Removed rpms
============

 - glibc-locale-base-32bit
 - libavahi-common3-32bit
 - libcrypt1-32bit
 - libcups2-32bit
 - libndr-krb5pac0-32bit
 - libndr-standard0-32bit
 - libopenssl1_1-32bit
 - libsamdb0-32bit
 - libsystemd0-32bit
 - perl-base-32bit
 - libavahi-client3-32bit
 - libbz2-1-32bit
 - libhogweed4-32bit
 - libmount1-32bit
 - libsamba-errors0-32bit
 - libudev1-32bit
 - libuuid1-32bit
 - openslp-32bit
 - samba-libs-32bit
 - samba-winbind-32bit
 - systemd-32bit
 - typelib-1_0-Flatpak-1_0

Added rpms
==========

 - glibc-locale-base-32bit
 - libavahi-client3-32bit
 - libbz2-1-32bit
 - libhogweed4-32bit
 - libmount1-32bit
 - libsamba-errors0-32bit
 - libudev1-32bit
 - libuuid1-32bit
 - openslp-32bit
 - samba-libs-32bit
 - samba-winbind-32bit
 - systemd-32bit
 - libSPIRV-Tools-suse15
 - libavahi-common3-32bit
 - libcrypt1-32bit
 - libcups2-32bit
 - libglslang-suse9
 - libndr-krb5pac0-32bit
 - libndr-standard0-32bit
 - libopenssl1_1-32bit
 - libplacebo43
 - libsamdb0-32bit
 - libshaderc_shared1
 - libsystemd0-32bit
 - libwoff2common1_0_2
 - libwoff2dec1_0_2
 - openSUSE-signkey-cert
 - perl-base-32bit

Package Source Changes
======================

ImageMagick
+  fix CVE-2021-20309 [bsc#1184624], Division by zero in WaveImage() of MagickCore/visual-effects.c
+  + ImageMagick-CVE-2021-20309.patch
+  fix CVE-2021-20311 [bsc#1184626], Division by zero in sRGBTransformImage() in MagickCore/colorspace.c
+  + ImageMagick-CVE-2021-20311.patch
+  fix CVE-2021-20312 [bsc#1184627], Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c
+  + ImageMagick-CVE-2021-20312.patch
+  fix CVE-2021-20313 [bsc#1184628], Cipher leak when the calculating signatures in TransformSignatureof MagickCore/signature.c
+  + ImageMagick-CVE-2021-20313.patch
+
+- security update
+- added patches
MozillaFirefox
+- Firefox Extended Support Release 78.10.0 ESR
+  * Fixed: Various stability, functionality, and security fixes
+- Mozilla Firefox ESR 78.10
+  MFSA 2021-15 (bsc#1184960)
+  * CVE-2021-23994 (bmo#1699077)
+    Out of bound write due to lazy initialization
+  * CVE-2021-23995 (bmo#1699835)
+    Use-after-free in Responsive Design Mode
+  * CVE-2021-23998 (bmo#1667456)
+    Secure Lock icon could have been spoofed
+  * CVE-2021-23961 (bmo#1677940)
+    More internal network hosts could have been probed by a
+    malicious webpage
+  * CVE-2021-23999 (bmo#1691153)
+    Blob URLs may have been granted additional privileges
+  * CVE-2021-24002 (bmo#1702374)
+    Arbitrary FTP command execution on FTP servers using an
+    encoded URL
+  * CVE-2021-29945 (bmo#1700690)
+    Incorrect size computation in WebAssembly JIT could lead to
+    null-reads
+  * CVE-2021-29946 (bmo#1698503)
+    Port blocking could be bypassed
+
MozillaThunderbird
+- Mozilla Thunderbird 78.10
+  * fixed: Usability & theme improvements on Windows
+  * fixed: Various security fixes
+  MFSA 2021-14 (bsc#1184960)
+  * CVE-2021-23994 (bmo#1699077)
+    Out of bound write due to lazy initialization
+  * CVE-2021-23995 (bmo#1699835)
+    Use-after-free in Responsive Design Mode
+  * CVE-2021-23998 (bmo#1667456)
+    Secure Lock icon could have been spoofed
+  * CVE-2021-23961 (bmo#1677940)
+    More internal network hosts could have been probed by a
+    malicious webpage
+  * CVE-2021-23999 (bmo#1691153)
+    Blob URLs may have been granted additional privileges
+  * CVE-2021-24002 (bmo#1702374)
+    Arbitrary FTP command execution on FTP servers using an
+    encoded URL
+  * CVE-2021-29945 (bmo#1700690)
+    Incorrect size computation in WebAssembly JIT could lead to
+    null-reads
+  * CVE-2021-29946 (bmo#1698503)
+    Port blocking could be bypassed
+  * CVE-2021-29948 (bmo#1692899)
+    Race condition when reading from disk while verifying
+    signatures
+
+- Mozilla Thunderbird 78.9.1
+  * new: Support recipient aliases for OpenPGP encryption.
+    Documentation can be found https://wiki.mozilla.org/
+    Thunderbird:OpenPGP:Aliases.
+  * fixed: The key and signature parts of the message security
+    popup on a received message could not be selected for
+    copy/paste.
+  * fixed: Various UX and theme improvements
+  MFSA 2021-13 (bsc#1184536)
+  * CVE-2021-23991 (bmo#1673240)
+    An attacker may use Thunderbird's OpenPGP key refresh
+    mechanism to poison an existing key
+  * MOZ-2021-23992 (bmo#1666236)
+    A crafted OpenPGP key with an invalid user ID could be used
+    to confuse the user
+  * CVE-2021-23993 (bmo#1666360)
+    Inability to send encrypted OpenPGP email after importing a
+    crafted OpenPGP key
+
+- Mozilla Thunderbird 78.9
+  * fixed: New mail notification displayed old messages that were
+    unread
+  * fixed: Spaces following soft line breaks in messages using
+    quoted-printable and format=flowed were incorrectly encoded;
+    existing messages which were previously incorrectly encoded
+    may now display with some words not separated by a space
+  * fixed: Some fields were unreadable in the Dark theme in the
+    General preferences panel
+  * fixed: Sending a message containing an anchor tag with an
+    invalid data URI failed
+  * fixed: When switching tabs, input focus was not moved to the
+    new tab
+  * fixed: Address Book: Syncing a read-only Google address book
+    via CardDAV failed
+  * fixed: Address Book: Importing VCards with non-ascii
+    characters would fail
+  * fixed: Address Book: Some values may not have been parsed
+    when syncing from Google address books.
+  * fixed: Add-ons Manager did not show if an addon used
+    experiment APIs
+  * fixed: Calendar: Removing a recurring task was not possible
+  * fixed: Various security fixes
+  MFSA 2021-12 (bsc#1183942)
+  * CVE-2021-23981 (bmo#1692832)
+    Texture upload into an unbound backing buffer resulted in an
+    out-of-bound read
+  * MOZ-2021-0002 (bmo#1691547)
+    Angle graphics library out of date
+  * CVE-2021-23982 (bmo#1677046)
+    Internal network hosts could have been probed by a malicious
+    webpage
+  * CVE-2021-23984 (bmo#1693664)
+    Malicious extensions could have spoofed popup information
+  * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
+    bmo#1690718)
+    Memory safety bugs fixed in Thunderbird 78.9
+- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
+
NetworkManager
+- Add nm-fix-dhcp-client-timeout.patch: Better handle dhclient's
+  timeout so that a recorded lease can be used when dhcp server
+  is down(glfo#NetworkManager/NetworkManager!811, bsc#1183202).
+- Modified NetworkManager.conf: Use dhclient as the default dhcp
+  client(glfo#NetworkManager/NetworkManager!811, bsc#1183202).
+
+- Add NM-restore-MAC-on-release-only-when-cloned.patch: bond:
+  restore MAC on release only when there is a cloned MAC address
+  (glfo#NetworkManager/NetworkManager!775, bsc#1183967).
+
avahi
+- Add avahi-CVE-2021-3468.patch: avoid infinite loop by handling
+  HUP event in client_work (boo#1184521 CVE-2021-3468).
+  https://github.com/lathiat/avahi/pull/330
+
bzip2
-- update bzip2-1.0.6-CVE-2019-12900.patch to accept as many
-  selectors as the file format allows. This relaxes the previous
-  fix for CVE-2019-12900 so that bzip2 allows decompression of bz2
-  files that use (too) many selectors again. It fixes a bzip2 and
-  lbzip2 incompatibility caused by previous patch [bsc#1139083]
-  [CVE-2019-12900]
-
-- add bzip2-1.0.6-CVE-2019-12900.patch to fix an out-of-bounds
-  write in decompress.c when there are many nSelectors used in a
-  loop to access selectorMtf [bsc#1139083] [CVE-2019-12900]
-
-- add bzip2-1.0.6-CVE-2016-3189.patch to fix a heap use after
-  free vulnerability that was reported in bzip2recover [bsc#985657]
-  [CVE-2016-3189]
-
-- Update autotools patchset:
-  D bzip2-1.0.6-autoconfiscated.patch
-  A bzip2-1.0.6.2-autoconfiscated.patch
-
-- Use %license (boo#1082318)
-
-- Fix build on Fedora and Mageia
-
-- Update bzip2-1.0.6-autoconfiscated.patch:
-  * Bump version to 1.0.6.
-  * Fix script symlinks on platforms with EXEEXT.
-
-- Drop implicit pie building
-- Try profiled build
-- Move autoreconf to build section
-
-- cleanup with spec-cleaner
-
-- add bzip2-1.0.6-bzgrep_return_value.patch to fix bzgrep wrapper
-  that always returns 0 as an exit code when grepping multiple
-  archives [bsc#970260]
-
-- Remove bzip2-faster.patch, it causes a crash with libarchive and
-  valgrind points out uninitialized memory. See
-  https://github.com/libarchive/libarchive/issues/637#issuecomment-170612576
-
-- Avoid noarch sub package in SLE_11
-
-- Cleanup a bit.
-- Remove the profiling stuff as it should not be used nowdays.
-  At least even factory builds without it.
-- Provide libbz2.so.1.0 as other distros do, so we can run tiny
-  things like steam.
-- Respect cflags again, borked by previous commit.
-
-- build with PIE
-
-- fix basisms in bzgrep and bznew
-- add patches:
-  * bzip2-1.0.6-fix-bashisms.patch
-
ceph
+- Update to 15.2.11-83-g8a15f484c2:
+  + (bsc#1184231) cephadm: Allow to use paths in all <_devices> drivegroup sections
+
+- Update to 15.2.11-82-g7c6356e178:
+  + upstream Octopus v15.2.11 release
+    see https://ceph.io/releases/v15-2-11-octopus-released/
+  * (bsc#1183074) - (CVE-2021-20288) ceph: Unauthorized global_id reuse
+  + cephadm: Update Grafana container image from 7.0.3 to 7.3.1
+
+- Update to 15.2.10-81-g29303934a5:
+  + upstream Octopus v15.2.10 release, see https://ceph.io/releases/v15-2-10-octopus-released/
+  * bluestore: fix huge reads/writes at BlueFS (bsc#1183899)
+
+- Update to 15.2.9-83-g4275378de0:
+  + cephadm: fix 'inspect' and 'pull' (bsc#1182766)
+
+- Update to 15.2.9-82-gee18977364:
+  + upstream Octopus v15.2.9 release, see https://ceph.io/releases/v15-2-9-octopus-released/
+  * (bsc#1179997) (CVE-2020-27839) mgr/dashboard: Use secure cookies to store JWT Token
+  * (bsc#1178905) (CVE-2020-25678) Do not add sensitive information in Ceph log files
+  * (bsc#1172926) mgr/orchestrator: Sort 'ceph orch device ls' by host
+  * (bsc#1176390, bsc#1176679) mgr/dashboard: enable different URL for users
+    of browser to Grafana
+  * (bsc#1176489) mgr/cephadm: lock multithreaded access to OSDRemovalQueue
+  * (bsc#1176828) cephadm: command_unit: call systemctl with verbose=True
+  * (bsc#1177360) cephadm: silence "Failed to evict container" log msg
+  * (bsc#1177857) mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails
+  * (bsc#1178837) rgw: cls/user: set from_index for reset stats calls
+  * (bsc#1178860) mgr/dashboard: Disable TLS 1.0 and 1.1
+  * (bsc#1178932, bsc#1179569) cephadm: reference the last local image by digest
+
cifs-utils
+- cifs.upcall: fix regression in kerberos mount; (bsc#1184815).
+  * add 0015-cifs.upcall-fix-regression-in-kerberos-mount.patch
+
+- CVE-2021-20208: cifs-utils: cifs.upcall kerberos auth leak in
+  container; (bsc#1183239); CVE-2021-20208.
+
cups
+- When cupsd creates directories with specific owner group
+  and permissions (usually owner is 'root' and group matches
+  "configure --with-cups-group=lp") specify same owner group and
+  permissions in the RPM spec file to ensure those directories
+  are installed by RPM with the right settings because if those
+  directories were installed by RPM with different settings then
+  cupsd would use them as is and not adjust its specific owner
+  group and permissions which could lead to privilege escalation
+  from 'lp' user to 'root' via symlink attacks e.g. if owner is
+  falsely 'lp' instead of 'root' CVE-2021-25317 (bsc#1184161)
+
cups-filters
+- fix_upstream_issue348.patch fixes
+  https://github.com/OpenPrinting/cups-filters/issues/348
+  foomatic-rip segfaults with 'job-sheets=none,none'
+  but works with 'job-sheets=none'
+  (bsc#1182893)
+
dhcp
+- bsc#1185157:
+  Use /run instead of /var/run for PIDFile in dhcrelay.service.
+
dracut
+- Update to version 049.1+suse.187.g63c1504f:
+  * fix(shutdown): add timeout to umount calls (bsc#1178219)
+
e2fsprogs
+- Remove autoreconf call from e2fsprogs.spec (bsc#1183791)
+
flatpak
+-  Update to version 1.10.2:
+  + This is a security update which fixes a potential attack where
+    a flatpak application could use custom formated .desktop files
+    to gain access to files on the host system.
+  + Fix memory leaks
+  + Some test fixes
+  + Documentation updates
+  + G_BEGIN/END_DECLS added to library headders for c++ use
+  + Fix for X11 cookies on OpenSUSE
+  + Spawn portal better handles non-utf8 filenames
+
+- Flatpak only requires glib 2.44, not 2.60
+- Update ostree version required to 2020.8
+
+- Update to version 1.10.1:
+  + Fix flatpak build on systems with setuid bwrap
+  + Fix some compiler warnings
+  + Fix crash on updating apps with no deploy data
+  + Updated translations.
+- Remove deprecated texinfo packaging macros.
+- Switch to upstream release tarball.
+
+- Update to version 1.10.0:
+  + The major new feature in this series compared to 1.8 is the
+    support for the new repo format which should make updates
+    faster and download less data.
+  + The systemd generator snippets now call flatpak
+  - -print-updated-env in place of a bunch of shell for better
+    login performance.
+  + The .profile snippets now disable GVfs when calling flatpak to
+    avoid spawning a gvfs daemon when logging in via ssh.
+  + Build fixes for GCC 11.
+  + Flatpak now finds the pulseaudio sockets better in uncommon
+    configurations.
+  + Sandboxes with network access it now also has access to the
+    systemd-resolved socket to do dns lookups.
+  + Flatpak supports unsetting env vars in the sandbox using
+  - -unset-env, and --env=FOO= now sets FOO to the empty string
+    instead of unsetting it.
+  + Similarly the spawn portal has an option to unset an env var.
+  + The spawn portal now has an option to share the pid namespace
+    with the sub-sandbox.
+
+- Update to version 1.8.5 (CVE-2021-21261):
+  + This is a security update that fixes a sandbox escape where a
+    malicious application can execute code outside the sandbox by
+    controlling the environment of the "flatpak run" command when
+    spawning a sub-sandbox (boo#1180996)
+
+- Update to version 1.8.4:
+  + Fix support for ppc64.
+
+- Move flatpak-bisect and flatpak-coredumpctl to devel subpackage,
+  allow to remove python3 dependency on main package.
+
+- Enable LTO (boo#1133124) as gobject-introspection works fine with LTO.
+
+- Update to version 1.8.3:
+  + Fixed progress reporting for OCI and extra-data.
+  + The in-memory summary cache is more efficient.
+  + Fixed authentication getting stuck in a loop in some cases.
+  + Fixed authentication error reporting.
+  + We now extract OCI info for runtimes as well as apps.
+  + Fixed crash if anonymous authentication fails and -y is
+    specified.
+  + flatpak info now only looks at the specified installation if
+    one is specified.
+  + Better error reporting for server HTTP errors during download.
+  + Uninstall now removes applications before the runtime it
+    depends on.
+  + Fixed test-suite to pass with the latest OSTree version.
+  + Fixed dbus environment variables in flatpak enter.
+  + Avoid updating metadata from the remote when uninstalling.
+  + Fixed error message handling in various places.
+  + FlatpakTransaction now verifies all passed in refs to avoid.
+  + potential issues with invalid names.
+  + Updated translations.
+
+- Update to version 1.8.2:
+  + Added validation of collection id settings for remotes.
+  + Fix seccomp filters on s390.
+  + Robustness fixes to the spawn portal.
+  + Fix support for masking update in the system installation.
+  + Better support for distros with uncommon models of merged /usr.
+  + Cache responses from localed/AccountService.
+  + Fix hangs in cases where xdg-dbus-proxy fails to start.
+  + Fix double-free in cups socket detection.
+  + OCI authenticator now doesn't ask for auth in case of http
+    errors.
+
+- Fix invalid usage of %{_libexecdir} to reference systemd
+  directories.
+
+- Update to version 1.8.1:
+  * Avoid calling authenticator in update if ref didn't change
+  * Don't fail transaction if ref is already installed (after
+    transaction start)
+  * Fix flatpak run handling of userns in the --device=all case
+  * Fix handling of extensions from different remotes
+  * Fix flatpak run --no-session-bus
+  * Updated translations
+- Update to version 1.8.0:
+  * FlatpakTransaction has a new signal "install-authenticator"
+    which clients can handle to install authenticators needed for
+    the transaction. This is done in the CLI commands.
+  * We now always expose the host timezone data, allowing us the
+    expose the host /etc/localtime in a way that works better,
+    fixing several apps that had timezone issues.
+  * Fix flatpak enter which didn't work in some cases.
+  * We now ship a systemd unit (not installed by default) to
+    automatically detect plugged in usb sticks with sideload repos.
+  * By default we no longer install the gdm env.d file, as the
+    systemd generators work better.
+  * create-usb now exports partial commits by default
+  * Fix handling of docker media types in oci remotes
+  * Fix subjects in remote-info --log output
+- Remove source file used to generate a flatpak user on the system
+  since it's now included by upstream:
+  * system-user-flatpak.conf
+
+- Fixes for %_libexecdir changing to /usr/libexec
+
+- Update to version 1.6.4:
+  + This release backports some of the OCI authenticator fixes from
+    the 1.7 series, and should now be able to host flatpak images
+    on e.g. docker hub.
+  + Other changes:
+  - Fix a use-after free in libflatpak.
+  - Don't list p2p downgrades in list of available updates.
+
+- jsc#SLE-7171
giflib
+- Enable Position Independent Code and inherit CFLAGS from the build system.
+  * Added giflib-PIE.patch (bsc#1184123).
+
-- Update to new upstream release 5.0.4
-  * Fix for a rare misrendering bug when a GIF overruns the
-  decompression-code table.
-- Make patches have -p1, as requested by
-  http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
-
-- Added url as source.
-  Please see http://en.opensuse.org/SourceUrls
-
-- add giflib-automake-1_13.patch, fix build with automake-1.13.1
-
-- Remove "Obsoletes: giflib", because libgif6 must not obsolete
-  libgif4 (it would do that by way of libgif4's "Provides: giflib").
-
-- Adjust baselibs.conf for libgif6, remove libungif rpm symbols
-  since they are now no longer provided.
-
-- Version 5.0.3
-  * The library is now purely reentrant and thread-safe
-  * Adds an EGifSetGifVersion() entry point
-  * All names of exported functions now have a Gif, DGif, or EGif prefix.
-- packaging changes:
-  * soname is now libgif6
-  * Compatibility with ancient "libungif" via rpm spec file hacks
-  is no longer included, if there is any application around
-  that still requires this it has to be fixed.
-
-- Remove redundant tags/sections
-
-- annotate functions from gif_lib_private.h with visibility
-  hidden so they are not exported.
-
-- add libtool as buildrequire to make the spec file more reliable
-
-- Correct project URL
-- Implement shlib naming (libgif4)
-- Apply packaging guidelines (remove redundant/obsolete
-  tags/sections from specfile, etc.)
-
-- Do not use __Date__ and __TIME__ , make build-compare
-  happier
-
-- add baselibs.conf as a source
-
gnome-session
+- Add gnome-session-exit-when-lost-name-on-bus.patch: gnome-session
+  exit immediately when lost name on bus
+  (bsc#1175622 glgo!GNOME/gnome-session!60).
+
gnome-shell-extension-desktop-icons
+- Add desktop-icons-show-iso-file-icon.patch: Show ISO file icon as
+  default icon.
+  (bsc#1183504 glgo#GNOME/World/ShellExtensions/desktop-icons!196)
+
gpgme
+- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801]
+  * tests/json: Bravo key does not have secret key material
+  * tests/json: Do not check for keygrip of pubkeys
+  * core: Make sure the keygrip is available in WITH_SECRET mode
+- Add gpgme-test-json.patch
+
gzip
+- fix DFLTCC segfault [bsc#1177047]
+- added patches
+  fix https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=be0a534ba2b6e77da289de8da79e70843b1028cc
+  + gzip-1.10-fix-DFLTCC-segfault.patch
+
irqbalance
+- not balancing interrupts in Xen guests (bsc#1178477, bsc#1183405)
+  A procinterrupts-check-xen-dyn-event-more-flexible.patch
+
kimageformats
+- Add patch to fix OOB write (oss-fuzz#33742):
+  * 0001-xcf-Fix-Stack-buffer-overflow-WRITE-on-broken-files.patch
+
kyotocabinet
+- Add yet an other patch kyotocabinet-pie.patch
+  * link all executables as pie (bsc#1185033)
+
+- Update to version 1.2.77:
+  * kcthread.cc (CondVar::wait): a bug on Win32 was fixed.
+  * kcdbext.h (IndexDB::set, IndexDB::replace): a bug of updating
+    existing records was fixed.
+  * kcdb.h (DB::check): new function.
+- Drop no longer needed gcc6-fix-errors.patch
+- Modernise spec file
+
-- update version 1.2.76
-  * kcthread.cc (CondVar::wait): a bug on Win32 was fixed.
-  * kcdbext.h (IndexDB::set, IndexDB::replace): a bug of updating existing records was fixed.
-  * kcdb.h (DB::check): new function.
-
-- Make kyotocabinet installation work on SLE_11
-
-- Remove redundant tags/sections per specfile guideline suggestions
-- Add autotools BuildRequires for factory/12.2
-
-- updated to 1.2.52
-
-- updated to 1.2.50
-
-- created package (version 1.2.47)
-
libcap
+- Add explicit dependency on libcap2 with version to libcap-progs
+  and pam_cap (bsc#1184690)
+
-- Update to libcap 2.22
-- libcap 2.22 includes:
-  * Clarified License file (with version 2 of the GPL)
-  * Support getting/setting capabilities on large files
-  * After --chroot command, change working directory to "/".
-- libcap 2.21 includes:
-  * Introduce cap_get_bound() and cap_drop_bound() functions.
-    also include a macro CAP_IS_SUPPORTED(cap) for capabilities
-- libcap 2.20 includes:
-  * Latest kernel capabilites supported: now includes CAP_SYSLOG
-  * $(CFLAGS) Makefile fixes
-  * Default to installing setcap with an inheritable capability.
-
libhugetlbfs
+- Hardening: Link as PIE (bsc#1184123).
+
-- There are no tests installed in s390(x) case, therefore there are no
-  files in %{_libdir}/libhugetlbfs
-  Remove the directory from the file list to fix package build for s390(x)
-
-- Add support of ppc64le with 4 patches
-  libhugetlbfs-ppc64le.patch
-  libhugetlbfs.ppc64le.step2.patch
-  libhugetlbfs.ppc64le.step3.patch
-  libhugetlbfs.ppc64le.step4.patch
-
-- Update to version 2.16:
-  Features:
-  * ARM Support
-  * s390x Dynamic TASK_SIZE support
-  Bug Fixes:
-  * find_mounts() now properly NULL terminates mount point names
-
-- Update to version 2.15
-  Features:
-  * Some System z functionality went into 2.15
-  * Updated man pages
-  * Added basic events for core_i7 to oprofile_map_events
-  Fixes:
-  * Disable Unable to verify address range warning when offset < page_size
-  * Remove sscanf in library setup to avoid heap allocation before _morecore
-  override
-  * Revert heap exhaustion patch
-  * hugectl no longer clips LD_LIBRARY_PATH variable
-  * Fix clean on failure code to avoid closing stdout
-
-- Add excludearch for arm due to lacking support
-
-- Update to version 2.13
-  * hugeadm can now be used to control Transparent Huge Page tunables
-  * New morecore mode to better support THP
-  * Check permissions on hugetlbfs mount point before marking it as
-    available
-  * Fix shm tests to use random address instead of fixed, old address
-    failed on ARM
-
-- Update to version 2.12
-  * libhugetlbfs usages can now be restricted to certain binary names
-  * libhugetlbfs now supports static linking
-  * hugeadm uses more human readable directory names for mount points
-  * Fix segfault if specified user was not in passwd, failuer in
-    getpwuid() is now checked
-  * Added tests for static linking to testcase
-  * Added missing tests to driver script
-
-- Do not include the 268MB testcase /usr/lib/libhugetlbfs/tests/obj32/linkhuge_rw.
-
-- Update to version 2.11
-  Bugfixes and new features are listed in the NEWS file in
-  /usr/share/doc/packages/libhugetlbfs/NEWS
-
-- Update to version 2.9:
-  * Add --no-reseve to hugectl to request mmap'd pages are not reserved
-    for kernels newer than 2.6.34
-  * Add --obey-numa-mempol to hugeadm to request static pool pages are
-    allocated following the process NUMA memory policy
-  * Add switch to let administrator limit new mount points by size or inodes
-  * cpupcstat now caches the value returned by tlmiss_cost.sh to avoid
-    rerunning the script
-  * When specifying huge page pool sizes with hugeadm, memory sizes can
-    be used as well as the number of huge pages
-  * DEFAULT is now a valid huge page pool for resizing, it will adjust
-    the pool for the default huge page size
-  * tlbmiss_cost.sh in the contrib/ sub directory will estimate the cost
-    in CPU cycles of a TLB miss on the arch where it is run
-  * Add python script which automates huge page pool setup with minimal
-    input required from user
-  * cpupcstat now supports data collection using the perf tool as well as
-    oprofile
-  * --explain reports if min_free_kbytes is too small
-  * add --set-min_free_kbytes to hugeadm
-
-- strip test binaries to fix build
-
-- Removed unused files
-
-- add workarounds for broken Makefile logic to detect arch
-
-- Package baselibs.conf
-
-- Fix typo in requires.
-
-- Update from version 2.0 to 2.5
-
libmodulemd
+- Update to 2.12.0
+  + Add support for 'buildorder' to Packager documents
+  + Fix issue with ModuleIndex when input contains only Obsoletes documents
+  + Extend read_packager_[file|string]() to support overriding the module name
+    and stream.
+  + Ignore Packager documents when running ModuleIndex.update_from_*()
+  + Add python overrides for XMD in PackagerV3
+  + Add python override to ignore the GType return when reading packager files
+  + Add PackagerV3.get_mdversion()
+- Drop patch incorporated in this release
+  + Patch: 0001-Fix-integer-size-issue-on-32-bit-platforms.patch
+
libostree
+- Enable LTO (boo#1133120) as it works now.
+
+- Update to version 2020.8:
+  + This release mostly contains scalability improvements and
+    bugfixes.
+  + Caching-related HTTP headers are now supported on summaries and
+    signatures, so that they do not have to be re-downloaded if not
+    changed in the meanwhile.
+  + Summaries and delta have been reworked to allow more
+    fine-grained fetching.
+  + Finally, this fixes several bugs related to atomic variables,
+    HTTP timeouts, and 32-bit architectures.
+- Changes from version 2020.7:
+  + Static deltas can now be signed to more easily support offline
+    verification.
+  + There's now support for multiple initramfs images; the idea
+    here is that one can have a "main" initramfs image and a
+    secondary one which represents local configuration.
+  + The documentation is now moved to
+    https://ostreedev.github.io/ostree/
+  + Lot of preparatory cleanups to the pull code landed for
+    upcoming work on indexing deltas outside of the summary.
+  + On the bugfix side, the biggest one is a fix for an assertion
+    failure when upgrading from systems before ostree supported
+    devicetree.
+  + Also notable is that ostree no longer hardlinks zero sized
+    files to avoid hitting filesystem maximum link counts.
+- Changes from version 2020.6:
+  + One notable feature: ostree now supports / and /boot being on
+    the same filesystem.
+  + Other than that it's mostly bugfixes; there is one quite
+    important one for anyone using the readonly=true for /sysroot
+    (which is still just Fedora CoreOS I suspect).
+  + There's some improvements to the GObject Introspection
+    metadata, some (cosmetic) static analyzer fixes, a fix for the
+    immutable bit on s390x, dropping a deprecated bit in the
+    systemd unit file, etc.
+- Changes from version 2020.5:
+  + This release primarily fixes a regression in 2020.4 where the
+    "readonly sysroot" changes incorrectly left the sysroot
+    read-only on systems that started out with a read-only / (most
+    of them, e.g. Fedora Silverblue/IoT at least).
+  + There's some additions to the pull API to aid flatpak.
+  + There were a few fixes to the man pages, and ostree show now
+    displays the parent commit.
+  + The default dracut config now enables reproducibility.
+  + On the "feature" side, there is a new ostree admin unlock
+  - -transient. We expect this to be a foundation for further
+  support for "live" updates.
+- Changes from version 2020.4:
+  + By far the biggest change in this release is new ed25519
+    signing support, powered by libsodium.
+  + stree commit gained a new --base argument, which significantly
+    simplifies constructing "derived" commits, particularly for
+    systems using SELinux.
+  + Handling of the read-only sysroot was reimplemented to run in
+    the initramfs and be more reliable. Enabling the readonly=true
+    flag in the repo config is recommended.
+  + Several bugs were fixed in locking for the temporary "staging"
+    directories OSTree creates, particularly on NFS.
+  + lib: Coerce flags enums to GIR bitfields changed some values to
+    be (correctly) flags - this may show up as incompatible for
+    GObject Introspection consumers (but not C).
+  + A new timestamp-check-from-rev option was added for pulls,
+    which makes downgrade protection more reliable and will be used
+    by Fedora CoreOS.
+  + Several fixes and enhancements were made for "collection" pulls
+    including a new --mirror option.
+  + The ostree commit command learned a new --mode-ro-executables
+    which enforces W^R semantics on all executables.
+  + A new commit metadata key (OSTREE_COMMIT_META_KEY_ARCHITECTURE)
+    was added to help standardize the architecture of the OSTree
+    commit. This could be used on the client side for example to
+    sanity-check that the commit matches the architecture of the
+    machine before deploying.
+
+- Stop invalid usage of %_libexecdir:
+  + Use %{_prefix}/lib where appropriate.
+  + Use _systemdgeneratordir for the systemd-generators.
+  + Define _dracutmodulesdir based on dracut.pc. Add
+    BuildRequires(dracut) for this to work.
+
librsvg
+- Update to version 2.46.5:
+  + Update dependent crates that had security vulnerabilities:
+    generic-array to 0.12.4 - RUSTSEC-2020-0146
+    smallvec to 0.6.14      - RUSTSEC-2021-0003 - CVE-2021-25900
+  + There are no changes to the library code.
+  + Fix bash-isms in Makefile.am (Tin-Wei Lan).
+  + Fix Visual Studio build (Chun-wei Fan).
+- bsc#1183403 - CVE-2021-25900 - buffer overflow in the smallvec crate.
+
libsolv
+- fix rare segfault in resolve_jobrules() that could happen
+  if new rules are learnt
+- fix a couple of memory leaks in error cases
+- fix error handling in solv_xfopen_fd()
+- bump version to 0.7.19
+
+- fixed regex code on win32
+- fixed memory leak in choice rule generation
+- repo_add_conda: add flag to skip v2 packages
+- bump version to 0.7.18
+
libxml2
+- Security fix: [bsc#1185408, CVE-2021-3518]
+  * Fix use-after-free in xinclude.c:xmlXIncludeDoProcess()
+  * Add libxml2-CVE-2021-3518.patch
+
+- Security fix: [bsc#1185410, CVE-2021-3517]
+  * Fix heap-based buffer overflow in entities.c:xmlEncodeEntitiesInternal()
+  * Add libxml2-CVE-2021-3517.patch
+
+- Security fix: [bsc#1185409, CVE-2021-3516]
+  * Fix use-after-free in entities.c:xmlEncodeEntitiesInternal()
+  * Add libxml2-CVE-2021-3516.patch
+
libzypp
+- Properly handle permission denied when providing optional files
+  (bsc#1185239)
+- Fix sevice detection with cgroupv2 (bsc#1184997)
+- version 17.25.10 (22)
+
+- Add missing includes for GCC 11 (bsc#1181874)
+- Fix unsafe usage of static in media verifier.
+- Solver: Avoid segfault if no system is loaded (bsc#1183628)
+- MediaVerifier: Relax media set verification in case of a single
+  not-volatile medium (bsc#1180851)
+- Do no cleanup in custom cache dirs (bsc#1182936)
+- ZConfig: let pubkeyCachePath follow repoCachePath.
+- version 17.25.9 (22)
+
-- Patch: Identify well-known category names (bsc#117984)
+- Patch: Identify well-known category names (bsc#1179847)
-- Add missing includes for GCC 11 compatibility.
+- Add missing includes for GCC 11 compatibility. (bsc#1181874)
lvm2
+- Add metadata-based autoactivation property for VG and LV (bsc#1178680)
+  + bug-1178680_add-metadata-based-autoactivation-property-for-VG-an.patch
+
mpfr
+- Add cummulative patch mpfr-4.0.2-p6.patch fixing various bugs.
+
+- Add floating-point-format-no-lto.patch in order to fix assembler scanning
+  (boo#1141190).
+
+- Update to mpfr 4.0.2
+  * Cummulative bugfix release, includes mpfr-4.0.1-cummulative-patch.patch.
+
+- Fix %install_info_delete usage:
+  * It has to be performed in %preun not in %postun.
+  * See https://en.opensuse.org/openSUSE:Packaging_Conventions_RPM_Macros#.25install_info_delete.
+
+- Add mpfr-4.0.1-cummulative-patch.patch.  Fixes
+  * A subtraction of two numbers of the same sign or addition of two
+    numbers of different signs can be rounded incorrectly (and the
+    ternary value can be incorrect) when one of the two inputs is
+    reused as the output (destination) and all these MPFR numbers
+    have exactly GMP_NUMB_BITS bits of precision (typically, 32 bits
+    on 32-bit machines, 64 bits on 64-bit machines).
+  * The mpfr_fma and mpfr_fms functions can behave incorrectly in case
+    of internal overflow or underflow.
+  * The result of the mpfr_sqr function can be rounded incorrectly
+    in a rare case near underflow when the destination has exactly
+    GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit
+    machines, 64 bits on 64-bit machines) and the input has at most
+    GMP_NUMB_BITS bits of precision.
+  * The behavior and documentation of the mpfr_get_str function are
+    inconsistent concerning the minimum precision (this is related to
+    the change of the minimum precision from 2 to 1 in MPFR 4.0.0). The
+    get_str patch fixes this issue in the following way: the value 1
+    can now be provided for n (4th argument of mpfr_get_str); if n = 0,
+    then the number of significant digits in the output string can now
+    be 1, as already implied by the documentation (but the code was
+    increasing it to 2).
+  * The mpfr_cmp_q function can behave incorrectly when the rational
+    (mpq_t) number has a null denominator.
+  * The mpfr_inp_str and mpfr_out_str functions might behave
+    incorrectly when the stream is a null pointer: the stream is
+    replaced by stdin and stdout, respectively. This behavior is
+    useless, not documented (thus incorrect in case a null pointer
+    would have a special meaning), and not consistent with other
+    input/output functions.
+
-- Add Source URL, see https://en.opensuse.org/SourceUrls
-
-- Update to version 3.1.2.
-  * Bug fixes
-  * Updated examples to the MPFR 3.x API
-
-- Update to version 3.1.1.
-  * Bug fixes
-
-- patch license to follow spdx.org standard
-
-- Remove redundant tags/sections per specfile guideline suggestions
-
-- Update to version 3.1.0.
-  * The mpfr_urandom and mpfr_urandomb functions now return identical
-    values on processors with different word size.
-  * Speed improvement for the mpfr_sqr and mpfr_div functions using
-    Mulders' algorithm.
-  * Much faster formatted output (mpfr_printf, etc.) with %Rg and similar.
-  * New divide-by-zero exception (flag) and associated functions.
-- Remove bogus provides/obsoletes for old shared library version.
-- Fix license, it is LGPL v3 or later.
-
-- Update to version 3.0.1.
-  * Minor bugfixes.
-
-- Update to version 3.0.0.
-  * Bump SO version to 4.
-
-- use %_smp_mflags
-
-- PA-Risc is not threadsafe just as sparc
-
-- add baselibs.conf to specfile as source
-
-- Do not use --enable-thread-safe on SPARC (Fedora does the same) -
-  the tests segfault if TS is enabled
-
-- Update to version 2.4.2.
-  * Bug and documentation fixes.
-
-- Add x86 baselibs entry.
-
-- Update to version 2.4.1 (no changes).
-- Apply current cummulative bugfixing patch.
-  * mpfr_fmod, mpfr_remainder and mpfr_remquo rounding issues.
-  * incorrect type in vasprintf.c.
-  * wrong type in mpfr_zeta_ui.
-
nautilus
+- Update set_trusted.sh: Use the right value in gio command
+  (bsc#1185026).
+
+- Update to version 3.34.3 (bsc#1171506):
+  + Revert icon emblem fixes in order to prevent performance
+    issues.
+  + Fix crashes often happening when searching.
+  + Fix crashes after conflict dialog response.
+
openexr
+  fix CVE-2021-23215 [bsc#1185216], Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers
+  fix CVE-2021-26260 [bsc#1185217], Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers
+  + openexr-CVE-2021-23215,26260.patch
+
+- security update
+- modified patches
+  % openexr-CVE-2021-3474.patch (splitted into openexr-CVE-2021-20296.patch)
+- added patches
+  fix CVE-2021-20296 [bsc#1184355], Segv on unknown address in Imf_2_5:hufUncompress - Null Pointer dereference
+  + openexr-CVE-2021-20296.patch
+  fix CVE-2021-3477 [bsc#1184353], Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts
+  + openexr-CVE-2021-3477.patch
+  fix CVE-2021-3479 [bsc#1184354], Out-of-memory caused by allocation of a very large buffer
+  + openexr-CVE-2021-3479.patch
+
+- security update
+- added patches
+  fix CVE-2021-3474 [bsc#1184174], Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder
+  + openexr-CVE-2021-3474.patch
+  fix CVE-2021-3475 [bsc#1184173], Integer-overflow in Imf_2_5::calculateNumTiles
+  + openexr-CVE-2021-3475.patch
+  fix CVE-2021-3476 [bsc#1184172], Undefined-shift in Imf_2_5::unpack14
+  + openexr-CVE-2021-3476.patch
+
+- security update
+- added patches
openldap2
+- bsc#1182791 - improve proxy connection timout options to correctly
+  prune connections.
+  * 0225-ITS-8625-Separate-Avlnode-and-TAvlnode-types.patch
+  * 0226-ITS-9197-back-ldap-added-task-that-prunes-expired-co.patch
+  * 0227-ITS-9197-Increase-timeouts-in-test-case-due-to-spora.patch
+  * 0228-ITS-9197-fix-typo-in-prev-commit.patch
+  * 0229-ITS-9197-Fix-test-script.patch
+  * 0230-ITS-9197-fix-info-msg-for-slapd-check.patch
+
openslp
-- Add missing group(daemon) prerequires to the openslp-server
-  package [bnc#1165050]
-- Add missing openslp requires to the openslp-server package
-  [bnc#1165121]
-
-- Add missing zlib build dependency, which used to be pulled in
-  by libopenssl-devel. The package fails to build since the openssl
-  upgrade to 1.1.1 (bsc#1149792)
-
-- Use tcp connects to talk with other DAs [bnc#1117969]
-  new patch: openslp.tcpknownda.diff
-- Fix segfault in predicate match if a registered service has
-  a malformed attribute list [bnc#1136136]
-  new patch: openslp.nullattr.diff
-
-- Fix memory corruption when the sendbuf gets reallocated
-  [bnc#1090638] [CVE-2017-17833]
-  new patch: openslp.sendbuf_move.diff
-- Fix out of bounds reads in message parsing
-  new patch: openslp.parseoob.diff
-
-- move systemd notification before the chroot() call, otherwise
-  the notify function cannot reach systend's unix domain socket
-  [bnc#1089097]
-
-- Use %license (boo#1082318)
-- fix slpd using the peer address as local address for TCP
-  connections [bnc#1076035]
-  new patch: openslp.localaddr.diff
-- use tcp connections for unicast requests [bnc#1080964]
-  new patch: openslp.tcpunicast.diff
-
-- add separate source openslp.logrotate.systemd to
-  use systemctl reload for logrotate configuration
-
-- Add support for OpenSSL 1.1. Commit from upstream [bsc#1042665]
-  new patch: openslp.openssl-1.1.diff
-
-- Also update openslp.sd_notify.diff to use the new systemd lib
-
-- Replace pkgconfig(libsystemd-*) with pkgconfig(libsystemd)
-  Nowadays pkgconfig(libsystemd) replaces all libsystemd-* libs, which
-  are obsolete.
-
-- Fix bounds check in SLPFoldWhiteSpace
-  [bnc#1001600] [CVE-2016-7567]
-  new patch: openslp.foldws.diff
-
-- remove convenience code as changes bytes in the message
-  buffer breaking the verification code [bnc#994989]
-  new patch: openslp.noconvenience.diff
-- fix storage handling in predicate code, it clashed with gcc's
-  fortify_source extension [bnc#909195]
-  new patch: openslp.predicatestorage.diff
-- bring back allowDoubleEqualInPredicate option
-  new patch: openslp.doubleequal.diff
-- fix bug in openslp.initda.diff patch
-- fix rcopenslp helper
-- fix _xrealloc not checking the malloc return value
-  [bnc#980722] [CVE-2016-4912]
-  new patch: openslp.xrealloc.diff
-
-- Do not depend on fillup and insserv if the package build with
-  systemd support; the dependencies are not needed in that case
-
openssl-1_1
+- Don't list disapproved cipher algorithms while in FIPS mode
+  * openssl-1.1.1-fips_list_ciphers.patch
+  * bsc#1161276
+
p7zip
+- Add almost-upstream CVE-2021-3465.patch (bsc#1184699, CVE-2021-3465)
+
patterns-base
+- Recommending openSUSE-signkey-cert in the base pattern bsc#1182641
+
perl-Image-ExifTool
+- Update to version 12.25 fixes (boo#1185547)
+  * JPEG XL support is now official
+  * Added read support for Medical Research Council (MRC) image
+    files
+  * Added ability to write a number of 3gp tags in video files
+  * Added a new Sony PictureProfile value (thanks Jos Roost)
+  * Added a new Sony LensType (thanks LibRaw)
+  * Added a new Nikon LensID (thanks Niels Kristian Bech Jensen)
+  * Added a new Canon LensType
+  * Decode more GPS information from Blackvue dashcam videos
+  * Decode a couple of new NikonSettings tags (thanks Warren
+    Hatch)
+  * Decode a few new RIFF tags
+  * Improved Validate option to add minor warning if standard
+    XMP is missing xpacket wrapper
+  * Avoid decoding some large arrays in DNG images to improve
+    performance unless the -m option is used
+  * Patched bug that could give runtime warning when trying to
+    write an empty XMP structure
+  * Fixed decoding of ImageWidth/Height for JPEG XL images
+  * Fixed problem were Microsoft Xtra tags couldn't be deleted
+  version 12.24:
+  * Added a new PhaseOne RawFormat value (thanks LibRaw)
+  * Decode a new Sony tag (thanks Jos Roost)
+  * Decode a few new Panasonic and FujiFilm tags (thanks LibRaw
+    and Greybeard)
+  * Patched security vulnerability in DjVu reader
+  * Updated acdsee.config in distribution (thanks StarGeek)
+  * Recognize AutoCAD DXF files
+  * More work on experimental JUMBF read support
+  * More work on experimental JPEG XL read/write support
+  version 12.23:
+  * Added support for Olympus ORI files
+  * Added experimental read/write support for JPEG XL images
+  * Added experimental read support for JUMBF metadata in JPEG
+    and Jpeg2000 images
+  * Added built-in support for parsing GPS track from Denver
+    ACG-8050 videos
+    with the -ee option
+  * Added a some new Sony lenses (thanks Jos Roost and LibRaw)
+  * Changed priority of Samsung trailer tags so the first
+    DepthMapImage takes
+    precedence when -a is not used
+  * Improved identification of M4A audio files
+  * Patched to avoid escaping ',' in "Binary data" message when
+  - struct is used
+  * Removed Unknown flag from MXF VideoCodingSchemeID tag
+  * Fixed -forcewrite=EXIF to apply to EXIF in binary header of
+    EPS files
+  * API Changes:
+    + Added BlockExtract option
+  version 12.22:
+  * Added a few new Sony LensTypes and a new SonyModelID (thanks
+    Jos Roost and LibRaw)
+  * Added Extra BaseName tag
+  * Added a new CanonModelID (thanks LibRaw)
+  * Decode timed GPS from unlisted programs in M2TS videos with
+    the -ee3 option
+  * Decode more Sony rtmd tags
+  * Decode some tags for the Sony ILME-FX3 (thanks Jos Roost)
+  * Allow negative values to be written to XMP-aux:LensID
+  * Recognize HEVC video program in M2TS files
+  * Enhanced -b option so --b suppresses tags with binary data
+  * Improved flexibility when writing GPS coordinates:
+    + Now pulls latitude and longitude from a combined
+    GPSCoordinates string
+    + Recognizes the full word "South" and "West" to write
+    negative coordinates
+  * Improved warning when trying to write an integer QuickTime
+    date/time tag and Time::Local is not available
+  * Convert GPSSpeed from mph to km/h in timed GPS from Garmin
+    MP4 videos
+  version 12.21:
+  * Added a few new iOS QuickTime tags
+  * Decode a couple more Sony rtmd tags
+  * Patch to avoid possible "Use of uninitialized value" warning
+    when attempting to write QuickTime date/time tags with an
+    invalid value
+  * Fixed problem writing Microsoft Xtra tags
+  * Fixed Windows daylight savings time patch for file times
+    that was broken in 12.19 (however directory times will not
+    yet handle DST properly)
+  version 12.20:
+  * Added ability to write some Microsoft Xtra tags in MOV/MP4
+    videos
+  * Added two new Canon LensType values (thanks Norbert Wasser)
+  * Added a new Nikon LensID
+  * Fixed problem reading FITS comments that start before column
+    11
+  version 12.19:
+  * Added -list_dir option
+  * Added the "ls-l" Shortcut tag
+  * Extract Comment and History from FITS files
+  * Enhanced FilePermissions to include device type (similar to
+    "ls -l")
+  * Changed the name of Apple ContentIdentifier tag to
+    MediaGroupUUID (thanks Neal Krawetz)
+  * Fixed a potential "substr outside of string" runtime error
+    when reading corrupted EXIF
+  * Fixed edge case where NikonScanIFD may not be copied
+    properly when copying MakerNotes to another file
+  * API Changes:
+    + Added ability to read/write System tags of directories
+    + Enhanced GetAllGroups() to support family 7 and take
+    optional ExifTool reference
+    + Changed QuickTimeHandler option default to 1
+  version 12.18:
+  * Added a new SonyModelID
+  * Decode a number of Sony tags for the ILCE-1 (thanks Jos
+    Roost)
+  * Decode a couple of new Canon tags (thanks LibRaw)
+  * Patched to read differently formatted UserData:Keywords as
+    written by iPhone
+  * Patched to tolerate out-of-order Nikon MakerNote IFD entries
+    when obtaining tags necessary for decryption
+  * Fixed a few possible Condition warnings for some
+    NikonSettings tags
+  version 12.17:
+  * Added a new Canon FocusMode value
+  * Added a new FujiFilm FilmMode value
+  * Added a number of new XMP-crs tags (thanks Herb)
+  * Decode a new H264 MDPM tag
+  * Allow non-conforming lower-case XMP boolean "true" and
+    "false" values to be written, but only when print conversion
+    is disabled
+  * Improved Validate option to warn about non-capitalized
+    boolean XMP values
+  * Improved logic for setting GPSLatitude/LongitudeRef values
+    when writing
+  * Changed -json and -php options so the -a option is implied
+    even without the -g option
+  * Avoid extracting audio/video data from AVI videos when -ee
+  - u is used
+  * Patched decoding of Canon ContinuousShootingSpeed for newer
+    firmware versions of the EOS-1DXmkIII
+  * Re-worked LensID patch of version 12.00 (github issue #51)
+  * Fixed a few typos in newly-added NikonSettings tags (thanks
+    Herb)
+  * Fixed problem where group could not be specified for
+    PNG-pHYs tags when writing
+  version 12.16:
+  * Extract another form of video subtitle text
+  * Enhanced -ee option with -ee2 and -ee3 to allow parsing of
+    the H264 video stream in MP4 files
+  * Changed a Nikon FlashMode value
+  * Fixed problem that caused a failed DPX test on Strawberry
+    Perl
+  * API Changes:
+    + Enhanced ExtractEmbedded option
+  version 12.15:
+  * Added a couple of new Sony LensType values (thanks LibRaw
+    and Jos Roost)
+  * Added a new Nikon FlashMode value (thanks Mike)
+  * Decode NikonSettings (thanks Warren Hatch)
+  * Decode thermal information from DJI RJPEG images
+  * Fixed extra newline in -echo3 and -echo4 outputs added in
+    version 12.10
+  * Fixed out-of-memory problem when writing some very large PNG
+    files under Windows
+  version 12.14:
+  * Added support for 2 more types of timed GPS in video files
+    (that makes 49 different formats now supported)
+  * Added validity check for PDF trailer dictionary Size
+  * Added a new Pentax LensType
+  * Extract metadata from Jpeg2000 Association box
+  * Changed -g:XX:YY and -G:XX:YY options to show empty strings
+    for non-existent groups
+  * Patched to issue warning and avoid writing date/time values
+    with a zero month or day number
+  * Patched to avoid runtime warnings if trying to set FileName
+    to an empty string
+  * Fixed issue that could cause GPS test number 12 to fail on
+    some systems
+  * Fixed problem extracting XML as a block from Jpeg2000
+    images, and extract XML tags in the XML group instead of XMP
+- Update URL
+
+- update to 12.13:
+  - Add time zone automatically to most string-based QuickTime date/time tags
+    when writing unless the PrintConv option is disabled
+  - Added -i HIDDEN option to ignore files with names that start with "."
+  - Added a few new Nikon ShutterMode values (thanks Jan Skoda)
+  - Added ability to write Google GCamera MicroVideo XMP tags
+  - Decode a new Sony tag (thanks LibRaw)
+  - Changed behaviour when writing only pseudo tags to return an error and avoid
+    writing any other tags if writing FileName fails
+  - Print "X image files read" message even if only 1 file is read when at least
+    one other file has failed the -if condition
+  - Added ability to geotag from DJI CSV log files
+  - Added a new CanonModelID
+  - Added a couple of new Sony LensType values (thanks LibRaw)
+  - Enhanced -csvDelim option to allow "\t", "\n", "\r" and "\\"
+  - Unescape "\b" and "\f" in imported JSON values
+  - Fixed bug introduced in 12.10 which generated a "Not an integer" warning
+    when attempting to shift some QuickTime date/time tags
+  - Fixed shared-write permission problem with -@ argfile when using -stay_open
+    and a filename containing special characters on Windows
+  - Added -csvDelim option
+  - Added new Canon and Olympus LensType values (thanks LibRaw)
+  - Added a warning if ICC_Profile is deleted from an image (github issue #63)
+  - EndDir() function for -if option now works when -fileOrder is used
+  - Changed FileSize conversion to use binary prefixes since that is how the
+    conversion is currently done (eg. MiB instead of MB)
+  - Patched -csv option so columns aren't resorted when using -G option and one
+    of the tags is missing from a file
+  - Fixed incompatiblity with Google Photos when writing UserData:GPSCoordinates
+    to MP4 videos
+  - Fixed problem where the tags available in a -p format string were limited to
+    the same as the -if[NUM] option when NUM was specified
+  - Fixed incorrect decoding of SourceFileIndex/SourceDirectoryIndex for Ricoh
+    models
+
+- Update to 12.10
+  * Added -validate test for proper TIFF magic number in
+    JPEG EXIF header
+  * Added support for Nikon Z7 LensData version 0801
+  * Added a new XMP-GPano tag
+  * Decode ColorData for the Canon EOS 1DXmkIII
+  * Decode more tags for the Sony ILCE-7SM3
+  * Automatically apply QuickTimeUTC option for CR3 files
+  * Improved decoding of XAttrMDLabel from MacOS files
+  * Ignore time zones when writing date/time values and
+    using the -d option
+  * Enhanced -echo3 and -echo4 options to allow exit status
+    to be returned
+  * Changed -execute so the -q option no longer suppresses
+    the "{ready}" message when a synchronization number is used
+  * Added ability to copy CanonMakerNotes from CR3 images
+    to other file types
+  * Added read support for ON1 presets file (.ONP)
+  * Added two new CanonModelID values
+  * Added trailing "/" when writing QuickTime:GPSCoordinates
+  * Added a number of new XMP-crs tags
+  * Added a new Sony LensType (thanks Jos Roost)
+  * Added a new Nikon Z lens (thanks LibRaw)
+  * Added a new Canon LensType
+  * Decode ColorData for Canon EOS R5/R6
+  * Decode a couple of new HEIF tags
+  * Decode FirmwareVersion for Canon M50
+  * Improved decoding of Sony CreativeStyle tags
+  * Improved parsing of Radiance files to recognize comments
+  * Renamed GIF AspectRatio tag to PixelAspectRatio
+  * Patched EndDir() feature so subdirectories are always
+    processed when -r is used (previously, EndDir() would
+    end processing of a directory completely)
+  * Avoid loading GoPro module unnecessarily when reading MP4 videos
+    from some other cameras
+  * Fixed problem with an incorrect naming of CodecID tags in some
+    MKV videos
+  * Fixed verbose output to avoid "adding" messages for
+    existing flattened XMP tags
+  * Added a new Sony LensType
+  * Recognize Mac OS X xattr files
+  * Extract ThumbnailImage from MP4 videos of more dashcam models
+  * Improved decoding of a number of Sony tags
+  * Fixed problem where the special -if EndDir() function didn't
+    work properly for directories after the one in which
+    it was initially called
+  * Patched to read DLL files which don't have a .rsrc section
+  * Patched to support new IGC date format when geotagging
+  * Patched to read DLL files with an invalid size in the header
+  * Added support for GoPro .360 videos
+  * Added some new Canon RF and Nikkor Z lenses
+  * Added some new Sony LensType and CreativeStyle values
+    and decode some ILCE-7C tags
+  * Added a number of new Olympus SceneMode values
+  * Added a new Nikon LensID
+  * Decode more timed metadata from Insta360 videos
+  * Decode timed GPS from videos of more Garmin dashcam models
+  * Decode a new GoPro video tag
+  * Reformat time-only EventTime values when writing and prevent
+    arbitrary strings from being written
+  * Patched to accept backslashes in SourceFile entries for -csv option
+
+- update to 12.06
+  - Added read support for Lyrics3 metadata (and fixed problem
+    where APE metadata may be ignored if Lyrics3 exists)
+  - Added a new Panasonic VideoBurstMode value
+  - Added a new Olympus MultipleExposureMode value
+  - Added a new Nikon LensID
+  - Added back conversions for XMP-dwc EventTime that were removed
+    in 12.04 with a patch to allow time-only values
+  - Decode GIF AspectRatio
+  - Decode Olympus FocusBracketStepSize
+  - Extract PNG iDOT chunk in Binary format with the
+    name AppleDataOffsets
+  - Process PNG images which do not start with mandatory
+    IHDR chunk
+  - Added a new Panasonic SelfTimer value
+  - Decode a few more DPX tags
+  - Extract AIFF APPL tag as ApplicationData
+  - Fixed bug writing QuickTime ItemList 'gnre' Genre values
+  - Fixed an incorrect value for Panasonic VideoBurstResolution
+  - Fixed problem when applying a time shift to some invalid
+    makernote date/time values
+
+- update to 12.04:
+  * See /usr/share/doc/packages/perl-Image-ExifTool/Change
+
+- update to 11.50, see Image-ExifTool-11.50.tar.gz for details
+
+- Update to version 11.30:
+  * Add a new Sony/Minolta LensType.
+  * Decode streaming metadata from TomTom Bandit Action Cam MP4
+    videos.
+  * Decode Reconyx HF2 PRO maker notes.
+  * Decode ColorData for some new Canon models.
+  * Enhanced -geotag feature to set AmbientTemperature if
+    available.
+  * Remove non-significant spaces from some DICOM values.
+  * Fix possible "'x' outside of string" error when reading
+    corrupted EXIF.
+  * Fix incorrect write group for GeoTIFF tags.
+
+- Update to version 11.29
+  * See /usr/share/doc/packages/perl-Image-ExifTool/Changes
+
+- Update to version 11.27
+  * See /usr/share/doc/packages/perl-Image-ExifTool/Changes
+
+- Update to version 11.24
+  * See /usr/share/doc/packages/perl-Image-ExifTool/Changes
+
+- Update to version 11.11 (changes since 11.01):
+  * See /usr/share/doc/packages/perl-Image-ExifTool/Changes
+
+- Update to 11.01:
+  * Added a new ProfileCMMType
+  * Added a Validate warning about non-standard EXIF or XMP in
+    PNG images
+  * Added a new Canon LensType
+  * Decode a couple more PanasonicRaw tags
+  * Patched to avoid adding tags to QuickTime videos with multiple
+    'mdat' atoms --> avoids potential corruption of these videos!
+
+- Update to 11.00:
+  * Added read support for WTV and DVR-MS videos
+  * Added print conversions for some ASF date/time tags
+  * Added a new SonyModelID
+  * Decode a new PanasonicRaw tag
+  * Decode some new Sony RX100 VI tags
+  * Made Padding and OffsetSchema tags "unsafe" so they
+    aren't copied by default
+
permissions
+- Update to version 20181225:
+  * etc/permissions: remove unnecessary entries (bsc#1182899)
+
plasma5-desktop
+- Add upstream patch to fix renaming files on the desktop via the
+  keyboard shortcut (boo#1174487, kde#425436):
+  * 0001-Fix-renaming-shortcut-for-files-selected-via-selecti.patch
+
plasma5-workspace
+- Add upstream patch to fix broken/missing "Switch User"
+  functionality with systemd 246 (boo#1177223, kde#427777):
+  * Fix-missing-Switch-User-with-systemd-246.patch
+
plymouth
+- Pickup plymouth-only_use_fb_for_cirrus_bochs.patch: Currently our
+  kernel hardware support need this fix, and boo#1172028 will be
+  fix seperately (bnc#888590 boo#1172028 bsc#1181913).
+
procps
+- Add upstream patch procps-3.3.17-bsc1181976.patch based on
+  commit 3dd1661a to fix bsc#1181976 that is change descripton
+  of psr, which is for 39th field of /proc/[pid]/stat
+
python-libxml2-python
+- Security fix: [bsc#1185408, CVE-2021-3518]
+  * Fix use-after-free in xinclude.c:xmlXIncludeDoProcess()
+  * Add libxml2-CVE-2021-3518.patch
+
+- Security fix: [bsc#1185410, CVE-2021-3517]
+  * Fix heap-based buffer overflow in entities.c:xmlEncodeEntitiesInternal()
+  * Add libxml2-CVE-2021-3517.patch
+
+- Security fix: [bsc#1185409, CVE-2021-3516]
+  * Fix use-after-free in entities.c:xmlEncodeEntitiesInternal()
+  * Add libxml2-CVE-2021-3516.patch
+
radvd
-- fix the radvd.service file to use /etc/sysconfig/radvd
-  (bnc#854316)
-
-- Update to version 1.9.7
-  * ioctl bug fix for getting the hardware address and mtu of an interface
-- Update to version 1.9.6
-  * Check AdvSendAdvert before sending an advertisement
-- Update to version 1.9.5
-  * IPv6 forwarding setting should be 1 or 2
-  * Performance fix in netlink message processing
-  * fix for kernels with no NETLINK_NO_ENOBUFS defined
-  * distributing gz, bz2 and xz tarballs
-  * also distributing md5, sha1, sha256 and gpg signatures
-- Update to version 1.9.4
-  * IPv6 forwarding setting should be 1 or 2
-  * Performance fix in netlink message processing
-  * fix for kernels with no NETLINK_NO_ENOBUFS defined
-  * distributing gz, bz2 and xz tarballs
-  * also distributing md5, sha1, sha256 and gpg signatures
-- Update to version 1.9.3
-  * check for sys/sysctl.h availability
-  * radvdump fix to interpret MTU and Route
-- Update to version 1.9.2
-  * A few minor Makefile.am fixes
-- Update to version 1.9.1
-  * Replacing a '==' in configure with '=' for better shell portability
-- added .asc (gpg key not yet found)
-
-- Don't start daemon after package installation, the default config is almost
-  useless and previous package versions installed even bad ones into
-  /etc/radvd.conf (it would never be fixed since the file is
-  %ghost %config(noreplace)
-- Fix try-restart to only restart the daemon if it's actually running. Allow
-  condrestart, which is LSB
-
-- Add radvd-tmpfile-grpname.patch: On openSUSE, the radvd user is
-  added to the 'daemon' group (not a specific 'radvd' group). Thus
-  adjusting the groupname in for the file to be installed in
-  tmpfiles.d. Otherwise, the systemd-tmpfiles service fails to
-  start (and radvd can't find the /var/run folder).
-
-- Remove URL from source as this is a git snapshot
-
-- Update to version 1.9rc1.xxx
-  * Support systemd tmpfiles.d
-  * add Native systemd units for this service
-  * Uses libdaemon to deamonize and store PID file.
-  * Use setsockopt NETLINK_NO_ENOBUFS
-  * fixes debian bug 634485
-
-- add automake as buildrequire to avoid implicit dependency
-
-- Update to version 1.8.3:
-  + proper tracking of buffer usage in send_ra
-- Drop diff_release_1_8_2..44ee01c7.patch: fixed upstream.
-
-- Update to version 1.8.3-rc1
-- additional patches up to commit 44ee01c7 to fully fix the
-  path traversal CVE-2011-3602 (bnc#721968)
-
-- Update to version 1.8.1 for details see NEWS
-- Fix package building in factory, creating /var/run/radvd before
-  being marked as %ghost
-- Run spec cleaner
-
-- new version 1.7:
-  - Fix an unintentional change in 1.3: RAs were accidentally often unicast to
-    solicitors instead of being multicast. This is still compliant with the
-    specification but is not optimal.
-  - Allow radvd.conf prefix, clients, route, and RDNSS options to be in any order.
-  - exit if the number of prefixes/routes/etc. would grow too much.
-  - Fix radvd skipping multiple interfaces when UnicastOnly is on or
-    AdvSendAdvert is off. This got broken in radvd 1.3.
-  - Fix a segmentation fault on reload_config() timer list corruption that only
-    occurs with multiple interfaces.
-  - Add '-c' flag to test configuration.
-  - Deprecate old, pre-RFC5006 parameters. Support RFC6106 by adding DNS Search List support.
-- run as user radvd by default (bnc#691456)
-- clean up init script
-- install a small default config that advertises ULAs. Default prefix is
-  autogenerated to get a different for on each installation.
-- start even if forwarding is not on to be able to work with ULAs only
-
-- Update to version 1.3:
-  - mainly compilation fixes
-  - decreased the default valid and preferred lifetimes
-  - support for arbitrary interface names
-
rsyslog
+- fix groupname retrieval for large groups (bsc#1178490)
+  * add 0001-rainerscript-call-getgrnam_r-repeatedly-to-get-all-g.patch
+
ruby2
+- Update to 2.5.9 (boo#1184644)
+  https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
+  - CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability
+    in WEBrick
+  - CVE-2021-28965: XML round-trip vulnerability in REXML
+  Complete list of changes at
+  https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9
+- Update suse.patch:
+  Remove fix for CVE-2020-25613 as it is included in the update
+
shim
+- Include suse-signed shim for AArch64 (bsc#1185621)
+
systemd
+- add conversion script for moving legacy collect based udev rules
+  to chzdev based ones (bsc#1183984)
+
systemd-presets-common-SUSE
+- Enable hcn-init.service for HNV on POWER (bsc#1184136 ltc#192155).
+
tcsh
+- Add patch tcsh-6.20.00-toolong.patch which is an upstream commit
+  ported back to 6.20.00 to fix bsc#1179316 about history file growing
+
vlc
+- Update to version 3.0.13:
+  + Demux:
+  - Adaptive: fix artefacts in HLS streams with wrong profiles/levels
+  - Fix regression on some MP4 files for the audio track
+  - Fix MPGA and ADTS probing in TS files
+  - Fix Flac inside AVI files
+  - Fix VP9/Webm artefacts when seeking
+  + Codec:
+  - Support SSA text scaling
+  - Fix rotation on Android rotation
+  - Fix WebVTT subtitles that start at 00:00
+  + Access:
+  - Update libnfs to support NFSv4
+  - Improve SMB2 integration
+  - Fix Blu-ray files using Unicode names on Windows
+  - Disable mcast lookups on Android for RTSP playback
+  + Video Output: Rework the D3D11 rendering wait, to fix
+    choppiness on display
+  + Interfaces:
+  - Fix VLC getting stuck on close on X11 (#21875)
+  - Improve RTL on preferences on macOS
+  - Add mousewheel horizontal axis control
+  - Fix crash on exit on macOS
+  - Fix sizing of the fullscreen controls on macOS
+  + Misc:
+  - Improve MIDI fonts search on Linux
+  - Update Soundcloud, Youtube, liveleak
+  - Fix compilation with GCC11
+  - Fix input-slave option for subtitles
+  + Updated translations.
+- Drop vlc-gcc11.patch: fixed upstream.
+- Extend vlc-srto_tsbpddelay.patch: allow srt >= 1.3 for openSUSE.
+
+- Guard post scriptlets to only run %{_libdir}/vlc/vlc-cache-gen if
+  it already (or still, in case of uninstall) exists.
+
+- Add vlc-gcc11.patch: Fix build using gcc11 (boo#1181918).
+
+- Drop libpcre-devel BuildRequires: not been used in a while.
+
+- Limit libplacebo to is_openssue: vlc does not exist in SLE, which
+  makes the usage of is_opensuse valid; backports has is_opensuse
+  set to 1. This is mostly interesting for 3rd party build service
+  instances.
+
+- Enable libplacebo support (the core rendering algorithms and
+  ideas of mpv rewritten as an independent library):
+  + Add pkgconfig(libplacebo) BuildRequires
+  + Pass --enable-libplacebo to %configure
+
+- Update to version 3.0.12:
+  + Access: Add new RIST access module compliant with simple
+    profile (VSF_TR-06-1).
+  + Access Output: Add new RIST access output module compliant with
+    simple profile (VSF_TR-06-1).
+  + Demux: Fixed adaptive's handling of resolution settings.
+  + Audio output: Fix audio distortion on macOS during start of
+    playback.
+  + Video Output: Direct3D11: Fix some potential crashes when using
+    video filters.
+  + Misc:
+  - Several fixes in the web interface, including privacy and
+    security improvements
+  - Update YouTube and Vocaroo scripts.
+  + Updated translations.
+- Drop vlc-CVE-2020-26664.patch: fixed upstream.
+- Drop fix-missing-includes-with-qt-5.15.patch: fixed upstream.
+
vsftpd
+- Add seccomp-fixes.patch to allow getdents64 syscall in seccomp
+  sandbox, fixes bsc#1179553
+  Also in the same patch, fix the architecture offset from 4 to 5,
+  this change was documented in https://lore.kernel.org/patchwork/patch/554803/
+
+- Apply "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" and
+  "0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch",
+  which add the "ssl_tlsv1_1" and "ssl_tlsv1_2" options to the
+  configuration file. Both options default to true. [SLE-4182]
+
+- Use %{_prefix}/lib instead of misused %{_libexecdir}.
+
+- Add pam_keyinit.so to PAM config file.
+  [vsftpd.pam, bsc#1144062]
+
+- Apply "vsftpd-avoid-bogus-ssl-write.patch" to fix a segmentation
+  fault that occurred while trying to write to an invalid TLS
+  context. [bsc#1125951]
+
+- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
+  shortcut the build queues by allowing usage of systemd-mini
+
+- firewall-macros should be BuildRequires, not Requires(post)
+  (the macro gets expanded during package build)
+
-- force using fork() instead of clone() on s390 - fixes bnc#890469
-  * vsftpd-3.0.2-s390.patch
-
-- Cleanup with spec-cleaner
-- Remove conditions about init files as we do not build for < 12.1
-  anyway.
-- Update the README.SUSE file to describe more the listen option.
-
-- Add socket service for vsftpd to avoid the need for xinetd here.
-
-- Add comment about listen variables for xinetd configuration.
-  Fixes bnc#872221.
-- Add default configuration as arg to xinetd started vsftpd.
-- Updated patch:
-  * vsftpd-2.0.4-xinetd.diff
-
-- Move the enabling of timeofday and alarm one level deeper to
-  be sure it is whitelisted everytime.
-  Also should possibly fix bnc#872215.
-- Updated patch:
-  * vsftpd-enable-gettimeofday-sec.patch
-
-- Remove forking from service type as it hangs in endless loop.
-
-- Fix warning about dangling symlink on rcvsftpd from rpmlint and
-  remove also clean section while at it.
-
-- Add patch to allow gettimeofday and alarm calls with seccomp
-  enabled. bnc#870122
-- Added patch:
-  * vsftpd-enable-gettimeofday-sec.patch
-
-- Specify that the service type is forking
-
-- changed license to SUSE-GPL-2.0-with-openssl-exception
-  * suggested by legal team
-
-- add allow_root_squashed_chroot option to enable chroot on nsf
-  mounted with squash_root option (fate#311051)
-  * vsftpd-root-squashed-chroot.patch
-
-- build with OPENSSL_NO_SSL_INTERN this hides internal struct
-  members or functions that if changed in future openssl versions
-  will break the ABI of the calling applications.
-
-- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
-  * this enabled a sendto on /dev/log socket when syslog is enabled
-- provide more verbose explanation about isolate_network and seccomp_sanbox in
-  config file template
-- don't install init file on openSUSE 13.1+
-- drop a build support for SL 10 and older
-
-- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
-  * drop CLONE_NEWPID from clone to enable audit system
-- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
-  * unconditionally enable F_SETFL patch - might be safe to do
-
-- add isolate_network and seccomp_sandbox options to template to make them
-  easier to find (bnc#786024)
-
-- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
-  * whitelist /dev/log related socket syscall
-
-- Verify GPG signature.
-
-- Fix useradd invocation: -o is useless without -u and newer
-  versions of pwdutils/shadowutils fail on this now.
-
-- update to 3.0.2 (bnc#786024)
-  * Fix some seccomp related build errors on certain CentOS and Debian versions.
-  * Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
-  opens and maps /proc/meminfo but only for larger item counts?
-  * Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
-  * Fix various NULL crashes with nonsensical config settings. Noted by Tianyin
-  Xu <tixu@cs.ucsd.edu>.
-  * Force cast to unsigned char in is* char functions.
-  * Fix harmless integer issues in strlist.c.
-  * Started on a (possibly ill-advised?) crusade to compile cleanly with
-  Wconversion. Decided to suspend the effort half-way through.
-  * One more seccomp policy fix: mremap (denied).
-  * Support STOU with no filename, uses a STOU. prefix.
-
-- make seccomp sandbox enabled by default
-  * dropped vsftpd-3.0.0-turn-seccomp-sandbox-off.patch
-
-- fix building on 11.4 x86_64 and lower
-  * fix where, when, & how __USE_GNU gets #defined
-  * make seccomp optional and disable it on 10.3 and lower
-
-- update to upstream 3.0.0:
-  * Make listen mode the default.
-  * Fix missing "const" in ssl.c
-  * Add seccompsandbox.c to support a seccomp filter sandbox; works against
-    Ubuntu 12.04 ABI.
-  * Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
-    seccompsandbox.c
-  * Rename deprecated "sandbox" to "ptrace_sandbox".
-  * Add a few more state checks to the privileged helper processes.
-  * Add tunable "seccomp_sandbox", default on.
-  * Use hardened build flags.
-  * Retry creating a PASV socket upon port reuse race between bind() and
-    listen(), patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>.
-  * Don't die() if recv() indicates a closed remote connection. Problem report
-    on a Windows client from Herbert van den Bergh,
-    <herbert.van.den.bergh@oracle.com>.
-  * Add new config setting "allow_writeable_chroot" to help people in a bit of
-    a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
-  * Remove a couple of fixed things from BUGS.
-  * strlen() trunction fix -- no particular impact.
-  * Apply some tidyups from mmoufid@yorku.ca.
-  * Fix delete_failed_uploads if there is a timeout. Report from Alejandro
-    Hernández Hdez <aalejandrohdez@gmail.com>.
-  * Fix other data channel bugs such as failure to log failure upon timeout.
-  * Use exit codes a bit more consistently.
-  * Fix bad interaction between SSL and trans_chunk_size.
-  * Redo data timeout to fire properly for SSL sessions.
-  * Redo idle timeout to fire properly for SSL sessions.
-  * Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
-  * Use 10 minutes as a max linger time just in case an alarm gets lost.
-  * Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
-  * Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
-    Unfortunately the default vsftpd SSL confiuration still doesn't fully work with
-    FileZilla, because FileZilla has a data connection security problem: no client
-    certificate presentation and no session reuse. At least the error message is
-    now very clear.
-  * Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
-    a data transfer is in progress.
-  * Fix delete_failed_uploads for anonymous sessions.
-  * Don't listen for urgent data if the control connection is SSL, due to possible
-    protocol synchronization issues.
-- SUSE specific changes:
-  * turn off the listen mode (listen=NO) by default and change README.SUSE
-  * merge new hardended flags for build and linking
-  * fix the wrong Type=forking from systemd service file
-  * turn off the seccomp_sandbox off by default as SUSE kernel does not support
-    it (yet)
-
-- follow Systemd Packaging guidelines
-  http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines
-- add $local_fs and $remote_fs to init script
-
-- use the original tarball, because the bz2 repacking madness disables
-  gpg --verify
-- revert a part oc changes utf converting
-
-- update to upstream 2.3.5:
-  * Try and force glibc to cache zoneinfo files in an attempt to work around
-    glibc parsing vulnerability. Thanks to Kingcope.
-  * Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke
-    <martin@meltin.net>.
-  * Some simple fixes and cleanups from Thorsten Brehm <tbrehm@dspace.de>.
-  * Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to
-    steve willing <eiji-gravion@hotmail.com>.
-  * Handle connect() failures properly. Thanks to Takayuki Nagata
-    <tnagata@redhat.com>.
-  * Add stronger checks for the configuration error of running with a
-    writeable root directory inside a chroot(). This may bite people who
-    carelessly turned on chroot_local_user but such is life.
-- convert .changes file to unicode
-- refresh vsftpd-2.0.4-conf.diff to vsftpd-2.3.5-conf.patch
-- name patches explicitly without macro as per recommendations
-- remove INSTALL file from binary package
-- update license to GPL-2.0+
-- mark /etc/sysconfig/SuSEfirewall2/services/vsftpd as config file
-
-- fis copy/paste error in previous change
-
-- Add systemd unit
-
-- fix bnc#713588 - bogus logrotate config for vsftpd
-  call /sbin/killproc -HUP /usr/sbin/vsftpd like init script
-- change the url and service file to the new location at
-  security.appspot.com/vsftpd
-
-- Update to 2.3.4
-- Avoid consuming excessive CPU when matching filenames to patterns. Thanks to
-  Maksymilian Arciemowicz <cxib@securityreason.com>.
-- Some bugfixes from Raphaël Rigo <raphael.rigo@syscall.eu> -- good bugs but
-  no apparent security impact.
-
-- Update to version 2.3.2
-- Fix silly regression re: log files being overwritten from the start.
-- Rename a few file-open functions to make it clearer what they do
-
-- Update to 2.3.0
-- Add extremely simply HTTP support. It's very experimental, ignorant of HTTP
-  protocol and headers, and likely has all sorts of other issues. The use case
-  it might satisfy is if you need to serve simple static unathenticated content
-  with large levels of paranoia.
-- Fix port_promiscuous breakage.
-- Minor FAQ update.
-- Use a larger address space limit if using text_userdb_names=YES
-- Always use CLONE_NEWNET if possible when in HTTP mode.
-- Change REST + STOR so that it's possible to overwrite part of file without
-  truncating it.
-- Boot the session if we see a USER where encryption was required. May prevent
-  the transmission of plaintext passwords by buggy clients.
-- Fix failure to transmit a large ASCII file over SSL, if it contains \n -> \r\n
-  fixups.
-
-- $remote_fs --> network-remotefs
-
-- updated to version 2.2.2
-  * Change "File receive OK." to "Transfer complete." to placate some broken
-  clients. Thanks Holger Kiehl <Holger.Kiehl@dwd.de>.
-  * Fix erroneous "child died" upon FTP client connect, when under load. Awesome
-  thanks to Holger Kiehl <Holger.Kiehl@dwd.de> for running diagnostic tests on
-  his live server.
-  * Boot the session if an overly long line is encountered.
-- see Changelog file for changes in 2.1.0, 2.1.1, 2.1.2 and 2.2.0 releases
-- deprecated use-ipv6-scope-id.patch,libcap2-fix.diff,write_race.patch
-  nowarn.patch
-
-- added use-ipv6-scope-id.patch to fix connection issues with
-  ipv6-link local address (bnc#574366)
-
-- fix typo in the package description - and remove authors
-
webkit2gtk3
+- Per discussion with maintenance, let's not remove features that
+  customers could possibly be using:
+- Add webkit2gtk3-restore-npapi.patch: restore NPAPI plugin
+  support. Reverts webkit#215503.
+
+- Update to version 2.32.0 (boo#1184155):
+  + Fix the authentication request port when URL omits the port.
+  + Fix iframe scrolling when main frame is scrolled in async
+    scrolling mode.
+  + Stop using g_memdup.
+  + Show a warning message when overriding signal handler for
+    threading suspension.
+  - Fix the build on RISC-V with GCC 11.
+  - Fix several crashes and rendering issues.
+  + Security fixes: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871
+  + Changes in version 2.30.6 (boo#1184262):
+  + Update user agent quirks again for Google Docs and Google Drive.
+  + Fix several crashes and rendering issues.
+  + Security fixes: CVE-2020-27918, CVE-2020-29623, CVE-2021-1765
+  CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870.
+- Remove webkit-font-scaling.patch: contained in upstream
+- Drop original SLE 15 support from the spec. Drop
+  webkit-process.patch and old-wayland-scanner.patch; they are not
+  needed for SP2.
+- Pass ENABLE_GAMEPAD=OFF to cmake, since we don't have manette.
+- Add glproto-devel to BuildRequires: now needed for the build on
+  SLE 15.
+
+- Update _constraints for armv6/armv7 (bsc#1182719)
+
wpa_supplicant
+- Add CVE-2021-30004.patch -- forging attacks may occur because
+  AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c
+  (bsc#1184348)
+
+- Fix systemd device ready dependencies in wpa_supplicant@.service file.
+  (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)
+
xdg-desktop-portal
+- Ensure systemd rpm macros are called at install/uninstall times
+  for systemd user services.
+- Add BuildRequires on systemd-rpm-macros.
+
+- Update to version 1.8.0:
+  + openuri:
+  - Allow skipping the chooser for more URL tyles
+  - Robustness fixes
+  + filechooser: Return the current filter
+  + camera:
+  - Make the client node visible
+  - Don't leak pipewire proxy
+  + Fix file descriptor leaks
+  + Testsuite improvements
+  + Updated translations.
+- Changes from version 1.7.2:
+  + document:
+  - Reduce the use of open fds
+  - Add more tests and fix issues they found
+  + Fix the build with musl.
+- Changes from version 1.7.1:
+  + filechooser:
+  - Add a "directory" option
+  - Document the "writable" option
+  + document: Expose directories with their proper name
+- Changes from version 1.7.0:
+  + testsuite improvements
+  + background: Avoid a segfault
+  + screencast: Require pipewire 0.3
+  + document:
+  - Support exporting directories
+  - New fuse implementation
+  + Better support for snap and toolbox
+  + Updated translations.
+- Drop patches fixed upstream:
+  + xdg-dp-port-pipewire-3-api.patch
+  + 0001-Fix-use-after-free-in-xdg_get_app_info_from_pid.patch
+  + 0002-add-AssumedAppArmorLabel-key-to-D-Bus-service-files.patch
+  + 0003-Fix-criticals-if-no-default-handler-for-desired-type.patch
+
+- Require /usr/bin/fusermount: xdg-document-portal calls out to the
+  binary. Without it, files or dirs can be selected, but
+  whatever is done with or in them, will not have any effect
+  (boo#1175899).
+
+- Fixes for %_libexecdir changing to /usr/libexec
+
xdg-desktop-portal-gtk
+- Update to version 1.8.0:
+  + filechooser: Return the current filter
+  + screenshot: Fix cancellation
+  + appchooser: Avoid a crash
+  + wallpaper:
+  - Properly preview placement settings
+  - Drop the lockscreen option
+  + printing: Improve the notification
+  + Updated translations.
+- Changes from version 1.7.1:
+  + filechooser:
+  - Handle the "directory" option to select directories
+  - Only show preview when we have an image
+  + Updated translations.
+- Changes from version 1.7.0:
+  + screencast: Support mutter version 3
+  + settings: Fall back to gsettings for enable-animations
+  + Updated translations.
+- Drop xdg-dpg-support-mutter-pipewire-3-api.patch: Fixed upstream.
+
+- Add xdg-dpg-support-mutter-pipewire-3-api.patch: screencast: Bump
+  supported Mutter version to 3 (New pipewire api ver 3).
+
xorg-x11-server
+- U_build-glx-Lower-gl-version-to-work-with-libglvnd.patch,
+  U_meson-Fix-another-reference-to-gl-9.2.0.patch
+  * fix build on sle15-sp3 with updated libglvnd/Mesa and their
+    new pkgconfig files
+    (https://gitlab.freedesktop.org/xorg/xserver/-/issues/893)
+
+- U_xwayland-Do-not-crash-if-gbm_bo_create-fails.patch
+  * xwayland: Do not crash if gbm_bo_create() fails (boo#1184072) (boo#1184543)
+
+- U_Fix-XChangeFeedbackControl-request-underflow.patch
+  * Fix XChangeFeedbackControl() request underflow (CVE-2021-3472,
+    ZDI-CAN-1259, bsc#1180128)
+
yast2-trans
+- Update to version 84.87.20210502.7b34dbceae:
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Turkish)
+  * Translated using Weblate (Portuguese (Brazil))
+  * Translated using Weblate (Japanese)
+  * Translated using Weblate (Japanese)
+  * New POT for text domain 'network'.
+  * New POT for text domain 'installation'.
+  * New POT for text domain 'network'.
+  * Translated using Weblate (Japanese)
+  * Translated using Weblate (Japanese)
+  * Translated using Weblate (Japanese)
+  * Translated using Weblate (Japanese)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Slovak)
+