnicode support for similarequal
+  - Fix crash on malformed files
+  * qt5:
+  - Provide the key location for certificates you can sign with
+  - Allow to force a rasterized overprint preview during PS
+    conversion
+  * qt6:
+  - Provide the key location for certificates you can sign with
+  - Allow to force a rasterized overprint preview during PS
+    conversion
+  * pdfsig:
+  - Provide the key location for certificates you can sign with
+- Changes from version 23.08.0:
+  * core:
+  - Fix GWG 19.2 - DeviceN Overprint (White)
+  - Splash: avoid bogus memory allocation size in
+    doTilingPatternFill
+  - Fix use-of-uninitialized-value in XRef
+  - Fix float-cast-overflow error in Catalog
+  - Cleanup gpgme backend code
+  - Version symbols in poppler core
+  * glib:
+  - Improve poppler_get_available_signing_certificates
+  - Add new members to PopplerCertificateInfo
+  * utils:
+  - pdftotext: small improvement to man page
+- Bump poppler_sover to 131 following upstream changes.
+
+- update to 23.07.0:
+  core:
+  * Fix reading of utf8-with-bom files
+  * Fix crash if CERT_ExtractPublicKey doesn't return a public
+    key
+  * Fix rendering of some malformed documents. Issue #1395
+  * Allow for stream compression and compress font streams in
+    forms Remove method Hints::getPageRanges
+  qt5:
+  * Fix crash when overprint preview is enabled
+  * Don't fail signature basics tests if backend is not
+    configured
+  qt6:
+  * Fix crash when overprint preview is enabled
+  * Don't fail signature basics tests if backend is not
+    configured
+  utils:
+  * pdfsig: Allow showung and selecting signature backend
+  * pdfsig: Describe signature dump format in manual page
+
+- update to 23.06.0 (bsc#1212255):
+  * CairoOutputDev: Fix crash when doing type3 rendering
+  * Fix crash with unknown signature hashing algorithms
+  * Add gpgme backend for signature handling
+  * FontInfo: Make it return proper information about font
+    substitution
+  * FontInfo: Try harder to get Type 3 font name
+  * Store embedded fonts widths table in a more effective manner
+  * Skip font lookup for nonprintable characters
+  * Fix crash on malformed files
+  * Add API to allow selecting signature backend (nss or gpgme)
+  * Convert embedded files to bytearray a bit smarter
+
+- update to 23.05.0:
+  * Fix crash when filling some forms
+  * Set SigFlags when signing unsigned signature
+  * Add some infrastructure code to support multiple signing
+    backends
+  * Fix potential stack overflow in PostScriptFunction::parseCode
+  * Fix some minor uninitialised memory reads
+
+- update to 23.04.0:
+  * Fix memory issue when signing fails. Issue #1372
+  * Internal improvements of signature related code
+  * CairoOutputDev: improve type3 font rendering
+  * Fix memory leak in
+    GlobalParams::findSystemFontFileForFamilyAndStyle
+  * pdftocairo: Fix crash in some special situations
+  * pdfsig: allow holes in -dump signature list
+  * pdfsig: Support --help
+
+- update to 23.03.0:
+  core:
+  * PngWriter: Fix potential uninitialized memory use
+
+- Update to version 23.02.0:
+  + core:
+  * CairoOutputDev:
+    . Fix rendering of color type 3 fonts
+    . Add handling matte entry
+  * Fix segfault on wrong nssdir
+  * Fix "NSS could not shutdown"
+  + utils: pdfsig: Point out supports PKCS#11 URIs as nickname
postfix
+- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack
+  (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide
+  Apply patch containing the feature smtpd_forbid_unauth_pipelining
+  as default yes.
+  add patch:
+    postfix-3.7-patch06
+- Security: the Postfix SMTP server optionally disconnects remote
+  SMTP clients that violate RFC 2920 (or 5321) command pipelining
+  constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+  synchronization" and logs the unexpected remote SMTP client input.
+  Specify "smtpd_forbid_unauth_pipelining = yes" to enable.
+- Workaround to limit collateral damage from OS distributions that
+  crank up security to 11, increasing the number of plaintext email
+  deliveries. This introduces basic OpenSSL configuration file support,
+  with two new parameters "tls_config_file" and "tls_config_name".
+  Details are in the postconf(5) manpage under "tls_config_file" and
+  "tls_config_name".
+
ppp
+- bsc#1218251, CVE-2022-4603, ppp-CVE-2022-4603.patch: improper
+  validation of array index of the component pppdump.
+
python-pip
+- Add CVE-2023-5752-r-param-hg.patch to fix bsc#1217353
+  (CVE-2023-5752) avoiding injection of arbitrary configuration
+  through Mercurial parameter.
+
python3-cryptography
+- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
+  segfault could occur when loading certificates from a PKCS#7 bundle.
+  bsc#1217592
+
rdma-core
+- Update to v49.0 (jsc#PED-6891, jsc#PED-6864, jsc#PED-6839, jsc#PED-6836,
+    jsc#PED-6828, jsc#PED-6824, jsc#PED-6958, jsc#PED-6943, jsc#PED-6933, jsc#PED-6916)
+  - No release notes available.
+
sg3_utils
+- Make sure initrd is rebuilt when sg3_utils is updated
+  (bsc#1215772)
+
+- Update to version 1.47+15.b6898b8:
+  * rescan-scsi-bus.sh: remove /tmp/rescan-scsi-mpath-info.txt
+  (gh#doug-gilbert/sg3_utils#44)
+  * rescan_scsi_bus.sh: fix multipath issue when called with -s and
+  without -u (bsc#1215720, bsc#1216355)
+
tracker-miners
+- Add tracker-miners-CVE-2023-5557.patch: A bug in libcue could
+  lead to possible sandbox escape in tracker-extract, this fixes it
+  by adding seccomp rules and applying it to the whole process
+  (bsc#1216199, glgo#GNOME/tracker-miners!480, CVE-2023-5557).
+- Refresh tracker-miners-drop-syscalls-in-seccomp.patch: The patch
+  context is changed by tracker-miners-CVE-2023-5557.patch.
+
webkit2gtk3
+- Update to version 2.42.4 (boo#1218032):
+  + Fix incorrect random images incorrectly displayed as
+    backgrounds of <div> elements.
+  + Fix videos displayed aliased after being resized e.g. in
+    YouTube.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2023-42883.
+
+- Update to version 2.42.3 (boo#1217844):
+  + Fix flickering while playing videos with DMA-BUF sink.
+  + Fix color picker being triggered in the inspector when typing
+    "tan".
+  + Do not special case the "sans" font family name.
+  + Fix build failure with libxml2 version 2.12.0 due to an API
+    change.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2023-42916, CVE-2023-42917.
+
-  boo#1215868 boo#1215869 boo#1215870):
+  boo#1215868 boo#1215869 boo#1215870 boo#1218033):
-  + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359.
+  + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359,
+    CVE-2023-42890.
wireless-regdb
+- Define %{_firmwaredir} if not defined. This fixes RPM build errors.
+
+- Update to version 20230901:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
+
+- Update to version 20230721:
+  * wireless-regdb: Update regulatory info for Türkiye (TR)
+  * wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidelines
+
+- Update to version 20230601:
+  * wireless-regdb: Update regulatory rules for Philippines (PH)
+
+- Update to version 20230503:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Hong Kong (HK)
+  * wireless-regdb: update regulatory rules for India (IN)
+  * wireless-regdb: Update regulatory rules for Russia (RU). Remove DFS requirement.
+  * Update regulatory info for Russia (RU) on 6GHz
+
+- Update to version 20230213:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory info for Russia (RU) on 5GHz
+
+- Update to version 20221205:
+  * wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz
+  * wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz
+
+- Update to version 20221012:
+  * wireless-regdb: update regulatory rules for Switzerland (CH)
+  * wireless-regdb: Update regulatory rules for Brazil (BR)
+
+- Update to version 20220812:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: update 5 GHz rules for PK and add 60 GHz rule
+  * wireless-regdb: add 5 GHz rules for GY
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Unify 6 GHz rules for EU contries
+  * wireless-regdb: Remove AUTO-BW from 6 GHz rules
+  * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz
+  * Regulatory update for 6 GHz operation in FI
+  * Regulatory update for 6 GHz operation in United States (US)
+  * Regulatory update for 6 GHz operation in Canada (CA)
+
+- Update to version 20220606:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Unify 6 GHz rules for EU contries
+  * wireless-regdb: Remove AUTO-BW from 6 GHz rules
+
+- Update to version 20220527:
+  * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz
+  * Regulatory update for 6 GHz operation in FI
+  * Regulatory update for 6 GHz operation in United States (US)
+  * Regulatory update for 6 GHz operation in Canada (CA)
+
+- Update to version 20220408:
+  * wireless-regdb: add db files missing from previous commit
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Australia (AU)
+  * wireless-regdb: add missing spaces for US S1G rules
+
+- Update to version 20220324:
+  * wireless-regdb: Update regulatory rules for Israel (IL)
+
+- Update to version 20220218:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz
+  * wireless-regdb: Update regulatory rules for China (CN)
+  * wireless-regdb: Update regulatory rules for South Korea (KR)
+  * Revert "wireless-regdb: Update regulatory rules for South Korea (KR)"
+  * wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz
+  * wireless-regdb: add 802.11ah bands to world regulatory domain
+  * wireless-regdb: add support for US S1G channels
+  * wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz
+  * wireless-regdb: Update regulatory rules for South Korea (KR)
+
+- Update to version 20220108:
+  * wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz
+
+- Update to version 20211209:
+  * wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US
+
+- Update to version 20210828:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * Update regulatory rules for Ecuador (EC)
+  * wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
+  * wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
+  * wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
+  * wireless-regdb: recent FCC report and order allows 5850-5895 immediately
+  * wireless-regdb: update 5725-5850 MHz rule for GB
+
+- Update to version 20210421:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: re-add source url and info for CU
+
+- Update to version 20210407:
+  * wireless-regdb: Update regulatory rules for Cuba (CU) on 5GHz
+  * wireless-regdb: Do not hardcode 'sforshee' in the certificate commonName
+
+- Update to version 20210129:
+  * wireless-regdb: Update regulatory rules for Ukraine (UA)
+  * wireless-regdb: update CNAF regulation url for ES
+
+- leverage %{_firmwaredir} to install firmware into correct location (boo#1029961)
+
+- Update to version 20201120:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: Update regulatory rules for Kazakhstan (KZ)
+  * wireless-regdb: update 5.8 GHz regulatory rule for GB
+  * wireless-regdb: Update regulatory rules for Pakistan (PK) on 5GHz
+  * wireless-regdb: Update regulatory rules for Croatia (HR)
+  * wireless-regdb: restore channel 12 & 13 limitation in the US
+  * wireless-regdb: update regulatory rules for Egypt (EG)
+
+- Fixes for %_libexecdir changing to /usr/libexec
+
+- Update to version 20200429:
+  * wireless-regdb: update regulatory database based on preceding changes
+  * wireless-regdb: update rules for US on 2.4/5G
+  * GB: Extend to cover DMG channels 5 & 6
+  * wireless-regdb: Update regulatory rules for Singapore (SG)
+  * wireless-regdb: Update regulatory rules for Indonesia (ID)
+
+- Update to version 20191029:
+  * regdb: fix compatibility with python2
+  * wireless-regdb: Update regulatory rules for Russia (RU)
+  * wireless-regdb: Harmonize ranges of CEPT countries (stand of July 2019)
+  * wireless-regdb: Fix ranges of EU countries as they are harmonized since 2014
+  * wireless-regdb: Extend 5470-5725 MHz range to 5730 MHz for Taiwan (TW)
+  * wireless-regdb: Fix overlapping ranges for Switzerland and Liechtenstein
+  * wireless-regdb: update regulatory database based on preceding changes
+- Switch to _service
+- Update project url
+
xfsprogs
+- update to v6.5.0 (bsc#1217575, bsc#1217576):
+  - libxfs: fix atomic64_t detection on x86_32
+  - libxfs: use XFS_IGET_CREATE when creating new files
+  - libfrog: fix overly sleep workqueues
+  - xfs_db: use directio for device access
+  - libxfs: make platform_set_blocksize optional with directio
+  - mkfs: add a config file for 6.6 LTS kernels
+  - mkfs: enable reverse mapping by default
+  - mkfs: enable large extent counts by default
+  - xfs_db: create unlinked inodes
+  - xfs_db: dump unlinked buckets
+  - xfsprogs: don't allow udisks to automount XFS filesystems with no prompt
+  - xfs_repair: fix repair failure caused by dirty flag being abnormally set on buffer
+- drop:
+  - 0001-repair-shift-inode-back-into-place-if-corrupted-by-b.patch
+  - xfsprogs-mkfs-disable-reflink-support-by-default.patch
+  - xfsprogs-mkfs-don-t-trample-the-gid-set-in-the-protofile.patch
+  - xfsprogs-mkfs-enable-bigtime-by-default.patch
+  - xfsprogs-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch
+  - xfsprogs-mkfs-terminate-getsubopt-arrays-properly.patch
+  - xfsprogs-xfs_repair-ignore-empty-xattr-leaf-blocks.patch
+- mkfs: disable inobtcnt and nrext64 features by default
+  - add xfsprogs-mkfs-disable-inobtcnt-and-nrext64-features-by-defaul.patch
+
xorg-x11-server
+- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  (bsc#1217765).
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
+    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+  * Out-of-bounds memory read in RRChangeOutputProperty and
+    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+    bsc#1217766)
+
xscreensaver
+- Update xscreensaver-disable-upgrade-nagging-message.patch to
+  cover new messages. (boo#1206345, bsc#1217318)
+
xwayland
+- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  (bsc#1217765).
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
+    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+  * Out-of-bounds memory read in RRChangeOutputProperty and
+    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+    bsc#1217766)
+
yast2-bootloader
-- support 32 bit UEFI firmware on x86_64/i386 architecture (bsc#1208003,
-  jsc#PED-2569)
-- 4.6.3
+- Backport:
+-- support 32 bit UEFI firmware on x86_64/i386 architecture
+  (bsc#1208003, jsc#PED-2569)
+- 4.6.4
-- Persist zfcp.allow_lun_scan kernel option for s390 arch
-  (needed for gh#openSUSE/agama#626).
-- 4.6.2
+- Branch package for SP6 (bsc#1208913)
-- 4.6.1
-
-- Bump version to 4.6.0 (bsc#1208913)
+- 4.5.9
yast2-network
+- Read all the driver modules from hwinfo instead of just the first
+  driver ones (bsc#1217652).
+- 4.6.7
+
zbar
+- security update:
+  * CVE-2023-40889 [bsc#1214770]
+    Fix heap based buffer overflow in qr_reader_match_centers()
+    + zbar-CVE-2023-40889.patch
+  * CVE-2023-40890 [bsc#1214771]
+    Fix stack based buffer overflow in lookup_sequence()
+    + zbar-CVE-2023-40890.patch
+