Packages changed:
  amavisd-new
  bcm43xx-firmware
  fetchmail (6.4.15 -> 6.4.16)
  gnutls (3.6.15 -> 3.7.0)
  kernel-source (5.10.16 -> 5.11.2)
  libsoup
  libvirt (7.0.0 -> 7.1.0)
  libwps (0.4.11 -> 0.4.12)
  mousepad (0.5.2 -> 0.5.3)
  ntp
  openssl (1.1.1h -> 1.1.1j)
  openssl-1_1 (1.1.1h -> 1.1.1j)
  pavucontrol
  pentobi (18.4 -> 18.5)
  perl-Date-Manip (6.83 -> 6.85)
  perl-IO-Socket-SSL (2.068 -> 2.070)
  perl-URI (5.07 -> 5.08)
  python
  python-base
  python-importlib-metadata (3.4.0 -> 3.7.0)
  python-libvirt-python (7.0.0 -> 7.1.0)
  python-qt5 (5.15.2 -> 5.15.3)
  rubygem-lightbox2 (2.11.1.1 -> 2.11.3)
  rubygem-rails-6.0
  xfce4-panel (4.16.1 -> 4.16.2)
  xfce4-pulseaudio-plugin
  yast2-hardware-detection (4.1.1 -> 4.1.2)
  yast2-installation (4.3.29 -> 4.3.30)
  yast2-security (4.3.11 -> 4.3.14)

=== Details ===

==== amavisd-new ====
Subpackages: amavisd-new-docs

- Package amavisd-milter in a separate package
- Add perl(Convert::BinHex) to required packages
- Disable BerkeleyDB in configuration
  + amavisd-new-no-berkeleydb.patch

==== bcm43xx-firmware ====

- Cater for old and new ways of configuring bluetooth on RPi. Users of
  'hciattach' expect the firmware in '/lib/firmware' while users of the serdev
  configured bluetooth setups will expect it in '/lib/firmware/brcm'
  (bsc#1177189).

==== fetchmail ====
Version update (6.4.15 -> 6.4.16)
Subpackages: fetchmailconf

- update to 6.4.16:
  * fetchmail's --configdump, and fetchmailconf, lacked support for
    the sslcertfile option.
  * fetchmail --version [fetchmail -V] now queries and prints the
    SSL/TLS library's "SSL default trusted certificate" file or
    directory (mind the word "default"), where the OpenSSL-compatible
    TLS implementation will look for trusted root, meaning
    certification authority (CA), certificates.
  * fetchmail --version now prints version of the OpenSSL library
    that it was compiled against, and that it is using at runtime,
    and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available).

==== gnutls ====
Version update (3.6.15 -> 3.7.0)
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit libgnutls30-hmac

- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
  * Don't unset system priority settings in gnutls-cli-debug.sh
  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
- Add gnutls-gnutls-cli-debug.patch
- Fix: Test certificates in tests/testpkcs11-certs have expired
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
- Add gnutls-test-fixes.patch
- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
- Add gnutls-ignore-duplicate-certificates.patch
- Update to 3.7.0
  * Depend on nettle 3.6
  * Added a new API that provides a callback function to retrieve
    missing certificates from incomplete certificate chains
  * Added a new API that provides a callback function to output the
    complete path to the trusted root during certificate chain
  verification
  * OIDs exposed as gnutls_datum_t no longer account for the
    terminating null bytes, while the data field is null terminated.
    The affected API functions are: gnutls_ocsp_req_get_extension,
    gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
  * Added a new set of API to enable QUIC implementation
  * The crypto implementation override APIs deprecated in 3.6.9 are
    now no-op
  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
  * Support for padlock has been fixed to make it work with Zhaoxin CPU
  * The maximum PIN length for PKCS #11 has been increased from 31
    bytes to 255 bytes
- Remove patch fixed upstream:
  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- Add version guards for the crypto-policies package
- Fix threading bug in libgnutls [bsc#1173434]
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
- Require the crypto-policies package [bsc#1180051]
- Use the centralized crypto policy profile (jsc#SLE-15832)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- FIPS: Add TLS KDF selftest (bsc#1176671)
  * add gnutls-FIPS-TLS_KDF_selftest.patch

==== kernel-source ====
Version update (5.10.16 -> 5.11.2)
Subpackages: kernel-default kernel-docs

- Linux 5.11.2 (bsc#1012628).
- KVM: Use kvm_pfn_t for local PFN variable in
  hva_to_pfn_remapped() (bsc#1012628).
- mm: provide a saner PTE walking API for modules (bsc#1012628).
- KVM: do not assume PTE is writable after follow_pfn
  (bsc#1012628).
- KVM: x86: Zap the oldest MMU pages, not the newest
  (bsc#1012628).
- hwmon: (dell-smm) Add XPS 15 L502X to fan control blacklist
  (bsc#1012628).
- arm64: tegra: Add power-domain for Tegra210 HDA (bsc#1012628).
- Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working
  (bsc#1012628).
- ntfs: check for valid standard information attribute
  (bsc#1012628).
- usb: quirks: add quirk to start video capture on ELMO L-12F
  document camera reliable (bsc#1012628).
- USB: quirks: sort quirk entries (bsc#1012628).
- HID: make arrays usage and value to be the same (bsc#1012628).
- bpf: Fix truncation handling for mod32 dst reg wrt zero
  (bsc#1012628).
- commit 6fd6105
- config: refresh
- fix misspelled USB gadget debugging options
- commit 20be8e3
- Update config files. Update config files. Enable USB_GADGET(jsc#SLE-14042)
- supported.conf:
  After discussion what the feature request implied, it was
  decided that gadget mode is also needed on x86_64
- commit 4adcbc0
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
  Since rpm 4.16 files installed during build phase are lost.
- commit d0b887e
- update mainline references
- update mainline references:
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch
  patches.suse/floppy-reintroduce-O_NDELAY-fix.patch
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch
- commit 4eacbc9
- Linux 5.11.1 (bsc#1012628).
- Xen/x86: don't bail early from clear_foreign_p2m_mapping()
  (bsc#1012628).
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
  (bsc#1012628).
- Xen/gntdev: correct dev_bus_addr handling in
  gntdev_map_grant_pages() (bsc#1012628).
- Xen/gntdev: correct error checking in gntdev_map_grant_pages()
  (bsc#1012628).
- xen/arm: don't ignore return errors from set_phys_to_machine
  (bsc#1012628).
- xen-blkback: don't "handle" error by BUG() (bsc#1012628).
- xen-netback: don't "handle" error by BUG() (bsc#1012628).
- xen-scsiback: don't "handle" error by BUG() (bsc#1012628).
- xen-blkback: fix error handling in xen_blkbk_map()
  (bsc#1012628).
- tty: protect tty_write from odd low-level tty disciplines
  (bsc#1012628).
- Bluetooth: btusb: Always fallback to alt 1 for WBS
  (bsc#1012628).
- commit 3652ea1
- arm: Update config files.
  Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- commit 702d1a3
- rpm/kernel-subpackage-build: Workaround broken bot
  (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- commit b74d860
- Update config files: Set reset-raspberrypi as builtin (bsc#1180336)
  This driver is needed in order to boot through USB. Ideally the kernel
  module should be selected by dracut, but it's not. So make it builtin
  until the relevant dracut fixes are available.
- commit 8186eab
- series.conf: cleanup
- move patches on the way to mainline into respective section
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch
  patches.suse/media-dvb-usb-Fix-memory-leak-at-error-in-dvb_usb_de.patch
  patches.suse/media-dvb-usb-Fix-use-after-free-access.patch
  patches.suse/media-pwc-Use-correct-device-for-DMA.patch
- commit 8309a4e
- kernel-binary.spec: Add back initrd and image symlink ghosts to
  filelist (bsc#1182140).
  Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- commit 606c9d1
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- commit c29e77d
- Refresh
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch.
- Refresh
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch.
  Update upstream status.
- commit 1916d9d
- Update to 5.11 final
- refresh configs
- commit 253d8c6

==== libsoup ====
Subpackages: libsoup-2_4-1 libsoup-lang typelib-1_0-Soup-2_4

- Run the regression tests using GnuTLS NORMAL priority
- Disable tls_interaction-test until resolved upstream
  * See https://gitlab.gnome.org/GNOME/libsoup/issues/120
- Add libsoup-skip-tls_interaction-test.patch
- Fix tests: fix SSL test with glib-networking >= 2.65.90
  * See https://gitlab.gnome.org/GNOME/libsoup/issues/201
- Add libsoup-fix-SSL-test.patch
- Remove patches:
  * libsoup-disable-ssl-tests.patch
  * libsoup-disable-hsts-tests.patch

==== libvirt ====
Version update (7.0.0 -> 7.1.0)
Subpackages: libvirt-bash-completion libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- libxl: Fix node device detach when driver unspecified
  libxl-default-pcistub-name.patch
  boo#1182885
- spec: Bump minimum glib version to 2.56
- Update to libvirt 7.1.0
  - Many incremental improvements and bug fixes, see
    https://libvirt.org/news.html
  - bsc#1182367, bsc#1182515
  - Dropped patches:
    32c5e432-revert-f035f53b.patch,
    e3d60f76-fix-socket-file-gen.patch,
    7cf60006-qemu-swtpm-aarch64.patch,
    afb823fc-qemu-validate-swtpm.patch,
    8a4b8996-conf-move-virDomainCheckVirtioOptions.patch,
    c05f0066-conf-drop-empty-virDomainNetDefPostParse.patch,
    19d4e467-conf-improve-virDomainVirtioOptionsCheckABIStability.patch,
    bd112c9e-qemu-virtio-options-vsock.patch
- Remove old initscript patching of libvirt-guests.sh
  Modified suse-libvirt-guests-service.patch
  boo#1182494

==== libwps ====
Version update (0.4.11 -> 0.4.12)

- udpate to 0.4.12:
  - add a minimalist parser for Pocket Word .psw and .pwi files

==== mousepad ====
Version update (0.5.2 -> 0.5.3)
Subpackages: mousepad-lang

- Update to version 0.5.3
  * Use old style menu alignment (gxo#apps/mousepad#97,
    gxo#apps/mousepad!77)
  * Add a keybinding to reset font size
  * Fix inverted return value of scroll event handler
  * Various small improvements regarding accels
  * Block the right signal handler for tooltip updates
  * A clarification about action groups
  * Translation Updates

==== ntp ====

- Disown /var/lib/ntp, it is now part of the sysuser-ntp package.

==== openssl ====
Version update (1.1.1h -> 1.1.1j)

- Update to 1.1.1j release
- Update to 1.1.1i release

==== openssl-1_1 ====
Version update (1.1.1h -> 1.1.1j)
Subpackages: libopenssl1_1 libopenssl1_1-32bit libopenssl1_1-hmac

- Update to 1.1.1j
  * Fixed the X509_issuer_and_serial_hash() function. It attempts
    to create a unique hash value based on the issuer and serial
    number data contained within an X509 certificate. However it
    was failing to correctly handle any errors that may occur
    while parsing the issuer field [bsc#1182331, CVE-2021-23841]
  * Fixed the RSA_padding_check_SSLv23() function and the
    RSA_SSLV23_PADDING padding mode to correctly check for
    rollback attacks.
  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and
    EVP_DecryptUpdate functions. Previously they could overflow the
    output length argument in some cases where the input length is
    close to the maximum permissable length for an integer on the
    platform. In such cases the return value from the function call
    would be 1 (indicating success), but the output length value
    would be negative. This could cause applications to behave
    incorrectly or crash. [bsc#1182333, CVE-2021-23840]
  * Fixed SRP_Calc_client_key so that it runs in constant time.
    The previous implementation called BN_mod_exp without setting
    BN_FLG_CONSTTIME. This could be exploited in a side channel
    attack to recover the password. Since the attack is local host
    only this is outside of the current OpenSSL threat model and
    therefore no CVE is assigned.
- Rebase patches:
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch
- Removed patch because it was causing problems with other servers.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
- Zero pad the DHE public key in ClientKeyExchange for interoperability with
  Windows Server 2019.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
  * sourced from https://github.com/openssl/openssl/pull/12331/files
- Add version guards for the crypto-policies
- Disable test_srp subsection from 90-test_sslapi.t test
- Use SECLEVEL 2 in 80-test_ssl_new.t
- Add patches:
  * openssl-1_1-use-seclevel2-in-tests.patch
  * openssl-1_1-disable-test_srp-sslapi.patch
- Allow SHA1 in SECLEVEL 2 in non-FIPS mode
- Add openssl-1_1-seclevel.patch
- Require the crypto-policies package [bsc#1180051]
- Update to 1.1.1i (bsc#1179491)
  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
- Refresh openssl-1.1.1-fips-post-rand.patch

==== pavucontrol ====
Subpackages: pavucontrol-lang

- Require the pulseaudio-daemon capability instead of the
  pulseaudio package, so alternative implementations can be used
  (boo#1182730).

==== pentobi ====
Version update (18.4 -> 18.5)

- Update to version 18.5
  * Require GNU gettext >=0.19.6, which has built-in support for
    AppData, such the appstream package is no longer needed for
    compilation.
  * Added missing include that broke the compilation with GCC 11
  * Complete Russian translation of the manual.

==== perl-Date-Manip ====
Version update (6.83 -> 6.85)

- updated to 6.85
  see /usr/share/doc/packages/perl-Date-Manip/Changes
  6.85  2021-03-01
  - Test fixes
    Missed some tests that were failing.
  6.84  2021-03-01
  - Time zone fixes
    Newest zoneinfo data (tzdata 2021a).
  - Language fixes
    Corrections and additions to Italian. Patch supplied by Leo
    Cacciari (GitHub #33)

==== perl-IO-Socket-SSL ====
Version update (2.068 -> 2.070)

- updated to 2.070
  see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
  2.070 2021/02/26
  - changed bugtracker in Makefile.PL to github, away from obsolete rt.cpan.org
  2.069 2021/01/22
  - IO::Socket::Utils CERT_asHash and CERT_create now support subject and issuer
    with multiple same parts (like multiple OU). In this case an array ref instead
    of a scalar is used as hash value.
    https://github.com/noxxi/p5-io-socket-ssl/issues/95

==== perl-URI ====
Version update (5.07 -> 5.08)

- updated to 5.08
  see /usr/share/doc/packages/perl-URI/Changes
  5.08      2021-02-28 18:08:32Z
  - added URI::nntps (GH#82)

==== python ====

- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).

==== python-base ====
Subpackages: libpython2_7-1_0 python-xml

- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).

==== python-importlib-metadata ====
Version update (3.4.0 -> 3.7.0)

- update to 3.7.0:
  * #131: Added ``packages_distributions`` to conveniently
    resolve a top-level package or module to its distribution(s).
  * #284: Introduces new ``EntryPoints`` object, a tuple of
    ``EntryPoint`` objects but with convenience properties for
    selecting and inspecting the results:
  - ``.select()`` accepts ``group`` or ``name`` keyword
    parameters and returns a new ``EntryPoints`` tuple
    with only those that match the selection.
  - ``.groups`` property presents all of the group names.
  - ``.names`` property presents the names of the entry points.
  - Item access (e.g. ``eps[name]``) retrieves a single
    entry point by name.
    ``entry_points`` now accepts "selection parameters",
    same as ``EntryPoint.select()``.
    ``entry_points()`` now provides a future-compatible
    ``SelectableGroups`` object that supplies the above interface
    but remains a dict for compatibility.
    In the future, ``entry_points()`` will return an
    ``EntryPoints`` object, but provide for backward
    compatibility with a deprecated  ``__getitem__``
    accessor by group and a ``get()`` method.
    If passing selection parameters to ``entry_points``, the
    future behavior is invoked and an ``EntryPoints`` is the
    result.
    Construction of entry points using
    ``dict([EntryPoint, ...])`` is now deprecated and raises
    an appropriate DeprecationWarning and will be removed in
    a future version.
  * #280: ``entry_points`` now only returns entry points for
    unique distributions (by name).

==== python-libvirt-python ====
Version update (7.0.0 -> 7.1.0)

- Update to 7.1.0
  - Add all new APIs and constants in libvirt 7.1.0

==== python-qt5 ====
Version update (5.15.2 -> 5.15.3)

- Update to version 5.15.3
  * Added the missing QImage.setAlphaChannel().
  * Support for the QtNetworkAuth library has been moved to a
    separate PyQtNetworkAuth package.
  * Bug fixes.
- Disable the build for SIPv4 and Python2. It does not build
  anymore. According to upstream, the change was not intentional,
  albeit SIP v4 is not officially supported anymore. We use this
  opportunity to ditch the old cruft. Moves the SLE/Leap builds
  to SIP v5.
- Remove unused QtWebEngine libraries from build system. Those are
  handled in the python-qtwebengine-qt5 package.
- Remove the unnecessary strict binary compatibility requirement
  for PyQt5.sip: python-sip[56]-devel will not runtime require any
  PyQt[56].sip module anymore and the %requires_eq would do nothing
  because the package is not installed.
- Some rpmlint runs were complaining that the PyQt5 dir was not
  also owned by the nonring extra packages

==== rubygem-lightbox2 ====
Version update (2.11.1.1 -> 2.11.3)

- updated to version 2.11.3
  * Updated lightbox2 to upstream version 2.11.3 ([Upstream changelog](https://github.com/lokesh/lightbox2/releases/tag/v2.11.3))

==== rubygem-rails-6.0 ====

- Fixed recommended dependencies (boo#1177517)

==== xfce4-panel ====
Version update (4.16.1 -> 4.16.2)
Subpackages: libxfce4panel-2_0-4 xfce4-panel-lang xfce4-panel-restore-defaults

- Update to 4.16.2
  * Add icons to help and about items in panel menu
  * Modernize documentation (developer.xfce.org)
  * Translation Updates

==== xfce4-pulseaudio-plugin ====
Subpackages: xfce4-pulseaudio-plugin-lang

- Require the pulseaudio-daemon capability instead of the
  pulseaudio package, so alternative implementations can be used
  (boo#1182730).

==== yast2-hardware-detection ====
Version update (4.1.1 -> 4.1.2)

- Fixed pointer check to compile with GCC 11 (bsc#1181916)
- 4.1.2

==== yast2-installation ====
Version update (4.3.29 -> 4.3.30)

- Do not write selinux and polkit default rules during upgrade
  (bsc#1182894)
- 4.3.30

==== yast2-security ====
Version update (4.3.11 -> 4.3.14)

- Ensure defined SELinux patterns are set (bsc#1182543).
- 4.3.14
- Do not write bootloader in insts-sys (bsc#1182894).
- 4.3.13